s3: Make "init_smb_request" static to process.c
[ira/wip.git] / source3 / smbd / process.c
1 /* 
2    Unix SMB/CIFS implementation.
3    process incoming packets - main loop
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Volker Lendecke 2005-2007
6    
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11    
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16    
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/globals.h"
23 #include "../librpc/gen_ndr/srv_dfs.h"
24 #include "../librpc/gen_ndr/srv_dssetup.h"
25 #include "../librpc/gen_ndr/srv_echo.h"
26 #include "../librpc/gen_ndr/srv_eventlog.h"
27 #include "../librpc/gen_ndr/srv_initshutdown.h"
28 #include "../librpc/gen_ndr/srv_lsa.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30 #include "../librpc/gen_ndr/srv_ntsvcs.h"
31 #include "../librpc/gen_ndr/srv_samr.h"
32 #include "../librpc/gen_ndr/srv_spoolss.h"
33 #include "../librpc/gen_ndr/srv_srvsvc.h"
34 #include "../librpc/gen_ndr/srv_svcctl.h"
35 #include "../librpc/gen_ndr/srv_winreg.h"
36 #include "../librpc/gen_ndr/srv_wkssvc.h"
37
38 extern bool global_machine_password_needs_changing;
39
40 static void construct_reply_common(struct smb_request *req, const char *inbuf,
41                                    char *outbuf);
42
43 /* Accessor function for smb_read_error for smbd functions. */
44
45 /****************************************************************************
46  Send an smb to a fd.
47 ****************************************************************************/
48
49 bool srv_send_smb(int fd, char *buffer,
50                   bool do_signing, uint32_t seqnum,
51                   bool do_encrypt,
52                   struct smb_perfcount_data *pcd)
53 {
54         size_t len = 0;
55         size_t nwritten=0;
56         ssize_t ret;
57         char *buf_out = buffer;
58
59         if (do_signing) {
60                 /* Sign the outgoing packet if required. */
61                 srv_calculate_sign_mac(smbd_server_conn, buf_out, seqnum);
62         }
63
64         if (do_encrypt) {
65                 NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
66                 if (!NT_STATUS_IS_OK(status)) {
67                         DEBUG(0, ("send_smb: SMB encryption failed "
68                                 "on outgoing packet! Error %s\n",
69                                 nt_errstr(status) ));
70                         goto out;
71                 }
72         }
73
74         len = smb_len(buf_out) + 4;
75
76         ret = write_data(fd,buf_out+nwritten,len - nwritten);
77         if (ret <= 0) {
78                 DEBUG(0,("Error writing %d bytes to client. %d. (%s)\n",
79                          (int)len,(int)ret, strerror(errno) ));
80                 srv_free_enc_buffer(buf_out);
81                 goto out;
82         }
83
84         SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
85         srv_free_enc_buffer(buf_out);
86 out:
87         SMB_PERFCOUNT_END(pcd);
88         return true;
89 }
90
91 /*******************************************************************
92  Setup the word count and byte count for a smb message.
93 ********************************************************************/
94
95 int srv_set_message(char *buf,
96                         int num_words,
97                         int num_bytes,
98                         bool zero)
99 {
100         if (zero && (num_words || num_bytes)) {
101                 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
102         }
103         SCVAL(buf,smb_wct,num_words);
104         SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
105         smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
106         return (smb_size + num_words*2 + num_bytes);
107 }
108
109 static bool valid_smb_header(const uint8_t *inbuf)
110 {
111         if (is_encrypted_packet(inbuf)) {
112                 return true;
113         }
114         /*
115          * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
116          * but it just looks weird to call strncmp for this one.
117          */
118         return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
119 }
120
121 /* Socket functions for smbd packet processing. */
122
123 static bool valid_packet_size(size_t len)
124 {
125         /*
126          * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
127          * of header. Don't print the error if this fits.... JRA.
128          */
129
130         if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
131                 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
132                                         (unsigned long)len));
133                 return false;
134         }
135         return true;
136 }
137
138 static NTSTATUS read_packet_remainder(int fd, char *buffer,
139                                       unsigned int timeout, ssize_t len)
140 {
141         if (len <= 0) {
142                 return NT_STATUS_OK;
143         }
144
145         return read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
146 }
147
148 /****************************************************************************
149  Attempt a zerocopy writeX read. We know here that len > smb_size-4
150 ****************************************************************************/
151
152 /*
153  * Unfortunately, earlier versions of smbclient/libsmbclient
154  * don't send this "standard" writeX header. I've fixed this
155  * for 3.2 but we'll use the old method with earlier versions.
156  * Windows and CIFSFS at least use this standard size. Not
157  * sure about MacOSX.
158  */
159
160 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
161                                 (2*14) + /* word count (including bcc) */ \
162                                 1 /* pad byte */)
163
164 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
165                                                     const char lenbuf[4],
166                                                     int fd, char **buffer,
167                                                     unsigned int timeout,
168                                                     size_t *p_unread,
169                                                     size_t *len_ret)
170 {
171         /* Size of a WRITEX call (+4 byte len). */
172         char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
173         ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
174         ssize_t toread;
175         NTSTATUS status;
176
177         memcpy(writeX_header, lenbuf, 4);
178
179         status = read_fd_with_timeout(
180                 fd, writeX_header + 4,
181                 STANDARD_WRITE_AND_X_HEADER_SIZE,
182                 STANDARD_WRITE_AND_X_HEADER_SIZE,
183                 timeout, NULL);
184
185         if (!NT_STATUS_IS_OK(status)) {
186                 return status;
187         }
188
189         /*
190          * Ok - now try and see if this is a possible
191          * valid writeX call.
192          */
193
194         if (is_valid_writeX_buffer((uint8_t *)writeX_header)) {
195                 /*
196                  * If the data offset is beyond what
197                  * we've read, drain the extra bytes.
198                  */
199                 uint16_t doff = SVAL(writeX_header,smb_vwv11);
200                 ssize_t newlen;
201
202                 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
203                         size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
204                         if (drain_socket(smbd_server_fd(), drain) != drain) {
205                                 smb_panic("receive_smb_raw_talloc_partial_read:"
206                                         " failed to drain pending bytes");
207                         }
208                 } else {
209                         doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
210                 }
211
212                 /* Spoof down the length and null out the bcc. */
213                 set_message_bcc(writeX_header, 0);
214                 newlen = smb_len(writeX_header);
215
216                 /* Copy the header we've written. */
217
218                 *buffer = (char *)TALLOC_MEMDUP(mem_ctx,
219                                 writeX_header,
220                                 sizeof(writeX_header));
221
222                 if (*buffer == NULL) {
223                         DEBUG(0, ("Could not allocate inbuf of length %d\n",
224                                   (int)sizeof(writeX_header)));
225                         return NT_STATUS_NO_MEMORY;
226                 }
227
228                 /* Work out the remaining bytes. */
229                 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
230                 *len_ret = newlen + 4;
231                 return NT_STATUS_OK;
232         }
233
234         if (!valid_packet_size(len)) {
235                 return NT_STATUS_INVALID_PARAMETER;
236         }
237
238         /*
239          * Not a valid writeX call. Just do the standard
240          * talloc and return.
241          */
242
243         *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
244
245         if (*buffer == NULL) {
246                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
247                           (int)len+4));
248                 return NT_STATUS_NO_MEMORY;
249         }
250
251         /* Copy in what we already read. */
252         memcpy(*buffer,
253                 writeX_header,
254                 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
255         toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
256
257         if(toread > 0) {
258                 status = read_packet_remainder(
259                         fd, (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
260                         timeout, toread);
261
262                 if (!NT_STATUS_IS_OK(status)) {
263                         DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
264                                    nt_errstr(status)));
265                         return status;
266                 }
267         }
268
269         *len_ret = len + 4;
270         return NT_STATUS_OK;
271 }
272
273 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx, int fd,
274                                        char **buffer, unsigned int timeout,
275                                        size_t *p_unread, size_t *plen)
276 {
277         char lenbuf[4];
278         size_t len;
279         int min_recv_size = lp_min_receive_file_size();
280         NTSTATUS status;
281
282         *p_unread = 0;
283
284         status = read_smb_length_return_keepalive(fd, lenbuf, timeout, &len);
285         if (!NT_STATUS_IS_OK(status)) {
286                 DEBUG(10, ("receive_smb_raw: %s\n", nt_errstr(status)));
287                 return status;
288         }
289
290         if (CVAL(lenbuf,0) == 0 && min_recv_size &&
291             (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
292                 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
293             !srv_is_signing_active(smbd_server_conn)) {
294
295                 return receive_smb_raw_talloc_partial_read(
296                         mem_ctx, lenbuf, fd, buffer, timeout, p_unread, plen);
297         }
298
299         if (!valid_packet_size(len)) {
300                 return NT_STATUS_INVALID_PARAMETER;
301         }
302
303         /*
304          * The +4 here can't wrap, we've checked the length above already.
305          */
306
307         *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
308
309         if (*buffer == NULL) {
310                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
311                           (int)len+4));
312                 return NT_STATUS_NO_MEMORY;
313         }
314
315         memcpy(*buffer, lenbuf, sizeof(lenbuf));
316
317         status = read_packet_remainder(fd, (*buffer)+4, timeout, len);
318         if (!NT_STATUS_IS_OK(status)) {
319                 return status;
320         }
321
322         *plen = len + 4;
323         return NT_STATUS_OK;
324 }
325
326 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
327                                    char **buffer, unsigned int timeout,
328                                    size_t *p_unread, bool *p_encrypted,
329                                    size_t *p_len,
330                                    uint32_t *seqnum)
331 {
332         size_t len = 0;
333         NTSTATUS status;
334
335         *p_encrypted = false;
336
337         status = receive_smb_raw_talloc(mem_ctx, fd, buffer, timeout,
338                                         p_unread, &len);
339         if (!NT_STATUS_IS_OK(status)) {
340                 return status;
341         }
342
343         if (is_encrypted_packet((uint8_t *)*buffer)) {
344                 status = srv_decrypt_buffer(*buffer);
345                 if (!NT_STATUS_IS_OK(status)) {
346                         DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
347                                 "incoming packet! Error %s\n",
348                                 nt_errstr(status) ));
349                         return status;
350                 }
351                 *p_encrypted = true;
352         }
353
354         /* Check the incoming SMB signature. */
355         if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) {
356                 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
357                           "incoming packet!\n"));
358                 return NT_STATUS_INVALID_NETWORK_RESPONSE;
359         }
360
361         *p_len = len;
362         return NT_STATUS_OK;
363 }
364
365 /*
366  * Initialize a struct smb_request from an inbuf
367  */
368
369 static void init_smb_request(struct smb_request *req, const uint8 *inbuf,
370                              size_t unread_bytes, bool encrypted)
371 {
372         struct smbd_server_connection *sconn = smbd_server_conn;
373         size_t req_size = smb_len(inbuf) + 4;
374         /* Ensure we have at least smb_size bytes. */
375         if (req_size < smb_size) {
376                 DEBUG(0,("init_smb_request: invalid request size %u\n",
377                         (unsigned int)req_size ));
378                 exit_server_cleanly("Invalid SMB request");
379         }
380         req->cmd    = CVAL(inbuf, smb_com);
381         req->flags2 = SVAL(inbuf, smb_flg2);
382         req->smbpid = SVAL(inbuf, smb_pid);
383         req->mid    = SVAL(inbuf, smb_mid);
384         req->seqnum = 0;
385         req->vuid   = SVAL(inbuf, smb_uid);
386         req->tid    = SVAL(inbuf, smb_tid);
387         req->wct    = CVAL(inbuf, smb_wct);
388         req->vwv    = (uint16_t *)(inbuf+smb_vwv);
389         req->buflen = smb_buflen(inbuf);
390         req->buf    = (const uint8_t *)smb_buf(inbuf);
391         req->unread_bytes = unread_bytes;
392         req->encrypted = encrypted;
393         req->conn = conn_find(sconn,req->tid);
394         req->chain_fsp = NULL;
395         req->chain_outbuf = NULL;
396         req->done = false;
397         smb_init_perfcount_data(&req->pcd);
398
399         /* Ensure we have at least wct words and 2 bytes of bcc. */
400         if (smb_size + req->wct*2 > req_size) {
401                 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
402                         (unsigned int)req->wct,
403                         (unsigned int)req_size));
404                 exit_server_cleanly("Invalid SMB request");
405         }
406         /* Ensure bcc is correct. */
407         if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
408                 DEBUG(0,("init_smb_request: invalid bcc number %u "
409                         "(wct = %u, size %u)\n",
410                         (unsigned int)req->buflen,
411                         (unsigned int)req->wct,
412                         (unsigned int)req_size));
413                 exit_server_cleanly("Invalid SMB request");
414         }
415
416         req->outbuf = NULL;
417 }
418
419 static void process_smb(struct smbd_server_connection *conn,
420                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
421                         uint32_t seqnum, bool encrypted,
422                         struct smb_perfcount_data *deferred_pcd);
423
424 static void smbd_deferred_open_timer(struct event_context *ev,
425                                      struct timed_event *te,
426                                      struct timeval _tval,
427                                      void *private_data)
428 {
429         struct pending_message_list *msg = talloc_get_type(private_data,
430                                            struct pending_message_list);
431         TALLOC_CTX *mem_ctx = talloc_tos();
432         uint16_t mid = SVAL(msg->buf.data,smb_mid);
433         uint8_t *inbuf;
434
435         inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
436                                          msg->buf.length);
437         if (inbuf == NULL) {
438                 exit_server("smbd_deferred_open_timer: talloc failed\n");
439                 return;
440         }
441
442         /* We leave this message on the queue so the open code can
443            know this is a retry. */
444         DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n",
445                 (unsigned int)mid ));
446
447         /* Mark the message as processed so this is not
448          * re-processed in error. */
449         msg->processed = true;
450
451         process_smb(smbd_server_conn, inbuf,
452                     msg->buf.length, 0,
453                     msg->seqnum, msg->encrypted, &msg->pcd);
454
455         /* If it's still there and was processed, remove it. */
456         msg = get_open_deferred_message(mid);
457         if (msg && msg->processed) {
458                 remove_deferred_open_smb_message(mid);
459         }
460 }
461
462 /****************************************************************************
463  Function to push a message onto the tail of a linked list of smb messages ready
464  for processing.
465 ****************************************************************************/
466
467 static bool push_queued_message(struct smb_request *req,
468                                 struct timeval request_time,
469                                 struct timeval end_time,
470                                 char *private_data, size_t private_len)
471 {
472         int msg_len = smb_len(req->inbuf) + 4;
473         struct pending_message_list *msg;
474
475         msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
476
477         if(msg == NULL) {
478                 DEBUG(0,("push_message: malloc fail (1)\n"));
479                 return False;
480         }
481
482         msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
483         if(msg->buf.data == NULL) {
484                 DEBUG(0,("push_message: malloc fail (2)\n"));
485                 TALLOC_FREE(msg);
486                 return False;
487         }
488
489         msg->request_time = request_time;
490         msg->seqnum = req->seqnum;
491         msg->encrypted = req->encrypted;
492         msg->processed = false;
493         SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
494
495         if (private_data) {
496                 msg->private_data = data_blob_talloc(msg, private_data,
497                                                      private_len);
498                 if (msg->private_data.data == NULL) {
499                         DEBUG(0,("push_message: malloc fail (3)\n"));
500                         TALLOC_FREE(msg);
501                         return False;
502                 }
503         }
504
505         msg->te = event_add_timed(smbd_event_context(),
506                                   msg,
507                                   end_time,
508                                   smbd_deferred_open_timer,
509                                   msg);
510         if (!msg->te) {
511                 DEBUG(0,("push_message: event_add_timed failed\n"));
512                 TALLOC_FREE(msg);
513                 return false;
514         }
515
516         DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
517
518         DEBUG(10,("push_message: pushed message length %u on "
519                   "deferred_open_queue\n", (unsigned int)msg_len));
520
521         return True;
522 }
523
524 /****************************************************************************
525  Function to delete a sharing violation open message by mid.
526 ****************************************************************************/
527
528 void remove_deferred_open_smb_message(uint16 mid)
529 {
530         struct pending_message_list *pml;
531
532         for (pml = deferred_open_queue; pml; pml = pml->next) {
533                 if (mid == SVAL(pml->buf.data,smb_mid)) {
534                         DEBUG(10,("remove_deferred_open_smb_message: "
535                                   "deleting mid %u len %u\n",
536                                   (unsigned int)mid,
537                                   (unsigned int)pml->buf.length ));
538                         DLIST_REMOVE(deferred_open_queue, pml);
539                         TALLOC_FREE(pml);
540                         return;
541                 }
542         }
543 }
544
545 /****************************************************************************
546  Move a sharing violation open retry message to the front of the list and
547  schedule it for immediate processing.
548 ****************************************************************************/
549
550 void schedule_deferred_open_smb_message(uint16 mid)
551 {
552         struct pending_message_list *pml;
553         int i = 0;
554
555         for (pml = deferred_open_queue; pml; pml = pml->next) {
556                 uint16 msg_mid = SVAL(pml->buf.data,smb_mid);
557
558                 DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++,
559                         (unsigned int)msg_mid ));
560
561                 if (mid == msg_mid) {
562                         struct timed_event *te;
563
564                         if (pml->processed) {
565                                 /* A processed message should not be
566                                  * rescheduled. */
567                                 DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
568                                         "message mid %u was already processed\n",
569                                         msg_mid ));
570                                 continue;
571                         }
572
573                         DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
574                                 mid ));
575
576                         te = event_add_timed(smbd_event_context(),
577                                              pml,
578                                              timeval_zero(),
579                                              smbd_deferred_open_timer,
580                                              pml);
581                         if (!te) {
582                                 DEBUG(10,("schedule_deferred_open_smb_message: "
583                                           "event_add_timed() failed, skipping mid %u\n",
584                                           mid ));
585                         }
586
587                         TALLOC_FREE(pml->te);
588                         pml->te = te;
589                         DLIST_PROMOTE(deferred_open_queue, pml);
590                         return;
591                 }
592         }
593
594         DEBUG(10,("schedule_deferred_open_smb_message: failed to find message mid %u\n",
595                 mid ));
596 }
597
598 /****************************************************************************
599  Return true if this mid is on the deferred queue and was not yet processed.
600 ****************************************************************************/
601
602 bool open_was_deferred(uint16 mid)
603 {
604         struct pending_message_list *pml;
605
606         for (pml = deferred_open_queue; pml; pml = pml->next) {
607                 if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
608                         return True;
609                 }
610         }
611         return False;
612 }
613
614 /****************************************************************************
615  Return the message queued by this mid.
616 ****************************************************************************/
617
618 struct pending_message_list *get_open_deferred_message(uint16 mid)
619 {
620         struct pending_message_list *pml;
621
622         for (pml = deferred_open_queue; pml; pml = pml->next) {
623                 if (SVAL(pml->buf.data,smb_mid) == mid) {
624                         return pml;
625                 }
626         }
627         return NULL;
628 }
629
630 /****************************************************************************
631  Function to push a deferred open smb message onto a linked list of local smb
632  messages ready for processing.
633 ****************************************************************************/
634
635 bool push_deferred_smb_message(struct smb_request *req,
636                                struct timeval request_time,
637                                struct timeval timeout,
638                                char *private_data, size_t priv_len)
639 {
640         struct timeval end_time;
641
642         if (req->unread_bytes) {
643                 DEBUG(0,("push_deferred_smb_message: logic error ! "
644                         "unread_bytes = %u\n",
645                         (unsigned int)req->unread_bytes ));
646                 smb_panic("push_deferred_smb_message: "
647                         "logic error unread_bytes != 0" );
648         }
649
650         end_time = timeval_sum(&request_time, &timeout);
651
652         DEBUG(10,("push_deferred_open_smb_message: pushing message len %u mid %u "
653                   "timeout time [%u.%06u]\n",
654                   (unsigned int) smb_len(req->inbuf)+4, (unsigned int)req->mid,
655                   (unsigned int)end_time.tv_sec,
656                   (unsigned int)end_time.tv_usec));
657
658         return push_queued_message(req, request_time, end_time,
659                                    private_data, priv_len);
660 }
661
662 struct idle_event {
663         struct timed_event *te;
664         struct timeval interval;
665         char *name;
666         bool (*handler)(const struct timeval *now, void *private_data);
667         void *private_data;
668 };
669
670 static void smbd_idle_event_handler(struct event_context *ctx,
671                                     struct timed_event *te,
672                                     struct timeval now,
673                                     void *private_data)
674 {
675         struct idle_event *event =
676                 talloc_get_type_abort(private_data, struct idle_event);
677
678         TALLOC_FREE(event->te);
679
680         DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
681                   event->name, event->te));
682
683         if (!event->handler(&now, event->private_data)) {
684                 DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
685                           event->name, event->te));
686                 /* Don't repeat, delete ourselves */
687                 TALLOC_FREE(event);
688                 return;
689         }
690
691         DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
692                   event->name, event->te));
693
694         event->te = event_add_timed(ctx, event,
695                                     timeval_sum(&now, &event->interval),
696                                     smbd_idle_event_handler, event);
697
698         /* We can't do much but fail here. */
699         SMB_ASSERT(event->te != NULL);
700 }
701
702 struct idle_event *event_add_idle(struct event_context *event_ctx,
703                                   TALLOC_CTX *mem_ctx,
704                                   struct timeval interval,
705                                   const char *name,
706                                   bool (*handler)(const struct timeval *now,
707                                                   void *private_data),
708                                   void *private_data)
709 {
710         struct idle_event *result;
711         struct timeval now = timeval_current();
712
713         result = TALLOC_P(mem_ctx, struct idle_event);
714         if (result == NULL) {
715                 DEBUG(0, ("talloc failed\n"));
716                 return NULL;
717         }
718
719         result->interval = interval;
720         result->handler = handler;
721         result->private_data = private_data;
722
723         if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
724                 DEBUG(0, ("talloc failed\n"));
725                 TALLOC_FREE(result);
726                 return NULL;
727         }
728
729         result->te = event_add_timed(event_ctx, result,
730                                      timeval_sum(&now, &interval),
731                                      smbd_idle_event_handler, result);
732         if (result->te == NULL) {
733                 DEBUG(0, ("event_add_timed failed\n"));
734                 TALLOC_FREE(result);
735                 return NULL;
736         }
737
738         DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
739         return result;
740 }
741
742 static void smbd_sig_term_handler(struct tevent_context *ev,
743                                   struct tevent_signal *se,
744                                   int signum,
745                                   int count,
746                                   void *siginfo,
747                                   void *private_data)
748 {
749         exit_server_cleanly("termination signal");
750 }
751
752 void smbd_setup_sig_term_handler(void)
753 {
754         struct tevent_signal *se;
755
756         se = tevent_add_signal(smbd_event_context(),
757                                smbd_event_context(),
758                                SIGTERM, 0,
759                                smbd_sig_term_handler,
760                                NULL);
761         if (!se) {
762                 exit_server("failed to setup SIGTERM handler");
763         }
764 }
765
766 static void smbd_sig_hup_handler(struct tevent_context *ev,
767                                   struct tevent_signal *se,
768                                   int signum,
769                                   int count,
770                                   void *siginfo,
771                                   void *private_data)
772 {
773         change_to_root_user();
774         DEBUG(1,("Reloading services after SIGHUP\n"));
775         reload_services(False);
776 }
777
778 void smbd_setup_sig_hup_handler(void)
779 {
780         struct tevent_signal *se;
781
782         se = tevent_add_signal(smbd_event_context(),
783                                smbd_event_context(),
784                                SIGHUP, 0,
785                                smbd_sig_hup_handler,
786                                NULL);
787         if (!se) {
788                 exit_server("failed to setup SIGHUP handler");
789         }
790 }
791
792 static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
793 {
794         fd_set r_fds, w_fds;
795         int selrtn;
796         struct timeval to;
797         int maxfd = 0;
798
799         to.tv_sec = SMBD_SELECT_TIMEOUT;
800         to.tv_usec = 0;
801
802         /*
803          * Setup the select fd sets.
804          */
805
806         FD_ZERO(&r_fds);
807         FD_ZERO(&w_fds);
808
809         /*
810          * Are there any timed events waiting ? If so, ensure we don't
811          * select for longer than it would take to wait for them.
812          */
813
814         {
815                 struct timeval now;
816                 GetTimeOfDay(&now);
817
818                 event_add_to_select_args(smbd_event_context(), &now,
819                                          &r_fds, &w_fds, &to, &maxfd);
820         }
821
822         /* Process a signal and timed events now... */
823         if (run_events(smbd_event_context(), 0, NULL, NULL)) {
824                 return NT_STATUS_RETRY;
825         }
826
827         {
828                 int sav;
829                 START_PROFILE(smbd_idle);
830
831                 selrtn = sys_select(maxfd+1,&r_fds,&w_fds,NULL,&to);
832                 sav = errno;
833
834                 END_PROFILE(smbd_idle);
835                 errno = sav;
836         }
837
838         if (run_events(smbd_event_context(), selrtn, &r_fds, &w_fds)) {
839                 return NT_STATUS_RETRY;
840         }
841
842         /* Check if error */
843         if (selrtn == -1) {
844                 /* something is wrong. Maybe the socket is dead? */
845                 return map_nt_error_from_unix(errno);
846         }
847
848         /* Did we timeout ? */
849         if (selrtn == 0) {
850                 return NT_STATUS_RETRY;
851         }
852
853         /* should not be reached */
854         return NT_STATUS_INTERNAL_ERROR;
855 }
856
857 /*
858  * Only allow 5 outstanding trans requests. We're allocating memory, so
859  * prevent a DoS.
860  */
861
862 NTSTATUS allow_new_trans(struct trans_state *list, int mid)
863 {
864         int count = 0;
865         for (; list != NULL; list = list->next) {
866
867                 if (list->mid == mid) {
868                         return NT_STATUS_INVALID_PARAMETER;
869                 }
870
871                 count += 1;
872         }
873         if (count > 5) {
874                 return NT_STATUS_INSUFFICIENT_RESOURCES;
875         }
876
877         return NT_STATUS_OK;
878 }
879
880 /*
881 These flags determine some of the permissions required to do an operation 
882
883 Note that I don't set NEED_WRITE on some write operations because they
884 are used by some brain-dead clients when printing, and I don't want to
885 force write permissions on print services.
886 */
887 #define AS_USER (1<<0)
888 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
889 #define TIME_INIT (1<<2)
890 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
891 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
892 #define DO_CHDIR (1<<6)
893
894 /* 
895    define a list of possible SMB messages and their corresponding
896    functions. Any message that has a NULL function is unimplemented -
897    please feel free to contribute implementations!
898 */
899 static const struct smb_message_struct {
900         const char *name;
901         void (*fn)(struct smb_request *req);
902         int flags;
903 } smb_messages[256] = {
904
905 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
906 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
907 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
908 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
909 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
910 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
911 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
912 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
913 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
914 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
915 /* 0x0a */ { "SMBread",reply_read,AS_USER},
916 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
917 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
918 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
919 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
920 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
921 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
922 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
923 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
924 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
925 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
926 /* 0x15 */ { NULL, NULL, 0 },
927 /* 0x16 */ { NULL, NULL, 0 },
928 /* 0x17 */ { NULL, NULL, 0 },
929 /* 0x18 */ { NULL, NULL, 0 },
930 /* 0x19 */ { NULL, NULL, 0 },
931 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
932 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
933 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
934 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
935 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
936 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
937 /* 0x20 */ { "SMBwritec", NULL,0},
938 /* 0x21 */ { NULL, NULL, 0 },
939 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
940 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
941 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
942 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
943 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
944 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
945 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
946 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
947 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
948 /* 0x2b */ { "SMBecho",reply_echo,0},
949 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
950 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
951 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
952 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
953 /* 0x30 */ { NULL, NULL, 0 },
954 /* 0x31 */ { NULL, NULL, 0 },
955 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
956 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
957 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
958 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
959 /* 0x36 */ { NULL, NULL, 0 },
960 /* 0x37 */ { NULL, NULL, 0 },
961 /* 0x38 */ { NULL, NULL, 0 },
962 /* 0x39 */ { NULL, NULL, 0 },
963 /* 0x3a */ { NULL, NULL, 0 },
964 /* 0x3b */ { NULL, NULL, 0 },
965 /* 0x3c */ { NULL, NULL, 0 },
966 /* 0x3d */ { NULL, NULL, 0 },
967 /* 0x3e */ { NULL, NULL, 0 },
968 /* 0x3f */ { NULL, NULL, 0 },
969 /* 0x40 */ { NULL, NULL, 0 },
970 /* 0x41 */ { NULL, NULL, 0 },
971 /* 0x42 */ { NULL, NULL, 0 },
972 /* 0x43 */ { NULL, NULL, 0 },
973 /* 0x44 */ { NULL, NULL, 0 },
974 /* 0x45 */ { NULL, NULL, 0 },
975 /* 0x46 */ { NULL, NULL, 0 },
976 /* 0x47 */ { NULL, NULL, 0 },
977 /* 0x48 */ { NULL, NULL, 0 },
978 /* 0x49 */ { NULL, NULL, 0 },
979 /* 0x4a */ { NULL, NULL, 0 },
980 /* 0x4b */ { NULL, NULL, 0 },
981 /* 0x4c */ { NULL, NULL, 0 },
982 /* 0x4d */ { NULL, NULL, 0 },
983 /* 0x4e */ { NULL, NULL, 0 },
984 /* 0x4f */ { NULL, NULL, 0 },
985 /* 0x50 */ { NULL, NULL, 0 },
986 /* 0x51 */ { NULL, NULL, 0 },
987 /* 0x52 */ { NULL, NULL, 0 },
988 /* 0x53 */ { NULL, NULL, 0 },
989 /* 0x54 */ { NULL, NULL, 0 },
990 /* 0x55 */ { NULL, NULL, 0 },
991 /* 0x56 */ { NULL, NULL, 0 },
992 /* 0x57 */ { NULL, NULL, 0 },
993 /* 0x58 */ { NULL, NULL, 0 },
994 /* 0x59 */ { NULL, NULL, 0 },
995 /* 0x5a */ { NULL, NULL, 0 },
996 /* 0x5b */ { NULL, NULL, 0 },
997 /* 0x5c */ { NULL, NULL, 0 },
998 /* 0x5d */ { NULL, NULL, 0 },
999 /* 0x5e */ { NULL, NULL, 0 },
1000 /* 0x5f */ { NULL, NULL, 0 },
1001 /* 0x60 */ { NULL, NULL, 0 },
1002 /* 0x61 */ { NULL, NULL, 0 },
1003 /* 0x62 */ { NULL, NULL, 0 },
1004 /* 0x63 */ { NULL, NULL, 0 },
1005 /* 0x64 */ { NULL, NULL, 0 },
1006 /* 0x65 */ { NULL, NULL, 0 },
1007 /* 0x66 */ { NULL, NULL, 0 },
1008 /* 0x67 */ { NULL, NULL, 0 },
1009 /* 0x68 */ { NULL, NULL, 0 },
1010 /* 0x69 */ { NULL, NULL, 0 },
1011 /* 0x6a */ { NULL, NULL, 0 },
1012 /* 0x6b */ { NULL, NULL, 0 },
1013 /* 0x6c */ { NULL, NULL, 0 },
1014 /* 0x6d */ { NULL, NULL, 0 },
1015 /* 0x6e */ { NULL, NULL, 0 },
1016 /* 0x6f */ { NULL, NULL, 0 },
1017 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1018 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1019 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1020 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1021 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1022 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1023 /* 0x76 */ { NULL, NULL, 0 },
1024 /* 0x77 */ { NULL, NULL, 0 },
1025 /* 0x78 */ { NULL, NULL, 0 },
1026 /* 0x79 */ { NULL, NULL, 0 },
1027 /* 0x7a */ { NULL, NULL, 0 },
1028 /* 0x7b */ { NULL, NULL, 0 },
1029 /* 0x7c */ { NULL, NULL, 0 },
1030 /* 0x7d */ { NULL, NULL, 0 },
1031 /* 0x7e */ { NULL, NULL, 0 },
1032 /* 0x7f */ { NULL, NULL, 0 },
1033 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1034 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1035 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1036 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1037 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1038 /* 0x85 */ { NULL, NULL, 0 },
1039 /* 0x86 */ { NULL, NULL, 0 },
1040 /* 0x87 */ { NULL, NULL, 0 },
1041 /* 0x88 */ { NULL, NULL, 0 },
1042 /* 0x89 */ { NULL, NULL, 0 },
1043 /* 0x8a */ { NULL, NULL, 0 },
1044 /* 0x8b */ { NULL, NULL, 0 },
1045 /* 0x8c */ { NULL, NULL, 0 },
1046 /* 0x8d */ { NULL, NULL, 0 },
1047 /* 0x8e */ { NULL, NULL, 0 },
1048 /* 0x8f */ { NULL, NULL, 0 },
1049 /* 0x90 */ { NULL, NULL, 0 },
1050 /* 0x91 */ { NULL, NULL, 0 },
1051 /* 0x92 */ { NULL, NULL, 0 },
1052 /* 0x93 */ { NULL, NULL, 0 },
1053 /* 0x94 */ { NULL, NULL, 0 },
1054 /* 0x95 */ { NULL, NULL, 0 },
1055 /* 0x96 */ { NULL, NULL, 0 },
1056 /* 0x97 */ { NULL, NULL, 0 },
1057 /* 0x98 */ { NULL, NULL, 0 },
1058 /* 0x99 */ { NULL, NULL, 0 },
1059 /* 0x9a */ { NULL, NULL, 0 },
1060 /* 0x9b */ { NULL, NULL, 0 },
1061 /* 0x9c */ { NULL, NULL, 0 },
1062 /* 0x9d */ { NULL, NULL, 0 },
1063 /* 0x9e */ { NULL, NULL, 0 },
1064 /* 0x9f */ { NULL, NULL, 0 },
1065 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1066 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1067 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1068 /* 0xa3 */ { NULL, NULL, 0 },
1069 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1070 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1071 /* 0xa6 */ { NULL, NULL, 0 },
1072 /* 0xa7 */ { NULL, NULL, 0 },
1073 /* 0xa8 */ { NULL, NULL, 0 },
1074 /* 0xa9 */ { NULL, NULL, 0 },
1075 /* 0xaa */ { NULL, NULL, 0 },
1076 /* 0xab */ { NULL, NULL, 0 },
1077 /* 0xac */ { NULL, NULL, 0 },
1078 /* 0xad */ { NULL, NULL, 0 },
1079 /* 0xae */ { NULL, NULL, 0 },
1080 /* 0xaf */ { NULL, NULL, 0 },
1081 /* 0xb0 */ { NULL, NULL, 0 },
1082 /* 0xb1 */ { NULL, NULL, 0 },
1083 /* 0xb2 */ { NULL, NULL, 0 },
1084 /* 0xb3 */ { NULL, NULL, 0 },
1085 /* 0xb4 */ { NULL, NULL, 0 },
1086 /* 0xb5 */ { NULL, NULL, 0 },
1087 /* 0xb6 */ { NULL, NULL, 0 },
1088 /* 0xb7 */ { NULL, NULL, 0 },
1089 /* 0xb8 */ { NULL, NULL, 0 },
1090 /* 0xb9 */ { NULL, NULL, 0 },
1091 /* 0xba */ { NULL, NULL, 0 },
1092 /* 0xbb */ { NULL, NULL, 0 },
1093 /* 0xbc */ { NULL, NULL, 0 },
1094 /* 0xbd */ { NULL, NULL, 0 },
1095 /* 0xbe */ { NULL, NULL, 0 },
1096 /* 0xbf */ { NULL, NULL, 0 },
1097 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1098 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1099 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1100 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1101 /* 0xc4 */ { NULL, NULL, 0 },
1102 /* 0xc5 */ { NULL, NULL, 0 },
1103 /* 0xc6 */ { NULL, NULL, 0 },
1104 /* 0xc7 */ { NULL, NULL, 0 },
1105 /* 0xc8 */ { NULL, NULL, 0 },
1106 /* 0xc9 */ { NULL, NULL, 0 },
1107 /* 0xca */ { NULL, NULL, 0 },
1108 /* 0xcb */ { NULL, NULL, 0 },
1109 /* 0xcc */ { NULL, NULL, 0 },
1110 /* 0xcd */ { NULL, NULL, 0 },
1111 /* 0xce */ { NULL, NULL, 0 },
1112 /* 0xcf */ { NULL, NULL, 0 },
1113 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1114 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1115 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1116 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1117 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1118 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1119 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1120 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1121 /* 0xd8 */ { NULL, NULL, 0 },
1122 /* 0xd9 */ { NULL, NULL, 0 },
1123 /* 0xda */ { NULL, NULL, 0 },
1124 /* 0xdb */ { NULL, NULL, 0 },
1125 /* 0xdc */ { NULL, NULL, 0 },
1126 /* 0xdd */ { NULL, NULL, 0 },
1127 /* 0xde */ { NULL, NULL, 0 },
1128 /* 0xdf */ { NULL, NULL, 0 },
1129 /* 0xe0 */ { NULL, NULL, 0 },
1130 /* 0xe1 */ { NULL, NULL, 0 },
1131 /* 0xe2 */ { NULL, NULL, 0 },
1132 /* 0xe3 */ { NULL, NULL, 0 },
1133 /* 0xe4 */ { NULL, NULL, 0 },
1134 /* 0xe5 */ { NULL, NULL, 0 },
1135 /* 0xe6 */ { NULL, NULL, 0 },
1136 /* 0xe7 */ { NULL, NULL, 0 },
1137 /* 0xe8 */ { NULL, NULL, 0 },
1138 /* 0xe9 */ { NULL, NULL, 0 },
1139 /* 0xea */ { NULL, NULL, 0 },
1140 /* 0xeb */ { NULL, NULL, 0 },
1141 /* 0xec */ { NULL, NULL, 0 },
1142 /* 0xed */ { NULL, NULL, 0 },
1143 /* 0xee */ { NULL, NULL, 0 },
1144 /* 0xef */ { NULL, NULL, 0 },
1145 /* 0xf0 */ { NULL, NULL, 0 },
1146 /* 0xf1 */ { NULL, NULL, 0 },
1147 /* 0xf2 */ { NULL, NULL, 0 },
1148 /* 0xf3 */ { NULL, NULL, 0 },
1149 /* 0xf4 */ { NULL, NULL, 0 },
1150 /* 0xf5 */ { NULL, NULL, 0 },
1151 /* 0xf6 */ { NULL, NULL, 0 },
1152 /* 0xf7 */ { NULL, NULL, 0 },
1153 /* 0xf8 */ { NULL, NULL, 0 },
1154 /* 0xf9 */ { NULL, NULL, 0 },
1155 /* 0xfa */ { NULL, NULL, 0 },
1156 /* 0xfb */ { NULL, NULL, 0 },
1157 /* 0xfc */ { NULL, NULL, 0 },
1158 /* 0xfd */ { NULL, NULL, 0 },
1159 /* 0xfe */ { NULL, NULL, 0 },
1160 /* 0xff */ { NULL, NULL, 0 }
1161
1162 };
1163
1164 /*******************************************************************
1165  allocate and initialize a reply packet
1166 ********************************************************************/
1167
1168 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1169                           const char *inbuf, char **outbuf, uint8_t num_words,
1170                           uint32_t num_bytes)
1171 {
1172         /*
1173          * Protect against integer wrap
1174          */
1175         if ((num_bytes > 0xffffff)
1176             || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1177                 char *msg;
1178                 if (asprintf(&msg, "num_bytes too large: %u",
1179                              (unsigned)num_bytes) == -1) {
1180                         msg = CONST_DISCARD(char *, "num_bytes too large");
1181                 }
1182                 smb_panic(msg);
1183         }
1184
1185         *outbuf = TALLOC_ARRAY(mem_ctx, char,
1186                                smb_size + num_words*2 + num_bytes);
1187         if (*outbuf == NULL) {
1188                 return false;
1189         }
1190
1191         construct_reply_common(req, inbuf, *outbuf);
1192         srv_set_message(*outbuf, num_words, num_bytes, false);
1193         /*
1194          * Zero out the word area, the caller has to take care of the bcc area
1195          * himself
1196          */
1197         if (num_words != 0) {
1198                 memset(*outbuf + smb_vwv0, 0, num_words*2);
1199         }
1200
1201         return true;
1202 }
1203
1204 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1205 {
1206         char *outbuf;
1207         if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1208                            num_bytes)) {
1209                 smb_panic("could not allocate output buffer\n");
1210         }
1211         req->outbuf = (uint8_t *)outbuf;
1212 }
1213
1214
1215 /*******************************************************************
1216  Dump a packet to a file.
1217 ********************************************************************/
1218
1219 static void smb_dump(const char *name, int type, const char *data, ssize_t len)
1220 {
1221         int fd, i;
1222         char *fname = NULL;
1223         if (DEBUGLEVEL < 50) {
1224                 return;
1225         }
1226
1227         if (len < 4) len = smb_len(data)+4;
1228         for (i=1;i<100;i++) {
1229                 if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1230                              type ? "req" : "resp") == -1) {
1231                         return;
1232                 }
1233                 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1234                 if (fd != -1 || errno != EEXIST) break;
1235         }
1236         if (fd != -1) {
1237                 ssize_t ret = write(fd, data, len);
1238                 if (ret != len)
1239                         DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1240                 close(fd);
1241                 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1242         }
1243         SAFE_FREE(fname);
1244 }
1245
1246 /****************************************************************************
1247  Prepare everything for calling the actual request function, and potentially
1248  call the request function via the "new" interface.
1249
1250  Return False if the "legacy" function needs to be called, everything is
1251  prepared.
1252
1253  Return True if we're done.
1254
1255  I know this API sucks, but it is the one with the least code change I could
1256  find.
1257 ****************************************************************************/
1258
1259 static connection_struct *switch_message(uint8 type, struct smb_request *req, int size)
1260 {
1261         int flags;
1262         uint16 session_tag;
1263         connection_struct *conn = NULL;
1264         struct smbd_server_connection *sconn = smbd_server_conn;
1265
1266         errno = 0;
1267
1268         /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1269          * so subtract 4 from it. */
1270         if (!valid_smb_header(req->inbuf)
1271             || (size < (smb_size - 4))) {
1272                 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1273                          smb_len(req->inbuf)));
1274                 exit_server_cleanly("Non-SMB packet");
1275         }
1276
1277         if (smb_messages[type].fn == NULL) {
1278                 DEBUG(0,("Unknown message type %d!\n",type));
1279                 smb_dump("Unknown", 1, (char *)req->inbuf, size);
1280                 reply_unknown_new(req, type);
1281                 return NULL;
1282         }
1283
1284         flags = smb_messages[type].flags;
1285
1286         /* In share mode security we must ignore the vuid. */
1287         session_tag = (lp_security() == SEC_SHARE)
1288                 ? UID_FIELD_INVALID : req->vuid;
1289         conn = req->conn;
1290
1291         DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1292                  (int)sys_getpid(), (unsigned long)conn));
1293
1294         smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1295
1296         /* Ensure this value is replaced in the incoming packet. */
1297         SSVAL(req->inbuf,smb_uid,session_tag);
1298
1299         /*
1300          * Ensure the correct username is in current_user_info.  This is a
1301          * really ugly bugfix for problems with multiple session_setup_and_X's
1302          * being done and allowing %U and %G substitutions to work correctly.
1303          * There is a reason this code is done here, don't move it unless you
1304          * know what you're doing... :-).
1305          * JRA.
1306          */
1307
1308         if (session_tag != sconn->smb1.sessions.last_session_tag) {
1309                 user_struct *vuser = NULL;
1310
1311                 sconn->smb1.sessions.last_session_tag = session_tag;
1312                 if(session_tag != UID_FIELD_INVALID) {
1313                         vuser = get_valid_user_struct(sconn, session_tag);
1314                         if (vuser) {
1315                                 set_current_user_info(
1316                                         vuser->server_info->sanitized_username,
1317                                         vuser->server_info->unix_name,
1318                                         pdb_get_domain(vuser->server_info
1319                                                        ->sam_account));
1320                         }
1321                 }
1322         }
1323
1324         /* Does this call need to be run as the connected user? */
1325         if (flags & AS_USER) {
1326
1327                 /* Does this call need a valid tree connection? */
1328                 if (!conn) {
1329                         /*
1330                          * Amazingly, the error code depends on the command
1331                          * (from Samba4).
1332                          */
1333                         if (type == SMBntcreateX) {
1334                                 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1335                         } else {
1336                                 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1337                         }
1338                         return NULL;
1339                 }
1340
1341                 if (!change_to_user(conn,session_tag)) {
1342                         DEBUG(0, ("Error: Could not change to user. Removing "
1343                             "deferred open, mid=%d.\n", req->mid));
1344                         reply_force_doserror(req, ERRSRV, ERRbaduid);
1345                         return conn;
1346                 }
1347
1348                 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1349
1350                 /* Does it need write permission? */
1351                 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1352                         reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1353                         return conn;
1354                 }
1355
1356                 /* IPC services are limited */
1357                 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1358                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1359                         return conn;
1360                 }
1361         } else {
1362                 /* This call needs to be run as root */
1363                 change_to_root_user();
1364         }
1365
1366         /* load service specific parameters */
1367         if (conn) {
1368                 if (req->encrypted) {
1369                         conn->encrypted_tid = true;
1370                         /* encrypted required from now on. */
1371                         conn->encrypt_level = Required;
1372                 } else if (ENCRYPTION_REQUIRED(conn)) {
1373                         if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1374                                 exit_server_cleanly("encryption required "
1375                                         "on connection");
1376                                 return conn;
1377                         }
1378                 }
1379
1380                 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1381                                          (flags & (AS_USER|DO_CHDIR)
1382                                           ?True:False))) {
1383                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1384                         return conn;
1385                 }
1386                 conn->num_smb_operations++;
1387         }
1388
1389         /* does this protocol need to be run as guest? */
1390         if ((flags & AS_GUEST)
1391             && (!change_to_guest() ||
1392                 !check_access(smbd_server_fd(), lp_hostsallow(-1),
1393                               lp_hostsdeny(-1)))) {
1394                 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1395                 return conn;
1396         }
1397
1398         smb_messages[type].fn(req);
1399         return req->conn;
1400 }
1401
1402 /****************************************************************************
1403  Construct a reply to the incoming packet.
1404 ****************************************************************************/
1405
1406 static void construct_reply(char *inbuf, int size, size_t unread_bytes,
1407                             uint32_t seqnum, bool encrypted,
1408                             struct smb_perfcount_data *deferred_pcd)
1409 {
1410         connection_struct *conn;
1411         struct smb_request *req;
1412
1413         if (!(req = talloc(talloc_tos(), struct smb_request))) {
1414                 smb_panic("could not allocate smb_request");
1415         }
1416
1417         init_smb_request(req, (uint8 *)inbuf, unread_bytes, encrypted);
1418         req->inbuf  = (uint8_t *)talloc_move(req, &inbuf);
1419         req->seqnum = seqnum;
1420
1421         /* we popped this message off the queue - keep original perf data */
1422         if (deferred_pcd)
1423                 req->pcd = *deferred_pcd;
1424         else {
1425                 SMB_PERFCOUNT_START(&req->pcd);
1426                 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1427                 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1428         }
1429
1430         conn = switch_message(req->cmd, req, size);
1431
1432         if (req->unread_bytes) {
1433                 /* writeX failed. drain socket. */
1434                 if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
1435                                 req->unread_bytes) {
1436                         smb_panic("failed to drain pending bytes");
1437                 }
1438                 req->unread_bytes = 0;
1439         }
1440
1441         if (req->done) {
1442                 TALLOC_FREE(req);
1443                 return;
1444         }
1445
1446         if (req->outbuf == NULL) {
1447                 return;
1448         }
1449
1450         if (CVAL(req->outbuf,0) == 0) {
1451                 show_msg((char *)req->outbuf);
1452         }
1453
1454         if (!srv_send_smb(smbd_server_fd(),
1455                         (char *)req->outbuf,
1456                         true, req->seqnum+1,
1457                         IS_CONN_ENCRYPTED(conn)||req->encrypted,
1458                         &req->pcd)) {
1459                 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1460         }
1461
1462         TALLOC_FREE(req);
1463
1464         return;
1465 }
1466
1467 /****************************************************************************
1468  Process an smb from the client
1469 ****************************************************************************/
1470 static void process_smb(struct smbd_server_connection *conn,
1471                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
1472                         uint32_t seqnum, bool encrypted,
1473                         struct smb_perfcount_data *deferred_pcd)
1474 {
1475         int msg_type = CVAL(inbuf,0);
1476
1477         DO_PROFILE_INC(smb_count);
1478
1479         DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1480                     smb_len(inbuf) ) );
1481         DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num,
1482                                 (int)nread,
1483                                 (unsigned int)unread_bytes ));
1484
1485         if (msg_type != 0) {
1486                 /*
1487                  * NetBIOS session request, keepalive, etc.
1488                  */
1489                 reply_special((char *)inbuf);
1490                 goto done;
1491         }
1492
1493         if (smbd_server_conn->allow_smb2) {
1494                 if (smbd_is_smb2_header(inbuf, nread)) {
1495                         smbd_smb2_first_negprot(smbd_server_conn, inbuf, nread);
1496                         return;
1497                 }
1498                 smbd_server_conn->allow_smb2 = false;
1499         }
1500
1501         show_msg((char *)inbuf);
1502
1503         construct_reply((char *)inbuf,nread,unread_bytes,seqnum,encrypted,deferred_pcd);
1504         trans_num++;
1505
1506 done:
1507         conn->smb1.num_requests++;
1508
1509         /* The timeout_processing function isn't run nearly
1510            often enough to implement 'max log size' without
1511            overrunning the size of the file by many megabytes.
1512            This is especially true if we are running at debug
1513            level 10.  Checking every 50 SMBs is a nice
1514            tradeoff of performance vs log file size overrun. */
1515
1516         if ((conn->smb1.num_requests % 50) == 0 &&
1517             need_to_check_log_size()) {
1518                 change_to_root_user();
1519                 check_log_size();
1520         }
1521 }
1522
1523 /****************************************************************************
1524  Return a string containing the function name of a SMB command.
1525 ****************************************************************************/
1526
1527 const char *smb_fn_name(int type)
1528 {
1529         const char *unknown_name = "SMBunknown";
1530
1531         if (smb_messages[type].name == NULL)
1532                 return(unknown_name);
1533
1534         return(smb_messages[type].name);
1535 }
1536
1537 /****************************************************************************
1538  Helper functions for contruct_reply.
1539 ****************************************************************************/
1540
1541 void add_to_common_flags2(uint32 v)
1542 {
1543         common_flags2 |= v;
1544 }
1545
1546 void remove_from_common_flags2(uint32 v)
1547 {
1548         common_flags2 &= ~v;
1549 }
1550
1551 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1552                                    char *outbuf)
1553 {
1554         srv_set_message(outbuf,0,0,false);
1555         
1556         SCVAL(outbuf, smb_com, req->cmd);
1557         SIVAL(outbuf,smb_rcls,0);
1558         SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); 
1559         SSVAL(outbuf,smb_flg2,
1560                 (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) |
1561                 common_flags2);
1562         memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1563
1564         SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1565         SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1566         SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1567         SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1568 }
1569
1570 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1571 {
1572         construct_reply_common(req, (char *)req->inbuf, outbuf);
1573 }
1574
1575 /*
1576  * How many bytes have we already accumulated up to the current wct field
1577  * offset?
1578  */
1579
1580 size_t req_wct_ofs(struct smb_request *req)
1581 {
1582         size_t buf_size;
1583
1584         if (req->chain_outbuf == NULL) {
1585                 return smb_wct - 4;
1586         }
1587         buf_size = talloc_get_size(req->chain_outbuf);
1588         if ((buf_size % 4) != 0) {
1589                 buf_size += (4 - (buf_size % 4));
1590         }
1591         return buf_size - 4;
1592 }
1593
1594 /*
1595  * Hack around reply_nterror & friends not being aware of chained requests,
1596  * generating illegal (i.e. wct==0) chain replies.
1597  */
1598
1599 static void fixup_chain_error_packet(struct smb_request *req)
1600 {
1601         uint8_t *outbuf = req->outbuf;
1602         req->outbuf = NULL;
1603         reply_outbuf(req, 2, 0);
1604         memcpy(req->outbuf, outbuf, smb_wct);
1605         TALLOC_FREE(outbuf);
1606         SCVAL(req->outbuf, smb_vwv0, 0xff);
1607 }
1608
1609 /**
1610  * @brief Find the smb_cmd offset of the last command pushed
1611  * @param[in] buf       The buffer we're building up
1612  * @retval              Where can we put our next andx cmd?
1613  *
1614  * While chaining requests, the "next" request we're looking at needs to put
1615  * its SMB_Command before the data the previous request already built up added
1616  * to the chain. Find the offset to the place where we have to put our cmd.
1617  */
1618
1619 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
1620 {
1621         uint8_t cmd;
1622         size_t ofs;
1623
1624         cmd = CVAL(buf, smb_com);
1625
1626         SMB_ASSERT(is_andx_req(cmd));
1627
1628         ofs = smb_vwv0;
1629
1630         while (CVAL(buf, ofs) != 0xff) {
1631
1632                 if (!is_andx_req(CVAL(buf, ofs))) {
1633                         return false;
1634                 }
1635
1636                 /*
1637                  * ofs is from start of smb header, so add the 4 length
1638                  * bytes. The next cmd is right after the wct field.
1639                  */
1640                 ofs = SVAL(buf, ofs+2) + 4 + 1;
1641
1642                 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1643         }
1644
1645         *pofs = ofs;
1646         return true;
1647 }
1648
1649 /**
1650  * @brief Do the smb chaining at a buffer level
1651  * @param[in] poutbuf           Pointer to the talloc'ed buffer to be modified
1652  * @param[in] smb_command       The command that we want to issue
1653  * @param[in] wct               How many words?
1654  * @param[in] vwv               The words, already in network order
1655  * @param[in] bytes_alignment   How shall we align "bytes"?
1656  * @param[in] num_bytes         How many bytes?
1657  * @param[in] bytes             The data the request ships
1658  *
1659  * smb_splice_chain() adds the vwv and bytes to the request already present in
1660  * *poutbuf.
1661  */
1662
1663 static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1664                              uint8_t wct, const uint16_t *vwv,
1665                              size_t bytes_alignment,
1666                              uint32_t num_bytes, const uint8_t *bytes)
1667 {
1668         uint8_t *outbuf;
1669         size_t old_size, new_size;
1670         size_t ofs;
1671         size_t chain_padding = 0;
1672         size_t bytes_padding = 0;
1673         bool first_request;
1674
1675         old_size = talloc_get_size(*poutbuf);
1676
1677         /*
1678          * old_size == smb_wct means we're pushing the first request in for
1679          * libsmb/
1680          */
1681
1682         first_request = (old_size == smb_wct);
1683
1684         if (!first_request && ((old_size % 4) != 0)) {
1685                 /*
1686                  * Align the wct field of subsequent requests to a 4-byte
1687                  * boundary
1688                  */
1689                 chain_padding = 4 - (old_size % 4);
1690         }
1691
1692         /*
1693          * After the old request comes the new wct field (1 byte), the vwv's
1694          * and the num_bytes field. After at we might need to align the bytes
1695          * given to us to "bytes_alignment", increasing the num_bytes value.
1696          */
1697
1698         new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1699
1700         if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1701                 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1702         }
1703
1704         new_size += bytes_padding + num_bytes;
1705
1706         if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1707                 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1708                           (unsigned)new_size));
1709                 return false;
1710         }
1711
1712         outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1713         if (outbuf == NULL) {
1714                 DEBUG(0, ("talloc failed\n"));
1715                 return false;
1716         }
1717         *poutbuf = outbuf;
1718
1719         if (first_request) {
1720                 SCVAL(outbuf, smb_com, smb_command);
1721         } else {
1722                 size_t andx_cmd_ofs;
1723
1724                 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1725                         DEBUG(1, ("invalid command chain\n"));
1726                         *poutbuf = TALLOC_REALLOC_ARRAY(
1727                                 NULL, *poutbuf, uint8_t, old_size);
1728                         return false;
1729                 }
1730
1731                 if (chain_padding != 0) {
1732                         memset(outbuf + old_size, 0, chain_padding);
1733                         old_size += chain_padding;
1734                 }
1735
1736                 SCVAL(outbuf, andx_cmd_ofs, smb_command);
1737                 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1738         }
1739
1740         ofs = old_size;
1741
1742         /*
1743          * Push the chained request:
1744          *
1745          * wct field
1746          */
1747
1748         SCVAL(outbuf, ofs, wct);
1749         ofs += 1;
1750
1751         /*
1752          * vwv array
1753          */
1754
1755         memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1756         ofs += sizeof(uint16_t) * wct;
1757
1758         /*
1759          * bcc (byte count)
1760          */
1761
1762         SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1763         ofs += sizeof(uint16_t);
1764
1765         /*
1766          * padding
1767          */
1768
1769         if (bytes_padding != 0) {
1770                 memset(outbuf + ofs, 0, bytes_padding);
1771                 ofs += bytes_padding;
1772         }
1773
1774         /*
1775          * The bytes field
1776          */
1777
1778         memcpy(outbuf + ofs, bytes, num_bytes);
1779
1780         return true;
1781 }
1782
1783 /****************************************************************************
1784  Construct a chained reply and add it to the already made reply
1785 ****************************************************************************/
1786
1787 void chain_reply(struct smb_request *req)
1788 {
1789         size_t smblen = smb_len(req->inbuf);
1790         size_t already_used, length_needed;
1791         uint8_t chain_cmd;
1792         uint32_t chain_offset;  /* uint32_t to avoid overflow */
1793
1794         uint8_t wct;
1795         uint16_t *vwv;
1796         uint16_t buflen;
1797         uint8_t *buf;
1798
1799         if (IVAL(req->outbuf, smb_rcls) != 0) {
1800                 fixup_chain_error_packet(req);
1801         }
1802
1803         /*
1804          * Any of the AndX requests and replies have at least a wct of
1805          * 2. vwv[0] is the next command, vwv[1] is the offset from the
1806          * beginning of the SMB header to the next wct field.
1807          *
1808          * None of the AndX requests put anything valuable in vwv[0] and [1],
1809          * so we can overwrite it here to form the chain.
1810          */
1811
1812         if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
1813                 goto error;
1814         }
1815
1816         /*
1817          * Here we assume that this is the end of the chain. For that we need
1818          * to set "next command" to 0xff and the offset to 0. If we later find
1819          * more commands in the chain, this will be overwritten again.
1820          */
1821
1822         SCVAL(req->outbuf, smb_vwv0, 0xff);
1823         SCVAL(req->outbuf, smb_vwv0+1, 0);
1824         SSVAL(req->outbuf, smb_vwv1, 0);
1825
1826         if (req->chain_outbuf == NULL) {
1827                 /*
1828                  * In req->chain_outbuf we collect all the replies. Start the
1829                  * chain by copying in the first reply.
1830                  *
1831                  * We do the realloc because later on we depend on
1832                  * talloc_get_size to determine the length of
1833                  * chain_outbuf. The reply_xxx routines might have
1834                  * over-allocated (reply_pipe_read_and_X used to be such an
1835                  * example).
1836                  */
1837                 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1838                         req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
1839                 if (req->chain_outbuf == NULL) {
1840                         goto error;
1841                 }
1842                 req->outbuf = NULL;
1843         } else {
1844                 /*
1845                  * Update smb headers where subsequent chained commands
1846                  * may have updated them.
1847                  */
1848                 SCVAL(req->chain_outbuf, smb_tid, CVAL(req->outbuf, smb_tid));
1849                 SCVAL(req->chain_outbuf, smb_uid, CVAL(req->outbuf, smb_uid));
1850
1851                 if (!smb_splice_chain(&req->chain_outbuf,
1852                                       CVAL(req->outbuf, smb_com),
1853                                       CVAL(req->outbuf, smb_wct),
1854                                       (uint16_t *)(req->outbuf + smb_vwv),
1855                                       0, smb_buflen(req->outbuf),
1856                                       (uint8_t *)smb_buf(req->outbuf))) {
1857                         goto error;
1858                 }
1859                 TALLOC_FREE(req->outbuf);
1860         }
1861
1862         /*
1863          * We use the old request's vwv field to grab the next chained command
1864          * and offset into the chained fields.
1865          */
1866
1867         chain_cmd = CVAL(req->vwv+0, 0);
1868         chain_offset = SVAL(req->vwv+1, 0);
1869
1870         if (chain_cmd == 0xff) {
1871                 /*
1872                  * End of chain, no more requests from the client. So ship the
1873                  * replies.
1874                  */
1875                 smb_setlen((char *)(req->chain_outbuf),
1876                            talloc_get_size(req->chain_outbuf) - 4);
1877
1878                 if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
1879                                   true, req->seqnum+1,
1880                                   IS_CONN_ENCRYPTED(req->conn)
1881                                   ||req->encrypted,
1882                                   &req->pcd)) {
1883                         exit_server_cleanly("chain_reply: srv_send_smb "
1884                                             "failed.");
1885                 }
1886                 TALLOC_FREE(req->chain_outbuf);
1887                 req->done = true;
1888                 return;
1889         }
1890
1891         /* add a new perfcounter for this element of chain */
1892         SMB_PERFCOUNT_ADD(&req->pcd);
1893         SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
1894         SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
1895
1896         /*
1897          * Check if the client tries to fool us. The request so far uses the
1898          * space to the end of the byte buffer in the request just
1899          * processed. The chain_offset can't point into that area. If that was
1900          * the case, we could end up with an endless processing of the chain,
1901          * we would always handle the same request.
1902          */
1903
1904         already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
1905         if (chain_offset < already_used) {
1906                 goto error;
1907         }
1908
1909         /*
1910          * Next check: Make sure the chain offset does not point beyond the
1911          * overall smb request length.
1912          */
1913
1914         length_needed = chain_offset+1; /* wct */
1915         if (length_needed > smblen) {
1916                 goto error;
1917         }
1918
1919         /*
1920          * Now comes the pointer magic. Goal here is to set up req->vwv and
1921          * req->buf correctly again to be able to call the subsequent
1922          * switch_message(). The chain offset (the former vwv[1]) points at
1923          * the new wct field.
1924          */
1925
1926         wct = CVAL(smb_base(req->inbuf), chain_offset);
1927
1928         /*
1929          * Next consistency check: Make the new vwv array fits in the overall
1930          * smb request.
1931          */
1932
1933         length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
1934         if (length_needed > smblen) {
1935                 goto error;
1936         }
1937         vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
1938
1939         /*
1940          * Now grab the new byte buffer....
1941          */
1942
1943         buflen = SVAL(vwv+wct, 0);
1944
1945         /*
1946          * .. and check that it fits.
1947          */
1948
1949         length_needed += buflen;
1950         if (length_needed > smblen) {
1951                 goto error;
1952         }
1953         buf = (uint8_t *)(vwv+wct+1);
1954
1955         req->cmd = chain_cmd;
1956         req->wct = wct;
1957         req->vwv = vwv;
1958         req->buflen = buflen;
1959         req->buf = buf;
1960
1961         switch_message(chain_cmd, req, smblen);
1962
1963         if (req->outbuf == NULL) {
1964                 /*
1965                  * This happens if the chained command has suspended itself or
1966                  * if it has called srv_send_smb() itself.
1967                  */
1968                 return;
1969         }
1970
1971         /*
1972          * We end up here if the chained command was not itself chained or
1973          * suspended, but for example a close() command. We now need to splice
1974          * the chained commands' outbuf into the already built up chain_outbuf
1975          * and ship the result.
1976          */
1977         goto done;
1978
1979  error:
1980         /*
1981          * We end up here if there's any error in the chain syntax. Report a
1982          * DOS error, just like Windows does.
1983          */
1984         reply_force_doserror(req, ERRSRV, ERRerror);
1985         fixup_chain_error_packet(req);
1986
1987  done:
1988         /*
1989          * This scary statement intends to set the
1990          * FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
1991          * to the value req->outbuf carries
1992          */
1993         SSVAL(req->chain_outbuf, smb_flg2,
1994               (SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
1995               | (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
1996
1997         /*
1998          * Transfer the error codes from the subrequest to the main one
1999          */
2000         SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2001         SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2002
2003         if (!smb_splice_chain(&req->chain_outbuf,
2004                               CVAL(req->outbuf, smb_com),
2005                               CVAL(req->outbuf, smb_wct),
2006                               (uint16_t *)(req->outbuf + smb_vwv),
2007                               0, smb_buflen(req->outbuf),
2008                               (uint8_t *)smb_buf(req->outbuf))) {
2009                 exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2010         }
2011         TALLOC_FREE(req->outbuf);
2012
2013         smb_setlen((char *)(req->chain_outbuf),
2014                    talloc_get_size(req->chain_outbuf) - 4);
2015
2016         show_msg((char *)(req->chain_outbuf));
2017
2018         if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
2019                           true, req->seqnum+1,
2020                           IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
2021                           &req->pcd)) {
2022                 exit_server_cleanly("construct_reply: srv_send_smb failed.");
2023         }
2024         TALLOC_FREE(req->chain_outbuf);
2025         req->done = true;
2026 }
2027
2028 /****************************************************************************
2029  Check if services need reloading.
2030 ****************************************************************************/
2031
2032 void check_reload(time_t t)
2033 {
2034         time_t printcap_cache_time = (time_t)lp_printcap_cache_time();
2035
2036         if(last_smb_conf_reload_time == 0) {
2037                 last_smb_conf_reload_time = t;
2038                 /* Our printing subsystem might not be ready at smbd start up.
2039                    Then no printer is available till the first printers check
2040                    is performed.  A lower initial interval circumvents this. */
2041                 if ( printcap_cache_time > 60 )
2042                         last_printer_reload_time = t - printcap_cache_time + 60;
2043                 else
2044                         last_printer_reload_time = t;
2045         }
2046
2047         if (mypid != getpid()) { /* First time or fork happened meanwhile */
2048                 /* randomize over 60 second the printcap reload to avoid all
2049                  * process hitting cupsd at the same time */
2050                 int time_range = 60;
2051
2052                 last_printer_reload_time += random() % time_range;
2053                 mypid = getpid();
2054         }
2055
2056         if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2057                 reload_services(True);
2058                 last_smb_conf_reload_time = t;
2059         }
2060
2061         /* 'printcap cache time = 0' disable the feature */
2062         
2063         if ( printcap_cache_time != 0 )
2064         { 
2065                 /* see if it's time to reload or if the clock has been set back */
2066                 
2067                 if ( (t >= last_printer_reload_time+printcap_cache_time) 
2068                         || (t-last_printer_reload_time  < 0) ) 
2069                 {
2070                         DEBUG( 3,( "Printcap cache time expired.\n"));
2071                         reload_printers();
2072                         last_printer_reload_time = t;
2073                 }
2074         }
2075 }
2076
2077 static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2078 {
2079         /* TODO: make write nonblocking */
2080 }
2081
2082 static void smbd_server_connection_read_handler(struct smbd_server_connection *conn)
2083 {
2084         uint8_t *inbuf = NULL;
2085         size_t inbuf_len = 0;
2086         size_t unread_bytes = 0;
2087         bool encrypted = false;
2088         TALLOC_CTX *mem_ctx = talloc_tos();
2089         NTSTATUS status;
2090         uint32_t seqnum;
2091
2092         /* TODO: make this completely nonblocking */
2093
2094         status = receive_smb_talloc(mem_ctx, smbd_server_fd(),
2095                                     (char **)(void *)&inbuf,
2096                                     0, /* timeout */
2097                                     &unread_bytes,
2098                                     &encrypted,
2099                                     &inbuf_len, &seqnum);
2100         if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2101                 goto process;
2102         }
2103         if (NT_STATUS_IS_ERR(status)) {
2104                 exit_server_cleanly("failed to receive smb request");
2105         }
2106         if (!NT_STATUS_IS_OK(status)) {
2107                 return;
2108         }
2109
2110 process:
2111         process_smb(conn, inbuf, inbuf_len, unread_bytes,
2112                     seqnum, encrypted, NULL);
2113 }
2114
2115 static void smbd_server_connection_handler(struct event_context *ev,
2116                                            struct fd_event *fde,
2117                                            uint16_t flags,
2118                                            void *private_data)
2119 {
2120         struct smbd_server_connection *conn = talloc_get_type(private_data,
2121                                               struct smbd_server_connection);
2122
2123         if (flags & EVENT_FD_WRITE) {
2124                 smbd_server_connection_write_handler(conn);
2125         } else if (flags & EVENT_FD_READ) {
2126                 smbd_server_connection_read_handler(conn);
2127         }
2128 }
2129
2130
2131 /****************************************************************************
2132 received when we should release a specific IP
2133 ****************************************************************************/
2134 static void release_ip(const char *ip, void *priv)
2135 {
2136         char addr[INET6_ADDRSTRLEN];
2137         char *p = addr;
2138
2139         client_socket_addr(get_client_fd(),addr,sizeof(addr));
2140
2141         if (strncmp("::ffff:", addr, 7) == 0) {
2142                 p = addr + 7;
2143         }
2144
2145         if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2146                 /* we can't afford to do a clean exit - that involves
2147                    database writes, which would potentially mean we
2148                    are still running after the failover has finished -
2149                    we have to get rid of this process ID straight
2150                    away */
2151                 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2152                         ip));
2153                 /* note we must exit with non-zero status so the unclean handler gets
2154                    called in the parent, so that the brl database is tickled */
2155                 _exit(1);
2156         }
2157 }
2158
2159 static void msg_release_ip(struct messaging_context *msg_ctx, void *private_data,
2160                            uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2161 {
2162         release_ip((char *)data->data, NULL);
2163 }
2164
2165 #ifdef CLUSTER_SUPPORT
2166 static int client_get_tcp_info(struct sockaddr_storage *server,
2167                                struct sockaddr_storage *client)
2168 {
2169         socklen_t length;
2170         if (server_fd == -1) {
2171                 return -1;
2172         }
2173         length = sizeof(*server);
2174         if (getsockname(server_fd, (struct sockaddr *)server, &length) != 0) {
2175                 return -1;
2176         }
2177         length = sizeof(*client);
2178         if (getpeername(server_fd, (struct sockaddr *)client, &length) != 0) {
2179                 return -1;
2180         }
2181         return 0;
2182 }
2183 #endif
2184
2185 /*
2186  * Send keepalive packets to our client
2187  */
2188 static bool keepalive_fn(const struct timeval *now, void *private_data)
2189 {
2190         if (!send_keepalive(smbd_server_fd())) {
2191                 DEBUG( 2, ( "Keepalive failed - exiting.\n" ) );
2192                 return False;
2193         }
2194         return True;
2195 }
2196
2197 /*
2198  * Do the recurring check if we're idle
2199  */
2200 static bool deadtime_fn(const struct timeval *now, void *private_data)
2201 {
2202         struct smbd_server_connection *sconn = smbd_server_conn;
2203         if ((conn_num_open(sconn) == 0)
2204             || (conn_idle_all(sconn, now->tv_sec))) {
2205                 DEBUG( 2, ( "Closing idle connection\n" ) );
2206                 messaging_send(smbd_messaging_context(), procid_self(),
2207                                MSG_SHUTDOWN, &data_blob_null);
2208                 return False;
2209         }
2210
2211         return True;
2212 }
2213
2214 /*
2215  * Do the recurring log file and smb.conf reload checks.
2216  */
2217
2218 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2219 {
2220         change_to_root_user();
2221
2222         /* update printer queue caches if necessary */
2223         update_monitored_printq_cache();
2224
2225         /* check if we need to reload services */
2226         check_reload(time(NULL));
2227
2228         /* Change machine password if neccessary. */
2229         attempt_machine_password_change();
2230
2231         /*
2232          * Force a log file check.
2233          */
2234         force_check_log_size();
2235         check_log_size();
2236         return true;
2237 }
2238
2239 /****************************************************************************
2240  Process commands from the client
2241 ****************************************************************************/
2242
2243 void smbd_process(void)
2244 {
2245         TALLOC_CTX *frame = talloc_stackframe();
2246         char remaddr[INET6_ADDRSTRLEN];
2247
2248         if (lp_maxprotocol() == PROTOCOL_SMB2 &&
2249             lp_security() != SEC_SHARE) {
2250                 smbd_server_conn->allow_smb2 = true;
2251         }
2252
2253         /* Ensure child is set to blocking mode */
2254         set_blocking(smbd_server_fd(),True);
2255
2256         set_socket_options(smbd_server_fd(),"SO_KEEPALIVE");
2257         set_socket_options(smbd_server_fd(), lp_socket_options());
2258
2259         /* this is needed so that we get decent entries
2260            in smbstatus for port 445 connects */
2261         set_remote_machine_name(get_peer_addr(smbd_server_fd(),
2262                                               remaddr,
2263                                               sizeof(remaddr)),
2264                                               false);
2265         reload_services(true);
2266
2267         /*
2268          * Before the first packet, check the global hosts allow/ hosts deny
2269          * parameters before doing any parsing of packets passed to us by the
2270          * client. This prevents attacks on our parsing code from hosts not in
2271          * the hosts allow list.
2272          */
2273
2274         if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
2275                           lp_hostsdeny(-1))) {
2276                 char addr[INET6_ADDRSTRLEN];
2277
2278                 /*
2279                  * send a negative session response "not listening on calling
2280                  * name"
2281                  */
2282                 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2283                 DEBUG( 1, ("Connection denied from %s\n",
2284                            client_addr(get_client_fd(),addr,sizeof(addr)) ) );
2285                 (void)srv_send_smb(smbd_server_fd(),(char *)buf, false,
2286                                    0, false, NULL);
2287                 exit_server_cleanly("connection denied");
2288         }
2289
2290         static_init_rpc;
2291
2292         init_modules();
2293
2294         smb_perfcount_init();
2295
2296         if (!init_account_policy()) {
2297                 exit_server("Could not open account policy tdb.\n");
2298         }
2299
2300         if (*lp_rootdir()) {
2301                 if (chroot(lp_rootdir()) != 0) {
2302                         DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
2303                         exit_server("Failed to chroot()");
2304                 }
2305                 if (chdir("/") == -1) {
2306                         DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
2307                         exit_server("Failed to chroot()");
2308                 }
2309                 DEBUG(0,("Changed root to %s\n", lp_rootdir()));
2310         }
2311
2312         if (!srv_init_signing(smbd_server_conn)) {
2313                 exit_server("Failed to init smb_signing");
2314         }
2315
2316         /* Setup oplocks */
2317         if (!init_oplocks(smbd_messaging_context()))
2318                 exit_server("Failed to init oplocks");
2319
2320         /* Setup aio signal handler. */
2321         initialize_async_io_handler();
2322
2323         /* register our message handlers */
2324         messaging_register(smbd_messaging_context(), NULL,
2325                            MSG_SMB_FORCE_TDIS, msg_force_tdis);
2326         messaging_register(smbd_messaging_context(), NULL,
2327                            MSG_SMB_RELEASE_IP, msg_release_ip);
2328         messaging_register(smbd_messaging_context(), NULL,
2329                            MSG_SMB_CLOSE_FILE, msg_close_file);
2330
2331         /*
2332          * Use the default MSG_DEBUG handler to avoid rebroadcasting
2333          * MSGs to all child processes
2334          */
2335         messaging_deregister(smbd_messaging_context(),
2336                              MSG_DEBUG, NULL);
2337         messaging_register(smbd_messaging_context(), NULL,
2338                            MSG_DEBUG, debug_message);
2339
2340         if ((lp_keepalive() != 0)
2341             && !(event_add_idle(smbd_event_context(), NULL,
2342                                 timeval_set(lp_keepalive(), 0),
2343                                 "keepalive", keepalive_fn,
2344                                 NULL))) {
2345                 DEBUG(0, ("Could not add keepalive event\n"));
2346                 exit(1);
2347         }
2348
2349         if (!(event_add_idle(smbd_event_context(), NULL,
2350                              timeval_set(IDLE_CLOSED_TIMEOUT, 0),
2351                              "deadtime", deadtime_fn, NULL))) {
2352                 DEBUG(0, ("Could not add deadtime event\n"));
2353                 exit(1);
2354         }
2355
2356         if (!(event_add_idle(smbd_event_context(), NULL,
2357                              timeval_set(SMBD_SELECT_TIMEOUT, 0),
2358                              "housekeeping", housekeeping_fn, NULL))) {
2359                 DEBUG(0, ("Could not add housekeeping event\n"));
2360                 exit(1);
2361         }
2362
2363 #ifdef CLUSTER_SUPPORT
2364
2365         if (lp_clustering()) {
2366                 /*
2367                  * We need to tell ctdb about our client's TCP
2368                  * connection, so that for failover ctdbd can send
2369                  * tickle acks, triggering a reconnection by the
2370                  * client.
2371                  */
2372
2373                 struct sockaddr_storage srv, clnt;
2374
2375                 if (client_get_tcp_info(&srv, &clnt) == 0) {
2376
2377                         NTSTATUS status;
2378
2379                         status = ctdbd_register_ips(
2380                                 messaging_ctdbd_connection(),
2381                                 &srv, &clnt, release_ip, NULL);
2382
2383                         if (!NT_STATUS_IS_OK(status)) {
2384                                 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
2385                                           nt_errstr(status)));
2386                         }
2387                 } else
2388                 {
2389                         DEBUG(0,("Unable to get tcp info for "
2390                                  "CTDB_CONTROL_TCP_CLIENT: %s\n",
2391                                  strerror(errno)));
2392                 }
2393         }
2394
2395 #endif
2396
2397         smbd_server_conn->nbt.got_session = false;
2398
2399         smbd_server_conn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
2400
2401         smbd_server_conn->smb1.sessions.done_sesssetup = false;
2402         smbd_server_conn->smb1.sessions.max_send = BUFFER_SIZE;
2403         smbd_server_conn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
2404         /* users from session setup */
2405         smbd_server_conn->smb1.sessions.session_userlist = NULL;
2406         /* workgroup from session setup. */
2407         smbd_server_conn->smb1.sessions.session_workgroup = NULL;
2408         /* this holds info on user ids that are already validated for this VC */
2409         smbd_server_conn->smb1.sessions.validated_users = NULL;
2410         smbd_server_conn->smb1.sessions.next_vuid = VUID_OFFSET;
2411         smbd_server_conn->smb1.sessions.num_validated_vuids = 0;
2412 #ifdef HAVE_NETGROUP
2413         smbd_server_conn->smb1.sessions.my_yp_domain = NULL;
2414 #endif
2415
2416         conn_init(smbd_server_conn);
2417         if (!init_dptrs(smbd_server_conn)) {
2418                 exit_server("init_dptrs() failed");
2419         }
2420
2421         smbd_server_conn->smb1.fde = event_add_fd(smbd_event_context(),
2422                                                   smbd_server_conn,
2423                                                   smbd_server_fd(),
2424                                                   EVENT_FD_READ,
2425                                                   smbd_server_connection_handler,
2426                                                   smbd_server_conn);
2427         if (!smbd_server_conn->smb1.fde) {
2428                 exit_server("failed to create smbd_server_connection fde");
2429         }
2430
2431         TALLOC_FREE(frame);
2432
2433         while (True) {
2434                 NTSTATUS status;
2435
2436                 frame = talloc_stackframe_pool(8192);
2437
2438                 errno = 0;
2439
2440                 status = smbd_server_connection_loop_once(smbd_server_conn);
2441                 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
2442                     !NT_STATUS_IS_OK(status)) {
2443                         DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
2444                                   " exiting\n", nt_errstr(status)));
2445                         break;
2446                 }
2447
2448                 TALLOC_FREE(frame);
2449         }
2450
2451         exit_server_cleanly(NULL);
2452 }
2453
2454 bool req_is_in_chain(struct smb_request *req)
2455 {
2456         if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
2457                 /*
2458                  * We're right now handling a subsequent request, so we must
2459                  * be in a chain
2460                  */
2461                 return true;
2462         }
2463
2464         if (!is_andx_req(req->cmd)) {
2465                 return false;
2466         }
2467
2468         if (req->wct < 2) {
2469                 /*
2470                  * Okay, an illegal request, but definitely not chained :-)
2471                  */
2472                 return false;
2473         }
2474
2475         return (CVAL(req->vwv+0, 0) != 0xFF);
2476 }