6d53bbe929e6054e4dd5a8aefeb40a9608ad4c92
[jra/samba/.git] / source3 / smbd / process.c
1 /* 
2    Unix SMB/CIFS implementation.
3    process incoming packets - main loop
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Volker Lendecke 2005-2007
6    
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11    
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16    
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/globals.h"
23
24 extern bool global_machine_password_needs_changing;
25
26 static void construct_reply_common(struct smb_request *req, const char *inbuf,
27                                    char *outbuf);
28
29 /* Accessor function for smb_read_error for smbd functions. */
30
31 /****************************************************************************
32  Send an smb to a fd.
33 ****************************************************************************/
34
35 bool srv_send_smb(int fd, char *buffer, bool do_encrypt,
36                   struct smb_perfcount_data *pcd)
37 {
38         size_t len = 0;
39         size_t nwritten=0;
40         ssize_t ret;
41         char *buf_out = buffer;
42
43         /* Sign the outgoing packet if required. */
44         srv_calculate_sign_mac(buf_out);
45
46         if (do_encrypt) {
47                 NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
48                 if (!NT_STATUS_IS_OK(status)) {
49                         DEBUG(0, ("send_smb: SMB encryption failed "
50                                 "on outgoing packet! Error %s\n",
51                                 nt_errstr(status) ));
52                         goto out;
53                 }
54         }
55
56         len = smb_len(buf_out) + 4;
57
58         while (nwritten < len) {
59                 ret = write_data(fd,buf_out+nwritten,len - nwritten);
60                 if (ret <= 0) {
61                         DEBUG(0,("Error writing %d bytes to client. %d. (%s)\n",
62                                 (int)len,(int)ret, strerror(errno) ));
63                         srv_free_enc_buffer(buf_out);
64                         goto out;
65                 }
66                 nwritten += ret;
67         }
68
69         SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
70         srv_free_enc_buffer(buf_out);
71 out:
72         SMB_PERFCOUNT_END(pcd);
73         return true;
74 }
75
76 /*******************************************************************
77  Setup the word count and byte count for a smb message.
78 ********************************************************************/
79
80 int srv_set_message(char *buf,
81                         int num_words,
82                         int num_bytes,
83                         bool zero)
84 {
85         if (zero && (num_words || num_bytes)) {
86                 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
87         }
88         SCVAL(buf,smb_wct,num_words);
89         SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
90         smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
91         return (smb_size + num_words*2 + num_bytes);
92 }
93
94 static bool valid_smb_header(const uint8_t *inbuf)
95 {
96         if (is_encrypted_packet(inbuf)) {
97                 return true;
98         }
99         /*
100          * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
101          * but it just looks weird to call strncmp for this one.
102          */
103         return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
104 }
105
106 /* Socket functions for smbd packet processing. */
107
108 static bool valid_packet_size(size_t len)
109 {
110         /*
111          * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
112          * of header. Don't print the error if this fits.... JRA.
113          */
114
115         if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
116                 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
117                                         (unsigned long)len));
118                 return false;
119         }
120         return true;
121 }
122
123 static NTSTATUS read_packet_remainder(int fd, char *buffer,
124                                       unsigned int timeout, ssize_t len)
125 {
126         if (len <= 0) {
127                 return NT_STATUS_OK;
128         }
129
130         return read_socket_with_timeout(fd, buffer, len, len, timeout, NULL);
131 }
132
133 /****************************************************************************
134  Attempt a zerocopy writeX read. We know here that len > smb_size-4
135 ****************************************************************************/
136
137 /*
138  * Unfortunately, earlier versions of smbclient/libsmbclient
139  * don't send this "standard" writeX header. I've fixed this
140  * for 3.2 but we'll use the old method with earlier versions.
141  * Windows and CIFSFS at least use this standard size. Not
142  * sure about MacOSX.
143  */
144
145 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
146                                 (2*14) + /* word count (including bcc) */ \
147                                 1 /* pad byte */)
148
149 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
150                                                     const char lenbuf[4],
151                                                     int fd, char **buffer,
152                                                     unsigned int timeout,
153                                                     size_t *p_unread,
154                                                     size_t *len_ret)
155 {
156         /* Size of a WRITEX call (+4 byte len). */
157         char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
158         ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
159         ssize_t toread;
160         NTSTATUS status;
161
162         memcpy(writeX_header, lenbuf, 4);
163
164         status = read_socket_with_timeout(
165                 fd, writeX_header + 4,
166                 STANDARD_WRITE_AND_X_HEADER_SIZE,
167                 STANDARD_WRITE_AND_X_HEADER_SIZE,
168                 timeout, NULL);
169
170         if (!NT_STATUS_IS_OK(status)) {
171                 return status;
172         }
173
174         /*
175          * Ok - now try and see if this is a possible
176          * valid writeX call.
177          */
178
179         if (is_valid_writeX_buffer((uint8_t *)writeX_header)) {
180                 /*
181                  * If the data offset is beyond what
182                  * we've read, drain the extra bytes.
183                  */
184                 uint16_t doff = SVAL(writeX_header,smb_vwv11);
185                 ssize_t newlen;
186
187                 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
188                         size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
189                         if (drain_socket(smbd_server_fd(), drain) != drain) {
190                                 smb_panic("receive_smb_raw_talloc_partial_read:"
191                                         " failed to drain pending bytes");
192                         }
193                 } else {
194                         doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
195                 }
196
197                 /* Spoof down the length and null out the bcc. */
198                 set_message_bcc(writeX_header, 0);
199                 newlen = smb_len(writeX_header);
200
201                 /* Copy the header we've written. */
202
203                 *buffer = (char *)TALLOC_MEMDUP(mem_ctx,
204                                 writeX_header,
205                                 sizeof(writeX_header));
206
207                 if (*buffer == NULL) {
208                         DEBUG(0, ("Could not allocate inbuf of length %d\n",
209                                   (int)sizeof(writeX_header)));
210                         return NT_STATUS_NO_MEMORY;
211                 }
212
213                 /* Work out the remaining bytes. */
214                 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
215                 *len_ret = newlen + 4;
216                 return NT_STATUS_OK;
217         }
218
219         if (!valid_packet_size(len)) {
220                 return NT_STATUS_INVALID_PARAMETER;
221         }
222
223         /*
224          * Not a valid writeX call. Just do the standard
225          * talloc and return.
226          */
227
228         *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
229
230         if (*buffer == NULL) {
231                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
232                           (int)len+4));
233                 return NT_STATUS_NO_MEMORY;
234         }
235
236         /* Copy in what we already read. */
237         memcpy(*buffer,
238                 writeX_header,
239                 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
240         toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
241
242         if(toread > 0) {
243                 status = read_packet_remainder(
244                         fd, (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
245                         timeout, toread);
246
247                 if (!NT_STATUS_IS_OK(status)) {
248                         DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
249                                    nt_errstr(status)));
250                         return status;
251                 }
252         }
253
254         *len_ret = len + 4;
255         return NT_STATUS_OK;
256 }
257
258 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx, int fd,
259                                        char **buffer, unsigned int timeout,
260                                        size_t *p_unread, size_t *plen)
261 {
262         char lenbuf[4];
263         size_t len;
264         int min_recv_size = lp_min_receive_file_size();
265         NTSTATUS status;
266
267         *p_unread = 0;
268
269         status = read_smb_length_return_keepalive(fd, lenbuf, timeout, &len);
270         if (!NT_STATUS_IS_OK(status)) {
271                 DEBUG(10, ("receive_smb_raw: %s\n", nt_errstr(status)));
272                 return status;
273         }
274
275         if (CVAL(lenbuf,0) == 0 && min_recv_size &&
276             (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
277                 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
278             !srv_is_signing_active()) {
279
280                 return receive_smb_raw_talloc_partial_read(
281                         mem_ctx, lenbuf, fd, buffer, timeout, p_unread, plen);
282         }
283
284         if (!valid_packet_size(len)) {
285                 return NT_STATUS_INVALID_PARAMETER;
286         }
287
288         /*
289          * The +4 here can't wrap, we've checked the length above already.
290          */
291
292         *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
293
294         if (*buffer == NULL) {
295                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
296                           (int)len+4));
297                 return NT_STATUS_NO_MEMORY;
298         }
299
300         memcpy(*buffer, lenbuf, sizeof(lenbuf));
301
302         status = read_packet_remainder(fd, (*buffer)+4, timeout, len);
303         if (!NT_STATUS_IS_OK(status)) {
304                 return status;
305         }
306
307         *plen = len + 4;
308         return NT_STATUS_OK;
309 }
310
311 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
312                                    char **buffer, unsigned int timeout,
313                                    size_t *p_unread, bool *p_encrypted,
314                                    size_t *p_len)
315 {
316         size_t len = 0;
317         NTSTATUS status;
318
319         *p_encrypted = false;
320
321         status = receive_smb_raw_talloc(mem_ctx, fd, buffer, timeout,
322                                         p_unread, &len);
323         if (!NT_STATUS_IS_OK(status)) {
324                 return status;
325         }
326
327         if (is_encrypted_packet((uint8_t *)*buffer)) {
328                 status = srv_decrypt_buffer(*buffer);
329                 if (!NT_STATUS_IS_OK(status)) {
330                         DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
331                                 "incoming packet! Error %s\n",
332                                 nt_errstr(status) ));
333                         return status;
334                 }
335                 *p_encrypted = true;
336         }
337
338         /* Check the incoming SMB signature. */
339         if (!srv_check_sign_mac(*buffer, true)) {
340                 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
341                           "incoming packet!\n"));
342                 return NT_STATUS_INVALID_NETWORK_RESPONSE;
343         }
344
345         *p_len = len;
346         return NT_STATUS_OK;
347 }
348
349 /*
350  * Initialize a struct smb_request from an inbuf
351  */
352
353 void init_smb_request(struct smb_request *req,
354                         const uint8 *inbuf,
355                         size_t unread_bytes,
356                         bool encrypted)
357 {
358         size_t req_size = smb_len(inbuf) + 4;
359         /* Ensure we have at least smb_size bytes. */
360         if (req_size < smb_size) {
361                 DEBUG(0,("init_smb_request: invalid request size %u\n",
362                         (unsigned int)req_size ));
363                 exit_server_cleanly("Invalid SMB request");
364         }
365         req->cmd    = CVAL(inbuf, smb_com);
366         req->flags2 = SVAL(inbuf, smb_flg2);
367         req->smbpid = SVAL(inbuf, smb_pid);
368         req->mid    = SVAL(inbuf, smb_mid);
369         req->vuid   = SVAL(inbuf, smb_uid);
370         req->tid    = SVAL(inbuf, smb_tid);
371         req->wct    = CVAL(inbuf, smb_wct);
372         req->vwv    = (uint16_t *)(inbuf+smb_vwv);
373         req->buflen = smb_buflen(inbuf);
374         req->buf    = (const uint8_t *)smb_buf(inbuf);
375         req->unread_bytes = unread_bytes;
376         req->encrypted = encrypted;
377         req->conn = conn_find(req->tid);
378         req->chain_fsp = NULL;
379         req->chain_outbuf = NULL;
380         smb_init_perfcount_data(&req->pcd);
381
382         /* Ensure we have at least wct words and 2 bytes of bcc. */
383         if (smb_size + req->wct*2 > req_size) {
384                 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
385                         (unsigned int)req->wct,
386                         (unsigned int)req_size));
387                 exit_server_cleanly("Invalid SMB request");
388         }
389         /* Ensure bcc is correct. */
390         if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
391                 DEBUG(0,("init_smb_request: invalid bcc number %u "
392                         "(wct = %u, size %u)\n",
393                         (unsigned int)req->buflen,
394                         (unsigned int)req->wct,
395                         (unsigned int)req_size));
396                 exit_server_cleanly("Invalid SMB request");
397         }
398
399         req->outbuf = NULL;
400 }
401
402 static void process_smb(struct smbd_server_connection *conn,
403                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
404                         bool encrypted, struct smb_perfcount_data *deferred_pcd);
405
406 static void smbd_deferred_open_timer(struct event_context *ev,
407                                      struct timed_event *te,
408                                      struct timeval _tval,
409                                      void *private_data)
410 {
411         struct pending_message_list *msg = talloc_get_type(private_data,
412                                            struct pending_message_list);
413         TALLOC_CTX *mem_ctx = talloc_tos();
414         uint8_t *inbuf;
415
416         inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
417                                          msg->buf.length);
418         if (inbuf == NULL) {
419                 exit_server("smbd_deferred_open_timer: talloc failed\n");
420                 return;
421         }
422
423         /* We leave this message on the queue so the open code can
424            know this is a retry. */
425         DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n",
426                 (unsigned int)SVAL(msg->buf.data,smb_mid)));
427
428         process_smb(smbd_server_conn, inbuf,
429                     msg->buf.length, 0,
430                     msg->encrypted, &msg->pcd);
431 }
432
433 /****************************************************************************
434  Function to push a message onto the tail of a linked list of smb messages ready
435  for processing.
436 ****************************************************************************/
437
438 static bool push_queued_message(struct smb_request *req,
439                                 struct timeval request_time,
440                                 struct timeval end_time,
441                                 char *private_data, size_t private_len)
442 {
443         int msg_len = smb_len(req->inbuf) + 4;
444         struct pending_message_list *msg;
445
446         msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
447
448         if(msg == NULL) {
449                 DEBUG(0,("push_message: malloc fail (1)\n"));
450                 return False;
451         }
452
453         msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
454         if(msg->buf.data == NULL) {
455                 DEBUG(0,("push_message: malloc fail (2)\n"));
456                 TALLOC_FREE(msg);
457                 return False;
458         }
459
460         msg->request_time = request_time;
461         msg->encrypted = req->encrypted;
462         SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
463
464         if (private_data) {
465                 msg->private_data = data_blob_talloc(msg, private_data,
466                                                      private_len);
467                 if (msg->private_data.data == NULL) {
468                         DEBUG(0,("push_message: malloc fail (3)\n"));
469                         TALLOC_FREE(msg);
470                         return False;
471                 }
472         }
473
474         msg->te = event_add_timed(smbd_event_context(),
475                                   msg,
476                                   end_time,
477                                   smbd_deferred_open_timer,
478                                   msg);
479         if (!msg->te) {
480                 DEBUG(0,("push_message: event_add_timed failed\n"));
481                 TALLOC_FREE(msg);
482                 return false;
483         }
484
485         DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
486
487         DEBUG(10,("push_message: pushed message length %u on "
488                   "deferred_open_queue\n", (unsigned int)msg_len));
489
490         return True;
491 }
492
493 /****************************************************************************
494  Function to delete a sharing violation open message by mid.
495 ****************************************************************************/
496
497 void remove_deferred_open_smb_message(uint16 mid)
498 {
499         struct pending_message_list *pml;
500
501         for (pml = deferred_open_queue; pml; pml = pml->next) {
502                 if (mid == SVAL(pml->buf.data,smb_mid)) {
503                         DEBUG(10,("remove_sharing_violation_open_smb_message: "
504                                   "deleting mid %u len %u\n",
505                                   (unsigned int)mid,
506                                   (unsigned int)pml->buf.length ));
507                         DLIST_REMOVE(deferred_open_queue, pml);
508                         TALLOC_FREE(pml);
509                         return;
510                 }
511         }
512 }
513
514 /****************************************************************************
515  Move a sharing violation open retry message to the front of the list and
516  schedule it for immediate processing.
517 ****************************************************************************/
518
519 void schedule_deferred_open_smb_message(uint16 mid)
520 {
521         struct pending_message_list *pml;
522         int i = 0;
523
524         for (pml = deferred_open_queue; pml; pml = pml->next) {
525                 uint16 msg_mid = SVAL(pml->buf.data,smb_mid);
526
527                 DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++,
528                         (unsigned int)msg_mid ));
529
530                 if (mid == msg_mid) {
531                         struct timed_event *te;
532
533                         DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
534                                 mid ));
535
536                         te = event_add_timed(smbd_event_context(),
537                                              pml,
538                                              timeval_zero(),
539                                              smbd_deferred_open_timer,
540                                              pml);
541                         if (!te) {
542                                 DEBUG(10,("schedule_deferred_open_smb_message: "
543                                           "event_add_timed() failed, skipping mid %u\n",
544                                           mid ));
545                         }
546
547                         TALLOC_FREE(pml->te);
548                         pml->te = te;
549                         DLIST_PROMOTE(deferred_open_queue, pml);
550                         return;
551                 }
552         }
553
554         DEBUG(10,("schedule_deferred_open_smb_message: failed to find message mid %u\n",
555                 mid ));
556 }
557
558 /****************************************************************************
559  Return true if this mid is on the deferred queue.
560 ****************************************************************************/
561
562 bool open_was_deferred(uint16 mid)
563 {
564         struct pending_message_list *pml;
565
566         for (pml = deferred_open_queue; pml; pml = pml->next) {
567                 if (SVAL(pml->buf.data,smb_mid) == mid) {
568                         return True;
569                 }
570         }
571         return False;
572 }
573
574 /****************************************************************************
575  Return the message queued by this mid.
576 ****************************************************************************/
577
578 struct pending_message_list *get_open_deferred_message(uint16 mid)
579 {
580         struct pending_message_list *pml;
581
582         for (pml = deferred_open_queue; pml; pml = pml->next) {
583                 if (SVAL(pml->buf.data,smb_mid) == mid) {
584                         return pml;
585                 }
586         }
587         return NULL;
588 }
589
590 /****************************************************************************
591  Function to push a deferred open smb message onto a linked list of local smb
592  messages ready for processing.
593 ****************************************************************************/
594
595 bool push_deferred_smb_message(struct smb_request *req,
596                                struct timeval request_time,
597                                struct timeval timeout,
598                                char *private_data, size_t priv_len)
599 {
600         struct timeval end_time;
601
602         if (req->unread_bytes) {
603                 DEBUG(0,("push_deferred_smb_message: logic error ! "
604                         "unread_bytes = %u\n",
605                         (unsigned int)req->unread_bytes ));
606                 smb_panic("push_deferred_smb_message: "
607                         "logic error unread_bytes != 0" );
608         }
609
610         end_time = timeval_sum(&request_time, &timeout);
611
612         DEBUG(10,("push_deferred_open_smb_message: pushing message len %u mid %u "
613                   "timeout time [%u.%06u]\n",
614                   (unsigned int) smb_len(req->inbuf)+4, (unsigned int)req->mid,
615                   (unsigned int)end_time.tv_sec,
616                   (unsigned int)end_time.tv_usec));
617
618         return push_queued_message(req, request_time, end_time,
619                                    private_data, priv_len);
620 }
621
622 struct idle_event {
623         struct timed_event *te;
624         struct timeval interval;
625         char *name;
626         bool (*handler)(const struct timeval *now, void *private_data);
627         void *private_data;
628 };
629
630 static void smbd_idle_event_handler(struct event_context *ctx,
631                                     struct timed_event *te,
632                                     struct timeval now,
633                                     void *private_data)
634 {
635         struct idle_event *event =
636                 talloc_get_type_abort(private_data, struct idle_event);
637
638         TALLOC_FREE(event->te);
639
640         DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
641                   event->name, event->te));
642
643         if (!event->handler(&now, event->private_data)) {
644                 DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
645                           event->name, event->te));
646                 /* Don't repeat, delete ourselves */
647                 TALLOC_FREE(event);
648                 return;
649         }
650
651         DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
652                   event->name, event->te));
653
654         event->te = event_add_timed(ctx, event,
655                                     timeval_sum(&now, &event->interval),
656                                     smbd_idle_event_handler, event);
657
658         /* We can't do much but fail here. */
659         SMB_ASSERT(event->te != NULL);
660 }
661
662 struct idle_event *event_add_idle(struct event_context *event_ctx,
663                                   TALLOC_CTX *mem_ctx,
664                                   struct timeval interval,
665                                   const char *name,
666                                   bool (*handler)(const struct timeval *now,
667                                                   void *private_data),
668                                   void *private_data)
669 {
670         struct idle_event *result;
671         struct timeval now = timeval_current();
672
673         result = TALLOC_P(mem_ctx, struct idle_event);
674         if (result == NULL) {
675                 DEBUG(0, ("talloc failed\n"));
676                 return NULL;
677         }
678
679         result->interval = interval;
680         result->handler = handler;
681         result->private_data = private_data;
682
683         if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
684                 DEBUG(0, ("talloc failed\n"));
685                 TALLOC_FREE(result);
686                 return NULL;
687         }
688
689         result->te = event_add_timed(event_ctx, result,
690                                      timeval_sum(&now, &interval),
691                                      smbd_idle_event_handler, result);
692         if (result->te == NULL) {
693                 DEBUG(0, ("event_add_timed failed\n"));
694                 TALLOC_FREE(result);
695                 return NULL;
696         }
697
698         DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
699         return result;
700 }
701
702 static void smbd_sig_term_handler(struct tevent_context *ev,
703                                   struct tevent_signal *se,
704                                   int signum,
705                                   int count,
706                                   void *siginfo,
707                                   void *private_data)
708 {
709         exit_server_cleanly("termination signal");
710 }
711
712 void smbd_setup_sig_term_handler(void)
713 {
714         struct tevent_signal *se;
715
716         se = tevent_add_signal(smbd_event_context(),
717                                smbd_event_context(),
718                                SIGTERM, 0,
719                                smbd_sig_term_handler,
720                                NULL);
721         if (!se) {
722                 exit_server("failed to setup SIGTERM handler");
723         }
724 }
725
726 static void smbd_sig_hup_handler(struct tevent_context *ev,
727                                   struct tevent_signal *se,
728                                   int signum,
729                                   int count,
730                                   void *siginfo,
731                                   void *private_data)
732 {
733         change_to_root_user();
734         DEBUG(1,("Reloading services after SIGHUP\n"));
735         reload_services(False);
736 }
737
738 void smbd_setup_sig_hup_handler(void)
739 {
740         struct tevent_signal *se;
741
742         se = tevent_add_signal(smbd_event_context(),
743                                smbd_event_context(),
744                                SIGHUP, 0,
745                                smbd_sig_hup_handler,
746                                NULL);
747         if (!se) {
748                 exit_server("failed to setup SIGHUP handler");
749         }
750 }
751
752 static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
753 {
754         fd_set r_fds, w_fds;
755         int selrtn;
756         struct timeval to;
757         int maxfd = 0;
758
759         to.tv_sec = SMBD_SELECT_TIMEOUT;
760         to.tv_usec = 0;
761
762         /*
763          * Setup the select fd sets.
764          */
765
766         FD_ZERO(&r_fds);
767         FD_ZERO(&w_fds);
768
769         /*
770          * Are there any timed events waiting ? If so, ensure we don't
771          * select for longer than it would take to wait for them.
772          */
773
774         {
775                 struct timeval now;
776                 GetTimeOfDay(&now);
777
778                 event_add_to_select_args(smbd_event_context(), &now,
779                                          &r_fds, &w_fds, &to, &maxfd);
780         }
781
782         /* Process a signal and timed events now... */
783         if (run_events(smbd_event_context(), 0, NULL, NULL)) {
784                 return NT_STATUS_RETRY;
785         }
786
787         {
788                 int sav;
789                 START_PROFILE(smbd_idle);
790
791                 selrtn = sys_select(maxfd+1,&r_fds,&w_fds,NULL,&to);
792                 sav = errno;
793
794                 END_PROFILE(smbd_idle);
795                 errno = sav;
796         }
797
798         if (run_events(smbd_event_context(), selrtn, &r_fds, &w_fds)) {
799                 return NT_STATUS_RETRY;
800         }
801
802         /* Check if error */
803         if (selrtn == -1) {
804                 /* something is wrong. Maybe the socket is dead? */
805                 return map_nt_error_from_unix(errno);
806         }
807
808         /* Did we timeout ? */
809         if (selrtn == 0) {
810                 return NT_STATUS_RETRY;
811         }
812
813         /* should not be reached */
814         return NT_STATUS_INTERNAL_ERROR;
815 }
816
817 /*
818  * Only allow 5 outstanding trans requests. We're allocating memory, so
819  * prevent a DoS.
820  */
821
822 NTSTATUS allow_new_trans(struct trans_state *list, int mid)
823 {
824         int count = 0;
825         for (; list != NULL; list = list->next) {
826
827                 if (list->mid == mid) {
828                         return NT_STATUS_INVALID_PARAMETER;
829                 }
830
831                 count += 1;
832         }
833         if (count > 5) {
834                 return NT_STATUS_INSUFFICIENT_RESOURCES;
835         }
836
837         return NT_STATUS_OK;
838 }
839
840 /*
841 These flags determine some of the permissions required to do an operation 
842
843 Note that I don't set NEED_WRITE on some write operations because they
844 are used by some brain-dead clients when printing, and I don't want to
845 force write permissions on print services.
846 */
847 #define AS_USER (1<<0)
848 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
849 #define TIME_INIT (1<<2)
850 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
851 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
852 #define DO_CHDIR (1<<6)
853
854 /* 
855    define a list of possible SMB messages and their corresponding
856    functions. Any message that has a NULL function is unimplemented -
857    please feel free to contribute implementations!
858 */
859 static const struct smb_message_struct {
860         const char *name;
861         void (*fn)(struct smb_request *req);
862         int flags;
863 } smb_messages[256] = {
864
865 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
866 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
867 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
868 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
869 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
870 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
871 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
872 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
873 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
874 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
875 /* 0x0a */ { "SMBread",reply_read,AS_USER},
876 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
877 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
878 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
879 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
880 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
881 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
882 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
883 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
884 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
885 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
886 /* 0x15 */ { NULL, NULL, 0 },
887 /* 0x16 */ { NULL, NULL, 0 },
888 /* 0x17 */ { NULL, NULL, 0 },
889 /* 0x18 */ { NULL, NULL, 0 },
890 /* 0x19 */ { NULL, NULL, 0 },
891 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
892 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
893 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
894 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
895 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
896 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
897 /* 0x20 */ { "SMBwritec", NULL,0},
898 /* 0x21 */ { NULL, NULL, 0 },
899 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
900 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
901 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
902 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
903 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
904 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
905 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
906 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
907 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
908 /* 0x2b */ { "SMBecho",reply_echo,0},
909 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
910 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
911 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
912 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
913 /* 0x30 */ { NULL, NULL, 0 },
914 /* 0x31 */ { NULL, NULL, 0 },
915 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
916 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
917 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
918 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
919 /* 0x36 */ { NULL, NULL, 0 },
920 /* 0x37 */ { NULL, NULL, 0 },
921 /* 0x38 */ { NULL, NULL, 0 },
922 /* 0x39 */ { NULL, NULL, 0 },
923 /* 0x3a */ { NULL, NULL, 0 },
924 /* 0x3b */ { NULL, NULL, 0 },
925 /* 0x3c */ { NULL, NULL, 0 },
926 /* 0x3d */ { NULL, NULL, 0 },
927 /* 0x3e */ { NULL, NULL, 0 },
928 /* 0x3f */ { NULL, NULL, 0 },
929 /* 0x40 */ { NULL, NULL, 0 },
930 /* 0x41 */ { NULL, NULL, 0 },
931 /* 0x42 */ { NULL, NULL, 0 },
932 /* 0x43 */ { NULL, NULL, 0 },
933 /* 0x44 */ { NULL, NULL, 0 },
934 /* 0x45 */ { NULL, NULL, 0 },
935 /* 0x46 */ { NULL, NULL, 0 },
936 /* 0x47 */ { NULL, NULL, 0 },
937 /* 0x48 */ { NULL, NULL, 0 },
938 /* 0x49 */ { NULL, NULL, 0 },
939 /* 0x4a */ { NULL, NULL, 0 },
940 /* 0x4b */ { NULL, NULL, 0 },
941 /* 0x4c */ { NULL, NULL, 0 },
942 /* 0x4d */ { NULL, NULL, 0 },
943 /* 0x4e */ { NULL, NULL, 0 },
944 /* 0x4f */ { NULL, NULL, 0 },
945 /* 0x50 */ { NULL, NULL, 0 },
946 /* 0x51 */ { NULL, NULL, 0 },
947 /* 0x52 */ { NULL, NULL, 0 },
948 /* 0x53 */ { NULL, NULL, 0 },
949 /* 0x54 */ { NULL, NULL, 0 },
950 /* 0x55 */ { NULL, NULL, 0 },
951 /* 0x56 */ { NULL, NULL, 0 },
952 /* 0x57 */ { NULL, NULL, 0 },
953 /* 0x58 */ { NULL, NULL, 0 },
954 /* 0x59 */ { NULL, NULL, 0 },
955 /* 0x5a */ { NULL, NULL, 0 },
956 /* 0x5b */ { NULL, NULL, 0 },
957 /* 0x5c */ { NULL, NULL, 0 },
958 /* 0x5d */ { NULL, NULL, 0 },
959 /* 0x5e */ { NULL, NULL, 0 },
960 /* 0x5f */ { NULL, NULL, 0 },
961 /* 0x60 */ { NULL, NULL, 0 },
962 /* 0x61 */ { NULL, NULL, 0 },
963 /* 0x62 */ { NULL, NULL, 0 },
964 /* 0x63 */ { NULL, NULL, 0 },
965 /* 0x64 */ { NULL, NULL, 0 },
966 /* 0x65 */ { NULL, NULL, 0 },
967 /* 0x66 */ { NULL, NULL, 0 },
968 /* 0x67 */ { NULL, NULL, 0 },
969 /* 0x68 */ { NULL, NULL, 0 },
970 /* 0x69 */ { NULL, NULL, 0 },
971 /* 0x6a */ { NULL, NULL, 0 },
972 /* 0x6b */ { NULL, NULL, 0 },
973 /* 0x6c */ { NULL, NULL, 0 },
974 /* 0x6d */ { NULL, NULL, 0 },
975 /* 0x6e */ { NULL, NULL, 0 },
976 /* 0x6f */ { NULL, NULL, 0 },
977 /* 0x70 */ { "SMBtcon",reply_tcon,0},
978 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
979 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
980 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
981 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
982 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
983 /* 0x76 */ { NULL, NULL, 0 },
984 /* 0x77 */ { NULL, NULL, 0 },
985 /* 0x78 */ { NULL, NULL, 0 },
986 /* 0x79 */ { NULL, NULL, 0 },
987 /* 0x7a */ { NULL, NULL, 0 },
988 /* 0x7b */ { NULL, NULL, 0 },
989 /* 0x7c */ { NULL, NULL, 0 },
990 /* 0x7d */ { NULL, NULL, 0 },
991 /* 0x7e */ { NULL, NULL, 0 },
992 /* 0x7f */ { NULL, NULL, 0 },
993 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
994 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
995 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
996 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
997 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
998 /* 0x85 */ { NULL, NULL, 0 },
999 /* 0x86 */ { NULL, NULL, 0 },
1000 /* 0x87 */ { NULL, NULL, 0 },
1001 /* 0x88 */ { NULL, NULL, 0 },
1002 /* 0x89 */ { NULL, NULL, 0 },
1003 /* 0x8a */ { NULL, NULL, 0 },
1004 /* 0x8b */ { NULL, NULL, 0 },
1005 /* 0x8c */ { NULL, NULL, 0 },
1006 /* 0x8d */ { NULL, NULL, 0 },
1007 /* 0x8e */ { NULL, NULL, 0 },
1008 /* 0x8f */ { NULL, NULL, 0 },
1009 /* 0x90 */ { NULL, NULL, 0 },
1010 /* 0x91 */ { NULL, NULL, 0 },
1011 /* 0x92 */ { NULL, NULL, 0 },
1012 /* 0x93 */ { NULL, NULL, 0 },
1013 /* 0x94 */ { NULL, NULL, 0 },
1014 /* 0x95 */ { NULL, NULL, 0 },
1015 /* 0x96 */ { NULL, NULL, 0 },
1016 /* 0x97 */ { NULL, NULL, 0 },
1017 /* 0x98 */ { NULL, NULL, 0 },
1018 /* 0x99 */ { NULL, NULL, 0 },
1019 /* 0x9a */ { NULL, NULL, 0 },
1020 /* 0x9b */ { NULL, NULL, 0 },
1021 /* 0x9c */ { NULL, NULL, 0 },
1022 /* 0x9d */ { NULL, NULL, 0 },
1023 /* 0x9e */ { NULL, NULL, 0 },
1024 /* 0x9f */ { NULL, NULL, 0 },
1025 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1026 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1027 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1028 /* 0xa3 */ { NULL, NULL, 0 },
1029 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1030 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1031 /* 0xa6 */ { NULL, NULL, 0 },
1032 /* 0xa7 */ { NULL, NULL, 0 },
1033 /* 0xa8 */ { NULL, NULL, 0 },
1034 /* 0xa9 */ { NULL, NULL, 0 },
1035 /* 0xaa */ { NULL, NULL, 0 },
1036 /* 0xab */ { NULL, NULL, 0 },
1037 /* 0xac */ { NULL, NULL, 0 },
1038 /* 0xad */ { NULL, NULL, 0 },
1039 /* 0xae */ { NULL, NULL, 0 },
1040 /* 0xaf */ { NULL, NULL, 0 },
1041 /* 0xb0 */ { NULL, NULL, 0 },
1042 /* 0xb1 */ { NULL, NULL, 0 },
1043 /* 0xb2 */ { NULL, NULL, 0 },
1044 /* 0xb3 */ { NULL, NULL, 0 },
1045 /* 0xb4 */ { NULL, NULL, 0 },
1046 /* 0xb5 */ { NULL, NULL, 0 },
1047 /* 0xb6 */ { NULL, NULL, 0 },
1048 /* 0xb7 */ { NULL, NULL, 0 },
1049 /* 0xb8 */ { NULL, NULL, 0 },
1050 /* 0xb9 */ { NULL, NULL, 0 },
1051 /* 0xba */ { NULL, NULL, 0 },
1052 /* 0xbb */ { NULL, NULL, 0 },
1053 /* 0xbc */ { NULL, NULL, 0 },
1054 /* 0xbd */ { NULL, NULL, 0 },
1055 /* 0xbe */ { NULL, NULL, 0 },
1056 /* 0xbf */ { NULL, NULL, 0 },
1057 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1058 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1059 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1060 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1061 /* 0xc4 */ { NULL, NULL, 0 },
1062 /* 0xc5 */ { NULL, NULL, 0 },
1063 /* 0xc6 */ { NULL, NULL, 0 },
1064 /* 0xc7 */ { NULL, NULL, 0 },
1065 /* 0xc8 */ { NULL, NULL, 0 },
1066 /* 0xc9 */ { NULL, NULL, 0 },
1067 /* 0xca */ { NULL, NULL, 0 },
1068 /* 0xcb */ { NULL, NULL, 0 },
1069 /* 0xcc */ { NULL, NULL, 0 },
1070 /* 0xcd */ { NULL, NULL, 0 },
1071 /* 0xce */ { NULL, NULL, 0 },
1072 /* 0xcf */ { NULL, NULL, 0 },
1073 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1074 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1075 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1076 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1077 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1078 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1079 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1080 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1081 /* 0xd8 */ { NULL, NULL, 0 },
1082 /* 0xd9 */ { NULL, NULL, 0 },
1083 /* 0xda */ { NULL, NULL, 0 },
1084 /* 0xdb */ { NULL, NULL, 0 },
1085 /* 0xdc */ { NULL, NULL, 0 },
1086 /* 0xdd */ { NULL, NULL, 0 },
1087 /* 0xde */ { NULL, NULL, 0 },
1088 /* 0xdf */ { NULL, NULL, 0 },
1089 /* 0xe0 */ { NULL, NULL, 0 },
1090 /* 0xe1 */ { NULL, NULL, 0 },
1091 /* 0xe2 */ { NULL, NULL, 0 },
1092 /* 0xe3 */ { NULL, NULL, 0 },
1093 /* 0xe4 */ { NULL, NULL, 0 },
1094 /* 0xe5 */ { NULL, NULL, 0 },
1095 /* 0xe6 */ { NULL, NULL, 0 },
1096 /* 0xe7 */ { NULL, NULL, 0 },
1097 /* 0xe8 */ { NULL, NULL, 0 },
1098 /* 0xe9 */ { NULL, NULL, 0 },
1099 /* 0xea */ { NULL, NULL, 0 },
1100 /* 0xeb */ { NULL, NULL, 0 },
1101 /* 0xec */ { NULL, NULL, 0 },
1102 /* 0xed */ { NULL, NULL, 0 },
1103 /* 0xee */ { NULL, NULL, 0 },
1104 /* 0xef */ { NULL, NULL, 0 },
1105 /* 0xf0 */ { NULL, NULL, 0 },
1106 /* 0xf1 */ { NULL, NULL, 0 },
1107 /* 0xf2 */ { NULL, NULL, 0 },
1108 /* 0xf3 */ { NULL, NULL, 0 },
1109 /* 0xf4 */ { NULL, NULL, 0 },
1110 /* 0xf5 */ { NULL, NULL, 0 },
1111 /* 0xf6 */ { NULL, NULL, 0 },
1112 /* 0xf7 */ { NULL, NULL, 0 },
1113 /* 0xf8 */ { NULL, NULL, 0 },
1114 /* 0xf9 */ { NULL, NULL, 0 },
1115 /* 0xfa */ { NULL, NULL, 0 },
1116 /* 0xfb */ { NULL, NULL, 0 },
1117 /* 0xfc */ { NULL, NULL, 0 },
1118 /* 0xfd */ { NULL, NULL, 0 },
1119 /* 0xfe */ { NULL, NULL, 0 },
1120 /* 0xff */ { NULL, NULL, 0 }
1121
1122 };
1123
1124 /*******************************************************************
1125  allocate and initialize a reply packet
1126 ********************************************************************/
1127
1128 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1129                           const char *inbuf, char **outbuf, uint8_t num_words,
1130                           uint32_t num_bytes)
1131 {
1132         /*
1133          * Protect against integer wrap
1134          */
1135         if ((num_bytes > 0xffffff)
1136             || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1137                 char *msg;
1138                 if (asprintf(&msg, "num_bytes too large: %u",
1139                              (unsigned)num_bytes) == -1) {
1140                         msg = CONST_DISCARD(char *, "num_bytes too large");
1141                 }
1142                 smb_panic(msg);
1143         }
1144
1145         *outbuf = TALLOC_ARRAY(mem_ctx, char,
1146                                smb_size + num_words*2 + num_bytes);
1147         if (*outbuf == NULL) {
1148                 return false;
1149         }
1150
1151         construct_reply_common(req, inbuf, *outbuf);
1152         srv_set_message(*outbuf, num_words, num_bytes, false);
1153         /*
1154          * Zero out the word area, the caller has to take care of the bcc area
1155          * himself
1156          */
1157         if (num_words != 0) {
1158                 memset(*outbuf + smb_vwv0, 0, num_words*2);
1159         }
1160
1161         return true;
1162 }
1163
1164 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1165 {
1166         char *outbuf;
1167         if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1168                            num_bytes)) {
1169                 smb_panic("could not allocate output buffer\n");
1170         }
1171         req->outbuf = (uint8_t *)outbuf;
1172 }
1173
1174
1175 /*******************************************************************
1176  Dump a packet to a file.
1177 ********************************************************************/
1178
1179 static void smb_dump(const char *name, int type, const char *data, ssize_t len)
1180 {
1181         int fd, i;
1182         char *fname = NULL;
1183         if (DEBUGLEVEL < 50) {
1184                 return;
1185         }
1186
1187         if (len < 4) len = smb_len(data)+4;
1188         for (i=1;i<100;i++) {
1189                 if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1190                              type ? "req" : "resp") == -1) {
1191                         return;
1192                 }
1193                 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1194                 if (fd != -1 || errno != EEXIST) break;
1195         }
1196         if (fd != -1) {
1197                 ssize_t ret = write(fd, data, len);
1198                 if (ret != len)
1199                         DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1200                 close(fd);
1201                 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1202         }
1203         SAFE_FREE(fname);
1204 }
1205
1206 /****************************************************************************
1207  Prepare everything for calling the actual request function, and potentially
1208  call the request function via the "new" interface.
1209
1210  Return False if the "legacy" function needs to be called, everything is
1211  prepared.
1212
1213  Return True if we're done.
1214
1215  I know this API sucks, but it is the one with the least code change I could
1216  find.
1217 ****************************************************************************/
1218
1219 static connection_struct *switch_message(uint8 type, struct smb_request *req, int size)
1220 {
1221         int flags;
1222         uint16 session_tag;
1223         connection_struct *conn = NULL;
1224
1225         errno = 0;
1226
1227         /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1228          * so subtract 4 from it. */
1229         if (!valid_smb_header(req->inbuf)
1230             || (size < (smb_size - 4))) {
1231                 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1232                          smb_len(req->inbuf)));
1233                 exit_server_cleanly("Non-SMB packet");
1234         }
1235
1236         if (smb_messages[type].fn == NULL) {
1237                 DEBUG(0,("Unknown message type %d!\n",type));
1238                 smb_dump("Unknown", 1, (char *)req->inbuf, size);
1239                 reply_unknown_new(req, type);
1240                 return NULL;
1241         }
1242
1243         flags = smb_messages[type].flags;
1244
1245         /* In share mode security we must ignore the vuid. */
1246         session_tag = (lp_security() == SEC_SHARE)
1247                 ? UID_FIELD_INVALID : req->vuid;
1248         conn = req->conn;
1249
1250         DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1251                  (int)sys_getpid(), (unsigned long)conn));
1252
1253         smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1254
1255         /* Ensure this value is replaced in the incoming packet. */
1256         SSVAL(req->inbuf,smb_uid,session_tag);
1257
1258         /*
1259          * Ensure the correct username is in current_user_info.  This is a
1260          * really ugly bugfix for problems with multiple session_setup_and_X's
1261          * being done and allowing %U and %G substitutions to work correctly.
1262          * There is a reason this code is done here, don't move it unless you
1263          * know what you're doing... :-).
1264          * JRA.
1265          */
1266
1267         if (session_tag != last_session_tag) {
1268                 user_struct *vuser = NULL;
1269
1270                 last_session_tag = session_tag;
1271                 if(session_tag != UID_FIELD_INVALID) {
1272                         vuser = get_valid_user_struct(session_tag);
1273                         if (vuser) {
1274                                 set_current_user_info(
1275                                         vuser->server_info->sanitized_username,
1276                                         vuser->server_info->unix_name,
1277                                         pdb_get_domain(vuser->server_info
1278                                                        ->sam_account));
1279                         }
1280                 }
1281         }
1282
1283         /* Does this call need to be run as the connected user? */
1284         if (flags & AS_USER) {
1285
1286                 /* Does this call need a valid tree connection? */
1287                 if (!conn) {
1288                         /*
1289                          * Amazingly, the error code depends on the command
1290                          * (from Samba4).
1291                          */
1292                         if (type == SMBntcreateX) {
1293                                 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1294                         } else {
1295                                 reply_doserror(req, ERRSRV, ERRinvnid);
1296                         }
1297                         return NULL;
1298                 }
1299
1300                 if (!change_to_user(conn,session_tag)) {
1301                         reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRbaduid));
1302                         remove_deferred_open_smb_message(req->mid);
1303                         return conn;
1304                 }
1305
1306                 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1307
1308                 /* Does it need write permission? */
1309                 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1310                         reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1311                         return conn;
1312                 }
1313
1314                 /* IPC services are limited */
1315                 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1316                         reply_doserror(req, ERRSRV,ERRaccess);
1317                         return conn;
1318                 }
1319         } else {
1320                 /* This call needs to be run as root */
1321                 change_to_root_user();
1322         }
1323
1324         /* load service specific parameters */
1325         if (conn) {
1326                 if (req->encrypted) {
1327                         conn->encrypted_tid = true;
1328                         /* encrypted required from now on. */
1329                         conn->encrypt_level = Required;
1330                 } else if (ENCRYPTION_REQUIRED(conn)) {
1331                         if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1332                                 exit_server_cleanly("encryption required "
1333                                         "on connection");
1334                                 return conn;
1335                         }
1336                 }
1337
1338                 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1339                                          (flags & (AS_USER|DO_CHDIR)
1340                                           ?True:False))) {
1341                         reply_doserror(req, ERRSRV, ERRaccess);
1342                         return conn;
1343                 }
1344                 conn->num_smb_operations++;
1345         }
1346
1347         /* does this protocol need to be run as guest? */
1348         if ((flags & AS_GUEST)
1349             && (!change_to_guest() ||
1350                 !check_access(smbd_server_fd(), lp_hostsallow(-1),
1351                               lp_hostsdeny(-1)))) {
1352                 reply_doserror(req, ERRSRV, ERRaccess);
1353                 return conn;
1354         }
1355
1356         smb_messages[type].fn(req);
1357         return req->conn;
1358 }
1359
1360 /****************************************************************************
1361  Construct a reply to the incoming packet.
1362 ****************************************************************************/
1363
1364 static void construct_reply(char *inbuf, int size, size_t unread_bytes,
1365                             bool encrypted,
1366                             struct smb_perfcount_data *deferred_pcd)
1367 {
1368         connection_struct *conn;
1369         struct smb_request *req;
1370
1371         if (!(req = talloc(talloc_tos(), struct smb_request))) {
1372                 smb_panic("could not allocate smb_request");
1373         }
1374
1375         init_smb_request(req, (uint8 *)inbuf, unread_bytes, encrypted);
1376         req->inbuf  = (uint8_t *)talloc_move(req, &inbuf);
1377
1378         /* we popped this message off the queue - keep original perf data */
1379         if (deferred_pcd)
1380                 req->pcd = *deferred_pcd;
1381         else {
1382                 SMB_PERFCOUNT_START(&req->pcd);
1383                 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1384                 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1385         }
1386
1387         conn = switch_message(req->cmd, req, size);
1388
1389         if (req->unread_bytes) {
1390                 /* writeX failed. drain socket. */
1391                 if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
1392                                 req->unread_bytes) {
1393                         smb_panic("failed to drain pending bytes");
1394                 }
1395                 req->unread_bytes = 0;
1396         }
1397
1398         if (req->outbuf == NULL) {
1399                 return;
1400         }
1401
1402         if (CVAL(req->outbuf,0) == 0) {
1403                 show_msg((char *)req->outbuf);
1404         }
1405
1406         if (!srv_send_smb(smbd_server_fd(),
1407                         (char *)req->outbuf,
1408                         IS_CONN_ENCRYPTED(conn)||req->encrypted,
1409                         &req->pcd)) {
1410                 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1411         }
1412
1413         TALLOC_FREE(req);
1414
1415         return;
1416 }
1417
1418 /****************************************************************************
1419  Process an smb from the client
1420 ****************************************************************************/
1421 static void process_smb(struct smbd_server_connection *conn,
1422                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
1423                         bool encrypted, struct smb_perfcount_data *deferred_pcd)
1424 {
1425         int msg_type = CVAL(inbuf,0);
1426
1427         DO_PROFILE_INC(smb_count);
1428
1429         DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1430                     smb_len(inbuf) ) );
1431         DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num,
1432                                 (int)nread,
1433                                 (unsigned int)unread_bytes ));
1434
1435         if (msg_type != 0) {
1436                 /*
1437                  * NetBIOS session request, keepalive, etc.
1438                  */
1439                 reply_special((char *)inbuf);
1440                 goto done;
1441         }
1442
1443         show_msg((char *)inbuf);
1444
1445         construct_reply((char *)inbuf,nread,unread_bytes,encrypted,deferred_pcd);
1446         trans_num++;
1447
1448 done:
1449         conn->num_requests++;
1450
1451         /* The timeout_processing function isn't run nearly
1452            often enough to implement 'max log size' without
1453            overrunning the size of the file by many megabytes.
1454            This is especially true if we are running at debug
1455            level 10.  Checking every 50 SMBs is a nice
1456            tradeoff of performance vs log file size overrun. */
1457
1458         if ((conn->num_requests % 50) == 0 &&
1459             need_to_check_log_size()) {
1460                 change_to_root_user();
1461                 check_log_size();
1462         }
1463 }
1464
1465 /****************************************************************************
1466  Return a string containing the function name of a SMB command.
1467 ****************************************************************************/
1468
1469 const char *smb_fn_name(int type)
1470 {
1471         const char *unknown_name = "SMBunknown";
1472
1473         if (smb_messages[type].name == NULL)
1474                 return(unknown_name);
1475
1476         return(smb_messages[type].name);
1477 }
1478
1479 /****************************************************************************
1480  Helper functions for contruct_reply.
1481 ****************************************************************************/
1482
1483 void add_to_common_flags2(uint32 v)
1484 {
1485         common_flags2 |= v;
1486 }
1487
1488 void remove_from_common_flags2(uint32 v)
1489 {
1490         common_flags2 &= ~v;
1491 }
1492
1493 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1494                                    char *outbuf)
1495 {
1496         srv_set_message(outbuf,0,0,false);
1497         
1498         SCVAL(outbuf, smb_com, req->cmd);
1499         SIVAL(outbuf,smb_rcls,0);
1500         SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); 
1501         SSVAL(outbuf,smb_flg2,
1502                 (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) |
1503                 common_flags2);
1504         memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1505
1506         SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1507         SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1508         SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1509         SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1510 }
1511
1512 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1513 {
1514         construct_reply_common(req, (char *)req->inbuf, outbuf);
1515 }
1516
1517 /*
1518  * How many bytes have we already accumulated up to the current wct field
1519  * offset?
1520  */
1521
1522 size_t req_wct_ofs(struct smb_request *req)
1523 {
1524         size_t buf_size;
1525
1526         if (req->chain_outbuf == NULL) {
1527                 return smb_wct - 4;
1528         }
1529         buf_size = talloc_get_size(req->chain_outbuf);
1530         if ((buf_size % 4) != 0) {
1531                 buf_size += (4 - (buf_size % 4));
1532         }
1533         return buf_size - 4;
1534 }
1535
1536 /*
1537  * Hack around reply_nterror & friends not being aware of chained requests,
1538  * generating illegal (i.e. wct==0) chain replies.
1539  */
1540
1541 static void fixup_chain_error_packet(struct smb_request *req)
1542 {
1543         uint8_t *outbuf = req->outbuf;
1544         req->outbuf = NULL;
1545         reply_outbuf(req, 2, 0);
1546         memcpy(req->outbuf, outbuf, smb_wct);
1547         TALLOC_FREE(outbuf);
1548         SCVAL(req->outbuf, smb_vwv0, 0xff);
1549 }
1550
1551 /****************************************************************************
1552  Construct a chained reply and add it to the already made reply
1553 ****************************************************************************/
1554
1555 void chain_reply(struct smb_request *req)
1556 {
1557         size_t smblen = smb_len(req->inbuf);
1558         size_t already_used, length_needed;
1559         uint8_t chain_cmd;
1560         uint32_t chain_offset;  /* uint32_t to avoid overflow */
1561
1562         uint8_t wct;
1563         uint16_t *vwv;
1564         uint16_t buflen;
1565         uint8_t *buf;
1566
1567         if (IVAL(req->outbuf, smb_rcls) != 0) {
1568                 fixup_chain_error_packet(req);
1569         }
1570
1571         /*
1572          * Any of the AndX requests and replies have at least a wct of
1573          * 2. vwv[0] is the next command, vwv[1] is the offset from the
1574          * beginning of the SMB header to the next wct field.
1575          *
1576          * None of the AndX requests put anything valuable in vwv[0] and [1],
1577          * so we can overwrite it here to form the chain.
1578          */
1579
1580         if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
1581                 goto error;
1582         }
1583
1584         /*
1585          * Here we assume that this is the end of the chain. For that we need
1586          * to set "next command" to 0xff and the offset to 0. If we later find
1587          * more commands in the chain, this will be overwritten again.
1588          */
1589
1590         SCVAL(req->outbuf, smb_vwv0, 0xff);
1591         SCVAL(req->outbuf, smb_vwv0+1, 0);
1592         SSVAL(req->outbuf, smb_vwv1, 0);
1593
1594         if (req->chain_outbuf == NULL) {
1595                 /*
1596                  * In req->chain_outbuf we collect all the replies. Start the
1597                  * chain by copying in the first reply.
1598                  *
1599                  * We do the realloc because later on we depend on
1600                  * talloc_get_size to determine the length of
1601                  * chain_outbuf. The reply_xxx routines might have
1602                  * over-allocated (reply_pipe_read_and_X used to be such an
1603                  * example).
1604                  */
1605                 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1606                         req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
1607                 if (req->chain_outbuf == NULL) {
1608                         goto error;
1609                 }
1610                 req->outbuf = NULL;
1611         } else {
1612                 if (!smb_splice_chain(&req->chain_outbuf,
1613                                       CVAL(req->outbuf, smb_com),
1614                                       CVAL(req->outbuf, smb_wct),
1615                                       (uint16_t *)(req->outbuf + smb_vwv),
1616                                       0, smb_buflen(req->outbuf),
1617                                       (uint8_t *)smb_buf(req->outbuf))) {
1618                         goto error;
1619                 }
1620                 TALLOC_FREE(req->outbuf);
1621         }
1622
1623         /*
1624          * We use the old request's vwv field to grab the next chained command
1625          * and offset into the chained fields.
1626          */
1627
1628         chain_cmd = CVAL(req->vwv+0, 0);
1629         chain_offset = SVAL(req->vwv+1, 0);
1630
1631         if (chain_cmd == 0xff) {
1632                 /*
1633                  * End of chain, no more requests from the client. So ship the
1634                  * replies.
1635                  */
1636                 smb_setlen((char *)(req->chain_outbuf),
1637                            talloc_get_size(req->chain_outbuf) - 4);
1638
1639                 if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
1640                                   IS_CONN_ENCRYPTED(req->conn)
1641                                   ||req->encrypted,
1642                                   &req->pcd)) {
1643                         exit_server_cleanly("chain_reply: srv_send_smb "
1644                                             "failed.");
1645                 }
1646                 TALLOC_FREE(req);
1647
1648                 return;
1649         }
1650
1651         /* add a new perfcounter for this element of chain */
1652         SMB_PERFCOUNT_ADD(&req->pcd);
1653         SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
1654         SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
1655
1656         /*
1657          * Check if the client tries to fool us. The request so far uses the
1658          * space to the end of the byte buffer in the request just
1659          * processed. The chain_offset can't point into that area. If that was
1660          * the case, we could end up with an endless processing of the chain,
1661          * we would always handle the same request.
1662          */
1663
1664         already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
1665         if (chain_offset < already_used) {
1666                 goto error;
1667         }
1668
1669         /*
1670          * Next check: Make sure the chain offset does not point beyond the
1671          * overall smb request length.
1672          */
1673
1674         length_needed = chain_offset+1; /* wct */
1675         if (length_needed > smblen) {
1676                 goto error;
1677         }
1678
1679         /*
1680          * Now comes the pointer magic. Goal here is to set up req->vwv and
1681          * req->buf correctly again to be able to call the subsequent
1682          * switch_message(). The chain offset (the former vwv[1]) points at
1683          * the new wct field.
1684          */
1685
1686         wct = CVAL(smb_base(req->inbuf), chain_offset);
1687
1688         /*
1689          * Next consistency check: Make the new vwv array fits in the overall
1690          * smb request.
1691          */
1692
1693         length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
1694         if (length_needed > smblen) {
1695                 goto error;
1696         }
1697         vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
1698
1699         /*
1700          * Now grab the new byte buffer....
1701          */
1702
1703         buflen = SVAL(vwv+wct, 0);
1704
1705         /*
1706          * .. and check that it fits.
1707          */
1708
1709         length_needed += buflen;
1710         if (length_needed > smblen) {
1711                 goto error;
1712         }
1713         buf = (uint8_t *)(vwv+wct+1);
1714
1715         req->cmd = chain_cmd;
1716         req->wct = wct;
1717         req->vwv = vwv;
1718         req->buflen = buflen;
1719         req->buf = buf;
1720
1721         switch_message(chain_cmd, req, smblen);
1722
1723         if (req->outbuf == NULL) {
1724                 /*
1725                  * This happens if the chained command has suspended itself or
1726                  * if it has called srv_send_smb() itself.
1727                  */
1728                 return;
1729         }
1730
1731         /*
1732          * We end up here if the chained command was not itself chained or
1733          * suspended, but for example a close() command. We now need to splice
1734          * the chained commands' outbuf into the already built up chain_outbuf
1735          * and ship the result.
1736          */
1737         goto done;
1738
1739  error:
1740         /*
1741          * We end up here if there's any error in the chain syntax. Report a
1742          * DOS error, just like Windows does.
1743          */
1744         reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRerror));
1745         fixup_chain_error_packet(req);
1746
1747  done:
1748         if (!smb_splice_chain(&req->chain_outbuf,
1749                               CVAL(req->outbuf, smb_com),
1750                               CVAL(req->outbuf, smb_wct),
1751                               (uint16_t *)(req->outbuf + smb_vwv),
1752                               0, smb_buflen(req->outbuf),
1753                               (uint8_t *)smb_buf(req->outbuf))) {
1754                 exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
1755         }
1756         TALLOC_FREE(req->outbuf);
1757
1758         smb_setlen((char *)(req->chain_outbuf),
1759                    talloc_get_size(req->chain_outbuf) - 4);
1760
1761         show_msg((char *)(req->chain_outbuf));
1762
1763         if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
1764                           IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
1765                           &req->pcd)) {
1766                 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1767         }
1768         TALLOC_FREE(req);
1769 }
1770
1771 /****************************************************************************
1772  Check if services need reloading.
1773 ****************************************************************************/
1774
1775 void check_reload(time_t t)
1776 {
1777         time_t printcap_cache_time = (time_t)lp_printcap_cache_time();
1778
1779         if(last_smb_conf_reload_time == 0) {
1780                 last_smb_conf_reload_time = t;
1781                 /* Our printing subsystem might not be ready at smbd start up.
1782                    Then no printer is available till the first printers check
1783                    is performed.  A lower initial interval circumvents this. */
1784                 if ( printcap_cache_time > 60 )
1785                         last_printer_reload_time = t - printcap_cache_time + 60;
1786                 else
1787                         last_printer_reload_time = t;
1788         }
1789
1790         if (mypid != getpid()) { /* First time or fork happened meanwhile */
1791                 /* randomize over 60 second the printcap reload to avoid all
1792                  * process hitting cupsd at the same time */
1793                 int time_range = 60;
1794
1795                 last_printer_reload_time += random() % time_range;
1796                 mypid = getpid();
1797         }
1798
1799         if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
1800                 reload_services(True);
1801                 last_smb_conf_reload_time = t;
1802         }
1803
1804         /* 'printcap cache time = 0' disable the feature */
1805         
1806         if ( printcap_cache_time != 0 )
1807         { 
1808                 /* see if it's time to reload or if the clock has been set back */
1809                 
1810                 if ( (t >= last_printer_reload_time+printcap_cache_time) 
1811                         || (t-last_printer_reload_time  < 0) ) 
1812                 {
1813                         DEBUG( 3,( "Printcap cache time expired.\n"));
1814                         reload_printers();
1815                         last_printer_reload_time = t;
1816                 }
1817         }
1818 }
1819
1820 static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
1821 {
1822         /* TODO: make write nonblocking */
1823 }
1824
1825 static void smbd_server_connection_read_handler(struct smbd_server_connection *conn)
1826 {
1827         uint8_t *inbuf = NULL;
1828         size_t inbuf_len = 0;
1829         size_t unread_bytes = 0;
1830         bool encrypted = false;
1831         TALLOC_CTX *mem_ctx = talloc_tos();
1832         NTSTATUS status;
1833
1834         /* TODO: make this completely nonblocking */
1835
1836         status = receive_smb_talloc(mem_ctx, smbd_server_fd(),
1837                                     (char **)(void *)&inbuf,
1838                                     0, /* timeout */
1839                                     &unread_bytes,
1840                                     &encrypted,
1841                                     &inbuf_len);
1842         if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
1843                 goto process;
1844         }
1845         if (NT_STATUS_IS_ERR(status)) {
1846                 exit_server_cleanly("failed to receive smb request");
1847         }
1848         if (!NT_STATUS_IS_OK(status)) {
1849                 return;
1850         }
1851
1852 process:
1853         process_smb(conn, inbuf, inbuf_len, unread_bytes, encrypted, NULL);
1854 }
1855
1856 static void smbd_server_connection_handler(struct event_context *ev,
1857                                            struct fd_event *fde,
1858                                            uint16_t flags,
1859                                            void *private_data)
1860 {
1861         struct smbd_server_connection *conn = talloc_get_type(private_data,
1862                                               struct smbd_server_connection);
1863
1864         if (flags & EVENT_FD_WRITE) {
1865                 smbd_server_connection_write_handler(conn);
1866         } else if (flags & EVENT_FD_READ) {
1867                 smbd_server_connection_read_handler(conn);
1868         }
1869 }
1870
1871
1872 /****************************************************************************
1873 received when we should release a specific IP
1874 ****************************************************************************/
1875 static void release_ip(const char *ip, void *priv)
1876 {
1877         char addr[INET6_ADDRSTRLEN];
1878
1879         if (strcmp(client_socket_addr(get_client_fd(),addr,sizeof(addr)), ip) == 0) {
1880                 /* we can't afford to do a clean exit - that involves
1881                    database writes, which would potentially mean we
1882                    are still running after the failover has finished -
1883                    we have to get rid of this process ID straight
1884                    away */
1885                 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
1886                         ip));
1887                 /* note we must exit with non-zero status so the unclean handler gets
1888                    called in the parent, so that the brl database is tickled */
1889                 _exit(1);
1890         }
1891 }
1892
1893 static void msg_release_ip(struct messaging_context *msg_ctx, void *private_data,
1894                            uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
1895 {
1896         release_ip((char *)data->data, NULL);
1897 }
1898
1899 #ifdef CLUSTER_SUPPORT
1900 static int client_get_tcp_info(struct sockaddr_storage *server,
1901                                struct sockaddr_storage *client)
1902 {
1903         socklen_t length;
1904         if (server_fd == -1) {
1905                 return -1;
1906         }
1907         length = sizeof(*server);
1908         if (getsockname(server_fd, (struct sockaddr *)server, &length) != 0) {
1909                 return -1;
1910         }
1911         length = sizeof(*client);
1912         if (getpeername(server_fd, (struct sockaddr *)client, &length) != 0) {
1913                 return -1;
1914         }
1915         return 0;
1916 }
1917 #endif
1918
1919 /*
1920  * Send keepalive packets to our client
1921  */
1922 static bool keepalive_fn(const struct timeval *now, void *private_data)
1923 {
1924         if (!send_keepalive(smbd_server_fd())) {
1925                 DEBUG( 2, ( "Keepalive failed - exiting.\n" ) );
1926                 return False;
1927         }
1928         return True;
1929 }
1930
1931 /*
1932  * Do the recurring check if we're idle
1933  */
1934 static bool deadtime_fn(const struct timeval *now, void *private_data)
1935 {
1936         if ((conn_num_open() == 0)
1937             || (conn_idle_all(now->tv_sec))) {
1938                 DEBUG( 2, ( "Closing idle connection\n" ) );
1939                 messaging_send(smbd_messaging_context(), procid_self(),
1940                                MSG_SHUTDOWN, &data_blob_null);
1941                 return False;
1942         }
1943
1944         return True;
1945 }
1946
1947 /*
1948  * Do the recurring log file and smb.conf reload checks.
1949  */
1950
1951 static bool housekeeping_fn(const struct timeval *now, void *private_data)
1952 {
1953         change_to_root_user();
1954
1955         /* update printer queue caches if necessary */
1956         update_monitored_printq_cache();
1957
1958         /* check if we need to reload services */
1959         check_reload(time(NULL));
1960
1961         /* Change machine password if neccessary. */
1962         attempt_machine_password_change();
1963
1964         /*
1965          * Force a log file check.
1966          */
1967         force_check_log_size();
1968         check_log_size();
1969         return true;
1970 }
1971
1972 /****************************************************************************
1973  Process commands from the client
1974 ****************************************************************************/
1975
1976 void smbd_process(void)
1977 {
1978         TALLOC_CTX *frame = talloc_stackframe();
1979         char remaddr[INET6_ADDRSTRLEN];
1980
1981         smbd_server_conn = talloc_zero(smbd_event_context(), struct smbd_server_connection);
1982         if (!smbd_server_conn) {
1983                 exit_server("failed to create smbd_server_connection");
1984         }
1985
1986         /* Ensure child is set to blocking mode */
1987         set_blocking(smbd_server_fd(),True);
1988
1989         set_socket_options(smbd_server_fd(),"SO_KEEPALIVE");
1990         set_socket_options(smbd_server_fd(), lp_socket_options());
1991
1992         /* this is needed so that we get decent entries
1993            in smbstatus for port 445 connects */
1994         set_remote_machine_name(get_peer_addr(smbd_server_fd(),
1995                                               remaddr,
1996                                               sizeof(remaddr)),
1997                                               false);
1998         reload_services(true);
1999
2000         /*
2001          * Before the first packet, check the global hosts allow/ hosts deny
2002          * parameters before doing any parsing of packets passed to us by the
2003          * client. This prevents attacks on our parsing code from hosts not in
2004          * the hosts allow list.
2005          */
2006
2007         if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
2008                           lp_hostsdeny(-1))) {
2009                 char addr[INET6_ADDRSTRLEN];
2010
2011                 /*
2012                  * send a negative session response "not listening on calling
2013                  * name"
2014                  */
2015                 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2016                 DEBUG( 1, ("Connection denied from %s\n",
2017                            client_addr(get_client_fd(),addr,sizeof(addr)) ) );
2018                 (void)srv_send_smb(smbd_server_fd(),(char *)buf,false, NULL);
2019                 exit_server_cleanly("connection denied");
2020         }
2021
2022         static_init_rpc;
2023
2024         init_modules();
2025
2026         smb_perfcount_init();
2027
2028         if (!init_account_policy()) {
2029                 exit_server("Could not open account policy tdb.\n");
2030         }
2031
2032         if (*lp_rootdir()) {
2033                 if (chroot(lp_rootdir()) != 0) {
2034                         DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
2035                         exit_server("Failed to chroot()");
2036                 }
2037                 if (chdir("/") == -1) {
2038                         DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
2039                         exit_server("Failed to chroot()");
2040                 }
2041                 DEBUG(0,("Changed root to %s\n", lp_rootdir()));
2042         }
2043
2044         /* Setup oplocks */
2045         if (!init_oplocks(smbd_messaging_context()))
2046                 exit_server("Failed to init oplocks");
2047
2048         /* Setup aio signal handler. */
2049         initialize_async_io_handler();
2050
2051         /* register our message handlers */
2052         messaging_register(smbd_messaging_context(), NULL,
2053                            MSG_SMB_FORCE_TDIS, msg_force_tdis);
2054         messaging_register(smbd_messaging_context(), NULL,
2055                            MSG_SMB_RELEASE_IP, msg_release_ip);
2056         messaging_register(smbd_messaging_context(), NULL,
2057                            MSG_SMB_CLOSE_FILE, msg_close_file);
2058
2059         if ((lp_keepalive() != 0)
2060             && !(event_add_idle(smbd_event_context(), NULL,
2061                                 timeval_set(lp_keepalive(), 0),
2062                                 "keepalive", keepalive_fn,
2063                                 NULL))) {
2064                 DEBUG(0, ("Could not add keepalive event\n"));
2065                 exit(1);
2066         }
2067
2068         if (!(event_add_idle(smbd_event_context(), NULL,
2069                              timeval_set(IDLE_CLOSED_TIMEOUT, 0),
2070                              "deadtime", deadtime_fn, NULL))) {
2071                 DEBUG(0, ("Could not add deadtime event\n"));
2072                 exit(1);
2073         }
2074
2075         if (!(event_add_idle(smbd_event_context(), NULL,
2076                              timeval_set(SMBD_SELECT_TIMEOUT, 0),
2077                              "housekeeping", housekeeping_fn, NULL))) {
2078                 DEBUG(0, ("Could not add housekeeping event\n"));
2079                 exit(1);
2080         }
2081
2082 #ifdef CLUSTER_SUPPORT
2083
2084         if (lp_clustering()) {
2085                 /*
2086                  * We need to tell ctdb about our client's TCP
2087                  * connection, so that for failover ctdbd can send
2088                  * tickle acks, triggering a reconnection by the
2089                  * client.
2090                  */
2091
2092                 struct sockaddr_storage srv, clnt;
2093
2094                 if (client_get_tcp_info(&srv, &clnt) == 0) {
2095
2096                         NTSTATUS status;
2097
2098                         status = ctdbd_register_ips(
2099                                 messaging_ctdbd_connection(),
2100                                 &srv, &clnt, release_ip, NULL);
2101
2102                         if (!NT_STATUS_IS_OK(status)) {
2103                                 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
2104                                           nt_errstr(status)));
2105                         }
2106                 } else
2107                 {
2108                         DEBUG(0,("Unable to get tcp info for "
2109                                  "CTDB_CONTROL_TCP_CLIENT: %s\n",
2110                                  strerror(errno)));
2111                 }
2112         }
2113
2114 #endif
2115
2116         max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
2117
2118         smbd_server_conn->fde = event_add_fd(smbd_event_context(),
2119                                              smbd_server_conn,
2120                                              smbd_server_fd(),
2121                                              EVENT_FD_READ,
2122                                              smbd_server_connection_handler,
2123                                              smbd_server_conn);
2124         if (!smbd_server_conn->fde) {
2125                 exit_server("failed to create smbd_server_connection fde");
2126         }
2127
2128         TALLOC_FREE(frame);
2129
2130         while (True) {
2131                 NTSTATUS status;
2132
2133                 frame = talloc_stackframe_pool(8192);
2134
2135                 errno = 0;
2136
2137                 status = smbd_server_connection_loop_once(smbd_server_conn);
2138                 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
2139                     !NT_STATUS_IS_OK(status)) {
2140                         DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
2141                                   " exiting\n", nt_errstr(status)));
2142                         break;
2143                 }
2144
2145                 TALLOC_FREE(frame);
2146         }
2147
2148         exit_server_cleanly(NULL);
2149 }
2150
2151 bool req_is_in_chain(struct smb_request *req)
2152 {
2153         if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
2154                 /*
2155                  * We're right now handling a subsequent request, so we must
2156                  * be in a chain
2157                  */
2158                 return true;
2159         }
2160
2161         if (!is_andx_req(req->cmd)) {
2162                 return false;
2163         }
2164
2165         if (req->wct < 2) {
2166                 /*
2167                  * Okay, an illegal request, but definitely not chained :-)
2168                  */
2169                 return false;
2170         }
2171
2172         return (CVAL(req->vwv+0, 0) != 0xFF);
2173 }