2 Unix SMB/CIFS implementation.
3 client transaction calls
4 Copyright (C) Andrew Tridgell 1994-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "libsmb/libsmb.h"
22 #include "../lib/util/tevent_ntstatus.h"
23 #include "async_smb.h"
25 struct trans_recvblob {
27 uint32_t max, total, received;
30 struct cli_trans_state {
31 struct cli_state *cli;
32 struct tevent_context *ev;
35 const char *pipe_name;
36 uint8_t *pipe_name_conv;
37 size_t pipe_name_conv_len;
42 uint8_t num_setup, max_setup;
44 uint32_t num_param, param_sent;
46 uint32_t num_data, data_sent;
50 struct trans_recvblob rparam;
51 struct trans_recvblob rdata;
59 struct tevent_req *primary_subreq;
62 static void cli_trans_cleanup_primary(struct cli_trans_state *state)
64 if (state->primary_subreq) {
65 cli_smb_req_set_mid(state->primary_subreq, 0);
66 cli_smb_req_unset_pending(state->primary_subreq);
67 TALLOC_FREE(state->primary_subreq);
71 static int cli_trans_state_destructor(struct cli_trans_state *state)
73 cli_trans_cleanup_primary(state);
77 static NTSTATUS cli_pull_trans(uint8_t *inbuf,
78 uint8_t wct, uint16_t *vwv,
79 uint16_t num_bytes, uint8_t *bytes,
80 uint8_t smb_cmd, bool expect_first_reply,
81 uint8_t *pnum_setup, uint16_t **psetup,
82 uint32_t *ptotal_param, uint32_t *pnum_param,
83 uint32_t *pparam_disp, uint8_t **pparam,
84 uint32_t *ptotal_data, uint32_t *pnum_data,
85 uint32_t *pdata_disp, uint8_t **pdata)
87 uint32_t param_ofs, data_ofs;
88 uint8_t expected_num_setup;
90 if (expect_first_reply) {
91 if ((wct != 0) || (num_bytes != 0)) {
92 return NT_STATUS_INVALID_NETWORK_RESPONSE;
101 return NT_STATUS_INVALID_NETWORK_RESPONSE;
103 expected_num_setup = wct - 10;
104 *ptotal_param = SVAL(vwv + 0, 0);
105 *ptotal_data = SVAL(vwv + 1, 0);
106 *pnum_param = SVAL(vwv + 3, 0);
107 param_ofs = SVAL(vwv + 4, 0);
108 *pparam_disp = SVAL(vwv + 5, 0);
109 *pnum_data = SVAL(vwv + 6, 0);
110 data_ofs = SVAL(vwv + 7, 0);
111 *pdata_disp = SVAL(vwv + 8, 0);
112 *pnum_setup = CVAL(vwv + 9, 0);
113 if (expected_num_setup < (*pnum_setup)) {
114 return NT_STATUS_INVALID_NETWORK_RESPONSE;
121 return NT_STATUS_INVALID_NETWORK_RESPONSE;
123 expected_num_setup = wct - 18;
124 *ptotal_param = IVAL(vwv, 3);
125 *ptotal_data = IVAL(vwv, 7);
126 *pnum_param = IVAL(vwv, 11);
127 param_ofs = IVAL(vwv, 15);
128 *pparam_disp = IVAL(vwv, 19);
129 *pnum_data = IVAL(vwv, 23);
130 data_ofs = IVAL(vwv, 27);
131 *pdata_disp = IVAL(vwv, 31);
132 *pnum_setup = CVAL(vwv, 35);
133 if (expected_num_setup < (*pnum_setup)) {
134 return NT_STATUS_INVALID_NETWORK_RESPONSE;
140 return NT_STATUS_INTERNAL_ERROR;
144 * Check for buffer overflows. data_ofs needs to be checked against
145 * the incoming buffer length, data_disp against the total
146 * length. Likewise for param_ofs/param_disp.
149 if (smb_buffer_oob(smb_len_nbt(inbuf), param_ofs, *pnum_param)
150 || smb_buffer_oob(*ptotal_param, *pparam_disp, *pnum_param)
151 || smb_buffer_oob(smb_len_nbt(inbuf), data_ofs, *pnum_data)
152 || smb_buffer_oob(*ptotal_data, *pdata_disp, *pnum_data)) {
153 return NT_STATUS_INVALID_NETWORK_RESPONSE;
156 *pparam = (uint8_t *)inbuf + 4 + param_ofs;
157 *pdata = (uint8_t *)inbuf + 4 + data_ofs;
162 static NTSTATUS cli_trans_pull_blob(TALLOC_CTX *mem_ctx,
163 struct trans_recvblob *blob,
164 uint32_t total, uint32_t thistime,
165 uint8_t *buf, uint32_t displacement)
167 if (blob->data == NULL) {
168 if (total > blob->max) {
169 return NT_STATUS_INVALID_NETWORK_RESPONSE;
172 blob->data = talloc_array(mem_ctx, uint8_t, total);
173 if (blob->data == NULL) {
174 return NT_STATUS_NO_MEMORY;
178 if (total > blob->total) {
179 return NT_STATUS_INVALID_NETWORK_RESPONSE;
183 memcpy(blob->data + displacement, buf, thistime);
184 blob->received += thistime;
190 static void cli_trans_format(struct cli_trans_state *state, uint8_t *pwct,
193 struct cli_state *cli = state->cli;
195 struct iovec *iov = state->iov;
196 uint8_t *pad = state->pad;
197 uint16_t *vwv = state->vwv;
198 uint32_t param_offset;
199 uint32_t this_param = 0;
201 uint32_t data_offset;
202 uint32_t this_data = 0;
204 uint32_t useable_space;
209 if ((state->param_sent != 0) || (state->data_sent != 0)) {
210 /* The secondary commands are one after the primary ones */
214 param_offset = MIN_SMB_SIZE;
218 if (cli_ucs2(state->cli)) {
220 iov[0].iov_base = (void *)pad;
225 iov[0].iov_base = (void *)state->pipe_name_conv;
226 iov[0].iov_len = state->pipe_name_conv_len;
227 wct = 14 + state->num_setup;
228 param_offset += iov[0].iov_len;
233 pad[1] = 'D'; /* Copy this from "old" 3.0 behaviour */
235 iov[0].iov_base = (void *)pad;
237 wct = 14 + state->num_setup;
248 wct = 19 + state->num_setup;
255 param_offset += wct * sizeof(uint16_t);
256 useable_space = cli_state_available_size(cli, param_offset);
258 param_pad = param_offset % 4;
260 param_pad = MIN(param_pad, useable_space);
261 iov[0].iov_base = (void *)state->zero_pad;
262 iov[0].iov_len = param_pad;
264 param_offset += param_pad;
266 useable_space = cli_state_available_size(cli, param_offset);
268 if (state->param_sent < state->num_param) {
269 this_param = MIN(state->num_param - state->param_sent,
271 iov[0].iov_base = (void *)(state->param + state->param_sent);
272 iov[0].iov_len = this_param;
276 data_offset = param_offset + this_param;
277 useable_space = cli_state_available_size(cli, data_offset);
279 data_pad = data_offset % 4;
281 data_pad = MIN(data_pad, useable_space);
282 iov[0].iov_base = (void *)state->zero_pad;
283 iov[0].iov_len = data_pad;
285 data_offset += data_pad;
287 useable_space = cli_state_available_size(cli, data_offset);
289 if (state->data_sent < state->num_data) {
290 this_data = MIN(state->num_data - state->data_sent,
292 iov[0].iov_base = (void *)(state->data + state->data_sent);
293 iov[0].iov_len = this_data;
297 DEBUG(10, ("num_setup=%u, max_setup=%u, "
298 "param_total=%u, this_param=%u, max_param=%u, "
299 "data_total=%u, this_data=%u, max_data=%u, "
300 "param_offset=%u, param_pad=%u, param_disp=%u, "
301 "data_offset=%u, data_pad=%u, data_disp=%u\n",
302 (unsigned)state->num_setup, (unsigned)state->max_setup,
303 (unsigned)state->num_param, (unsigned)this_param,
304 (unsigned)state->rparam.max,
305 (unsigned)state->num_data, (unsigned)this_data,
306 (unsigned)state->rdata.max,
307 (unsigned)param_offset, (unsigned)param_pad,
308 (unsigned)state->param_sent,
309 (unsigned)data_offset, (unsigned)data_pad,
310 (unsigned)state->data_sent));
315 SSVAL(vwv + 0, 0, state->num_param);
316 SSVAL(vwv + 1, 0, state->num_data);
317 SSVAL(vwv + 2, 0, state->rparam.max);
318 SSVAL(vwv + 3, 0, state->rdata.max);
319 SCVAL(vwv + 4, 0, state->max_setup);
320 SCVAL(vwv + 4, 1, 0); /* reserved */
321 SSVAL(vwv + 5, 0, state->flags);
322 SIVAL(vwv + 6, 0, 0); /* timeout */
323 SSVAL(vwv + 8, 0, 0); /* reserved */
324 SSVAL(vwv + 9, 0, this_param);
325 SSVAL(vwv +10, 0, param_offset);
326 SSVAL(vwv +11, 0, this_data);
327 SSVAL(vwv +12, 0, data_offset);
328 SCVAL(vwv +13, 0, state->num_setup);
329 SCVAL(vwv +13, 1, 0); /* reserved */
330 memcpy(vwv + 14, state->setup,
331 sizeof(uint16_t) * state->num_setup);
335 SSVAL(vwv + 0, 0, state->num_param);
336 SSVAL(vwv + 1, 0, state->num_data);
337 SSVAL(vwv + 2, 0, this_param);
338 SSVAL(vwv + 3, 0, param_offset);
339 SSVAL(vwv + 4, 0, state->param_sent);
340 SSVAL(vwv + 5, 0, this_data);
341 SSVAL(vwv + 6, 0, data_offset);
342 SSVAL(vwv + 7, 0, state->data_sent);
343 if (cmd == SMBtranss2) {
344 SSVAL(vwv + 8, 0, state->fid);
348 SCVAL(vwv + 0, 0, state->max_setup);
349 SSVAL(vwv + 0, 1, 0); /* reserved */
350 SIVAL(vwv + 1, 1, state->num_param);
351 SIVAL(vwv + 3, 1, state->num_data);
352 SIVAL(vwv + 5, 1, state->rparam.max);
353 SIVAL(vwv + 7, 1, state->rdata.max);
354 SIVAL(vwv + 9, 1, this_param);
355 SIVAL(vwv +11, 1, param_offset);
356 SIVAL(vwv +13, 1, this_data);
357 SIVAL(vwv +15, 1, data_offset);
358 SCVAL(vwv +17, 1, state->num_setup);
359 SSVAL(vwv +18, 0, state->function);
360 memcpy(vwv + 19, state->setup,
361 sizeof(uint16_t) * state->num_setup);
364 SSVAL(vwv + 0, 0, 0); /* reserved */
365 SCVAL(vwv + 1, 0, 0); /* reserved */
366 SIVAL(vwv + 1, 1, state->num_param);
367 SIVAL(vwv + 3, 1, state->num_data);
368 SIVAL(vwv + 5, 1, this_param);
369 SIVAL(vwv + 7, 1, param_offset);
370 SIVAL(vwv + 9, 1, state->param_sent);
371 SIVAL(vwv +11, 1, this_data);
372 SIVAL(vwv +13, 1, data_offset);
373 SIVAL(vwv +15, 1, state->data_sent);
374 SCVAL(vwv +17, 1, 0); /* reserved */
378 state->param_sent += this_param;
379 state->data_sent += this_data;
382 *piov_count = iov - state->iov;
385 static void cli_trans_done(struct tevent_req *subreq);
387 struct tevent_req *cli_trans_send(
388 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
389 struct cli_state *cli, uint8_t cmd,
390 const char *pipe_name, uint16_t fid, uint16_t function, int flags,
391 uint16_t *setup, uint8_t num_setup, uint8_t max_setup,
392 uint8_t *param, uint32_t num_param, uint32_t max_param,
393 uint8_t *data, uint32_t num_data, uint32_t max_data)
395 struct tevent_req *req, *subreq;
396 struct cli_trans_state *state;
401 req = tevent_req_create(mem_ctx, &state, struct cli_trans_state);
406 if ((cmd == SMBtrans) || (cmd == SMBtrans2)) {
407 if ((num_param > 0xffff) || (max_param > 0xffff)
408 || (num_data > 0xffff) || (max_data > 0xffff)) {
409 DEBUG(3, ("Attempt to send invalid trans2 request "
410 "(setup %u, params %u/%u, data %u/%u)\n",
412 (unsigned)num_param, (unsigned)max_param,
413 (unsigned)num_data, (unsigned)max_data));
414 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
415 return tevent_req_post(req, ev);
420 * The largest wct will be for nttrans (19+num_setup). Make sure we
421 * don't overflow state->vwv in cli_trans_format.
424 if ((num_setup + 19) > ARRAY_SIZE(state->vwv)) {
425 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
426 return tevent_req_post(req, ev);
432 state->flags = flags;
433 state->num_rsetup = 0;
434 state->rsetup = NULL;
435 ZERO_STRUCT(state->rparam);
436 ZERO_STRUCT(state->rdata);
438 if ((pipe_name != NULL)
439 && (!convert_string_talloc(state, CH_UNIX,
440 cli_ucs2(cli) ? CH_UTF16LE : CH_DOS,
441 pipe_name, strlen(pipe_name) + 1,
442 &state->pipe_name_conv,
443 &state->pipe_name_conv_len))) {
444 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
445 return tevent_req_post(req, ev);
447 state->fid = fid; /* trans2 */
448 state->function = function; /* nttrans */
450 state->setup = setup;
451 state->num_setup = num_setup;
452 state->max_setup = max_setup;
454 state->param = param;
455 state->num_param = num_param;
456 state->param_sent = 0;
457 state->rparam.max = max_param;
460 state->num_data = num_data;
461 state->data_sent = 0;
462 state->rdata.max = max_data;
464 cli_trans_format(state, &wct, &iov_count);
466 subreq = cli_smb_req_create(state, ev, cli, cmd, 0, wct, state->vwv,
467 iov_count, state->iov);
468 if (tevent_req_nomem(subreq, req)) {
469 return tevent_req_post(req, ev);
471 status = cli_smb_req_send(subreq);
472 if (!NT_STATUS_IS_OK(status)) {
473 tevent_req_nterror(req, status);
474 return tevent_req_post(req, state->ev);
476 tevent_req_set_callback(subreq, cli_trans_done, req);
479 * Now get the MID of the primary request
480 * and mark it as persistent. This means
481 * we will able to send and receive multiple
482 * SMB pdus using this MID in both directions
483 * (including correct SMB signing).
485 state->mid = cli_smb_req_mid(subreq);
486 cli_smb_req_set_mid(subreq, state->mid);
487 state->primary_subreq = subreq;
488 talloc_set_destructor(state, cli_trans_state_destructor);
493 static void cli_trans_done2(struct tevent_req *subreq);
495 static void cli_trans_done(struct tevent_req *subreq)
497 struct tevent_req *req = tevent_req_callback_data(
498 subreq, struct tevent_req);
499 struct cli_trans_state *state = tevent_req_data(
500 req, struct cli_trans_state);
503 const uint8_t *inhdr;
509 uint8_t num_setup = 0;
510 uint16_t *setup = NULL;
511 uint32_t total_param = 0;
512 uint32_t num_param = 0;
513 uint32_t param_disp = 0;
514 uint32_t total_data = 0;
515 uint32_t num_data = 0;
516 uint32_t data_disp = 0;
517 uint8_t *param = NULL;
518 uint8_t *data = NULL;
520 status = cli_smb_recv(subreq, state, &inbuf, 0, &wct, &vwv,
523 * Do not TALLOC_FREE(subreq) here, we might receive more than
524 * one response for the same mid.
528 * We can receive something like STATUS_MORE_ENTRIES, so don't use
529 * !NT_STATUS_IS_OK(status) here.
532 if (NT_STATUS_IS_ERR(status)) {
535 inhdr = inbuf + NBT_HDR_SIZE;
537 sent_all = ((state->param_sent == state->num_param)
538 && (state->data_sent == state->num_data));
540 status = cli_pull_trans(
541 inbuf, wct, vwv, num_bytes, bytes,
542 state->cmd, !sent_all, &num_setup, &setup,
543 &total_param, &num_param, ¶m_disp, ¶m,
544 &total_data, &num_data, &data_disp, &data);
546 if (!NT_STATUS_IS_OK(status)) {
552 struct tevent_req *subreq2;
554 cli_trans_format(state, &wct, &iov_count);
556 subreq2 = cli_smb_req_create(state, state->ev, state->cli,
557 state->cmd + 1, 0, wct, state->vwv,
558 iov_count, state->iov);
559 if (tevent_req_nomem(subreq2, req)) {
562 cli_smb_req_set_mid(subreq2, state->mid);
564 status = cli_smb_req_send(subreq2);
566 if (!NT_STATUS_IS_OK(status)) {
569 tevent_req_set_callback(subreq2, cli_trans_done2, req);
574 status = cli_trans_pull_blob(
575 state, &state->rparam, total_param, num_param, param,
578 if (!NT_STATUS_IS_OK(status)) {
579 DEBUG(10, ("Pulling params failed: %s\n", nt_errstr(status)));
583 status = cli_trans_pull_blob(
584 state, &state->rdata, total_data, num_data, data,
587 if (!NT_STATUS_IS_OK(status)) {
588 DEBUG(10, ("Pulling data failed: %s\n", nt_errstr(status)));
592 if ((state->rparam.total == state->rparam.received)
593 && (state->rdata.total == state->rdata.received)) {
594 state->recv_flags2 = SVAL(inhdr, HDR_FLG2);
595 cli_trans_cleanup_primary(state);
596 tevent_req_done(req);
605 cli_trans_cleanup_primary(state);
606 tevent_req_nterror(req, status);
609 static void cli_trans_done2(struct tevent_req *subreq2)
611 struct tevent_req *req = tevent_req_callback_data(
612 subreq2, struct tevent_req);
613 struct cli_trans_state *state = tevent_req_data(
614 req, struct cli_trans_state);
621 * First backup the seqnum of the secondary request
622 * and attach it to the primary request.
624 seqnum = cli_smb_req_seqnum(subreq2);
625 cli_smb_req_set_seqnum(state->primary_subreq, seqnum);
627 status = cli_smb_recv(subreq2, state, NULL, 0, &wct, NULL,
629 TALLOC_FREE(subreq2);
631 if (!NT_STATUS_IS_OK(status)) {
636 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
640 sent_all = ((state->param_sent == state->num_param)
641 && (state->data_sent == state->num_data));
646 cli_trans_format(state, &wct, &iov_count);
648 subreq2 = cli_smb_req_create(state, state->ev, state->cli,
649 state->cmd + 1, 0, wct, state->vwv,
650 iov_count, state->iov);
651 if (tevent_req_nomem(subreq2, req)) {
654 cli_smb_req_set_mid(subreq2, state->mid);
656 status = cli_smb_req_send(subreq2);
658 if (!NT_STATUS_IS_OK(status)) {
661 tevent_req_set_callback(subreq2, cli_trans_done2, req);
668 cli_trans_cleanup_primary(state);
669 tevent_req_nterror(req, status);
672 NTSTATUS cli_trans_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
673 uint16_t *recv_flags2,
674 uint16_t **setup, uint8_t min_setup,
676 uint8_t **param, uint32_t min_param,
678 uint8_t **data, uint32_t min_data,
681 struct cli_trans_state *state = tevent_req_data(
682 req, struct cli_trans_state);
685 cli_trans_cleanup_primary(state);
687 if (tevent_req_is_nterror(req, &status)) {
691 if ((state->num_rsetup < min_setup)
692 || (state->rparam.total < min_param)
693 || (state->rdata.total < min_data)) {
694 return NT_STATUS_INVALID_NETWORK_RESPONSE;
697 if (recv_flags2 != NULL) {
698 *recv_flags2 = state->recv_flags2;
702 *setup = talloc_move(mem_ctx, &state->rsetup);
703 *num_setup = state->num_rsetup;
705 TALLOC_FREE(state->rsetup);
709 *param = talloc_move(mem_ctx, &state->rparam.data);
710 *num_param = state->rparam.total;
712 TALLOC_FREE(state->rparam.data);
716 *data = talloc_move(mem_ctx, &state->rdata.data);
717 *num_data = state->rdata.total;
719 TALLOC_FREE(state->rdata.data);
725 NTSTATUS cli_trans(TALLOC_CTX *mem_ctx, struct cli_state *cli,
727 const char *pipe_name, uint16_t fid, uint16_t function,
729 uint16_t *setup, uint8_t num_setup, uint8_t max_setup,
730 uint8_t *param, uint32_t num_param, uint32_t max_param,
731 uint8_t *data, uint32_t num_data, uint32_t max_data,
732 uint16_t *recv_flags2,
733 uint16_t **rsetup, uint8_t min_rsetup, uint8_t *num_rsetup,
734 uint8_t **rparam, uint32_t min_rparam, uint32_t *num_rparam,
735 uint8_t **rdata, uint32_t min_rdata, uint32_t *num_rdata)
737 TALLOC_CTX *frame = talloc_stackframe();
738 struct tevent_context *ev;
739 struct tevent_req *req;
740 NTSTATUS status = NT_STATUS_OK;
742 if (cli_has_async_calls(cli)) {
744 * Can't use sync call while an async call is in flight
746 status = NT_STATUS_INVALID_PARAMETER;
750 ev = tevent_context_init(frame);
752 status = NT_STATUS_NO_MEMORY;
756 req = cli_trans_send(frame, ev, cli, trans_cmd,
757 pipe_name, fid, function, flags,
758 setup, num_setup, max_setup,
759 param, num_param, max_param,
760 data, num_data, max_data);
762 status = NT_STATUS_NO_MEMORY;
766 if (!tevent_req_poll(req, ev)) {
767 status = map_nt_error_from_unix_common(errno);
771 status = cli_trans_recv(req, mem_ctx, recv_flags2,
772 rsetup, min_rsetup, num_rsetup,
773 rparam, min_rparam, num_rparam,
774 rdata, min_rdata, num_rdata);