Revert "smbd: introduce sconn->sync_thread_pool"
[garming/samba-autobuild/.git] / source3 / smbd / process.c
1 /* 
2    Unix SMB/CIFS implementation.
3    process incoming packets - main loop
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Volker Lendecke 2005-2007
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "../lib/tsocket/tsocket.h"
23 #include "system/filesys.h"
24 #include "smbd/smbd.h"
25 #include "smbd/globals.h"
26 #include "librpc/gen_ndr/netlogon.h"
27 #include "../lib/async_req/async_sock.h"
28 #include "ctdbd_conn.h"
29 #include "../lib/util/select.h"
30 #include "printing/queue_process.h"
31 #include "system/select.h"
32 #include "passdb.h"
33 #include "auth.h"
34 #include "messages.h"
35 #include "lib/messages_ctdb.h"
36 #include "smbprofile.h"
37 #include "rpc_server/spoolss/srv_spoolss_nt.h"
38 #include "libsmb/libsmb.h"
39 #include "../lib/util/tevent_ntstatus.h"
40 #include "../libcli/security/dom_sid.h"
41 #include "../libcli/security/security_token.h"
42 #include "lib/id_cache.h"
43 #include "lib/util/sys_rw_data.h"
44 #include "system/threads.h"
45 #include "lib/pthreadpool/pthreadpool_tevent.h"
46 #include "util_event.h"
47
48 /* Internal message queue for deferred opens. */
49 struct pending_message_list {
50         struct pending_message_list *next, *prev;
51         struct timeval request_time; /* When was this first issued? */
52         struct smbd_server_connection *sconn;
53         struct smbXsrv_connection *xconn;
54         struct tevent_timer *te;
55         struct smb_perfcount_data pcd;
56         uint32_t seqnum;
57         bool encrypted;
58         bool processed;
59         DATA_BLOB buf;
60         struct deferred_open_record *open_rec;
61 };
62
63 static void construct_reply_common(uint8_t cmd, const uint8_t *inbuf,
64                                    char *outbuf);
65 static struct pending_message_list *get_deferred_open_message_smb(
66         struct smbd_server_connection *sconn, uint64_t mid);
67 static bool smb_splice_chain(uint8_t **poutbuf, const uint8_t *andx_buf);
68
69 static void smbd_echo_init(struct smbXsrv_connection *xconn)
70 {
71         xconn->smb1.echo_handler.trusted_fd = -1;
72         xconn->smb1.echo_handler.socket_lock_fd = -1;
73 #ifdef HAVE_ROBUST_MUTEXES
74         xconn->smb1.echo_handler.socket_mutex = NULL;
75 #endif
76 }
77
78 static bool smbd_echo_active(struct smbXsrv_connection *xconn)
79 {
80         if (xconn->smb1.echo_handler.socket_lock_fd != -1) {
81                 return true;
82         }
83
84 #ifdef HAVE_ROBUST_MUTEXES
85         if (xconn->smb1.echo_handler.socket_mutex != NULL) {
86                 return true;
87         }
88 #endif
89
90         return false;
91 }
92
93 static bool smbd_lock_socket_internal(struct smbXsrv_connection *xconn)
94 {
95         if (!smbd_echo_active(xconn)) {
96                 return true;
97         }
98
99         xconn->smb1.echo_handler.ref_count++;
100
101         if (xconn->smb1.echo_handler.ref_count > 1) {
102                 return true;
103         }
104
105         DEBUG(10,("pid[%d] wait for socket lock\n", (int)getpid()));
106
107 #ifdef HAVE_ROBUST_MUTEXES
108         if (xconn->smb1.echo_handler.socket_mutex != NULL) {
109                 int ret = EINTR;
110
111                 while (ret == EINTR) {
112                         ret = pthread_mutex_lock(
113                                 xconn->smb1.echo_handler.socket_mutex);
114                         if (ret == 0) {
115                                 break;
116                         }
117                 }
118                 if (ret != 0) {
119                         DEBUG(1, ("pthread_mutex_lock failed: %s\n",
120                                   strerror(ret)));
121                         return false;
122                 }
123         }
124 #endif
125
126         if (xconn->smb1.echo_handler.socket_lock_fd != -1) {
127                 bool ok;
128
129                 do {
130                         ok = fcntl_lock(
131                                 xconn->smb1.echo_handler.socket_lock_fd,
132                                 F_SETLKW, 0, 0, F_WRLCK);
133                 } while (!ok && (errno == EINTR));
134
135                 if (!ok) {
136                         DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
137                         return false;
138                 }
139         }
140
141         DEBUG(10,("pid[%d] got socket lock\n", (int)getpid()));
142
143         return true;
144 }
145
146 void smbd_lock_socket(struct smbXsrv_connection *xconn)
147 {
148         if (!smbd_lock_socket_internal(xconn)) {
149                 exit_server_cleanly("failed to lock socket");
150         }
151 }
152
153 static bool smbd_unlock_socket_internal(struct smbXsrv_connection *xconn)
154 {
155         if (!smbd_echo_active(xconn)) {
156                 return true;
157         }
158
159         xconn->smb1.echo_handler.ref_count--;
160
161         if (xconn->smb1.echo_handler.ref_count > 0) {
162                 return true;
163         }
164
165 #ifdef HAVE_ROBUST_MUTEXES
166         if (xconn->smb1.echo_handler.socket_mutex != NULL) {
167                 int ret;
168                 ret = pthread_mutex_unlock(
169                         xconn->smb1.echo_handler.socket_mutex);
170                 if (ret != 0) {
171                         DEBUG(1, ("pthread_mutex_unlock failed: %s\n",
172                                   strerror(ret)));
173                         return false;
174                 }
175         }
176 #endif
177
178         if (xconn->smb1.echo_handler.socket_lock_fd != -1) {
179                 bool ok;
180
181                 do {
182                         ok = fcntl_lock(
183                                 xconn->smb1.echo_handler.socket_lock_fd,
184                                 F_SETLKW, 0, 0, F_UNLCK);
185                 } while (!ok && (errno == EINTR));
186
187                 if (!ok) {
188                         DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
189                         return false;
190                 }
191         }
192
193         DEBUG(10,("pid[%d] unlocked socket\n", (int)getpid()));
194
195         return true;
196 }
197
198 void smbd_unlock_socket(struct smbXsrv_connection *xconn)
199 {
200         if (!smbd_unlock_socket_internal(xconn)) {
201                 exit_server_cleanly("failed to unlock socket");
202         }
203 }
204
205 /* Accessor function for smb_read_error for smbd functions. */
206
207 /****************************************************************************
208  Send an smb to a fd.
209 ****************************************************************************/
210
211 bool srv_send_smb(struct smbXsrv_connection *xconn, char *buffer,
212                   bool do_signing, uint32_t seqnum,
213                   bool do_encrypt,
214                   struct smb_perfcount_data *pcd)
215 {
216         size_t len = 0;
217         ssize_t ret;
218         char *buf_out = buffer;
219
220         if (!NT_STATUS_IS_OK(xconn->transport.status)) {
221                 /*
222                  * we're not supposed to do any io
223                  */
224                 return true;
225         }
226
227         smbd_lock_socket(xconn);
228
229         if (do_signing) {
230                 /* Sign the outgoing packet if required. */
231                 srv_calculate_sign_mac(xconn, buf_out, seqnum);
232         }
233
234         if (do_encrypt) {
235                 NTSTATUS status = srv_encrypt_buffer(xconn, buffer, &buf_out);
236                 if (!NT_STATUS_IS_OK(status)) {
237                         DEBUG(0, ("send_smb: SMB encryption failed "
238                                 "on outgoing packet! Error %s\n",
239                                 nt_errstr(status) ));
240                         ret = -1;
241                         goto out;
242                 }
243         }
244
245         len = smb_len_large(buf_out) + 4;
246
247         ret = write_data(xconn->transport.sock, buf_out, len);
248         if (ret <= 0) {
249                 int saved_errno = errno;
250                 /*
251                  * Try and give an error message saying what
252                  * client failed.
253                  */
254                 DEBUG(1,("pid[%d] Error writing %d bytes to client %s. %d. (%s)\n",
255                          (int)getpid(), (int)len,
256                          smbXsrv_connection_dbg(xconn),
257                          (int)ret, strerror(saved_errno)));
258                 errno = saved_errno;
259
260                 srv_free_enc_buffer(xconn, buf_out);
261                 goto out;
262         }
263
264         SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
265         srv_free_enc_buffer(xconn, buf_out);
266 out:
267         SMB_PERFCOUNT_END(pcd);
268
269         smbd_unlock_socket(xconn);
270         return (ret > 0);
271 }
272
273 /*******************************************************************
274  Setup the word count and byte count for a smb message.
275 ********************************************************************/
276
277 size_t srv_set_message(char *buf,
278                        size_t num_words,
279                        size_t num_bytes,
280                        bool zero)
281 {
282         if (zero && (num_words || num_bytes)) {
283                 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
284         }
285         SCVAL(buf,smb_wct,num_words);
286         SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
287         smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
288         return (smb_size + num_words*2 + num_bytes);
289 }
290
291 static bool valid_smb_header(const uint8_t *inbuf)
292 {
293         if (is_encrypted_packet(inbuf)) {
294                 return true;
295         }
296         /*
297          * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
298          * but it just looks weird to call strncmp for this one.
299          */
300         return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
301 }
302
303 /* Socket functions for smbd packet processing. */
304
305 static bool valid_packet_size(size_t len)
306 {
307         /*
308          * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
309          * of header. Don't print the error if this fits.... JRA.
310          */
311
312         if (len > (LARGE_WRITEX_BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
313                 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
314                                         (unsigned long)len));
315                 return false;
316         }
317         return true;
318 }
319
320 static NTSTATUS read_packet_remainder(int fd, char *buffer,
321                                       unsigned int timeout, ssize_t len)
322 {
323         NTSTATUS status;
324
325         if (len <= 0) {
326                 return NT_STATUS_OK;
327         }
328
329         status = read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
330         if (!NT_STATUS_IS_OK(status)) {
331                 char addr[INET6_ADDRSTRLEN];
332                 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
333                           "error = %s.\n",
334                           get_peer_addr(fd, addr, sizeof(addr)),
335                           nt_errstr(status)));
336         }
337         return status;
338 }
339
340 /****************************************************************************
341  Attempt a zerocopy writeX read. We know here that len > smb_size-4
342 ****************************************************************************/
343
344 /*
345  * Unfortunately, earlier versions of smbclient/libsmbclient
346  * don't send this "standard" writeX header. I've fixed this
347  * for 3.2 but we'll use the old method with earlier versions.
348  * Windows and CIFSFS at least use this standard size. Not
349  * sure about MacOSX.
350  */
351
352 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
353                                 (2*14) + /* word count (including bcc) */ \
354                                 1 /* pad byte */)
355
356 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
357                                                     const char lenbuf[4],
358                                                     struct smbXsrv_connection *xconn,
359                                                     int sock,
360                                                     char **buffer,
361                                                     unsigned int timeout,
362                                                     size_t *p_unread,
363                                                     size_t *len_ret)
364 {
365         /* Size of a WRITEX call (+4 byte len). */
366         char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
367         ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
368         ssize_t toread;
369         NTSTATUS status;
370
371         memcpy(writeX_header, lenbuf, 4);
372
373         status = read_fd_with_timeout(
374                 sock, writeX_header + 4,
375                 STANDARD_WRITE_AND_X_HEADER_SIZE,
376                 STANDARD_WRITE_AND_X_HEADER_SIZE,
377                 timeout, NULL);
378
379         if (!NT_STATUS_IS_OK(status)) {
380                 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
381                           "error = %s.\n",
382                           smbXsrv_connection_dbg(xconn),
383                           nt_errstr(status)));
384                 return status;
385         }
386
387         /*
388          * Ok - now try and see if this is a possible
389          * valid writeX call.
390          */
391
392         if (is_valid_writeX_buffer(xconn, (uint8_t *)writeX_header)) {
393                 /*
394                  * If the data offset is beyond what
395                  * we've read, drain the extra bytes.
396                  */
397                 uint16_t doff = SVAL(writeX_header,smb_vwv11);
398                 ssize_t newlen;
399
400                 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
401                         size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
402                         if (drain_socket(sock, drain) != drain) {
403                                 smb_panic("receive_smb_raw_talloc_partial_read:"
404                                         " failed to drain pending bytes");
405                         }
406                 } else {
407                         doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
408                 }
409
410                 /* Spoof down the length and null out the bcc. */
411                 set_message_bcc(writeX_header, 0);
412                 newlen = smb_len(writeX_header);
413
414                 /* Copy the header we've written. */
415
416                 *buffer = (char *)talloc_memdup(mem_ctx,
417                                 writeX_header,
418                                 sizeof(writeX_header));
419
420                 if (*buffer == NULL) {
421                         DEBUG(0, ("Could not allocate inbuf of length %d\n",
422                                   (int)sizeof(writeX_header)));
423                         return NT_STATUS_NO_MEMORY;
424                 }
425
426                 /* Work out the remaining bytes. */
427                 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
428                 *len_ret = newlen + 4;
429                 return NT_STATUS_OK;
430         }
431
432         if (!valid_packet_size(len)) {
433                 return NT_STATUS_INVALID_PARAMETER;
434         }
435
436         /*
437          * Not a valid writeX call. Just do the standard
438          * talloc and return.
439          */
440
441         *buffer = talloc_array(mem_ctx, char, len+4);
442
443         if (*buffer == NULL) {
444                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
445                           (int)len+4));
446                 return NT_STATUS_NO_MEMORY;
447         }
448
449         /* Copy in what we already read. */
450         memcpy(*buffer,
451                 writeX_header,
452                 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
453         toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
454
455         if(toread > 0) {
456                 status = read_packet_remainder(
457                         sock,
458                         (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
459                         timeout, toread);
460
461                 if (!NT_STATUS_IS_OK(status)) {
462                         DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
463                                    nt_errstr(status)));
464                         return status;
465                 }
466         }
467
468         *len_ret = len + 4;
469         return NT_STATUS_OK;
470 }
471
472 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx,
473                                        struct smbXsrv_connection *xconn,
474                                        int sock,
475                                        char **buffer, unsigned int timeout,
476                                        size_t *p_unread, size_t *plen)
477 {
478         char lenbuf[4];
479         size_t len;
480         int min_recv_size = lp_min_receive_file_size();
481         NTSTATUS status;
482
483         *p_unread = 0;
484
485         status = read_smb_length_return_keepalive(sock, lenbuf, timeout,
486                                                   &len);
487         if (!NT_STATUS_IS_OK(status)) {
488                 return status;
489         }
490
491         if (CVAL(lenbuf,0) == 0 && min_recv_size &&
492             (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
493                 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
494             !srv_is_signing_active(xconn) &&
495             xconn->smb1.echo_handler.trusted_fde == NULL) {
496
497                 return receive_smb_raw_talloc_partial_read(
498                         mem_ctx, lenbuf, xconn, sock, buffer, timeout,
499                         p_unread, plen);
500         }
501
502         if (!valid_packet_size(len)) {
503                 return NT_STATUS_INVALID_PARAMETER;
504         }
505
506         /*
507          * The +4 here can't wrap, we've checked the length above already.
508          */
509
510         *buffer = talloc_array(mem_ctx, char, len+4);
511
512         if (*buffer == NULL) {
513                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
514                           (int)len+4));
515                 return NT_STATUS_NO_MEMORY;
516         }
517
518         memcpy(*buffer, lenbuf, sizeof(lenbuf));
519
520         status = read_packet_remainder(sock, (*buffer)+4, timeout, len);
521         if (!NT_STATUS_IS_OK(status)) {
522                 return status;
523         }
524
525         *plen = len + 4;
526         return NT_STATUS_OK;
527 }
528
529 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx,
530                                    struct smbXsrv_connection *xconn,
531                                    int sock,
532                                    char **buffer, unsigned int timeout,
533                                    size_t *p_unread, bool *p_encrypted,
534                                    size_t *p_len,
535                                    uint32_t *seqnum,
536                                    bool trusted_channel)
537 {
538         size_t len = 0;
539         NTSTATUS status;
540
541         *p_encrypted = false;
542
543         status = receive_smb_raw_talloc(mem_ctx, xconn, sock, buffer, timeout,
544                                         p_unread, &len);
545         if (!NT_STATUS_IS_OK(status)) {
546                 DEBUG(NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE)?5:1,
547                       ("receive_smb_raw_talloc failed for client %s "
548                        "read error = %s.\n",
549                        smbXsrv_connection_dbg(xconn),
550                        nt_errstr(status)) );
551                 return status;
552         }
553
554         if (is_encrypted_packet((uint8_t *)*buffer)) {
555                 status = srv_decrypt_buffer(xconn, *buffer);
556                 if (!NT_STATUS_IS_OK(status)) {
557                         DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
558                                 "incoming packet! Error %s\n",
559                                 nt_errstr(status) ));
560                         return status;
561                 }
562                 *p_encrypted = true;
563         }
564
565         /* Check the incoming SMB signature. */
566         if (!srv_check_sign_mac(xconn, *buffer, seqnum, trusted_channel)) {
567                 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
568                           "incoming packet!\n"));
569                 return NT_STATUS_INVALID_NETWORK_RESPONSE;
570         }
571
572         *p_len = len;
573         return NT_STATUS_OK;
574 }
575
576 /*
577  * Initialize a struct smb_request from an inbuf
578  */
579
580 static bool init_smb_request(struct smb_request *req,
581                              struct smbd_server_connection *sconn,
582                              struct smbXsrv_connection *xconn,
583                              const uint8_t *inbuf,
584                              size_t unread_bytes, bool encrypted,
585                              uint32_t seqnum)
586 {
587         struct smbXsrv_tcon *tcon;
588         NTSTATUS status;
589         NTTIME now;
590         size_t req_size = smb_len(inbuf) + 4;
591
592         /* Ensure we have at least smb_size bytes. */
593         if (req_size < smb_size) {
594                 DEBUG(0,("init_smb_request: invalid request size %u\n",
595                         (unsigned int)req_size ));
596                 return false;
597         }
598
599         req->request_time = timeval_current();
600         now = timeval_to_nttime(&req->request_time);
601
602         req->cmd    = CVAL(inbuf, smb_com);
603         req->flags2 = SVAL(inbuf, smb_flg2);
604         req->smbpid = SVAL(inbuf, smb_pid);
605         req->mid    = (uint64_t)SVAL(inbuf, smb_mid);
606         req->seqnum = seqnum;
607         req->vuid   = SVAL(inbuf, smb_uid);
608         req->tid    = SVAL(inbuf, smb_tid);
609         req->wct    = CVAL(inbuf, smb_wct);
610         req->vwv    = (const uint16_t *)(inbuf+smb_vwv);
611         req->buflen = smb_buflen(inbuf);
612         req->buf    = (const uint8_t *)smb_buf_const(inbuf);
613         req->unread_bytes = unread_bytes;
614         req->encrypted = encrypted;
615         req->sconn = sconn;
616         req->xconn = xconn;
617         req->conn = NULL;
618         if (xconn != NULL) {
619                 status = smb1srv_tcon_lookup(xconn, req->tid, now, &tcon);
620                 if (NT_STATUS_IS_OK(status)) {
621                         req->conn = tcon->compat;
622                 }
623         }
624         req->chain_fsp = NULL;
625         req->smb2req = NULL;
626         req->priv_paths = NULL;
627         req->chain = NULL;
628         req->posix_pathnames = lp_posix_pathnames();
629         smb_init_perfcount_data(&req->pcd);
630
631         /* Ensure we have at least wct words and 2 bytes of bcc. */
632         if (smb_size + req->wct*2 > req_size) {
633                 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
634                         (unsigned int)req->wct,
635                         (unsigned int)req_size));
636                 return false;
637         }
638         /* Ensure bcc is correct. */
639         if (((const uint8_t *)smb_buf_const(inbuf)) + req->buflen > inbuf + req_size) {
640                 DEBUG(0,("init_smb_request: invalid bcc number %u "
641                         "(wct = %u, size %u)\n",
642                         (unsigned int)req->buflen,
643                         (unsigned int)req->wct,
644                         (unsigned int)req_size));
645                 return false;
646         }
647
648         req->outbuf = NULL;
649         return true;
650 }
651
652 static void process_smb(struct smbXsrv_connection *xconn,
653                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
654                         uint32_t seqnum, bool encrypted,
655                         struct smb_perfcount_data *deferred_pcd);
656
657 static void smbd_deferred_open_timer(struct tevent_context *ev,
658                                      struct tevent_timer *te,
659                                      struct timeval _tval,
660                                      void *private_data)
661 {
662         struct pending_message_list *msg = talloc_get_type(private_data,
663                                            struct pending_message_list);
664         struct smbd_server_connection *sconn = msg->sconn;
665         struct smbXsrv_connection *xconn = msg->xconn;
666         TALLOC_CTX *mem_ctx = talloc_tos();
667         uint64_t mid = (uint64_t)SVAL(msg->buf.data,smb_mid);
668         uint8_t *inbuf;
669
670         inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
671                                          msg->buf.length);
672         if (inbuf == NULL) {
673                 exit_server("smbd_deferred_open_timer: talloc failed\n");
674                 return;
675         }
676
677         /* We leave this message on the queue so the open code can
678            know this is a retry. */
679         DEBUG(5,("smbd_deferred_open_timer: trigger mid %llu.\n",
680                 (unsigned long long)mid ));
681
682         /* Mark the message as processed so this is not
683          * re-processed in error. */
684         msg->processed = true;
685
686         process_smb(xconn, inbuf,
687                     msg->buf.length, 0,
688                     msg->seqnum, msg->encrypted, &msg->pcd);
689
690         /* If it's still there and was processed, remove it. */
691         msg = get_deferred_open_message_smb(sconn, mid);
692         if (msg && msg->processed) {
693                 remove_deferred_open_message_smb(xconn, mid);
694         }
695 }
696
697 /****************************************************************************
698  Function to push a message onto the tail of a linked list of smb messages ready
699  for processing.
700 ****************************************************************************/
701
702 static bool push_queued_message(struct smb_request *req,
703                                 struct timeval request_time,
704                                 struct timeval end_time,
705                                 struct deferred_open_record *open_rec)
706 {
707         int msg_len = smb_len(req->inbuf) + 4;
708         struct pending_message_list *msg;
709
710         msg = talloc_zero(NULL, struct pending_message_list);
711
712         if(msg == NULL) {
713                 DEBUG(0,("push_message: malloc fail (1)\n"));
714                 return False;
715         }
716         msg->sconn = req->sconn;
717         msg->xconn = req->xconn;
718
719         msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
720         if(msg->buf.data == NULL) {
721                 DEBUG(0,("push_message: malloc fail (2)\n"));
722                 TALLOC_FREE(msg);
723                 return False;
724         }
725
726         msg->request_time = request_time;
727         msg->seqnum = req->seqnum;
728         msg->encrypted = req->encrypted;
729         msg->processed = false;
730         SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
731
732         if (open_rec) {
733                 msg->open_rec = talloc_move(msg, &open_rec);
734         }
735
736 #if 0
737         msg->te = tevent_add_timer(msg->sconn->ev_ctx,
738                                    msg,
739                                    end_time,
740                                    smbd_deferred_open_timer,
741                                    msg);
742         if (!msg->te) {
743                 DEBUG(0,("push_message: event_add_timed failed\n"));
744                 TALLOC_FREE(msg);
745                 return false;
746         }
747 #endif
748
749         DLIST_ADD_END(req->sconn->deferred_open_queue, msg);
750
751         DEBUG(10,("push_message: pushed message length %u on "
752                   "deferred_open_queue\n", (unsigned int)msg_len));
753
754         return True;
755 }
756
757 /****************************************************************************
758  Function to delete a sharing violation open message by mid.
759 ****************************************************************************/
760
761 void remove_deferred_open_message_smb(struct smbXsrv_connection *xconn,
762                                       uint64_t mid)
763 {
764         struct smbd_server_connection *sconn = xconn->client->sconn;
765         struct pending_message_list *pml;
766
767         if (sconn->using_smb2) {
768                 remove_deferred_open_message_smb2(xconn, mid);
769                 return;
770         }
771
772         for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
773                 if (mid == (uint64_t)SVAL(pml->buf.data,smb_mid)) {
774                         DEBUG(10,("remove_deferred_open_message_smb: "
775                                   "deleting mid %llu len %u\n",
776                                   (unsigned long long)mid,
777                                   (unsigned int)pml->buf.length ));
778                         DLIST_REMOVE(sconn->deferred_open_queue, pml);
779                         TALLOC_FREE(pml);
780                         return;
781                 }
782         }
783 }
784
785 /****************************************************************************
786  Move a sharing violation open retry message to the front of the list and
787  schedule it for immediate processing.
788 ****************************************************************************/
789
790 bool schedule_deferred_open_message_smb(struct smbXsrv_connection *xconn,
791                                         uint64_t mid)
792 {
793         struct smbd_server_connection *sconn = xconn->client->sconn;
794         struct pending_message_list *pml;
795         int i = 0;
796
797         if (sconn->using_smb2) {
798                 return schedule_deferred_open_message_smb2(xconn, mid);
799         }
800
801         for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
802                 uint64_t msg_mid = (uint64_t)SVAL(pml->buf.data,smb_mid);
803
804                 DEBUG(10,("schedule_deferred_open_message_smb: [%d] "
805                         "msg_mid = %llu\n",
806                         i++,
807                         (unsigned long long)msg_mid ));
808
809                 if (mid == msg_mid) {
810                         struct tevent_timer *te;
811
812                         if (pml->processed) {
813                                 /* A processed message should not be
814                                  * rescheduled. */
815                                 DEBUG(0,("schedule_deferred_open_message_smb: LOGIC ERROR "
816                                         "message mid %llu was already processed\n",
817                                         (unsigned long long)msg_mid ));
818                                 continue;
819                         }
820
821                         DEBUG(10,("schedule_deferred_open_message_smb: "
822                                 "scheduling mid %llu\n",
823                                 (unsigned long long)mid ));
824
825                         /*
826                          * smbd_deferred_open_timer() calls
827                          * process_smb() to redispatch the request
828                          * including the required impersonation.
829                          *
830                          * So we can just use the raw tevent_context.
831                          */
832                         te = tevent_add_timer(xconn->client->raw_ev_ctx,
833                                               pml,
834                                               timeval_zero(),
835                                               smbd_deferred_open_timer,
836                                               pml);
837                         if (!te) {
838                                 DEBUG(10,("schedule_deferred_open_message_smb: "
839                                         "event_add_timed() failed, "
840                                         "skipping mid %llu\n",
841                                         (unsigned long long)msg_mid ));
842                         }
843
844                         TALLOC_FREE(pml->te);
845                         pml->te = te;
846                         DLIST_PROMOTE(sconn->deferred_open_queue, pml);
847                         return true;
848                 }
849         }
850
851         DEBUG(10,("schedule_deferred_open_message_smb: failed to "
852                 "find message mid %llu\n",
853                 (unsigned long long)mid ));
854
855         return false;
856 }
857
858 /****************************************************************************
859  Return true if this mid is on the deferred queue and was not yet processed.
860 ****************************************************************************/
861
862 bool open_was_deferred(struct smbXsrv_connection *xconn, uint64_t mid)
863 {
864         struct smbd_server_connection *sconn = xconn->client->sconn;
865         struct pending_message_list *pml;
866
867         if (sconn->using_smb2) {
868                 return open_was_deferred_smb2(xconn, mid);
869         }
870
871         for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
872                 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid && !pml->processed) {
873                         return True;
874                 }
875         }
876         return False;
877 }
878
879 /****************************************************************************
880  Return the message queued by this mid.
881 ****************************************************************************/
882
883 static struct pending_message_list *get_deferred_open_message_smb(
884         struct smbd_server_connection *sconn, uint64_t mid)
885 {
886         struct pending_message_list *pml;
887
888         for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
889                 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid) {
890                         return pml;
891                 }
892         }
893         return NULL;
894 }
895
896 /****************************************************************************
897  Get the state data queued by this mid.
898 ****************************************************************************/
899
900 bool get_deferred_open_message_state(struct smb_request *smbreq,
901                                 struct timeval *p_request_time,
902                                 struct deferred_open_record **open_rec)
903 {
904         struct pending_message_list *pml;
905
906         if (smbreq->sconn->using_smb2) {
907                 return get_deferred_open_message_state_smb2(smbreq->smb2req,
908                                         p_request_time,
909                                         open_rec);
910         }
911
912         pml = get_deferred_open_message_smb(smbreq->sconn, smbreq->mid);
913         if (!pml) {
914                 return false;
915         }
916         if (p_request_time) {
917                 *p_request_time = pml->request_time;
918         }
919         if (open_rec != NULL) {
920                 *open_rec = pml->open_rec;
921         }
922         return true;
923 }
924
925 /****************************************************************************
926  Function to push a deferred open smb message onto a linked list of local smb
927  messages ready for processing.
928 ****************************************************************************/
929
930 bool push_deferred_open_message_smb(struct smb_request *req,
931                                struct timeval request_time,
932                                struct timeval timeout,
933                                struct file_id id,
934                                struct deferred_open_record *open_rec)
935 {
936         struct timeval end_time;
937
938         if (req->smb2req) {
939                 return push_deferred_open_message_smb2(req->smb2req,
940                                                 request_time,
941                                                 timeout,
942                                                 id,
943                                                 open_rec);
944         }
945
946         if (req->unread_bytes) {
947                 DEBUG(0,("push_deferred_open_message_smb: logic error ! "
948                         "unread_bytes = %u\n",
949                         (unsigned int)req->unread_bytes ));
950                 smb_panic("push_deferred_open_message_smb: "
951                         "logic error unread_bytes != 0" );
952         }
953
954         end_time = timeval_sum(&request_time, &timeout);
955
956         DEBUG(10,("push_deferred_open_message_smb: pushing message "
957                 "len %u mid %llu timeout time [%u.%06u]\n",
958                 (unsigned int) smb_len(req->inbuf)+4,
959                 (unsigned long long)req->mid,
960                 (unsigned int)end_time.tv_sec,
961                 (unsigned int)end_time.tv_usec));
962
963         return push_queued_message(req, request_time, end_time, open_rec);
964 }
965
966 static void smbd_sig_term_handler(struct tevent_context *ev,
967                                   struct tevent_signal *se,
968                                   int signum,
969                                   int count,
970                                   void *siginfo,
971                                   void *private_data)
972 {
973         exit_server_cleanly("termination signal");
974 }
975
976 static void smbd_setup_sig_term_handler(struct smbd_server_connection *sconn)
977 {
978         struct tevent_signal *se;
979
980         se = tevent_add_signal(sconn->root_ev_ctx,
981                                sconn,
982                                SIGTERM, 0,
983                                smbd_sig_term_handler,
984                                sconn);
985         if (!se) {
986                 exit_server("failed to setup SIGTERM handler");
987         }
988 }
989
990 static void smbd_sig_hup_handler(struct tevent_context *ev,
991                                   struct tevent_signal *se,
992                                   int signum,
993                                   int count,
994                                   void *siginfo,
995                                   void *private_data)
996 {
997         struct smbd_server_connection *sconn =
998                 talloc_get_type_abort(private_data,
999                 struct smbd_server_connection);
1000
1001         DEBUG(1,("Reloading services after SIGHUP\n"));
1002         reload_services(sconn, conn_snum_used, false);
1003 }
1004
1005 static void smbd_setup_sig_hup_handler(struct smbd_server_connection *sconn)
1006 {
1007         struct tevent_signal *se;
1008
1009         se = tevent_add_signal(sconn->root_ev_ctx,
1010                                sconn,
1011                                SIGHUP, 0,
1012                                smbd_sig_hup_handler,
1013                                sconn);
1014         if (!se) {
1015                 exit_server("failed to setup SIGHUP handler");
1016         }
1017 }
1018
1019 static void smbd_conf_updated(struct messaging_context *msg,
1020                               void *private_data,
1021                               uint32_t msg_type,
1022                               struct server_id server_id,
1023                               DATA_BLOB *data)
1024 {
1025         struct smbd_server_connection *sconn =
1026                 talloc_get_type_abort(private_data,
1027                 struct smbd_server_connection);
1028
1029         DEBUG(10,("smbd_conf_updated: Got message saying smb.conf was "
1030                   "updated. Reloading.\n"));
1031         change_to_root_user();
1032         reload_services(sconn, conn_snum_used, false);
1033 }
1034
1035 /*
1036  * Only allow 5 outstanding trans requests. We're allocating memory, so
1037  * prevent a DoS.
1038  */
1039
1040 NTSTATUS allow_new_trans(struct trans_state *list, uint64_t mid)
1041 {
1042         int count = 0;
1043         for (; list != NULL; list = list->next) {
1044
1045                 if (list->mid == mid) {
1046                         return NT_STATUS_INVALID_PARAMETER;
1047                 }
1048
1049                 count += 1;
1050         }
1051         if (count > 5) {
1052                 return NT_STATUS_INSUFFICIENT_RESOURCES;
1053         }
1054
1055         return NT_STATUS_OK;
1056 }
1057
1058 /*
1059 These flags determine some of the permissions required to do an operation 
1060
1061 Note that I don't set NEED_WRITE on some write operations because they
1062 are used by some brain-dead clients when printing, and I don't want to
1063 force write permissions on print services.
1064 */
1065 #define AS_USER (1<<0)
1066 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
1067 #define TIME_INIT (1<<2)
1068 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
1069 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
1070 #define DO_CHDIR (1<<6)
1071
1072 /* 
1073    define a list of possible SMB messages and their corresponding
1074    functions. Any message that has a NULL function is unimplemented -
1075    please feel free to contribute implementations!
1076 */
1077 static const struct smb_message_struct {
1078         const char *name;
1079         void (*fn)(struct smb_request *req);
1080         int flags;
1081 } smb_messages[256] = {
1082
1083 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
1084 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
1085 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
1086 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
1087 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
1088 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
1089 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
1090 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
1091 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
1092 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
1093 /* 0x0a */ { "SMBread",reply_read,AS_USER},
1094 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
1095 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
1096 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
1097 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
1098 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
1099 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
1100 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
1101 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
1102 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
1103 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
1104 /* 0x15 */ { NULL, NULL, 0 },
1105 /* 0x16 */ { NULL, NULL, 0 },
1106 /* 0x17 */ { NULL, NULL, 0 },
1107 /* 0x18 */ { NULL, NULL, 0 },
1108 /* 0x19 */ { NULL, NULL, 0 },
1109 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
1110 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
1111 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
1112 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
1113 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
1114 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
1115 /* 0x20 */ { "SMBwritec", NULL,0},
1116 /* 0x21 */ { NULL, NULL, 0 },
1117 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
1118 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
1119 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
1120 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
1121 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
1122 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
1123 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
1124 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
1125 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
1126 /* 0x2b */ { "SMBecho",reply_echo,0},
1127 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
1128 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
1129 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
1130 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
1131 /* 0x30 */ { NULL, NULL, 0 },
1132 /* 0x31 */ { NULL, NULL, 0 },
1133 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
1134 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
1135 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
1136 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
1137 /* 0x36 */ { NULL, NULL, 0 },
1138 /* 0x37 */ { NULL, NULL, 0 },
1139 /* 0x38 */ { NULL, NULL, 0 },
1140 /* 0x39 */ { NULL, NULL, 0 },
1141 /* 0x3a */ { NULL, NULL, 0 },
1142 /* 0x3b */ { NULL, NULL, 0 },
1143 /* 0x3c */ { NULL, NULL, 0 },
1144 /* 0x3d */ { NULL, NULL, 0 },
1145 /* 0x3e */ { NULL, NULL, 0 },
1146 /* 0x3f */ { NULL, NULL, 0 },
1147 /* 0x40 */ { NULL, NULL, 0 },
1148 /* 0x41 */ { NULL, NULL, 0 },
1149 /* 0x42 */ { NULL, NULL, 0 },
1150 /* 0x43 */ { NULL, NULL, 0 },
1151 /* 0x44 */ { NULL, NULL, 0 },
1152 /* 0x45 */ { NULL, NULL, 0 },
1153 /* 0x46 */ { NULL, NULL, 0 },
1154 /* 0x47 */ { NULL, NULL, 0 },
1155 /* 0x48 */ { NULL, NULL, 0 },
1156 /* 0x49 */ { NULL, NULL, 0 },
1157 /* 0x4a */ { NULL, NULL, 0 },
1158 /* 0x4b */ { NULL, NULL, 0 },
1159 /* 0x4c */ { NULL, NULL, 0 },
1160 /* 0x4d */ { NULL, NULL, 0 },
1161 /* 0x4e */ { NULL, NULL, 0 },
1162 /* 0x4f */ { NULL, NULL, 0 },
1163 /* 0x50 */ { NULL, NULL, 0 },
1164 /* 0x51 */ { NULL, NULL, 0 },
1165 /* 0x52 */ { NULL, NULL, 0 },
1166 /* 0x53 */ { NULL, NULL, 0 },
1167 /* 0x54 */ { NULL, NULL, 0 },
1168 /* 0x55 */ { NULL, NULL, 0 },
1169 /* 0x56 */ { NULL, NULL, 0 },
1170 /* 0x57 */ { NULL, NULL, 0 },
1171 /* 0x58 */ { NULL, NULL, 0 },
1172 /* 0x59 */ { NULL, NULL, 0 },
1173 /* 0x5a */ { NULL, NULL, 0 },
1174 /* 0x5b */ { NULL, NULL, 0 },
1175 /* 0x5c */ { NULL, NULL, 0 },
1176 /* 0x5d */ { NULL, NULL, 0 },
1177 /* 0x5e */ { NULL, NULL, 0 },
1178 /* 0x5f */ { NULL, NULL, 0 },
1179 /* 0x60 */ { NULL, NULL, 0 },
1180 /* 0x61 */ { NULL, NULL, 0 },
1181 /* 0x62 */ { NULL, NULL, 0 },
1182 /* 0x63 */ { NULL, NULL, 0 },
1183 /* 0x64 */ { NULL, NULL, 0 },
1184 /* 0x65 */ { NULL, NULL, 0 },
1185 /* 0x66 */ { NULL, NULL, 0 },
1186 /* 0x67 */ { NULL, NULL, 0 },
1187 /* 0x68 */ { NULL, NULL, 0 },
1188 /* 0x69 */ { NULL, NULL, 0 },
1189 /* 0x6a */ { NULL, NULL, 0 },
1190 /* 0x6b */ { NULL, NULL, 0 },
1191 /* 0x6c */ { NULL, NULL, 0 },
1192 /* 0x6d */ { NULL, NULL, 0 },
1193 /* 0x6e */ { NULL, NULL, 0 },
1194 /* 0x6f */ { NULL, NULL, 0 },
1195 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1196 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1197 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1198 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1199 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1200 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1201 /* 0x76 */ { NULL, NULL, 0 },
1202 /* 0x77 */ { NULL, NULL, 0 },
1203 /* 0x78 */ { NULL, NULL, 0 },
1204 /* 0x79 */ { NULL, NULL, 0 },
1205 /* 0x7a */ { NULL, NULL, 0 },
1206 /* 0x7b */ { NULL, NULL, 0 },
1207 /* 0x7c */ { NULL, NULL, 0 },
1208 /* 0x7d */ { NULL, NULL, 0 },
1209 /* 0x7e */ { NULL, NULL, 0 },
1210 /* 0x7f */ { NULL, NULL, 0 },
1211 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1212 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1213 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1214 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1215 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1216 /* 0x85 */ { NULL, NULL, 0 },
1217 /* 0x86 */ { NULL, NULL, 0 },
1218 /* 0x87 */ { NULL, NULL, 0 },
1219 /* 0x88 */ { NULL, NULL, 0 },
1220 /* 0x89 */ { NULL, NULL, 0 },
1221 /* 0x8a */ { NULL, NULL, 0 },
1222 /* 0x8b */ { NULL, NULL, 0 },
1223 /* 0x8c */ { NULL, NULL, 0 },
1224 /* 0x8d */ { NULL, NULL, 0 },
1225 /* 0x8e */ { NULL, NULL, 0 },
1226 /* 0x8f */ { NULL, NULL, 0 },
1227 /* 0x90 */ { NULL, NULL, 0 },
1228 /* 0x91 */ { NULL, NULL, 0 },
1229 /* 0x92 */ { NULL, NULL, 0 },
1230 /* 0x93 */ { NULL, NULL, 0 },
1231 /* 0x94 */ { NULL, NULL, 0 },
1232 /* 0x95 */ { NULL, NULL, 0 },
1233 /* 0x96 */ { NULL, NULL, 0 },
1234 /* 0x97 */ { NULL, NULL, 0 },
1235 /* 0x98 */ { NULL, NULL, 0 },
1236 /* 0x99 */ { NULL, NULL, 0 },
1237 /* 0x9a */ { NULL, NULL, 0 },
1238 /* 0x9b */ { NULL, NULL, 0 },
1239 /* 0x9c */ { NULL, NULL, 0 },
1240 /* 0x9d */ { NULL, NULL, 0 },
1241 /* 0x9e */ { NULL, NULL, 0 },
1242 /* 0x9f */ { NULL, NULL, 0 },
1243 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1244 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1245 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1246 /* 0xa3 */ { NULL, NULL, 0 },
1247 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1248 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1249 /* 0xa6 */ { NULL, NULL, 0 },
1250 /* 0xa7 */ { NULL, NULL, 0 },
1251 /* 0xa8 */ { NULL, NULL, 0 },
1252 /* 0xa9 */ { NULL, NULL, 0 },
1253 /* 0xaa */ { NULL, NULL, 0 },
1254 /* 0xab */ { NULL, NULL, 0 },
1255 /* 0xac */ { NULL, NULL, 0 },
1256 /* 0xad */ { NULL, NULL, 0 },
1257 /* 0xae */ { NULL, NULL, 0 },
1258 /* 0xaf */ { NULL, NULL, 0 },
1259 /* 0xb0 */ { NULL, NULL, 0 },
1260 /* 0xb1 */ { NULL, NULL, 0 },
1261 /* 0xb2 */ { NULL, NULL, 0 },
1262 /* 0xb3 */ { NULL, NULL, 0 },
1263 /* 0xb4 */ { NULL, NULL, 0 },
1264 /* 0xb5 */ { NULL, NULL, 0 },
1265 /* 0xb6 */ { NULL, NULL, 0 },
1266 /* 0xb7 */ { NULL, NULL, 0 },
1267 /* 0xb8 */ { NULL, NULL, 0 },
1268 /* 0xb9 */ { NULL, NULL, 0 },
1269 /* 0xba */ { NULL, NULL, 0 },
1270 /* 0xbb */ { NULL, NULL, 0 },
1271 /* 0xbc */ { NULL, NULL, 0 },
1272 /* 0xbd */ { NULL, NULL, 0 },
1273 /* 0xbe */ { NULL, NULL, 0 },
1274 /* 0xbf */ { NULL, NULL, 0 },
1275 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1276 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1277 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1278 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1279 /* 0xc4 */ { NULL, NULL, 0 },
1280 /* 0xc5 */ { NULL, NULL, 0 },
1281 /* 0xc6 */ { NULL, NULL, 0 },
1282 /* 0xc7 */ { NULL, NULL, 0 },
1283 /* 0xc8 */ { NULL, NULL, 0 },
1284 /* 0xc9 */ { NULL, NULL, 0 },
1285 /* 0xca */ { NULL, NULL, 0 },
1286 /* 0xcb */ { NULL, NULL, 0 },
1287 /* 0xcc */ { NULL, NULL, 0 },
1288 /* 0xcd */ { NULL, NULL, 0 },
1289 /* 0xce */ { NULL, NULL, 0 },
1290 /* 0xcf */ { NULL, NULL, 0 },
1291 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1292 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1293 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1294 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1295 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1296 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1297 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1298 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1299 /* 0xd8 */ { NULL, NULL, 0 },
1300 /* 0xd9 */ { NULL, NULL, 0 },
1301 /* 0xda */ { NULL, NULL, 0 },
1302 /* 0xdb */ { NULL, NULL, 0 },
1303 /* 0xdc */ { NULL, NULL, 0 },
1304 /* 0xdd */ { NULL, NULL, 0 },
1305 /* 0xde */ { NULL, NULL, 0 },
1306 /* 0xdf */ { NULL, NULL, 0 },
1307 /* 0xe0 */ { NULL, NULL, 0 },
1308 /* 0xe1 */ { NULL, NULL, 0 },
1309 /* 0xe2 */ { NULL, NULL, 0 },
1310 /* 0xe3 */ { NULL, NULL, 0 },
1311 /* 0xe4 */ { NULL, NULL, 0 },
1312 /* 0xe5 */ { NULL, NULL, 0 },
1313 /* 0xe6 */ { NULL, NULL, 0 },
1314 /* 0xe7 */ { NULL, NULL, 0 },
1315 /* 0xe8 */ { NULL, NULL, 0 },
1316 /* 0xe9 */ { NULL, NULL, 0 },
1317 /* 0xea */ { NULL, NULL, 0 },
1318 /* 0xeb */ { NULL, NULL, 0 },
1319 /* 0xec */ { NULL, NULL, 0 },
1320 /* 0xed */ { NULL, NULL, 0 },
1321 /* 0xee */ { NULL, NULL, 0 },
1322 /* 0xef */ { NULL, NULL, 0 },
1323 /* 0xf0 */ { NULL, NULL, 0 },
1324 /* 0xf1 */ { NULL, NULL, 0 },
1325 /* 0xf2 */ { NULL, NULL, 0 },
1326 /* 0xf3 */ { NULL, NULL, 0 },
1327 /* 0xf4 */ { NULL, NULL, 0 },
1328 /* 0xf5 */ { NULL, NULL, 0 },
1329 /* 0xf6 */ { NULL, NULL, 0 },
1330 /* 0xf7 */ { NULL, NULL, 0 },
1331 /* 0xf8 */ { NULL, NULL, 0 },
1332 /* 0xf9 */ { NULL, NULL, 0 },
1333 /* 0xfa */ { NULL, NULL, 0 },
1334 /* 0xfb */ { NULL, NULL, 0 },
1335 /* 0xfc */ { NULL, NULL, 0 },
1336 /* 0xfd */ { NULL, NULL, 0 },
1337 /* 0xfe */ { NULL, NULL, 0 },
1338 /* 0xff */ { NULL, NULL, 0 }
1339
1340 };
1341
1342 /*******************************************************************
1343  allocate and initialize a reply packet
1344 ********************************************************************/
1345
1346 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1347                           const uint8_t *inbuf, char **outbuf,
1348                           uint8_t num_words, uint32_t num_bytes)
1349 {
1350         size_t smb_len = MIN_SMB_SIZE + VWV(num_words) + num_bytes;
1351
1352         /*
1353          * Protect against integer wrap.
1354          * The SMB layer reply can be up to 0xFFFFFF bytes.
1355          */
1356         if ((num_bytes > 0xffffff) || (smb_len > 0xffffff)) {
1357                 char *msg;
1358                 if (asprintf(&msg, "num_bytes too large: %u",
1359                              (unsigned)num_bytes) == -1) {
1360                         msg = discard_const_p(char, "num_bytes too large");
1361                 }
1362                 smb_panic(msg);
1363         }
1364
1365         /*
1366          * Here we include the NBT header for now.
1367          */
1368         *outbuf = talloc_array(mem_ctx, char,
1369                                NBT_HDR_SIZE + smb_len);
1370         if (*outbuf == NULL) {
1371                 return false;
1372         }
1373
1374         construct_reply_common(req->cmd, inbuf, *outbuf);
1375         srv_set_message(*outbuf, num_words, num_bytes, false);
1376         /*
1377          * Zero out the word area, the caller has to take care of the bcc area
1378          * himself
1379          */
1380         if (num_words != 0) {
1381                 memset(*outbuf + (NBT_HDR_SIZE + HDR_VWV), 0, VWV(num_words));
1382         }
1383
1384         return true;
1385 }
1386
1387 void reply_outbuf(struct smb_request *req, uint8_t num_words, uint32_t num_bytes)
1388 {
1389         char *outbuf;
1390         if (!create_outbuf(req, req, req->inbuf, &outbuf, num_words,
1391                            num_bytes)) {
1392                 smb_panic("could not allocate output buffer\n");
1393         }
1394         req->outbuf = (uint8_t *)outbuf;
1395 }
1396
1397
1398 /*******************************************************************
1399  Dump a packet to a file.
1400 ********************************************************************/
1401
1402 static void smb_dump(const char *name, int type, const char *data)
1403 {
1404         size_t len;
1405         int fd, i;
1406         char *fname = NULL;
1407         if (DEBUGLEVEL < 50) {
1408                 return;
1409         }
1410
1411         len = smb_len_tcp(data)+4;
1412         for (i=1;i<100;i++) {
1413                 fname = talloc_asprintf(talloc_tos(),
1414                                 "/tmp/%s.%d.%s",
1415                                 name,
1416                                 i,
1417                                 type ? "req" : "resp");
1418                 if (fname == NULL) {
1419                         return;
1420                 }
1421                 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1422                 if (fd != -1 || errno != EEXIST) break;
1423                 TALLOC_FREE(fname);
1424         }
1425         if (fd != -1) {
1426                 ssize_t ret = write(fd, data, len);
1427                 if (ret != len)
1428                         DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1429                 close(fd);
1430                 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1431         }
1432         TALLOC_FREE(fname);
1433 }
1434
1435 static void smb1srv_update_crypto_flags(struct smbXsrv_session *session,
1436                                         struct smb_request *req,
1437                                         uint8_t type,
1438                                         bool *update_session_globalp,
1439                                         bool *update_tcon_globalp)
1440 {
1441         connection_struct *conn = req->conn;
1442         struct smbXsrv_tcon *tcon = conn ? conn->tcon : NULL;
1443         uint8_t encrypt_flag = SMBXSRV_PROCESSED_UNENCRYPTED_PACKET;
1444         uint8_t sign_flag = SMBXSRV_PROCESSED_UNSIGNED_PACKET;
1445         bool update_session = false;
1446         bool update_tcon = false;
1447
1448         if (req->encrypted) {
1449                 encrypt_flag = SMBXSRV_PROCESSED_ENCRYPTED_PACKET;
1450         }
1451
1452         if (srv_is_signing_active(req->xconn)) {
1453                 sign_flag = SMBXSRV_PROCESSED_SIGNED_PACKET;
1454         } else if ((type == SMBecho) || (type == SMBsesssetupX)) {
1455                 /*
1456                  * echo can be unsigned. Sesssion setup except final
1457                  * session setup response too
1458                  */
1459                 sign_flag &= ~SMBXSRV_PROCESSED_UNSIGNED_PACKET;
1460         }
1461
1462         update_session |= smbXsrv_set_crypto_flag(
1463                 &session->global->encryption_flags, encrypt_flag);
1464         update_session |= smbXsrv_set_crypto_flag(
1465                 &session->global->signing_flags, sign_flag);
1466
1467         if (tcon) {
1468                 update_tcon |= smbXsrv_set_crypto_flag(
1469                         &tcon->global->encryption_flags, encrypt_flag);
1470                 update_tcon |= smbXsrv_set_crypto_flag(
1471                         &tcon->global->signing_flags, sign_flag);
1472         }
1473
1474         if (update_session) {
1475                 session->global->channels[0].encryption_cipher = SMB_ENCRYPTION_GSSAPI;
1476         }
1477
1478         *update_session_globalp = update_session;
1479         *update_tcon_globalp = update_tcon;
1480         return;
1481 }
1482
1483 /****************************************************************************
1484  Prepare everything for calling the actual request function, and potentially
1485  call the request function via the "new" interface.
1486
1487  Return False if the "legacy" function needs to be called, everything is
1488  prepared.
1489
1490  Return True if we're done.
1491
1492  I know this API sucks, but it is the one with the least code change I could
1493  find.
1494 ****************************************************************************/
1495
1496 static connection_struct *switch_message(uint8_t type, struct smb_request *req)
1497 {
1498         int flags;
1499         uint64_t session_tag;
1500         connection_struct *conn = NULL;
1501         struct smbXsrv_connection *xconn = req->xconn;
1502         NTTIME now = timeval_to_nttime(&req->request_time);
1503         struct smbXsrv_session *session = NULL;
1504         NTSTATUS status;
1505
1506         errno = 0;
1507
1508         req->ev_ctx = NULL;
1509
1510         if (!xconn->smb1.negprot.done) {
1511                 switch (type) {
1512                         /*
1513                          * Without a negprot the request must
1514                          * either be a negprot, or one of the
1515                          * evil old SMB mailslot messaging types.
1516                          */
1517                         case SMBnegprot:
1518                         case SMBsendstrt:
1519                         case SMBsendend:
1520                         case SMBsendtxt:
1521                                 break;
1522                         default:
1523                                 exit_server_cleanly("The first request "
1524                                         "should be a negprot");
1525                 }
1526         }
1527
1528         if (smb_messages[type].fn == NULL) {
1529                 DEBUG(0,("Unknown message type %d!\n",type));
1530                 smb_dump("Unknown", 1, (const char *)req->inbuf);
1531                 reply_unknown_new(req, type);
1532                 return NULL;
1533         }
1534
1535         flags = smb_messages[type].flags;
1536
1537         /* In share mode security we must ignore the vuid. */
1538         session_tag = req->vuid;
1539         conn = req->conn;
1540
1541         DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1542                  (int)getpid(), (unsigned long)conn));
1543
1544         smb_dump(smb_fn_name(type), 1, (const char *)req->inbuf);
1545
1546         /* Ensure this value is replaced in the incoming packet. */
1547         SSVAL(discard_const_p(uint8_t, req->inbuf),smb_uid,session_tag);
1548
1549         /*
1550          * Ensure the correct username is in current_user_info.  This is a
1551          * really ugly bugfix for problems with multiple session_setup_and_X's
1552          * being done and allowing %U and %G substitutions to work correctly.
1553          * There is a reason this code is done here, don't move it unless you
1554          * know what you're doing... :-).
1555          * JRA.
1556          */
1557
1558         /*
1559          * lookup an existing session
1560          *
1561          * Note: for now we only check for NT_STATUS_NETWORK_SESSION_EXPIRED
1562          * here, the main check is still in change_to_user()
1563          */
1564         status = smb1srv_session_lookup(xconn,
1565                                         session_tag,
1566                                         now,
1567                                         &session);
1568         if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
1569                 switch (type) {
1570                 case SMBsesssetupX:
1571                         status = NT_STATUS_OK;
1572                         break;
1573                 default:
1574                         DEBUG(1,("Error: session %llu is expired, mid=%llu.\n",
1575                                  (unsigned long long)session_tag,
1576                                  (unsigned long long)req->mid));
1577                         reply_nterror(req, NT_STATUS_NETWORK_SESSION_EXPIRED);
1578                         return conn;
1579                 }
1580         }
1581
1582         if (session != NULL && !(flags & AS_USER)) {
1583                 struct user_struct *vuser = session->compat;
1584
1585                 /*
1586                  * change_to_user() implies set_current_user_info()
1587                  * and chdir_connect_service().
1588                  *
1589                  * So we only call set_current_user_info if
1590                  * we don't have AS_USER specified.
1591                  */
1592                 if (vuser) {
1593                         set_current_user_info(
1594                                 vuser->session_info->unix_info->sanitized_username,
1595                                 vuser->session_info->unix_info->unix_name,
1596                                 vuser->session_info->info->domain_name);
1597                 }
1598         }
1599
1600         /* Does this call need to be run as the connected user? */
1601         if (flags & AS_USER) {
1602
1603                 /* Does this call need a valid tree connection? */
1604                 if (!conn) {
1605                         /*
1606                          * Amazingly, the error code depends on the command
1607                          * (from Samba4).
1608                          */
1609                         if (type == SMBntcreateX) {
1610                                 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1611                         } else {
1612                                 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1613                         }
1614                         return NULL;
1615                 }
1616
1617                 set_current_case_sensitive(conn, SVAL(req->inbuf,smb_flg));
1618
1619                 /*
1620                  * change_to_user() implies set_current_user_info()
1621                  * and chdir_connect_service().
1622                  */
1623                 if (!change_to_user(conn,session_tag)) {
1624                         DEBUG(0, ("Error: Could not change to user. Removing "
1625                                 "deferred open, mid=%llu.\n",
1626                                 (unsigned long long)req->mid));
1627                         reply_force_doserror(req, ERRSRV, ERRbaduid);
1628                         return conn;
1629                 }
1630
1631                 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1632
1633                 /* Does it need write permission? */
1634                 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1635                         reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1636                         return conn;
1637                 }
1638
1639                 /* IPC services are limited */
1640                 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1641                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1642                         return conn;
1643                 }
1644
1645                 req->ev_ctx = conn->user_ev_ctx;
1646         } else if (flags & AS_GUEST) {
1647                 /*
1648                  * Does this protocol need to be run as guest? (Only archane
1649                  * messenger service requests have this...)
1650                  */
1651                 if (!change_to_guest()) {
1652                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1653                         return conn;
1654                 }
1655
1656                 req->ev_ctx = req->sconn->guest_ev_ctx;
1657         } else {
1658                 /* This call needs to be run as root */
1659                 change_to_root_user();
1660
1661                 req->ev_ctx = req->sconn->root_ev_ctx;
1662         }
1663
1664         /* load service specific parameters */
1665         if (conn) {
1666                 if (req->encrypted) {
1667                         conn->encrypted_tid = true;
1668                         /* encrypted required from now on. */
1669                         conn->encrypt_level = SMB_SIGNING_REQUIRED;
1670                 } else if (ENCRYPTION_REQUIRED(conn)) {
1671                         if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1672                                 DEBUG(1,("service[%s] requires encryption"
1673                                         "%s ACCESS_DENIED. mid=%llu\n",
1674                                         lp_servicename(talloc_tos(), SNUM(conn)),
1675                                         smb_fn_name(type),
1676                                         (unsigned long long)req->mid));
1677                                 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1678                                 return conn;
1679                         }
1680                 }
1681
1682                 if (flags & DO_CHDIR) {
1683                         bool ok;
1684
1685                         ok = chdir_current_service(conn);
1686                         if (!ok) {
1687                                 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1688                                 return conn;
1689                         }
1690                 }
1691                 conn->num_smb_operations++;
1692         }
1693
1694         /*
1695          * Update encryption and signing state tracking flags that are
1696          * used by smbstatus to display signing and encryption status.
1697          */
1698         if (session != NULL) {
1699                 bool update_session_global = false;
1700                 bool update_tcon_global = false;
1701
1702                 smb1srv_update_crypto_flags(session, req, type,
1703                                             &update_session_global,
1704                                             &update_tcon_global);
1705
1706                 if (update_session_global) {
1707                         status = smbXsrv_session_update(session);
1708                         if (!NT_STATUS_IS_OK(status)) {
1709                                 reply_nterror(req, NT_STATUS_UNSUCCESSFUL);
1710                                 return conn;
1711                         }
1712                 }
1713
1714                 if (update_tcon_global) {
1715                         status = smbXsrv_tcon_update(req->conn->tcon);
1716                         if (!NT_STATUS_IS_OK(status)) {
1717                                 reply_nterror(req, NT_STATUS_UNSUCCESSFUL);
1718                                 return conn;
1719                         }
1720                 }
1721         }
1722
1723         smb_messages[type].fn(req);
1724         return req->conn;
1725 }
1726
1727 /****************************************************************************
1728  Construct a reply to the incoming packet.
1729 ****************************************************************************/
1730
1731 static void construct_reply(struct smbXsrv_connection *xconn,
1732                             char *inbuf, int size, size_t unread_bytes,
1733                             uint32_t seqnum, bool encrypted,
1734                             struct smb_perfcount_data *deferred_pcd)
1735 {
1736         struct smbd_server_connection *sconn = xconn->client->sconn;
1737         struct smb_request *req;
1738
1739         if (!(req = talloc(talloc_tos(), struct smb_request))) {
1740                 smb_panic("could not allocate smb_request");
1741         }
1742
1743         if (!init_smb_request(req, sconn, xconn, (uint8_t *)inbuf, unread_bytes,
1744                               encrypted, seqnum)) {
1745                 exit_server_cleanly("Invalid SMB request");
1746         }
1747
1748         req->inbuf  = (uint8_t *)talloc_move(req, &inbuf);
1749
1750         /* we popped this message off the queue - keep original perf data */
1751         if (deferred_pcd)
1752                 req->pcd = *deferred_pcd;
1753         else {
1754                 SMB_PERFCOUNT_START(&req->pcd);
1755                 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1756                 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1757         }
1758
1759         req->conn = switch_message(req->cmd, req);
1760
1761         if (req->outbuf == NULL) {
1762                 /*
1763                  * Request has suspended itself, will come
1764                  * back here.
1765                  */
1766                 return;
1767         }
1768         if (CVAL(req->outbuf,0) == 0) {
1769                 show_msg((char *)req->outbuf);
1770         }
1771         smb_request_done(req);
1772 }
1773
1774 static void construct_reply_chain(struct smbXsrv_connection *xconn,
1775                                   char *inbuf, int size, uint32_t seqnum,
1776                                   bool encrypted,
1777                                   struct smb_perfcount_data *deferred_pcd)
1778 {
1779         struct smb_request **reqs = NULL;
1780         struct smb_request *req;
1781         unsigned num_reqs;
1782         bool ok;
1783
1784         ok = smb1_parse_chain(xconn, (uint8_t *)inbuf, xconn, encrypted,
1785                               seqnum, &reqs, &num_reqs);
1786         if (!ok) {
1787                 char errbuf[smb_size];
1788                 error_packet(errbuf, 0, 0, NT_STATUS_INVALID_PARAMETER,
1789                              __LINE__, __FILE__);
1790                 if (!srv_send_smb(xconn, errbuf, true, seqnum, encrypted,
1791                                   NULL)) {
1792                         exit_server_cleanly("construct_reply_chain: "
1793                                             "srv_send_smb failed.");
1794                 }
1795                 return;
1796         }
1797
1798         req = reqs[0];
1799         req->inbuf = (uint8_t *)talloc_move(reqs, &inbuf);
1800
1801         req->conn = switch_message(req->cmd, req);
1802
1803         if (req->outbuf == NULL) {
1804                 /*
1805                  * Request has suspended itself, will come
1806                  * back here.
1807                  */
1808                 return;
1809         }
1810         smb_request_done(req);
1811 }
1812
1813 /*
1814  * To be called from an async SMB handler that is potentially chained
1815  * when it is finished for shipping.
1816  */
1817
1818 void smb_request_done(struct smb_request *req)
1819 {
1820         struct smb_request **reqs = NULL;
1821         struct smb_request *first_req;
1822         size_t i, num_reqs, next_index;
1823         NTSTATUS status;
1824
1825         if (req->chain == NULL) {
1826                 first_req = req;
1827                 goto shipit;
1828         }
1829
1830         reqs = req->chain;
1831         num_reqs = talloc_array_length(reqs);
1832
1833         for (i=0; i<num_reqs; i++) {
1834                 if (reqs[i] == req) {
1835                         break;
1836                 }
1837         }
1838         if (i == num_reqs) {
1839                 /*
1840                  * Invalid chain, should not happen
1841                  */
1842                 status = NT_STATUS_INTERNAL_ERROR;
1843                 goto error;
1844         }
1845         next_index = i+1;
1846
1847         while ((next_index < num_reqs) && (IVAL(req->outbuf, smb_rcls) == 0)) {
1848                 struct smb_request *next = reqs[next_index];
1849                 struct smbXsrv_tcon *tcon;
1850                 NTTIME now = timeval_to_nttime(&req->request_time);
1851
1852                 next->vuid = SVAL(req->outbuf, smb_uid);
1853                 next->tid  = SVAL(req->outbuf, smb_tid);
1854                 status = smb1srv_tcon_lookup(req->xconn, next->tid,
1855                                              now, &tcon);
1856
1857                 if (NT_STATUS_IS_OK(status)) {
1858                         next->conn = tcon->compat;
1859                 } else {
1860                         next->conn = NULL;
1861                 }
1862                 next->chain_fsp = req->chain_fsp;
1863                 next->inbuf = req->inbuf;
1864
1865                 req = next;
1866                 req->conn = switch_message(req->cmd, req);
1867
1868                 if (req->outbuf == NULL) {
1869                         /*
1870                          * Request has suspended itself, will come
1871                          * back here.
1872                          */
1873                         return;
1874                 }
1875                 next_index += 1;
1876         }
1877
1878         first_req = reqs[0];
1879
1880         for (i=1; i<next_index; i++) {
1881                 bool ok;
1882
1883                 ok = smb_splice_chain(&first_req->outbuf, reqs[i]->outbuf);
1884                 if (!ok) {
1885                         status = NT_STATUS_INTERNAL_ERROR;
1886                         goto error;
1887                 }
1888         }
1889
1890         SSVAL(first_req->outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
1891         SSVAL(first_req->outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
1892
1893         /*
1894          * This scary statement intends to set the
1895          * FLAGS2_32_BIT_ERROR_CODES flg2 field in first_req->outbuf
1896          * to the value last_req->outbuf carries
1897          */
1898         SSVAL(first_req->outbuf, smb_flg2,
1899               (SVAL(first_req->outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
1900               |(SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
1901
1902         /*
1903          * Transfer the error codes from the subrequest to the main one
1904          */
1905         SSVAL(first_req->outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
1906         SSVAL(first_req->outbuf, smb_err,  SVAL(req->outbuf, smb_err));
1907
1908         _smb_setlen_large(
1909                 first_req->outbuf, talloc_get_size(first_req->outbuf) - 4);
1910
1911 shipit:
1912         if (!srv_send_smb(first_req->xconn,
1913                           (char *)first_req->outbuf,
1914                           true, first_req->seqnum+1,
1915                           IS_CONN_ENCRYPTED(req->conn)||first_req->encrypted,
1916                           &first_req->pcd)) {
1917                 exit_server_cleanly("construct_reply_chain: srv_send_smb "
1918                                     "failed.");
1919         }
1920         TALLOC_FREE(req);       /* non-chained case */
1921         TALLOC_FREE(reqs);      /* chained case */
1922         return;
1923
1924 error:
1925         {
1926                 char errbuf[smb_size];
1927                 error_packet(errbuf, 0, 0, status, __LINE__, __FILE__);
1928                 if (!srv_send_smb(req->xconn, errbuf, true,
1929                                   req->seqnum+1, req->encrypted,
1930                                   NULL)) {
1931                         exit_server_cleanly("construct_reply_chain: "
1932                                             "srv_send_smb failed.");
1933                 }
1934         }
1935         TALLOC_FREE(req);       /* non-chained case */
1936         TALLOC_FREE(reqs);      /* chained case */
1937 }
1938
1939 /****************************************************************************
1940  Process an smb from the client
1941 ****************************************************************************/
1942 static void process_smb(struct smbXsrv_connection *xconn,
1943                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
1944                         uint32_t seqnum, bool encrypted,
1945                         struct smb_perfcount_data *deferred_pcd)
1946 {
1947         struct smbd_server_connection *sconn = xconn->client->sconn;
1948         int msg_type = CVAL(inbuf,0);
1949
1950         DO_PROFILE_INC(request);
1951
1952         DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1953                     smb_len(inbuf) ) );
1954         DEBUG(3, ("Transaction %d of length %d (%u toread)\n",
1955                   sconn->trans_num, (int)nread, (unsigned int)unread_bytes));
1956
1957         if (msg_type != NBSSmessage) {
1958                 /*
1959                  * NetBIOS session request, keepalive, etc.
1960                  */
1961                 reply_special(xconn, (char *)inbuf, nread);
1962                 goto done;
1963         }
1964
1965         if (sconn->using_smb2) {
1966                 /* At this point we're not really using smb2,
1967                  * we make the decision here.. */
1968                 if (smbd_is_smb2_header(inbuf, nread)) {
1969                         const uint8_t *inpdu = inbuf + NBT_HDR_SIZE;
1970                         size_t pdulen = nread - NBT_HDR_SIZE;
1971                         smbd_smb2_process_negprot(xconn, 0, inpdu, pdulen);
1972                         return;
1973                 }
1974                 if (nread >= smb_size && valid_smb_header(inbuf)
1975                                 && CVAL(inbuf, smb_com) != 0x72) {
1976                         /* This is a non-negprot SMB1 packet.
1977                            Disable SMB2 from now on. */
1978                         sconn->using_smb2 = false;
1979                 }
1980         }
1981
1982         /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1983          * so subtract 4 from it. */
1984         if ((nread < (smb_size - 4)) || !valid_smb_header(inbuf)) {
1985                 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1986                          smb_len(inbuf)));
1987
1988                 /* special magic for immediate exit */
1989                 if ((nread == 9) &&
1990                     (IVAL(inbuf, 4) == 0x74697865) &&
1991                     lp_parm_bool(-1, "smbd", "suicide mode", false)) {
1992                         uint8_t exitcode = CVAL(inbuf, 8);
1993                         DEBUG(1, ("Exiting immediately with code %d\n",
1994                                   (int)exitcode));
1995                         exit(exitcode);
1996                 }
1997
1998                 exit_server_cleanly("Non-SMB packet");
1999         }
2000
2001         show_msg((char *)inbuf);
2002
2003         if ((unread_bytes == 0) && smb1_is_chain(inbuf)) {
2004                 construct_reply_chain(xconn, (char *)inbuf, nread,
2005                                       seqnum, encrypted, deferred_pcd);
2006         } else {
2007                 construct_reply(xconn, (char *)inbuf, nread, unread_bytes,
2008                                 seqnum, encrypted, deferred_pcd);
2009         }
2010
2011         sconn->trans_num++;
2012
2013 done:
2014         sconn->num_requests++;
2015
2016         /* The timeout_processing function isn't run nearly
2017            often enough to implement 'max log size' without
2018            overrunning the size of the file by many megabytes.
2019            This is especially true if we are running at debug
2020            level 10.  Checking every 50 SMBs is a nice
2021            tradeoff of performance vs log file size overrun. */
2022
2023         if ((sconn->num_requests % 50) == 0 &&
2024             need_to_check_log_size()) {
2025                 change_to_root_user();
2026                 check_log_size();
2027         }
2028 }
2029
2030 /****************************************************************************
2031  Return a string containing the function name of a SMB command.
2032 ****************************************************************************/
2033
2034 const char *smb_fn_name(int type)
2035 {
2036         const char *unknown_name = "SMBunknown";
2037
2038         if (smb_messages[type].name == NULL)
2039                 return(unknown_name);
2040
2041         return(smb_messages[type].name);
2042 }
2043
2044 /****************************************************************************
2045  Helper functions for contruct_reply.
2046 ****************************************************************************/
2047
2048 void add_to_common_flags2(uint32_t v)
2049 {
2050         common_flags2 |= v;
2051 }
2052
2053 void remove_from_common_flags2(uint32_t v)
2054 {
2055         common_flags2 &= ~v;
2056 }
2057
2058 static void construct_reply_common(uint8_t cmd, const uint8_t *inbuf,
2059                                    char *outbuf)
2060 {
2061         uint16_t in_flags2 = SVAL(inbuf,smb_flg2);
2062         uint16_t out_flags2 = common_flags2;
2063
2064         out_flags2 |= in_flags2 & FLAGS2_UNICODE_STRINGS;
2065         out_flags2 |= in_flags2 & FLAGS2_SMB_SECURITY_SIGNATURES;
2066         out_flags2 |= in_flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED;
2067
2068         srv_set_message(outbuf,0,0,false);
2069
2070         SCVAL(outbuf, smb_com, cmd);
2071         SIVAL(outbuf,smb_rcls,0);
2072         SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); 
2073         SSVAL(outbuf,smb_flg2, out_flags2);
2074         memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
2075         memcpy(outbuf+smb_ss_field, inbuf+smb_ss_field, 8);
2076
2077         SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
2078         SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
2079         SSVAL(outbuf,smb_pidhigh,SVAL(inbuf,smb_pidhigh));
2080         SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
2081         SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
2082 }
2083
2084 void construct_reply_common_req(struct smb_request *req, char *outbuf)
2085 {
2086         construct_reply_common(req->cmd, req->inbuf, outbuf);
2087 }
2088
2089 /**
2090  * @brief Find the smb_cmd offset of the last command pushed
2091  * @param[in] buf       The buffer we're building up
2092  * @retval              Where can we put our next andx cmd?
2093  *
2094  * While chaining requests, the "next" request we're looking at needs to put
2095  * its SMB_Command before the data the previous request already built up added
2096  * to the chain. Find the offset to the place where we have to put our cmd.
2097  */
2098
2099 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
2100 {
2101         uint8_t cmd;
2102         size_t ofs;
2103
2104         cmd = CVAL(buf, smb_com);
2105
2106         if (!is_andx_req(cmd)) {
2107                 return false;
2108         }
2109
2110         ofs = smb_vwv0;
2111
2112         while (CVAL(buf, ofs) != 0xff) {
2113
2114                 if (!is_andx_req(CVAL(buf, ofs))) {
2115                         return false;
2116                 }
2117
2118                 /*
2119                  * ofs is from start of smb header, so add the 4 length
2120                  * bytes. The next cmd is right after the wct field.
2121                  */
2122                 ofs = SVAL(buf, ofs+2) + 4 + 1;
2123
2124                 if (ofs+4 >= talloc_get_size(buf)) {
2125                         return false;
2126                 }
2127         }
2128
2129         *pofs = ofs;
2130         return true;
2131 }
2132
2133 /**
2134  * @brief Do the smb chaining at a buffer level
2135  * @param[in] poutbuf           Pointer to the talloc'ed buffer to be modified
2136  * @param[in] andx_buf          Buffer to be appended
2137  */
2138
2139 static bool smb_splice_chain(uint8_t **poutbuf, const uint8_t *andx_buf)
2140 {
2141         uint8_t smb_command     = CVAL(andx_buf, smb_com);
2142         uint8_t wct             = CVAL(andx_buf, smb_wct);
2143         const uint16_t *vwv     = (const uint16_t *)(andx_buf + smb_vwv);
2144         uint32_t num_bytes      = smb_buflen(andx_buf);
2145         const uint8_t *bytes    = (const uint8_t *)smb_buf_const(andx_buf);
2146
2147         uint8_t *outbuf;
2148         size_t old_size, new_size;
2149         size_t ofs;
2150         size_t chain_padding = 0;
2151         size_t andx_cmd_ofs;
2152
2153
2154         old_size = talloc_get_size(*poutbuf);
2155
2156         if ((old_size % 4) != 0) {
2157                 /*
2158                  * Align the wct field of subsequent requests to a 4-byte
2159                  * boundary
2160                  */
2161                 chain_padding = 4 - (old_size % 4);
2162         }
2163
2164         /*
2165          * After the old request comes the new wct field (1 byte), the vwv's
2166          * and the num_bytes field.
2167          */
2168
2169         new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
2170         new_size += num_bytes;
2171
2172         if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
2173                 DEBUG(1, ("smb_splice_chain: %u bytes won't fit\n",
2174                           (unsigned)new_size));
2175                 return false;
2176         }
2177
2178         outbuf = talloc_realloc(NULL, *poutbuf, uint8_t, new_size);
2179         if (outbuf == NULL) {
2180                 DEBUG(0, ("talloc failed\n"));
2181                 return false;
2182         }
2183         *poutbuf = outbuf;
2184
2185         if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
2186                 DEBUG(1, ("invalid command chain\n"));
2187                 *poutbuf = talloc_realloc(NULL, *poutbuf, uint8_t, old_size);
2188                 return false;
2189         }
2190
2191         if (chain_padding != 0) {
2192                 memset(outbuf + old_size, 0, chain_padding);
2193                 old_size += chain_padding;
2194         }
2195
2196         SCVAL(outbuf, andx_cmd_ofs, smb_command);
2197         SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
2198
2199         ofs = old_size;
2200
2201         /*
2202          * Push the chained request:
2203          *
2204          * wct field
2205          */
2206
2207         SCVAL(outbuf, ofs, wct);
2208         ofs += 1;
2209
2210         /*
2211          * vwv array
2212          */
2213
2214         memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
2215
2216         /*
2217          * HACK ALERT
2218          *
2219          * Read&X has an offset into its data buffer at
2220          * vwv[6]. reply_read_andx has no idea anymore that it's
2221          * running from within a chain, so we have to fix up the
2222          * offset here.
2223          *
2224          * Although it looks disgusting at this place, I want to keep
2225          * it here. The alternative would be to push knowledge about
2226          * the andx chain down into read&x again.
2227          */
2228
2229         if (smb_command == SMBreadX) {
2230                 uint8_t *bytes_addr;
2231
2232                 if (wct < 7) {
2233                         /*
2234                          * Invalid read&x response
2235                          */
2236                         return false;
2237                 }
2238
2239                 bytes_addr = outbuf + ofs        /* vwv start */
2240                         + sizeof(uint16_t) * wct /* vwv array */
2241                         + sizeof(uint16_t)       /* bcc */
2242                         + 1;                     /* padding byte */
2243
2244                 SSVAL(outbuf + ofs, 6 * sizeof(uint16_t),
2245                       bytes_addr - outbuf - 4);
2246         }
2247
2248         ofs += sizeof(uint16_t) * wct;
2249
2250         /*
2251          * bcc (byte count)
2252          */
2253
2254         SSVAL(outbuf, ofs, num_bytes);
2255         ofs += sizeof(uint16_t);
2256
2257         /*
2258          * The bytes field
2259          */
2260
2261         memcpy(outbuf + ofs, bytes, num_bytes);
2262
2263         return true;
2264 }
2265
2266 bool smb1_is_chain(const uint8_t *buf)
2267 {
2268         uint8_t cmd, wct, andx_cmd;
2269
2270         cmd = CVAL(buf, smb_com);
2271         if (!is_andx_req(cmd)) {
2272                 return false;
2273         }
2274         wct = CVAL(buf, smb_wct);
2275         if (wct < 2) {
2276                 return false;
2277         }
2278         andx_cmd = CVAL(buf, smb_vwv);
2279         return (andx_cmd != 0xFF);
2280 }
2281
2282 bool smb1_walk_chain(const uint8_t *buf,
2283                      bool (*fn)(uint8_t cmd,
2284                                 uint8_t wct, const uint16_t *vwv,
2285                                 uint16_t num_bytes, const uint8_t *bytes,
2286                                 void *private_data),
2287                      void *private_data)
2288 {
2289         size_t smblen = smb_len(buf);
2290         const char *smb_buf = smb_base(buf);
2291         uint8_t cmd, chain_cmd;
2292         uint8_t wct;
2293         const uint16_t *vwv;
2294         uint16_t num_bytes;
2295         const uint8_t *bytes;
2296
2297         cmd = CVAL(buf, smb_com);
2298         wct = CVAL(buf, smb_wct);
2299         vwv = (const uint16_t *)(buf + smb_vwv);
2300         num_bytes = smb_buflen(buf);
2301         bytes = (const uint8_t *)smb_buf_const(buf);
2302
2303         if (!fn(cmd, wct, vwv, num_bytes, bytes, private_data)) {
2304                 return false;
2305         }
2306
2307         if (!is_andx_req(cmd)) {
2308                 return true;
2309         }
2310         if (wct < 2) {
2311                 return false;
2312         }
2313
2314         chain_cmd = CVAL(vwv, 0);
2315
2316         while (chain_cmd != 0xff) {
2317                 uint32_t chain_offset;  /* uint32_t to avoid overflow */
2318                 size_t length_needed;
2319                 ptrdiff_t vwv_offset;
2320
2321                 chain_offset = SVAL(vwv+1, 0);
2322
2323                 /*
2324                  * Check if the client tries to fool us. The chain
2325                  * offset needs to point beyond the current request in
2326                  * the chain, it needs to strictly grow. Otherwise we
2327                  * might be tricked into an endless loop always
2328                  * processing the same request over and over again. We
2329                  * used to assume that vwv and the byte buffer array
2330                  * in a chain are always attached, but OS/2 the
2331                  * Write&X/Read&X chain puts the Read&X vwv array
2332                  * right behind the Write&X vwv chain. The Write&X bcc
2333                  * array is put behind the Read&X vwv array. So now we
2334                  * check whether the chain offset points strictly
2335                  * behind the previous vwv array. req->buf points
2336                  * right after the vwv array of the previous
2337                  * request. See
2338                  * https://bugzilla.samba.org/show_bug.cgi?id=8360 for
2339                  * more information.
2340                  */
2341
2342                 vwv_offset = ((const char *)vwv - smb_buf);
2343                 if (chain_offset <= vwv_offset) {
2344                         return false;
2345                 }
2346
2347                 /*
2348                  * Next check: Make sure the chain offset does not
2349                  * point beyond the overall smb request length.
2350                  */
2351
2352                 length_needed = chain_offset+1; /* wct */
2353                 if (length_needed > smblen) {
2354                         return false;
2355                 }
2356
2357                 /*
2358                  * Now comes the pointer magic. Goal here is to set up
2359                  * vwv and buf correctly again. The chain offset (the
2360                  * former vwv[1]) points at the new wct field.
2361                  */
2362
2363                 wct = CVAL(smb_buf, chain_offset);
2364
2365                 if (is_andx_req(chain_cmd) && (wct < 2)) {
2366                         return false;
2367                 }
2368
2369                 /*
2370                  * Next consistency check: Make the new vwv array fits
2371                  * in the overall smb request.
2372                  */
2373
2374                 length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
2375                 if (length_needed > smblen) {
2376                         return false;
2377                 }
2378                 vwv = (const uint16_t *)(smb_buf + chain_offset + 1);
2379
2380                 /*
2381                  * Now grab the new byte buffer....
2382                  */
2383
2384                 num_bytes = SVAL(vwv+wct, 0);
2385
2386                 /*
2387                  * .. and check that it fits.
2388                  */
2389
2390                 length_needed += num_bytes;
2391                 if (length_needed > smblen) {
2392                         return false;
2393                 }
2394                 bytes = (const uint8_t *)(vwv+wct+1);
2395
2396                 if (!fn(chain_cmd, wct, vwv, num_bytes, bytes, private_data)) {
2397                         return false;
2398                 }
2399
2400                 if (!is_andx_req(chain_cmd)) {
2401                         return true;
2402                 }
2403                 chain_cmd = CVAL(vwv, 0);
2404         }
2405         return true;
2406 }
2407
2408 static bool smb1_chain_length_cb(uint8_t cmd,
2409                                  uint8_t wct, const uint16_t *vwv,
2410                                  uint16_t num_bytes, const uint8_t *bytes,
2411                                  void *private_data)
2412 {
2413         unsigned *count = (unsigned *)private_data;
2414         *count += 1;
2415         return true;
2416 }
2417
2418 unsigned smb1_chain_length(const uint8_t *buf)
2419 {
2420         unsigned count = 0;
2421
2422         if (!smb1_walk_chain(buf, smb1_chain_length_cb, &count)) {
2423                 return 0;
2424         }
2425         return count;
2426 }
2427
2428 struct smb1_parse_chain_state {
2429         TALLOC_CTX *mem_ctx;
2430         const uint8_t *buf;
2431         struct smbd_server_connection *sconn;
2432         struct smbXsrv_connection *xconn;
2433         bool encrypted;
2434         uint32_t seqnum;
2435
2436         struct smb_request **reqs;
2437         unsigned num_reqs;
2438 };
2439
2440 static bool smb1_parse_chain_cb(uint8_t cmd,
2441                                 uint8_t wct, const uint16_t *vwv,
2442                                 uint16_t num_bytes, const uint8_t *bytes,
2443                                 void *private_data)
2444 {
2445         struct smb1_parse_chain_state *state =
2446                 (struct smb1_parse_chain_state *)private_data;
2447         struct smb_request **reqs;
2448         struct smb_request *req;
2449         bool ok;
2450
2451         reqs = talloc_realloc(state->mem_ctx, state->reqs,
2452                               struct smb_request *, state->num_reqs+1);
2453         if (reqs == NULL) {
2454                 return false;
2455         }
2456         state->reqs = reqs;
2457
2458         req = talloc(reqs, struct smb_request);
2459         if (req == NULL) {
2460                 return false;
2461         }
2462
2463         ok = init_smb_request(req, state->sconn, state->xconn, state->buf, 0,
2464                               state->encrypted, state->seqnum);
2465         if (!ok) {
2466                 return false;
2467         }
2468         req->cmd = cmd;
2469         req->wct = wct;
2470         req->vwv = vwv;
2471         req->buflen = num_bytes;
2472         req->buf = bytes;
2473
2474         reqs[state->num_reqs] = req;
2475         state->num_reqs += 1;
2476         return true;
2477 }
2478
2479 bool smb1_parse_chain(TALLOC_CTX *mem_ctx, const uint8_t *buf,
2480                       struct smbXsrv_connection *xconn,
2481                       bool encrypted, uint32_t seqnum,
2482                       struct smb_request ***reqs, unsigned *num_reqs)
2483 {
2484         struct smbd_server_connection *sconn = NULL;
2485         struct smb1_parse_chain_state state;
2486         unsigned i;
2487
2488         if (xconn != NULL) {
2489                 sconn = xconn->client->sconn;
2490         }
2491
2492         state.mem_ctx = mem_ctx;
2493         state.buf = buf;
2494         state.sconn = sconn;
2495         state.xconn = xconn;
2496         state.encrypted = encrypted;
2497         state.seqnum = seqnum;
2498         state.reqs = NULL;
2499         state.num_reqs = 0;
2500
2501         if (!smb1_walk_chain(buf, smb1_parse_chain_cb, &state)) {
2502                 TALLOC_FREE(state.reqs);
2503                 return false;
2504         }
2505         for (i=0; i<state.num_reqs; i++) {
2506                 state.reqs[i]->chain = state.reqs;
2507         }
2508         *reqs = state.reqs;
2509         *num_reqs = state.num_reqs;
2510         return true;
2511 }
2512
2513 /****************************************************************************
2514  Check if services need reloading.
2515 ****************************************************************************/
2516
2517 static void check_reload(struct smbd_server_connection *sconn, time_t t)
2518 {
2519
2520         if (last_smb_conf_reload_time == 0) {
2521                 last_smb_conf_reload_time = t;
2522         }
2523
2524         if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2525                 reload_services(sconn, conn_snum_used, true);
2526                 last_smb_conf_reload_time = t;
2527         }
2528 }
2529
2530 static bool fd_is_readable(int fd)
2531 {
2532         int ret, revents;
2533
2534         ret = poll_one_fd(fd, POLLIN|POLLHUP, 0, &revents);
2535
2536         return ((ret > 0) && ((revents & (POLLIN|POLLHUP|POLLERR)) != 0));
2537
2538 }
2539
2540 static void smbd_server_connection_write_handler(
2541         struct smbXsrv_connection *xconn)
2542 {
2543         /* TODO: make write nonblocking */
2544 }
2545
2546 static void smbd_server_connection_read_handler(
2547         struct smbXsrv_connection *xconn, int fd)
2548 {
2549         uint8_t *inbuf = NULL;
2550         size_t inbuf_len = 0;
2551         size_t unread_bytes = 0;
2552         bool encrypted = false;
2553         TALLOC_CTX *mem_ctx = talloc_tos();
2554         NTSTATUS status;
2555         uint32_t seqnum;
2556
2557         bool async_echo = lp_async_smb_echo_handler();
2558         bool from_client = false;
2559
2560         if (async_echo) {
2561                 if (fd_is_readable(xconn->smb1.echo_handler.trusted_fd)) {
2562                         /*
2563                          * This is the super-ugly hack to prefer the packets
2564                          * forwarded by the echo handler over the ones by the
2565                          * client directly
2566                          */
2567                         fd = xconn->smb1.echo_handler.trusted_fd;
2568                 }
2569         }
2570
2571         from_client = (xconn->transport.sock == fd);
2572
2573         if (async_echo && from_client) {
2574                 smbd_lock_socket(xconn);
2575
2576                 if (!fd_is_readable(fd)) {
2577                         DEBUG(10,("the echo listener was faster\n"));
2578                         smbd_unlock_socket(xconn);
2579                         return;
2580                 }
2581         }
2582
2583         /* TODO: make this completely nonblocking */
2584         status = receive_smb_talloc(mem_ctx, xconn, fd,
2585                                     (char **)(void *)&inbuf,
2586                                     0, /* timeout */
2587                                     &unread_bytes,
2588                                     &encrypted,
2589                                     &inbuf_len, &seqnum,
2590                                     !from_client /* trusted channel */);
2591
2592         if (async_echo && from_client) {
2593                 smbd_unlock_socket(xconn);
2594         }
2595
2596         if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2597                 goto process;
2598         }
2599         if (NT_STATUS_IS_ERR(status)) {
2600                 exit_server_cleanly("failed to receive smb request");
2601         }
2602         if (!NT_STATUS_IS_OK(status)) {
2603                 return;
2604         }
2605
2606 process:
2607         process_smb(xconn, inbuf, inbuf_len, unread_bytes,
2608                     seqnum, encrypted, NULL);
2609 }
2610
2611 static void smbd_server_connection_handler(struct tevent_context *ev,
2612                                            struct tevent_fd *fde,
2613                                            uint16_t flags,
2614                                            void *private_data)
2615 {
2616         struct smbXsrv_connection *xconn =
2617                 talloc_get_type_abort(private_data,
2618                 struct smbXsrv_connection);
2619
2620         if (!NT_STATUS_IS_OK(xconn->transport.status)) {
2621                 /*
2622                  * we're not supposed to do any io
2623                  */
2624                 TEVENT_FD_NOT_READABLE(xconn->transport.fde);
2625                 TEVENT_FD_NOT_WRITEABLE(xconn->transport.fde);
2626                 return;
2627         }
2628
2629         if (flags & TEVENT_FD_WRITE) {
2630                 smbd_server_connection_write_handler(xconn);
2631                 return;
2632         }
2633         if (flags & TEVENT_FD_READ) {
2634                 smbd_server_connection_read_handler(xconn, xconn->transport.sock);
2635                 return;
2636         }
2637 }
2638
2639 static void smbd_server_echo_handler(struct tevent_context *ev,
2640                                      struct tevent_fd *fde,
2641                                      uint16_t flags,
2642                                      void *private_data)
2643 {
2644         struct smbXsrv_connection *xconn =
2645                 talloc_get_type_abort(private_data,
2646                 struct smbXsrv_connection);
2647
2648         if (!NT_STATUS_IS_OK(xconn->transport.status)) {
2649                 /*
2650                  * we're not supposed to do any io
2651                  */
2652                 TEVENT_FD_NOT_READABLE(xconn->smb1.echo_handler.trusted_fde);
2653                 TEVENT_FD_NOT_WRITEABLE(xconn->smb1.echo_handler.trusted_fde);
2654                 return;
2655         }
2656
2657         if (flags & TEVENT_FD_WRITE) {
2658                 smbd_server_connection_write_handler(xconn);
2659                 return;
2660         }
2661         if (flags & TEVENT_FD_READ) {
2662                 smbd_server_connection_read_handler(
2663                         xconn, xconn->smb1.echo_handler.trusted_fd);
2664                 return;
2665         }
2666 }
2667
2668 struct smbd_release_ip_state {
2669         struct smbXsrv_connection *xconn;
2670         struct tevent_immediate *im;
2671         char addr[INET6_ADDRSTRLEN];
2672 };
2673
2674 static void smbd_release_ip_immediate(struct tevent_context *ctx,
2675                                       struct tevent_immediate *im,
2676                                       void *private_data)
2677 {
2678         struct smbd_release_ip_state *state =
2679                 talloc_get_type_abort(private_data,
2680                 struct smbd_release_ip_state);
2681         struct smbXsrv_connection *xconn = state->xconn;
2682
2683         if (!NT_STATUS_EQUAL(xconn->transport.status, NT_STATUS_ADDRESS_CLOSED)) {
2684                 /*
2685                  * smbd_server_connection_terminate() already triggered ?
2686                  */
2687                 return;
2688         }
2689
2690         smbd_server_connection_terminate(xconn, "CTDB_SRVID_RELEASE_IP");
2691 }
2692
2693 /****************************************************************************
2694 received when we should release a specific IP
2695 ****************************************************************************/
2696 static int release_ip(struct tevent_context *ev,
2697                       uint32_t src_vnn, uint32_t dst_vnn,
2698                       uint64_t dst_srvid,
2699                       const uint8_t *msg, size_t msglen,
2700                       void *private_data)
2701 {
2702         struct smbd_release_ip_state *state =
2703                 talloc_get_type_abort(private_data,
2704                 struct smbd_release_ip_state);
2705         struct smbXsrv_connection *xconn = state->xconn;
2706         const char *ip;
2707         const char *addr = state->addr;
2708         const char *p = addr;
2709
2710         if (msglen == 0) {
2711                 return 0;
2712         }
2713         if (msg[msglen-1] != '\0') {
2714                 return 0;
2715         }
2716
2717         ip = (const char *)msg;
2718
2719         if (!NT_STATUS_IS_OK(xconn->transport.status)) {
2720                 /* avoid recursion */
2721                 return 0;
2722         }
2723
2724         if (strncmp("::ffff:", addr, 7) == 0) {
2725                 p = addr + 7;
2726         }
2727
2728         DEBUG(10, ("Got release IP message for %s, "
2729                    "our address is %s\n", ip, p));
2730
2731         if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2732                 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2733                         ip));
2734                 /*
2735                  * With SMB2 we should do a clean disconnect,
2736                  * the previous_session_id in the session setup
2737                  * will cleanup the old session, tcons and opens.
2738                  *
2739                  * A clean disconnect is needed in order to support
2740                  * durable handles.
2741                  *
2742                  * Note: typically this is never triggered
2743                  *       as we got a TCP RST (triggered by ctdb event scripts)
2744                  *       before we get CTDB_SRVID_RELEASE_IP.
2745                  *
2746                  * We used to call _exit(1) here, but as this was mostly never
2747                  * triggered and has implication on our process model,
2748                  * we can just use smbd_server_connection_terminate()
2749                  * (also for SMB1).
2750                  *
2751                  * We don't call smbd_server_connection_terminate() directly
2752                  * as we might be called from within ctdbd_migrate(),
2753                  * we need to defer our action to the next event loop
2754                  */
2755                 tevent_schedule_immediate(state->im,
2756                                           xconn->client->raw_ev_ctx,
2757                                           smbd_release_ip_immediate,
2758                                           state);
2759
2760                 /*
2761                  * Make sure we don't get any io on the connection.
2762                  */
2763                 xconn->transport.status = NT_STATUS_ADDRESS_CLOSED;
2764                 return EADDRNOTAVAIL;
2765         }
2766
2767         return 0;
2768 }
2769
2770 static NTSTATUS smbd_register_ips(struct smbXsrv_connection *xconn,
2771                                   struct sockaddr_storage *srv,
2772                                   struct sockaddr_storage *clnt)
2773 {
2774         struct smbd_release_ip_state *state;
2775         struct ctdbd_connection *cconn;
2776         int ret;
2777
2778         cconn = messaging_ctdb_connection();
2779         if (cconn == NULL) {
2780                 return NT_STATUS_NO_MEMORY;
2781         }
2782
2783         state = talloc_zero(xconn, struct smbd_release_ip_state);
2784         if (state == NULL) {
2785                 return NT_STATUS_NO_MEMORY;
2786         }
2787         state->xconn = xconn;
2788         state->im = tevent_create_immediate(state);
2789         if (state->im == NULL) {
2790                 return NT_STATUS_NO_MEMORY;
2791         }
2792         if (print_sockaddr(state->addr, sizeof(state->addr), srv) == NULL) {
2793                 return NT_STATUS_NO_MEMORY;
2794         }
2795
2796         ret = ctdbd_register_ips(cconn, srv, clnt, release_ip, state);
2797         if (ret != 0) {
2798                 return map_nt_error_from_unix(ret);
2799         }
2800         return NT_STATUS_OK;
2801 }
2802
2803 static void msg_kill_client_ip(struct messaging_context *msg_ctx,
2804                                   void *private_data, uint32_t msg_type,
2805                                   struct server_id server_id, DATA_BLOB *data)
2806 {
2807         struct smbd_server_connection *sconn = talloc_get_type_abort(
2808                 private_data, struct smbd_server_connection);
2809         const char *ip = (char *) data->data;
2810         char *client_ip;
2811
2812         DBG_DEBUG("Got kill request for client IP %s\n", ip);
2813
2814         client_ip = tsocket_address_inet_addr_string(sconn->remote_address,
2815                                                      talloc_tos());
2816         if (client_ip == NULL) {
2817                 return;
2818         }
2819
2820         if (strequal(ip, client_ip)) {
2821                 DBG_WARNING("Got kill client message for %s - "
2822                             "exiting immediately\n", ip);
2823                 exit_server_cleanly("Forced disconnect for client");
2824         }
2825
2826         TALLOC_FREE(client_ip);
2827 }
2828
2829 /*
2830  * Send keepalive packets to our client
2831  */
2832 static bool keepalive_fn(const struct timeval *now, void *private_data)
2833 {
2834         struct smbd_server_connection *sconn = talloc_get_type_abort(
2835                 private_data, struct smbd_server_connection);
2836         struct smbXsrv_connection *xconn = NULL;
2837         bool ret;
2838
2839         if (sconn->using_smb2) {
2840                 /* Don't do keepalives on an SMB2 connection. */
2841                 return false;
2842         }
2843
2844         /*
2845          * With SMB1 we only have 1 connection
2846          */
2847         xconn = sconn->client->connections;
2848         smbd_lock_socket(xconn);
2849         ret = send_keepalive(xconn->transport.sock);
2850         smbd_unlock_socket(xconn);
2851
2852         if (!ret) {
2853                 int saved_errno = errno;
2854                 /*
2855                  * Try and give an error message saying what
2856                  * client failed.
2857                  */
2858                 DEBUG(0, ("send_keepalive failed for client %s. "
2859                           "Error %s - exiting\n",
2860                           smbXsrv_connection_dbg(xconn),
2861                           strerror(saved_errno)));
2862                 errno = saved_errno;
2863                 return False;
2864         }
2865         return True;
2866 }
2867
2868 /*
2869  * Do the recurring check if we're idle
2870  */
2871 static bool deadtime_fn(const struct timeval *now, void *private_data)
2872 {
2873         struct smbd_server_connection *sconn =
2874                 (struct smbd_server_connection *)private_data;
2875
2876         if ((conn_num_open(sconn) == 0)
2877             || (conn_idle_all(sconn, now->tv_sec))) {
2878                 DEBUG( 2, ( "Closing idle connection\n" ) );
2879                 messaging_send(sconn->msg_ctx,
2880                                messaging_server_id(sconn->msg_ctx),
2881                                MSG_SHUTDOWN, &data_blob_null);
2882                 return False;
2883         }
2884
2885         return True;
2886 }
2887
2888 /*
2889  * Do the recurring log file and smb.conf reload checks.
2890  */
2891
2892 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2893 {
2894         struct smbd_server_connection *sconn = talloc_get_type_abort(
2895                 private_data, struct smbd_server_connection);
2896
2897         DEBUG(5, ("housekeeping\n"));
2898
2899         change_to_root_user();
2900
2901         /* update printer queue caches if necessary */
2902         update_monitored_printq_cache(sconn->msg_ctx);
2903
2904         /* check if we need to reload services */
2905         check_reload(sconn, time_mono(NULL));
2906
2907         /*
2908          * Force a log file check.
2909          */
2910         force_check_log_size();
2911         check_log_size();
2912         return true;
2913 }
2914
2915 /*
2916  * Read an smb packet in the echo handler child, giving the parent
2917  * smbd one second to react once the socket becomes readable.
2918  */
2919
2920 struct smbd_echo_read_state {
2921         struct tevent_context *ev;
2922         struct smbXsrv_connection *xconn;
2923
2924         char *buf;
2925         size_t buflen;
2926         uint32_t seqnum;
2927 };
2928
2929 static void smbd_echo_read_readable(struct tevent_req *subreq);
2930 static void smbd_echo_read_waited(struct tevent_req *subreq);
2931
2932 static struct tevent_req *smbd_echo_read_send(
2933         TALLOC_CTX *mem_ctx, struct tevent_context *ev,
2934         struct smbXsrv_connection *xconn)
2935 {
2936         struct tevent_req *req, *subreq;
2937         struct smbd_echo_read_state *state;
2938
2939         req = tevent_req_create(mem_ctx, &state,
2940                                 struct smbd_echo_read_state);
2941         if (req == NULL) {
2942                 return NULL;
2943         }
2944         state->ev = ev;
2945         state->xconn = xconn;
2946
2947         subreq = wait_for_read_send(state, ev, xconn->transport.sock, false);
2948         if (tevent_req_nomem(subreq, req)) {
2949                 return tevent_req_post(req, ev);
2950         }
2951         tevent_req_set_callback(subreq, smbd_echo_read_readable, req);
2952         return req;
2953 }
2954
2955 static void smbd_echo_read_readable(struct tevent_req *subreq)
2956 {
2957         struct tevent_req *req = tevent_req_callback_data(
2958                 subreq, struct tevent_req);
2959         struct smbd_echo_read_state *state = tevent_req_data(
2960                 req, struct smbd_echo_read_state);
2961         bool ok;
2962         int err;
2963
2964         ok = wait_for_read_recv(subreq, &err);
2965         TALLOC_FREE(subreq);
2966         if (!ok) {
2967                 tevent_req_nterror(req, map_nt_error_from_unix(err));
2968                 return;
2969         }
2970
2971         /*
2972          * Give the parent smbd one second to step in
2973          */
2974
2975         subreq = tevent_wakeup_send(
2976                 state, state->ev, timeval_current_ofs(1, 0));
2977         if (tevent_req_nomem(subreq, req)) {
2978                 return;
2979         }
2980         tevent_req_set_callback(subreq, smbd_echo_read_waited, req);
2981 }
2982
2983 static void smbd_echo_read_waited(struct tevent_req *subreq)
2984 {
2985         struct tevent_req *req = tevent_req_callback_data(
2986                 subreq, struct tevent_req);
2987         struct smbd_echo_read_state *state = tevent_req_data(
2988                 req, struct smbd_echo_read_state);
2989         struct smbXsrv_connection *xconn = state->xconn;
2990         bool ok;
2991         NTSTATUS status;
2992         size_t unread = 0;
2993         bool encrypted;
2994
2995         ok = tevent_wakeup_recv(subreq);
2996         TALLOC_FREE(subreq);
2997         if (!ok) {
2998                 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
2999                 return;
3000         }
3001
3002         ok = smbd_lock_socket_internal(xconn);
3003         if (!ok) {
3004                 tevent_req_nterror(req, map_nt_error_from_unix(errno));
3005                 DEBUG(0, ("%s: failed to lock socket\n", __location__));
3006                 return;
3007         }
3008
3009         if (!fd_is_readable(xconn->transport.sock)) {
3010                 DEBUG(10,("echo_handler[%d] the parent smbd was faster\n",
3011                           (int)getpid()));
3012
3013                 ok = smbd_unlock_socket_internal(xconn);
3014                 if (!ok) {
3015                         tevent_req_nterror(req, map_nt_error_from_unix(errno));
3016                         DEBUG(1, ("%s: failed to unlock socket\n",
3017                                 __location__));
3018                         return;
3019                 }
3020
3021                 subreq = wait_for_read_send(state, state->ev,
3022                                             xconn->transport.sock, false);
3023                 if (tevent_req_nomem(subreq, req)) {
3024                         return;
3025                 }
3026                 tevent_req_set_callback(subreq, smbd_echo_read_readable, req);
3027                 return;
3028         }
3029
3030         status = receive_smb_talloc(state, xconn,
3031                                     xconn->transport.sock,
3032                                     &state->buf,
3033                                     0 /* timeout */,
3034                                     &unread,
3035                                     &encrypted,
3036                                     &state->buflen,
3037                                     &state->seqnum,
3038                                     false /* trusted_channel*/);
3039
3040         if (tevent_req_nterror(req, status)) {
3041                 tevent_req_nterror(req, status);
3042                 DEBUG(1, ("echo_handler[%d]: receive_smb_raw_talloc failed: %s\n",
3043                           (int)getpid(), nt_errstr(status)));
3044                 return;
3045         }
3046
3047         ok = smbd_unlock_socket_internal(xconn);
3048         if (!ok) {
3049                 tevent_req_nterror(req, map_nt_error_from_unix(errno));
3050                 DEBUG(1, ("%s: failed to unlock socket\n", __location__));
3051                 return;
3052         }
3053         tevent_req_done(req);
3054 }
3055
3056 static NTSTATUS smbd_echo_read_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
3057                                     char **pbuf, size_t *pbuflen, uint32_t *pseqnum)
3058 {
3059         struct smbd_echo_read_state *state = tevent_req_data(
3060                 req, struct smbd_echo_read_state);
3061         NTSTATUS status;
3062
3063         if (tevent_req_is_nterror(req, &status)) {
3064                 return status;
3065         }
3066         *pbuf = talloc_move(mem_ctx, &state->buf);
3067         *pbuflen = state->buflen;
3068         *pseqnum = state->seqnum;
3069         return NT_STATUS_OK;
3070 }
3071
3072 struct smbd_echo_state {
3073         struct tevent_context *ev;
3074         struct iovec *pending;
3075         struct smbd_server_connection *sconn;
3076         struct smbXsrv_connection *xconn;
3077         int parent_pipe;
3078
3079         struct tevent_fd *parent_fde;
3080
3081         struct tevent_req *write_req;
3082 };
3083
3084 static void smbd_echo_writer_done(struct tevent_req *req);
3085
3086 static void smbd_echo_activate_writer(struct smbd_echo_state *state)
3087 {
3088         int num_pending;
3089
3090         if (state->write_req != NULL) {
3091                 return;
3092         }
3093
3094         num_pending = talloc_array_length(state->pending);
3095         if (num_pending == 0) {
3096                 return;
3097         }
3098
3099         state->write_req = writev_send(state, state->ev, NULL,
3100                                        state->parent_pipe, false,
3101                                        state->pending, num_pending);
3102         if (state->write_req == NULL) {
3103                 DEBUG(1, ("writev_send failed\n"));
3104                 exit(1);
3105         }
3106
3107         talloc_steal(state->write_req, state->pending);
3108         state->pending = NULL;
3109
3110         tevent_req_set_callback(state->write_req, smbd_echo_writer_done,
3111                                 state);
3112 }
3113
3114 static void smbd_echo_writer_done(struct tevent_req *req)
3115 {
3116         struct smbd_echo_state *state = tevent_req_callback_data(
3117                 req, struct smbd_echo_state);
3118         ssize_t written;
3119         int err;
3120
3121         written = writev_recv(req, &err);
3122         TALLOC_FREE(req);
3123         state->write_req = NULL;
3124         if (written == -1) {
3125                 DEBUG(1, ("writev to parent failed: %s\n", strerror(err)));
3126                 exit(1);
3127         }
3128         DEBUG(10,("echo_handler[%d]: forwarded pdu to main\n", (int)getpid()));
3129         smbd_echo_activate_writer(state);
3130 }
3131
3132 static bool smbd_echo_reply(struct smbd_echo_state *state,
3133