2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6 * Copyright (C) Paul Ashton 1997-1998,
7 * Copyright (C) Jeremy Allison 1999,
8 * Copyright (C) Anthony Liguori 2003.
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 /* this module apparently provides an implementation of DCE/RPC over a
26 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
27 * documentation are available (in on-line form) from the X-Open group.
29 * this module should provide a level of abstraction between SMB
30 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
31 * data copies, and network traffic.
33 * in this version, which takes a "let's learn what's going on and
34 * get something running" approach, there is additional network
35 * traffic generated, but the code should be easier to understand...
37 * ... if you read the docs. or stare at packets for weeks on end.
44 #define DBGC_CLASS DBGC_RPC_SRV
46 /*************************************************************
48 We need to transfer the session key from one rpc bind to the
49 next. This is the way the netlogon schannel works.
50 **************************************************************/
51 struct dcinfo last_dcinfo;
53 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
55 unsigned char *hash = p->ntlmssp_hash;
56 unsigned char index_i = hash[256];
57 unsigned char index_j = hash[257];
60 for( ind = 0; ind < len; ind++) {
65 index_j += hash[index_i];
68 hash[index_i] = hash[index_j];
71 t = hash[index_i] + hash[index_j];
72 data[ind] = data[ind] ^ hash[t];
79 /*******************************************************************
80 Generate the next PDU to be returned from the data in p->rdata.
81 We cheat here as this function doesn't handle the special auth
82 footers of the authenticated bind response reply.
83 ********************************************************************/
85 BOOL create_next_pdu(pipes_struct *p)
87 RPC_HDR_RESP hdr_resp;
88 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
89 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
91 uint32 data_space_available;
93 prs_struct outgoing_pdu;
97 * If we're in the fault state, keep returning fault PDU's until
98 * the pipe gets closed. JRA.
102 setup_fault_pdu(p, NT_STATUS(0x1c010002));
106 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
108 /* Change the incoming request header to a response. */
109 p->hdr.pkt_type = RPC_RESPONSE;
111 /* Set up rpc header flags. */
112 if (p->out_data.data_sent_length == 0)
113 p->hdr.flags = RPC_FLG_FIRST;
118 * Work out how much we can fit in a single PDU.
121 data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
122 if(p->ntlmssp_auth_validated)
123 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
125 if(p->netsec_auth_validated)
126 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN);
129 * The amount we send is the minimum of the available
130 * space and the amount left to send.
133 data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
136 * Ensure there really is data left to send.
140 DEBUG(0,("create_next_pdu: no data left to send !\n"));
144 data_len = MIN(data_len_left, data_space_available);
147 * Set up the alloc hint. This should be the data left to
151 hdr_resp.alloc_hint = data_len_left;
154 * Set up the header lengths.
157 if (p->ntlmssp_auth_validated) {
158 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
159 RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
160 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
161 } else if (p->netsec_auth_validated) {
162 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
163 RPC_HDR_AUTH_LEN + RPC_AUTH_NETSEC_CHK_LEN;
164 p->hdr.auth_len = RPC_AUTH_NETSEC_CHK_LEN;
166 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
171 * Work out if this PDU will be the last.
174 if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
175 p->hdr.flags |= RPC_FLG_LAST;
178 * Init the parse struct to point at the outgoing
182 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
183 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
185 /* Store the header in the data stream. */
186 if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
187 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
188 prs_mem_free(&outgoing_pdu);
192 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
193 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
194 prs_mem_free(&outgoing_pdu);
198 /* Store the current offset. */
199 data_pos = prs_offset(&outgoing_pdu);
201 /* Copy the data into the PDU. */
203 if(!prs_append_some_prs_data(&outgoing_pdu, &p->out_data.rdata, p->out_data.data_sent_length, data_len)) {
204 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
205 prs_mem_free(&outgoing_pdu);
209 if (p->ntlmssp_auth_validated) {
213 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
214 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
217 * Set data to point to where we copied the data into.
220 data = prs_data_p(&outgoing_pdu) + data_pos;
223 crc32 = crc32_calc_buffer(data, data_len);
224 NTLMSSPcalc_p(p, (uchar*)data, data_len);
227 if (auth_seal || auth_verify) {
228 RPC_HDR_AUTH auth_info;
230 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL,
231 (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
232 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
233 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
234 prs_mem_free(&outgoing_pdu);
240 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
241 char *auth_data = prs_data_p(&outgoing_pdu);
243 p->ntlmssp_seq_num++;
244 init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
245 crc32, p->ntlmssp_seq_num++);
246 auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
247 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
248 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
249 prs_mem_free(&outgoing_pdu);
252 NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
256 if (p->netsec_auth_validated) {
258 RPC_HDR_AUTH auth_info;
259 static const uchar netsec_sig[8] = NETSEC_SIGNATURE;
260 static const uchar nullbytes[8] = { 0,0,0,0,0,0,0,0 };
262 RPC_AUTH_NETSEC_CHK verf;
266 data = prs_data_p(&outgoing_pdu) + data_pos;
268 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL,
269 RPC_HDR_AUTH_LEN, 1);
271 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
272 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
273 prs_mem_free(&outgoing_pdu);
277 prs_init(&rverf, 0, p->mem_ctx, MARSHALL);
278 prs_init(&rauth, 0, p->mem_ctx, MARSHALL);
280 if ((p->netsec_auth.seq_num & 1) == 0) {
281 DEBUG(0,("SCHANNEL ERROR: seq_num must be odd in server! (seq_num=%d)\n",
282 p->netsec_auth.seq_num));
285 init_rpc_auth_netsec_chk(&verf, netsec_sig, nullbytes, nullbytes, nullbytes);
287 netsec_encode(&p->netsec_auth,
288 AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN|AUTH_PIPE_SEAL,
290 &verf, data, data_len);
292 smb_io_rpc_auth_netsec_chk("", &verf, &outgoing_pdu, 0);
294 p->netsec_auth.seq_num++;
298 * Setup the counts for this PDU.
301 p->out_data.data_sent_length += data_len;
302 p->out_data.current_pdu_len = p->hdr.frag_len;
303 p->out_data.current_pdu_sent = 0;
305 prs_mem_free(&outgoing_pdu);
309 /*******************************************************************
310 Process an NTLMSSP authentication response.
311 If this function succeeds, the user has been authenticated
312 and their domain, name and calling workstation stored in
314 The initial challenge is stored in p->challenge.
315 *******************************************************************/
317 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
329 struct auth_context *auth_context = NULL;
330 auth_usersupplied_info *user_info = NULL;
331 auth_serversupplied_info *server_info = NULL;
333 DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
335 memset(p->user_name, '\0', sizeof(p->user_name));
336 memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
337 memset(p->domain, '\0', sizeof(p->domain));
338 memset(p->wks, '\0', sizeof(p->wks));
340 /* Set up for non-authenticated user. */
341 delete_nt_token(&p->pipe_user.nt_user_token);
342 p->pipe_user.ngroups = 0;
343 SAFE_FREE( p->pipe_user.groups);
346 * Setup an empty password for a guest user.
350 * We always negotiate UNICODE.
353 if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
354 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
355 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
356 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
358 pull_ascii_fstring(user_name, ntlmssp_resp->user);
359 pull_ascii_fstring(domain, ntlmssp_resp->domain);
360 pull_ascii_fstring(wks, ntlmssp_resp->wks);
363 DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
365 nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
366 lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
368 memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
369 memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
371 #ifdef DEBUG_PASSWORD
372 DEBUG(100,("lm, nt owfs, chal\n"));
373 dump_data(100, (char *)lm_owf, sizeof(lm_owf));
374 dump_data(100, (char *)nt_owf, nt_pw_len);
375 dump_data(100, (char *)p->challenge, 8);
379 * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
385 * Do the length checking only if user is not NULL.
388 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
390 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
392 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
394 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
396 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
401 make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
403 if (!make_user_info_netlogon_network(&user_info,
404 user_name, domain, wks,
406 nt_owf, nt_pw_len)) {
407 DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
411 nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info);
413 (auth_context->free)(&auth_context);
414 free_user_info(&user_info);
416 p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
418 if (!p->ntlmssp_auth_validated) {
419 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
420 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
421 free_server_info(&server_info);
426 * Set up the sign/seal data.
431 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
443 for (ind = 0; ind < 256; ind++)
444 p->ntlmssp_hash[ind] = (unsigned char)ind;
446 for( ind = 0; ind < 256; ind++) {
449 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
451 tc = p->ntlmssp_hash[ind];
452 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
453 p->ntlmssp_hash[j] = tc;
456 p->ntlmssp_hash[256] = 0;
457 p->ntlmssp_hash[257] = 0;
460 dump_data_pw("NTLMSSP hash (v1)\n", p->ntlmssp_hash,
461 sizeof(p->ntlmssp_hash));
463 /* NTLMSSPhash(p->ntlmssp_hash, p24); */
464 p->ntlmssp_seq_num = 0;
468 fstrcpy(p->user_name, user_name);
469 fstrcpy(p->pipe_user_name, server_info->unix_name);
470 fstrcpy(p->domain, domain);
471 fstrcpy(p->wks, wks);
474 * Store the UNIX credential data (uid/gid pair) in the pipe structure.
477 memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
479 p->pipe_user.uid = server_info->uid;
480 p->pipe_user.gid = server_info->gid;
482 p->pipe_user.ngroups = server_info->n_groups;
483 if (p->pipe_user.ngroups) {
484 if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
485 DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
486 free_server_info(&server_info);
491 if (server_info->ptok)
492 p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
494 DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
495 p->pipe_user.nt_user_token = NULL;
496 free_server_info(&server_info);
500 p->ntlmssp_auth_validated = True;
502 free_server_info(&server_info);
506 /*******************************************************************
507 The switch table for the pipe names and the functions to handle them.
508 *******************************************************************/
517 struct api_struct *cmds;
521 static struct rpc_table *rpc_lookup;
522 static int rpc_lookup_size;
524 /*******************************************************************
525 This is the client reply to our challenge for an authenticated
526 bind request. The challenge we sent is in p->challenge.
527 *******************************************************************/
529 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
531 RPC_HDR_AUTHA autha_info;
532 RPC_AUTH_VERIFIER auth_verifier;
533 RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
535 DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
537 if (p->hdr.auth_len == 0) {
538 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
543 * Decode the authentication verifier response.
546 if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
547 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
551 if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != RPC_PIPE_AUTH_SEAL_LEVEL) {
552 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
553 (int)autha_info.auth_type, (int)autha_info.auth_level ));
557 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
558 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
563 * Ensure this is a NTLMSSP_AUTH packet type.
566 if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
567 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
571 if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
572 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
577 * The following call actually checks the challenge/response data.
578 * for correctness against the given DOMAIN\user name.
581 if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
589 /*******************************************************************
590 Marshall a bind_nak pdu.
591 *******************************************************************/
593 static BOOL setup_bind_nak(pipes_struct *p)
595 prs_struct outgoing_rpc;
599 /* Free any memory in the current return data buffer. */
600 prs_mem_free(&p->out_data.rdata);
603 * Marshall directly into the outgoing PDU space. We
604 * must do this as we need to set to the bind response
605 * header and are never sending more than one PDU here.
608 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
609 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
613 * Initialize a bind_nak header.
616 init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
617 p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
620 * Marshall the header into the outgoing PDU.
623 if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
624 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
625 prs_mem_free(&outgoing_rpc);
630 * Now add the reject reason.
633 if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
634 prs_mem_free(&outgoing_rpc);
638 p->out_data.data_sent_length = 0;
639 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
640 p->out_data.current_pdu_sent = 0;
642 p->pipe_bound = False;
647 /*******************************************************************
648 Marshall a fault pdu.
649 *******************************************************************/
651 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
653 prs_struct outgoing_pdu;
655 RPC_HDR_RESP hdr_resp;
656 RPC_HDR_FAULT fault_resp;
658 /* Free any memory in the current return data buffer. */
659 prs_mem_free(&p->out_data.rdata);
662 * Marshall directly into the outgoing PDU space. We
663 * must do this as we need to set to the bind response
664 * header and are never sending more than one PDU here.
667 prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
668 prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
671 * Initialize a fault header.
674 init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
675 p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
678 * Initialize the HDR_RESP and FAULT parts of the PDU.
681 memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
683 fault_resp.status = status;
684 fault_resp.reserved = 0;
687 * Marshall the header into the outgoing PDU.
690 if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
691 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
692 prs_mem_free(&outgoing_pdu);
696 if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
697 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
698 prs_mem_free(&outgoing_pdu);
702 if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
703 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
704 prs_mem_free(&outgoing_pdu);
708 p->out_data.data_sent_length = 0;
709 p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
710 p->out_data.current_pdu_sent = 0;
712 prs_mem_free(&outgoing_pdu);
716 /*******************************************************************
717 Ensure a bind request has the correct abstract & transfer interface.
718 Used to reject unknown binds from Win2k.
719 *******************************************************************/
721 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
724 extern struct pipe_id_info pipe_names[];
727 fstrcpy(pname,"\\PIPE\\");
728 fstrcat(pname,pipe_name);
730 DEBUG(3,("check_bind_req for %s\n", pname));
732 #ifndef SUPPORT_NEW_LSARPC_UUID
734 /* check for the first pipe matching the name */
736 for ( i=0; pipe_names[i].client_pipe; i++ ) {
737 if ( strequal(pipe_names[i].client_pipe, pname) )
741 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
743 for ( i=0; pipe_names[i].client_pipe; i++ )
745 if ( strequal(pipe_names[i].client_pipe, pname)
746 && (abstract->version == pipe_names[i].abstr_syntax.version)
747 && (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) == 0)
748 && (transfer->version == pipe_names[i].trans_syntax.version)
749 && (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) == 0) )
756 if(pipe_names[i].client_pipe == NULL)
759 #ifndef SUPPORT_NEW_LSARPC_UUID
760 /* check the abstract interface */
761 if ( (abstract->version != pipe_names[i].abstr_syntax.version)
762 || (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid, sizeof(RPC_UUID)) != 0) )
767 /* check the transfer interface */
768 if ( (transfer->version != pipe_names[i].trans_syntax.version)
769 || (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid, sizeof(RPC_UUID)) != 0) )
777 /*******************************************************************
778 Register commands to an RPC pipe
779 *******************************************************************/
780 NTSTATUS rpc_pipe_register_commands(int version, const char *clnt, const char *srv, const struct api_struct *cmds, int size)
782 struct rpc_table *rpc_entry;
784 if (!clnt || !srv || !cmds) {
785 return NT_STATUS_INVALID_PARAMETER;
788 if (version != SMB_RPC_INTERFACE_VERSION) {
789 DEBUG(0,("Can't register rpc commands!\n"
790 "You tried to register a rpc module with SMB_RPC_INTERFACE_VERSION %d"
791 ", while this version of samba uses version %d!\n",
792 version,SMB_RPC_INTERFACE_VERSION));
793 return NT_STATUS_OBJECT_TYPE_MISMATCH;
798 * we still need to make sure that don't register the same commands twice!!!
803 /* We use a temporary variable because this call can fail and
804 rpc_lookup will still be valid afterwards. It could then succeed if
805 called again later */
806 rpc_entry = realloc(rpc_lookup,
807 ++rpc_lookup_size*sizeof(struct rpc_table));
808 if (NULL == rpc_entry) {
810 DEBUG(0, ("rpc_pipe_register_commands: memory allocation failed\n"));
811 return NT_STATUS_NO_MEMORY;
813 rpc_lookup = rpc_entry;
816 rpc_entry = rpc_lookup + (rpc_lookup_size - 1);
817 ZERO_STRUCTP(rpc_entry);
818 rpc_entry->pipe.clnt = strdup(clnt);
819 rpc_entry->pipe.srv = strdup(srv);
820 rpc_entry->cmds = realloc(rpc_entry->cmds,
821 (rpc_entry->n_cmds + size) *
822 sizeof(struct api_struct));
823 memcpy(rpc_entry->cmds + rpc_entry->n_cmds, cmds,
824 size * sizeof(struct api_struct));
825 rpc_entry->n_cmds += size;
830 /*******************************************************************
831 Respond to a pipe bind request.
832 *******************************************************************/
834 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
838 RPC_HDR_AUTH auth_info;
840 fstring ack_pipe_name;
841 prs_struct out_hdr_ba;
843 prs_struct outgoing_rpc;
846 enum RPC_PKT_TYPE reply_pkt_type;
848 p->ntlmssp_auth_requested = False;
849 p->netsec_auth_validated = False;
851 DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
854 * Try and find the correct pipe name to ensure
855 * that this is a pipe name we support.
859 for (i = 0; i < rpc_lookup_size; i++) {
860 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
861 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
862 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
863 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
868 if (i == rpc_lookup_size) {
869 if (NT_STATUS_IS_ERR(smb_probe_module("rpc", p->name))) {
870 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
872 if(!setup_bind_nak(p))
877 for (i = 0; i < rpc_lookup_size; i++) {
878 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
879 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
880 rpc_lookup[i].pipe.clnt, rpc_lookup[i].pipe.srv));
881 fstrcpy(p->pipe_srv_name, rpc_lookup[i].pipe.srv);
886 if (i == rpc_lookup_size) {
887 DEBUG(0, ("module %s doesn't provide functions for pipe %s!\n", p->name, p->name));
892 /* decode the bind request */
893 if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0)) {
894 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
899 * Check if this is an authenticated request.
902 if (p->hdr.auth_len != 0) {
903 RPC_AUTH_VERIFIER auth_verifier;
904 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
907 * Decode the authentication verifier.
910 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
911 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
915 if(auth_info.auth_type == NTLMSSP_AUTH_TYPE) {
917 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
918 DEBUG(0,("api_pipe_bind_req: unable to "
919 "unmarshall RPC_HDR_AUTH struct.\n"));
923 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
924 DEBUG(0,("api_pipe_bind_req: "
925 "auth_verifier.signature != NTLMSSP\n"));
929 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
930 DEBUG(0,("api_pipe_bind_req: "
931 "auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
932 auth_verifier.msg_type));
936 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
937 DEBUG(0,("api_pipe_bind_req: "
938 "Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
942 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
943 p->ntlmssp_auth_requested = True;
945 } else if (auth_info.auth_type == NETSEC_AUTH_TYPE) {
947 RPC_AUTH_NETSEC_NEG neg;
948 struct netsec_auth_struct *a = &(p->netsec_auth);
950 if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
951 DEBUG(0,("api_pipe_bind_req: "
952 "Could not unmarshal SCHANNEL auth neg\n"));
956 p->netsec_auth_validated = True;
958 memset(a->sess_key, 0, sizeof(a->sess_key));
959 memcpy(a->sess_key, last_dcinfo.sess_key, sizeof(last_dcinfo.sess_key));
963 DEBUG(10,("schannel auth: domain [%s] myname [%s]\n",
964 neg.domain, neg.myname));
967 DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
968 auth_info.auth_type ));
973 switch(p->hdr.pkt_type) {
975 /* name has to be \PIPE\xxxxx */
976 fstrcpy(ack_pipe_name, "\\PIPE\\");
977 fstrcat(ack_pipe_name, p->pipe_srv_name);
978 reply_pkt_type = RPC_BINDACK;
981 /* secondary address CAN be NULL
982 * as the specs say it's ignored.
983 * It MUST NULL to have the spoolss working.
985 fstrcpy(ack_pipe_name,"");
986 reply_pkt_type = RPC_ALTCONTRESP;
992 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
995 * Marshall directly into the outgoing PDU space. We
996 * must do this as we need to set to the bind response
997 * header and are never sending more than one PDU here.
1000 prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
1001 prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
1004 * Setup the memory to marshall the ba header, and the
1008 if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
1009 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
1010 prs_mem_free(&outgoing_rpc);
1014 if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
1015 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
1016 prs_mem_free(&outgoing_rpc);
1017 prs_mem_free(&out_hdr_ba);
1021 if (p->ntlmssp_auth_requested)
1024 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
1027 * Create the bind response struct.
1030 /* If the requested abstract synt uuid doesn't match our client pipe,
1031 reject the bind_ack & set the transfer interface synt to all 0's,
1032 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1034 Needed when adding entries to a DACL from NT5 - SK */
1036 if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
1037 init_rpc_hdr_ba(&hdr_ba,
1045 RPC_IFACE null_interface;
1046 ZERO_STRUCT(null_interface);
1047 /* Rejection reason: abstract syntax not supported */
1048 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
1049 MAX_PDU_FRAG_LEN, assoc_gid,
1050 ack_pipe_name, 0x1, 0x2, 0x1,
1058 if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
1059 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
1064 * Now the authentication.
1067 if (p->ntlmssp_auth_requested) {
1068 RPC_AUTH_VERIFIER auth_verifier;
1069 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
1071 generate_random_buffer(p->challenge, 8, False);
1073 /*** Authentication info ***/
1075 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL, RPC_HDR_AUTH_LEN, 1);
1076 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1077 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1081 /*** NTLMSSP verifier ***/
1083 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
1084 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
1085 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1089 /* NTLMSSP challenge ***/
1091 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
1092 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
1093 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
1097 /* Auth len in the rpc header doesn't include auth_header. */
1098 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1101 if (p->netsec_auth_validated) {
1102 RPC_AUTH_VERIFIER auth_verifier;
1105 /* The client opens a second RPC NETLOGON pipe without
1106 doing a auth2. The credentials for the schannel are
1107 re-used from the auth2 the client did before. */
1108 p->dc = last_dcinfo;
1110 init_rpc_hdr_auth(&auth_info, NETSEC_AUTH_TYPE, RPC_PIPE_AUTH_SEAL_LEVEL, RPC_HDR_AUTH_LEN, 1);
1111 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
1112 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
1116 /*** NETSEC verifier ***/
1118 init_rpc_auth_verifier(&auth_verifier, "\001", 0x0);
1119 if(!smb_io_rpc_netsec_verifier("", &auth_verifier, &out_auth, 0)) {
1120 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
1124 prs_align(&out_auth);
1127 if(!prs_uint32("flags ", &out_auth, 0, &flags))
1130 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
1134 * Create the header, now we know the length.
1137 init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
1139 RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
1143 * Marshall the header into the outgoing PDU.
1146 if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
1147 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
1152 * Now add the RPC_HDR_BA and any auth needed.
1155 if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
1156 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
1160 if((p->ntlmssp_auth_requested|p->netsec_auth_validated) &&
1161 !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
1162 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
1166 if(!p->ntlmssp_auth_requested)
1167 p->pipe_bound = True;
1170 * Setup the lengths for the initial reply.
1173 p->out_data.data_sent_length = 0;
1174 p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
1175 p->out_data.current_pdu_sent = 0;
1177 prs_mem_free(&out_hdr_ba);
1178 prs_mem_free(&out_auth);
1184 prs_mem_free(&outgoing_rpc);
1185 prs_mem_free(&out_hdr_ba);
1186 prs_mem_free(&out_auth);
1190 /****************************************************************************
1191 Deal with sign & seal processing on an RPC request.
1192 ****************************************************************************/
1194 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
1197 * We always negotiate the following two bits....
1199 BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1200 BOOL auth_seal = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1206 auth_len = p->hdr.auth_len;
1208 if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1209 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1214 * The following is that length of the data we must verify or unseal.
1215 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1216 * preceeding the auth_data.
1219 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1220 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1222 DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1223 BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1227 * The data in rpc_in doesn't contain the RPC_HEADER as this
1228 * has already been consumed.
1230 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1231 dump_data_pw("NTLMSSP hash (v1)\n", p->ntlmssp_hash,
1232 sizeof(p->ntlmssp_hash));
1234 dump_data_pw("Incoming RPC PDU (NTLMSSP sealed)\n",
1236 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1237 dump_data_pw("Incoming RPC PDU (NTLMSSP unsealed)\n",
1239 crc32 = crc32_calc_buffer(data, data_len);
1242 old_offset = prs_offset(rpc_in);
1244 if (auth_seal || auth_verify) {
1245 RPC_HDR_AUTH auth_info;
1247 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1248 DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1249 (unsigned int)old_offset + data_len ));
1253 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1254 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1260 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1261 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1263 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1266 * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1269 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1270 DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1271 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1275 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1276 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1277 DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1281 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1282 DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1288 * Return the current pointer to the data offset.
1291 if(!prs_set_offset(rpc_in, old_offset)) {
1292 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1293 (unsigned int)old_offset ));
1300 /****************************************************************************
1301 Deal with schannel processing on an RPC request.
1302 ****************************************************************************/
1303 BOOL api_pipe_netsec_process(pipes_struct *p, prs_struct *rpc_in)
1306 * We always negotiate the following two bits....
1311 RPC_HDR_AUTH auth_info;
1312 RPC_AUTH_NETSEC_CHK netsec_chk;
1315 auth_len = p->hdr.auth_len;
1317 if (auth_len != RPC_AUTH_NETSEC_CHK_LEN) {
1318 DEBUG(0,("Incorrect auth_len %d.\n", auth_len ));
1323 * The following is that length of the data we must verify or unseal.
1324 * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1325 * preceeding the auth_data.
1328 data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
1329 RPC_HDR_AUTH_LEN - auth_len;
1331 DEBUG(5,("data %d auth %d\n", data_len, auth_len));
1333 old_offset = prs_offset(rpc_in);
1335 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1336 DEBUG(0,("cannot move offset to %u.\n",
1337 (unsigned int)old_offset + data_len ));
1341 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1342 DEBUG(0,("failed to unmarshall RPC_HDR_AUTH.\n"));
1346 if ((auth_info.auth_type != NETSEC_AUTH_TYPE) ||
1347 (auth_info.auth_level != RPC_PIPE_AUTH_SEAL_LEVEL)) {
1348 DEBUG(0,("Invalid auth info %d or level %d on schannel\n",
1349 auth_info.auth_type, auth_info.auth_level));
1353 if(!smb_io_rpc_auth_netsec_chk("", &netsec_chk, rpc_in, 0)) {
1354 DEBUG(0,("failed to unmarshal RPC_AUTH_NETSEC_CHK.\n"));
1358 if (!netsec_decode(&p->netsec_auth,
1359 AUTH_PIPE_NETSEC|AUTH_PIPE_SIGN|AUTH_PIPE_SEAL,
1360 SENDER_IS_INITIATOR,
1362 prs_data_p(rpc_in)+old_offset, data_len)) {
1363 DEBUG(0,("failed to decode PDU\n"));
1368 * Return the current pointer to the data offset.
1371 if(!prs_set_offset(rpc_in, old_offset)) {
1372 DEBUG(0,("failed to set offset back to %u\n",
1373 (unsigned int)old_offset ));
1377 /* The sequence number gets incremented on both send and receive. */
1378 p->netsec_auth.seq_num++;
1383 /****************************************************************************
1384 Return a user struct for a pipe user.
1385 ****************************************************************************/
1387 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1389 if (p->ntlmssp_auth_validated) {
1390 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1392 extern struct current_user current_user;
1393 memcpy(user, ¤t_user, sizeof(struct current_user));
1399 /****************************************************************************
1400 Find the correct RPC function to call for this request.
1401 If the pipe is authenticated then become the correct UNIX user
1402 before doing the call.
1403 ****************************************************************************/
1405 BOOL api_pipe_request(pipes_struct *p)
1410 if (p->ntlmssp_auth_validated) {
1412 if(!become_authenticated_pipe_user(p)) {
1413 prs_mem_free(&p->out_data.rdata);
1418 DEBUG(5, ("Requested \\PIPE\\%s\n", p->name));
1420 for (i = 0; i < rpc_lookup_size; i++) {
1421 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1422 DEBUG(3,("Doing \\PIPE\\%s\n",
1423 rpc_lookup[i].pipe.clnt));
1424 set_current_rpc_talloc(p->mem_ctx);
1425 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1427 rpc_lookup[i].n_cmds);
1428 set_current_rpc_talloc(NULL);
1434 if (i == rpc_lookup_size) {
1435 smb_probe_module("rpc", p->name);
1437 for (i = 0; i < rpc_lookup_size; i++) {
1438 if (strequal(rpc_lookup[i].pipe.clnt, p->name)) {
1439 DEBUG(3,("Doing \\PIPE\\%s\n",
1440 rpc_lookup[i].pipe.clnt));
1441 set_current_rpc_talloc(p->mem_ctx);
1442 ret = api_rpcTNP(p, rpc_lookup[i].pipe.clnt,
1444 rpc_lookup[i].n_cmds);
1445 set_current_rpc_talloc(NULL);
1451 if(p->ntlmssp_auth_validated)
1452 unbecome_authenticated_pipe_user();
1457 /*******************************************************************
1458 Calls the underlying RPC function for a named pipe.
1459 ********************************************************************/
1461 BOOL api_rpcTNP(pipes_struct *p, const char *rpc_name,
1462 const struct api_struct *api_rpc_cmds, int n_cmds)
1466 uint32 offset1, offset2;
1468 /* interpret the command */
1469 DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1471 slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1472 prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1474 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1475 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1476 DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1481 if (fn_num == n_cmds) {
1483 * For an unknown RPC just return a fault PDU but
1484 * return True to allow RPC's on the pipe to continue
1485 * and not put the pipe into fault state. JRA.
1487 DEBUG(4, ("unknown\n"));
1488 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1492 offset1 = prs_offset(&p->out_data.rdata);
1494 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1495 fn_num, api_rpc_cmds[fn_num].fn));
1496 /* do the actual command */
1497 if(!api_rpc_cmds[fn_num].fn(p)) {
1498 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1499 prs_mem_free(&p->out_data.rdata);
1503 if (p->bad_handle_fault_state) {
1504 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1505 p->bad_handle_fault_state = False;
1506 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1510 slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1511 offset2 = prs_offset(&p->out_data.rdata);
1512 prs_set_offset(&p->out_data.rdata, offset1);
1513 prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1514 prs_set_offset(&p->out_data.rdata, offset2);
1516 DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1518 /* Check for buffer underflow in rpc parsing */
1520 if ((DEBUGLEVEL >= 10) &&
1521 (prs_offset(&p->in_data.data) != prs_data_size(&p->in_data.data))) {
1522 size_t data_len = prs_data_size(&p->in_data.data) - prs_offset(&p->in_data.data);
1525 data = malloc(data_len);
1527 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1529 prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data, (uint32)data_len);