s3: include smbd/smbd.h where needed.
[kai/samba-autobuild/.git] / source3 / smbd / process.c
1 /* 
2    Unix SMB/CIFS implementation.
3    process incoming packets - main loop
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Volker Lendecke 2005-2007
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "system/filesys.h"
23 #include "smbd/smbd.h"
24 #include "smbd/globals.h"
25 #include "librpc/gen_ndr/netlogon.h"
26 #include "librpc/gen_ndr/messaging.h"
27 #include "../lib/async_req/async_sock.h"
28 #include "ctdbd_conn.h"
29 #include "../lib/util/select.h"
30 #include "printing/pcap.h"
31 #include "system/select.h"
32 #include "passdb.h"
33
34 extern bool global_machine_password_needs_changing;
35
36 static void construct_reply_common(struct smb_request *req, const char *inbuf,
37                                    char *outbuf);
38 static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid);
39
40 static bool smbd_lock_socket_internal(struct smbd_server_connection *sconn)
41 {
42         bool ok;
43
44         if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
45                 return true;
46         }
47
48         sconn->smb1.echo_handler.ref_count++;
49
50         if (sconn->smb1.echo_handler.ref_count > 1) {
51                 return true;
52         }
53
54         DEBUG(10,("pid[%d] wait for socket lock\n", (int)sys_getpid()));
55
56         do {
57                 ok = fcntl_lock(
58                         sconn->smb1.echo_handler.socket_lock_fd,
59                         SMB_F_SETLKW, 0, 0, F_WRLCK);
60         } while (!ok && (errno == EINTR));
61
62         if (!ok) {
63                 DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
64                 return false;
65         }
66
67         DEBUG(10,("pid[%d] got for socket lock\n", (int)sys_getpid()));
68
69         return true;
70 }
71
72 void smbd_lock_socket(struct smbd_server_connection *sconn)
73 {
74         if (!smbd_lock_socket_internal(sconn)) {
75                 exit_server_cleanly("failed to lock socket");
76         }
77 }
78
79 static bool smbd_unlock_socket_internal(struct smbd_server_connection *sconn)
80 {
81         bool ok;
82
83         if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
84                 return true;
85         }
86
87         sconn->smb1.echo_handler.ref_count--;
88
89         if (sconn->smb1.echo_handler.ref_count > 0) {
90                 return true;
91         }
92
93         do {
94                 ok = fcntl_lock(
95                         sconn->smb1.echo_handler.socket_lock_fd,
96                         SMB_F_SETLKW, 0, 0, F_UNLCK);
97         } while (!ok && (errno == EINTR));
98
99         if (!ok) {
100                 DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
101                 return false;
102         }
103
104         DEBUG(10,("pid[%d] unlocked socket\n", (int)sys_getpid()));
105
106         return true;
107 }
108
109 void smbd_unlock_socket(struct smbd_server_connection *sconn)
110 {
111         if (!smbd_unlock_socket_internal(sconn)) {
112                 exit_server_cleanly("failed to unlock socket");
113         }
114 }
115
116 /* Accessor function for smb_read_error for smbd functions. */
117
118 /****************************************************************************
119  Send an smb to a fd.
120 ****************************************************************************/
121
122 bool srv_send_smb(struct smbd_server_connection *sconn, char *buffer,
123                   bool do_signing, uint32_t seqnum,
124                   bool do_encrypt,
125                   struct smb_perfcount_data *pcd)
126 {
127         size_t len = 0;
128         size_t nwritten=0;
129         ssize_t ret;
130         char *buf_out = buffer;
131
132         smbd_lock_socket(sconn);
133
134         if (do_signing) {
135                 /* Sign the outgoing packet if required. */
136                 srv_calculate_sign_mac(sconn, buf_out, seqnum);
137         }
138
139         if (do_encrypt) {
140                 NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
141                 if (!NT_STATUS_IS_OK(status)) {
142                         DEBUG(0, ("send_smb: SMB encryption failed "
143                                 "on outgoing packet! Error %s\n",
144                                 nt_errstr(status) ));
145                         goto out;
146                 }
147         }
148
149         len = smb_len(buf_out) + 4;
150
151         ret = write_data(sconn->sock, buf_out+nwritten, len - nwritten);
152         if (ret <= 0) {
153
154                 char addr[INET6_ADDRSTRLEN];
155                 /*
156                  * Try and give an error message saying what
157                  * client failed.
158                  */
159                 DEBUG(1,("pid[%d] Error writing %d bytes to client %s. %d. (%s)\n",
160                          (int)sys_getpid(), (int)len,
161                          get_peer_addr(sconn->sock, addr, sizeof(addr)),
162                          (int)ret, strerror(errno) ));
163
164                 srv_free_enc_buffer(buf_out);
165                 goto out;
166         }
167
168         SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
169         srv_free_enc_buffer(buf_out);
170 out:
171         SMB_PERFCOUNT_END(pcd);
172
173         smbd_unlock_socket(sconn);
174         return true;
175 }
176
177 /*******************************************************************
178  Setup the word count and byte count for a smb message.
179 ********************************************************************/
180
181 int srv_set_message(char *buf,
182                         int num_words,
183                         int num_bytes,
184                         bool zero)
185 {
186         if (zero && (num_words || num_bytes)) {
187                 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
188         }
189         SCVAL(buf,smb_wct,num_words);
190         SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
191         smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
192         return (smb_size + num_words*2 + num_bytes);
193 }
194
195 static bool valid_smb_header(const uint8_t *inbuf)
196 {
197         if (is_encrypted_packet(inbuf)) {
198                 return true;
199         }
200         /*
201          * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
202          * but it just looks weird to call strncmp for this one.
203          */
204         return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
205 }
206
207 /* Socket functions for smbd packet processing. */
208
209 static bool valid_packet_size(size_t len)
210 {
211         /*
212          * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
213          * of header. Don't print the error if this fits.... JRA.
214          */
215
216         if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
217                 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
218                                         (unsigned long)len));
219                 return false;
220         }
221         return true;
222 }
223
224 static NTSTATUS read_packet_remainder(int fd, char *buffer,
225                                       unsigned int timeout, ssize_t len)
226 {
227         NTSTATUS status;
228
229         if (len <= 0) {
230                 return NT_STATUS_OK;
231         }
232
233         status = read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
234         if (!NT_STATUS_IS_OK(status)) {
235                 char addr[INET6_ADDRSTRLEN];
236                 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
237                           "error = %s.\n",
238                           get_peer_addr(fd, addr, sizeof(addr)),
239                           nt_errstr(status)));
240         }
241         return status;
242 }
243
244 /****************************************************************************
245  Attempt a zerocopy writeX read. We know here that len > smb_size-4
246 ****************************************************************************/
247
248 /*
249  * Unfortunately, earlier versions of smbclient/libsmbclient
250  * don't send this "standard" writeX header. I've fixed this
251  * for 3.2 but we'll use the old method with earlier versions.
252  * Windows and CIFSFS at least use this standard size. Not
253  * sure about MacOSX.
254  */
255
256 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
257                                 (2*14) + /* word count (including bcc) */ \
258                                 1 /* pad byte */)
259
260 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
261                                                     const char lenbuf[4],
262                                                     struct smbd_server_connection *sconn,
263                                                     char **buffer,
264                                                     unsigned int timeout,
265                                                     size_t *p_unread,
266                                                     size_t *len_ret)
267 {
268         /* Size of a WRITEX call (+4 byte len). */
269         char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
270         ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
271         ssize_t toread;
272         NTSTATUS status;
273
274         memcpy(writeX_header, lenbuf, 4);
275
276         status = read_fd_with_timeout(
277                 sconn->sock, writeX_header + 4,
278                 STANDARD_WRITE_AND_X_HEADER_SIZE,
279                 STANDARD_WRITE_AND_X_HEADER_SIZE,
280                 timeout, NULL);
281
282         if (!NT_STATUS_IS_OK(status)) {
283                 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
284                           "error = %s.\n", sconn->client_id.addr,
285                           nt_errstr(status)));
286                 return status;
287         }
288
289         /*
290          * Ok - now try and see if this is a possible
291          * valid writeX call.
292          */
293
294         if (is_valid_writeX_buffer(sconn, (uint8_t *)writeX_header)) {
295                 /*
296                  * If the data offset is beyond what
297                  * we've read, drain the extra bytes.
298                  */
299                 uint16_t doff = SVAL(writeX_header,smb_vwv11);
300                 ssize_t newlen;
301
302                 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
303                         size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
304                         if (drain_socket(sconn->sock, drain) != drain) {
305                                 smb_panic("receive_smb_raw_talloc_partial_read:"
306                                         " failed to drain pending bytes");
307                         }
308                 } else {
309                         doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
310                 }
311
312                 /* Spoof down the length and null out the bcc. */
313                 set_message_bcc(writeX_header, 0);
314                 newlen = smb_len(writeX_header);
315
316                 /* Copy the header we've written. */
317
318                 *buffer = (char *)TALLOC_MEMDUP(mem_ctx,
319                                 writeX_header,
320                                 sizeof(writeX_header));
321
322                 if (*buffer == NULL) {
323                         DEBUG(0, ("Could not allocate inbuf of length %d\n",
324                                   (int)sizeof(writeX_header)));
325                         return NT_STATUS_NO_MEMORY;
326                 }
327
328                 /* Work out the remaining bytes. */
329                 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
330                 *len_ret = newlen + 4;
331                 return NT_STATUS_OK;
332         }
333
334         if (!valid_packet_size(len)) {
335                 return NT_STATUS_INVALID_PARAMETER;
336         }
337
338         /*
339          * Not a valid writeX call. Just do the standard
340          * talloc and return.
341          */
342
343         *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
344
345         if (*buffer == NULL) {
346                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
347                           (int)len+4));
348                 return NT_STATUS_NO_MEMORY;
349         }
350
351         /* Copy in what we already read. */
352         memcpy(*buffer,
353                 writeX_header,
354                 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
355         toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
356
357         if(toread > 0) {
358                 status = read_packet_remainder(
359                         sconn->sock,
360                         (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
361                         timeout, toread);
362
363                 if (!NT_STATUS_IS_OK(status)) {
364                         DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
365                                    nt_errstr(status)));
366                         return status;
367                 }
368         }
369
370         *len_ret = len + 4;
371         return NT_STATUS_OK;
372 }
373
374 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx,
375                                        struct smbd_server_connection *sconn,
376                                        char **buffer, unsigned int timeout,
377                                        size_t *p_unread, size_t *plen)
378 {
379         char lenbuf[4];
380         size_t len;
381         int min_recv_size = lp_min_receive_file_size();
382         NTSTATUS status;
383
384         *p_unread = 0;
385
386         status = read_smb_length_return_keepalive(sconn->sock, lenbuf, timeout,
387                                                   &len);
388         if (!NT_STATUS_IS_OK(status)) {
389                 return status;
390         }
391
392         if (CVAL(lenbuf,0) == 0 && min_recv_size &&
393             (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
394                 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
395             !srv_is_signing_active(sconn) &&
396             sconn->smb1.echo_handler.trusted_fde == NULL) {
397
398                 return receive_smb_raw_talloc_partial_read(
399                         mem_ctx, lenbuf, sconn, buffer, timeout,
400                         p_unread, plen);
401         }
402
403         if (!valid_packet_size(len)) {
404                 return NT_STATUS_INVALID_PARAMETER;
405         }
406
407         /*
408          * The +4 here can't wrap, we've checked the length above already.
409          */
410
411         *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
412
413         if (*buffer == NULL) {
414                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
415                           (int)len+4));
416                 return NT_STATUS_NO_MEMORY;
417         }
418
419         memcpy(*buffer, lenbuf, sizeof(lenbuf));
420
421         status = read_packet_remainder(sconn->sock, (*buffer)+4, timeout, len);
422         if (!NT_STATUS_IS_OK(status)) {
423                 return status;
424         }
425
426         *plen = len + 4;
427         return NT_STATUS_OK;
428 }
429
430 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx,
431                                    struct smbd_server_connection *sconn,
432                                    char **buffer, unsigned int timeout,
433                                    size_t *p_unread, bool *p_encrypted,
434                                    size_t *p_len,
435                                    uint32_t *seqnum,
436                                    bool trusted_channel)
437 {
438         size_t len = 0;
439         NTSTATUS status;
440
441         *p_encrypted = false;
442
443         status = receive_smb_raw_talloc(mem_ctx, sconn, buffer, timeout,
444                                         p_unread, &len);
445         if (!NT_STATUS_IS_OK(status)) {
446                 DEBUG(1, ("read_smb_length_return_keepalive failed for "
447                           "client %s read error = %s.\n",
448                           sconn->client_id.addr, nt_errstr(status)));
449                 return status;
450         }
451
452         if (is_encrypted_packet((uint8_t *)*buffer)) {
453                 status = srv_decrypt_buffer(*buffer);
454                 if (!NT_STATUS_IS_OK(status)) {
455                         DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
456                                 "incoming packet! Error %s\n",
457                                 nt_errstr(status) ));
458                         return status;
459                 }
460                 *p_encrypted = true;
461         }
462
463         /* Check the incoming SMB signature. */
464         if (!srv_check_sign_mac(sconn, *buffer, seqnum, trusted_channel)) {
465                 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
466                           "incoming packet!\n"));
467                 return NT_STATUS_INVALID_NETWORK_RESPONSE;
468         }
469
470         *p_len = len;
471         return NT_STATUS_OK;
472 }
473
474 /*
475  * Initialize a struct smb_request from an inbuf
476  */
477
478 static bool init_smb_request(struct smb_request *req,
479                              struct smbd_server_connection *sconn,
480                              const uint8 *inbuf,
481                              size_t unread_bytes, bool encrypted,
482                              uint32_t seqnum)
483 {
484         size_t req_size = smb_len(inbuf) + 4;
485         /* Ensure we have at least smb_size bytes. */
486         if (req_size < smb_size) {
487                 DEBUG(0,("init_smb_request: invalid request size %u\n",
488                         (unsigned int)req_size ));
489                 return false;
490         }
491         req->cmd    = CVAL(inbuf, smb_com);
492         req->flags2 = SVAL(inbuf, smb_flg2);
493         req->smbpid = SVAL(inbuf, smb_pid);
494         req->mid    = (uint64_t)SVAL(inbuf, smb_mid);
495         req->seqnum = seqnum;
496         req->vuid   = SVAL(inbuf, smb_uid);
497         req->tid    = SVAL(inbuf, smb_tid);
498         req->wct    = CVAL(inbuf, smb_wct);
499         req->vwv    = (uint16_t *)(inbuf+smb_vwv);
500         req->buflen = smb_buflen(inbuf);
501         req->buf    = (const uint8_t *)smb_buf(inbuf);
502         req->unread_bytes = unread_bytes;
503         req->encrypted = encrypted;
504         req->sconn = sconn;
505         req->conn = conn_find(sconn,req->tid);
506         req->chain_fsp = NULL;
507         req->chain_outbuf = NULL;
508         req->done = false;
509         req->smb2req = NULL;
510         smb_init_perfcount_data(&req->pcd);
511
512         /* Ensure we have at least wct words and 2 bytes of bcc. */
513         if (smb_size + req->wct*2 > req_size) {
514                 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
515                         (unsigned int)req->wct,
516                         (unsigned int)req_size));
517                 return false;
518         }
519         /* Ensure bcc is correct. */
520         if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
521                 DEBUG(0,("init_smb_request: invalid bcc number %u "
522                         "(wct = %u, size %u)\n",
523                         (unsigned int)req->buflen,
524                         (unsigned int)req->wct,
525                         (unsigned int)req_size));
526                 return false;
527         }
528
529         req->outbuf = NULL;
530         return true;
531 }
532
533 static void process_smb(struct smbd_server_connection *conn,
534                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
535                         uint32_t seqnum, bool encrypted,
536                         struct smb_perfcount_data *deferred_pcd);
537
538 static void smbd_deferred_open_timer(struct event_context *ev,
539                                      struct timed_event *te,
540                                      struct timeval _tval,
541                                      void *private_data)
542 {
543         struct pending_message_list *msg = talloc_get_type(private_data,
544                                            struct pending_message_list);
545         TALLOC_CTX *mem_ctx = talloc_tos();
546         uint64_t mid = (uint64_t)SVAL(msg->buf.data,smb_mid);
547         uint8_t *inbuf;
548
549         inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
550                                          msg->buf.length);
551         if (inbuf == NULL) {
552                 exit_server("smbd_deferred_open_timer: talloc failed\n");
553                 return;
554         }
555
556         /* We leave this message on the queue so the open code can
557            know this is a retry. */
558         DEBUG(5,("smbd_deferred_open_timer: trigger mid %llu.\n",
559                 (unsigned long long)mid ));
560
561         /* Mark the message as processed so this is not
562          * re-processed in error. */
563         msg->processed = true;
564
565         process_smb(smbd_server_conn, inbuf,
566                     msg->buf.length, 0,
567                     msg->seqnum, msg->encrypted, &msg->pcd);
568
569         /* If it's still there and was processed, remove it. */
570         msg = get_deferred_open_message_smb(mid);
571         if (msg && msg->processed) {
572                 remove_deferred_open_message_smb(mid);
573         }
574 }
575
576 /****************************************************************************
577  Function to push a message onto the tail of a linked list of smb messages ready
578  for processing.
579 ****************************************************************************/
580
581 static bool push_queued_message(struct smb_request *req,
582                                 struct timeval request_time,
583                                 struct timeval end_time,
584                                 char *private_data, size_t private_len)
585 {
586         int msg_len = smb_len(req->inbuf) + 4;
587         struct pending_message_list *msg;
588
589         msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
590
591         if(msg == NULL) {
592                 DEBUG(0,("push_message: malloc fail (1)\n"));
593                 return False;
594         }
595
596         msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
597         if(msg->buf.data == NULL) {
598                 DEBUG(0,("push_message: malloc fail (2)\n"));
599                 TALLOC_FREE(msg);
600                 return False;
601         }
602
603         msg->request_time = request_time;
604         msg->seqnum = req->seqnum;
605         msg->encrypted = req->encrypted;
606         msg->processed = false;
607         SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
608
609         if (private_data) {
610                 msg->private_data = data_blob_talloc(msg, private_data,
611                                                      private_len);
612                 if (msg->private_data.data == NULL) {
613                         DEBUG(0,("push_message: malloc fail (3)\n"));
614                         TALLOC_FREE(msg);
615                         return False;
616                 }
617         }
618
619         msg->te = event_add_timed(smbd_event_context(),
620                                   msg,
621                                   end_time,
622                                   smbd_deferred_open_timer,
623                                   msg);
624         if (!msg->te) {
625                 DEBUG(0,("push_message: event_add_timed failed\n"));
626                 TALLOC_FREE(msg);
627                 return false;
628         }
629
630         DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
631
632         DEBUG(10,("push_message: pushed message length %u on "
633                   "deferred_open_queue\n", (unsigned int)msg_len));
634
635         return True;
636 }
637
638 /****************************************************************************
639  Function to delete a sharing violation open message by mid.
640 ****************************************************************************/
641
642 void remove_deferred_open_message_smb(uint64_t mid)
643 {
644         struct pending_message_list *pml;
645
646         if (smbd_server_conn->using_smb2) {
647                 remove_deferred_open_message_smb2(smbd_server_conn, mid);
648                 return;
649         }
650
651         for (pml = deferred_open_queue; pml; pml = pml->next) {
652                 if (mid == (uint64_t)SVAL(pml->buf.data,smb_mid)) {
653                         DEBUG(10,("remove_deferred_open_message_smb: "
654                                   "deleting mid %llu len %u\n",
655                                   (unsigned long long)mid,
656                                   (unsigned int)pml->buf.length ));
657                         DLIST_REMOVE(deferred_open_queue, pml);
658                         TALLOC_FREE(pml);
659                         return;
660                 }
661         }
662 }
663
664 /****************************************************************************
665  Move a sharing violation open retry message to the front of the list and
666  schedule it for immediate processing.
667 ****************************************************************************/
668
669 void schedule_deferred_open_message_smb(uint64_t mid)
670 {
671         struct pending_message_list *pml;
672         int i = 0;
673
674         if (smbd_server_conn->using_smb2) {
675                 schedule_deferred_open_message_smb2(smbd_server_conn, mid);
676                 return;
677         }
678
679         for (pml = deferred_open_queue; pml; pml = pml->next) {
680                 uint64_t msg_mid = (uint64_t)SVAL(pml->buf.data,smb_mid);
681
682                 DEBUG(10,("schedule_deferred_open_message_smb: [%d] "
683                         "msg_mid = %llu\n",
684                         i++,
685                         (unsigned long long)msg_mid ));
686
687                 if (mid == msg_mid) {
688                         struct timed_event *te;
689
690                         if (pml->processed) {
691                                 /* A processed message should not be
692                                  * rescheduled. */
693                                 DEBUG(0,("schedule_deferred_open_message_smb: LOGIC ERROR "
694                                         "message mid %llu was already processed\n",
695                                         (unsigned long long)msg_mid ));
696                                 continue;
697                         }
698
699                         DEBUG(10,("schedule_deferred_open_message_smb: "
700                                 "scheduling mid %llu\n",
701                                 (unsigned long long)mid ));
702
703                         te = event_add_timed(smbd_event_context(),
704                                              pml,
705                                              timeval_zero(),
706                                              smbd_deferred_open_timer,
707                                              pml);
708                         if (!te) {
709                                 DEBUG(10,("schedule_deferred_open_message_smb: "
710                                         "event_add_timed() failed, "
711                                         "skipping mid %llu\n",
712                                         (unsigned long long)msg_mid ));
713                         }
714
715                         TALLOC_FREE(pml->te);
716                         pml->te = te;
717                         DLIST_PROMOTE(deferred_open_queue, pml);
718                         return;
719                 }
720         }
721
722         DEBUG(10,("schedule_deferred_open_message_smb: failed to "
723                 "find message mid %llu\n",
724                 (unsigned long long)mid ));
725 }
726
727 /****************************************************************************
728  Return true if this mid is on the deferred queue and was not yet processed.
729 ****************************************************************************/
730
731 bool open_was_deferred(uint64_t mid)
732 {
733         struct pending_message_list *pml;
734
735         if (smbd_server_conn->using_smb2) {
736                 return open_was_deferred_smb2(smbd_server_conn, mid);
737         }
738
739         for (pml = deferred_open_queue; pml; pml = pml->next) {
740                 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid && !pml->processed) {
741                         return True;
742                 }
743         }
744         return False;
745 }
746
747 /****************************************************************************
748  Return the message queued by this mid.
749 ****************************************************************************/
750
751 static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid)
752 {
753         struct pending_message_list *pml;
754
755         for (pml = deferred_open_queue; pml; pml = pml->next) {
756                 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid) {
757                         return pml;
758                 }
759         }
760         return NULL;
761 }
762
763 /****************************************************************************
764  Get the state data queued by this mid.
765 ****************************************************************************/
766
767 bool get_deferred_open_message_state(struct smb_request *smbreq,
768                                 struct timeval *p_request_time,
769                                 void **pp_state)
770 {
771         struct pending_message_list *pml;
772
773         if (smbd_server_conn->using_smb2) {
774                 return get_deferred_open_message_state_smb2(smbreq->smb2req,
775                                         p_request_time,
776                                         pp_state);
777         }
778
779         pml = get_deferred_open_message_smb(smbreq->mid);
780         if (!pml) {
781                 return false;
782         }
783         if (p_request_time) {
784                 *p_request_time = pml->request_time;
785         }
786         if (pp_state) {
787                 *pp_state = (void *)pml->private_data.data;
788         }
789         return true;
790 }
791
792 /****************************************************************************
793  Function to push a deferred open smb message onto a linked list of local smb
794  messages ready for processing.
795 ****************************************************************************/
796
797 bool push_deferred_open_message_smb(struct smb_request *req,
798                                struct timeval request_time,
799                                struct timeval timeout,
800                                struct file_id id,
801                                char *private_data, size_t priv_len)
802 {
803         struct timeval end_time;
804
805         if (req->smb2req) {
806                 return push_deferred_open_message_smb2(req->smb2req,
807                                                 request_time,
808                                                 timeout,
809                                                 id,
810                                                 private_data,
811                                                 priv_len);
812         }
813
814         if (req->unread_bytes) {
815                 DEBUG(0,("push_deferred_open_message_smb: logic error ! "
816                         "unread_bytes = %u\n",
817                         (unsigned int)req->unread_bytes ));
818                 smb_panic("push_deferred_open_message_smb: "
819                         "logic error unread_bytes != 0" );
820         }
821
822         end_time = timeval_sum(&request_time, &timeout);
823
824         DEBUG(10,("push_deferred_open_message_smb: pushing message "
825                 "len %u mid %llu timeout time [%u.%06u]\n",
826                 (unsigned int) smb_len(req->inbuf)+4,
827                 (unsigned long long)req->mid,
828                 (unsigned int)end_time.tv_sec,
829                 (unsigned int)end_time.tv_usec));
830
831         return push_queued_message(req, request_time, end_time,
832                                    private_data, priv_len);
833 }
834
835 struct idle_event {
836         struct timed_event *te;
837         struct timeval interval;
838         char *name;
839         bool (*handler)(const struct timeval *now, void *private_data);
840         void *private_data;
841 };
842
843 static void smbd_idle_event_handler(struct event_context *ctx,
844                                     struct timed_event *te,
845                                     struct timeval now,
846                                     void *private_data)
847 {
848         struct idle_event *event =
849                 talloc_get_type_abort(private_data, struct idle_event);
850
851         TALLOC_FREE(event->te);
852
853         DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
854                   event->name, event->te));
855
856         if (!event->handler(&now, event->private_data)) {
857                 DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
858                           event->name, event->te));
859                 /* Don't repeat, delete ourselves */
860                 TALLOC_FREE(event);
861                 return;
862         }
863
864         DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
865                   event->name, event->te));
866
867         event->te = event_add_timed(ctx, event,
868                                     timeval_sum(&now, &event->interval),
869                                     smbd_idle_event_handler, event);
870
871         /* We can't do much but fail here. */
872         SMB_ASSERT(event->te != NULL);
873 }
874
875 struct idle_event *event_add_idle(struct event_context *event_ctx,
876                                   TALLOC_CTX *mem_ctx,
877                                   struct timeval interval,
878                                   const char *name,
879                                   bool (*handler)(const struct timeval *now,
880                                                   void *private_data),
881                                   void *private_data)
882 {
883         struct idle_event *result;
884         struct timeval now = timeval_current();
885
886         result = TALLOC_P(mem_ctx, struct idle_event);
887         if (result == NULL) {
888                 DEBUG(0, ("talloc failed\n"));
889                 return NULL;
890         }
891
892         result->interval = interval;
893         result->handler = handler;
894         result->private_data = private_data;
895
896         if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
897                 DEBUG(0, ("talloc failed\n"));
898                 TALLOC_FREE(result);
899                 return NULL;
900         }
901
902         result->te = event_add_timed(event_ctx, result,
903                                      timeval_sum(&now, &interval),
904                                      smbd_idle_event_handler, result);
905         if (result->te == NULL) {
906                 DEBUG(0, ("event_add_timed failed\n"));
907                 TALLOC_FREE(result);
908                 return NULL;
909         }
910
911         DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
912         return result;
913 }
914
915 static void smbd_sig_term_handler(struct tevent_context *ev,
916                                   struct tevent_signal *se,
917                                   int signum,
918                                   int count,
919                                   void *siginfo,
920                                   void *private_data)
921 {
922         exit_server_cleanly("termination signal");
923 }
924
925 void smbd_setup_sig_term_handler(void)
926 {
927         struct tevent_signal *se;
928
929         se = tevent_add_signal(smbd_event_context(),
930                                smbd_event_context(),
931                                SIGTERM, 0,
932                                smbd_sig_term_handler,
933                                NULL);
934         if (!se) {
935                 exit_server("failed to setup SIGTERM handler");
936         }
937 }
938
939 static void smbd_sig_hup_handler(struct tevent_context *ev,
940                                   struct tevent_signal *se,
941                                   int signum,
942                                   int count,
943                                   void *siginfo,
944                                   void *private_data)
945 {
946         struct messaging_context *msg_ctx = talloc_get_type_abort(
947                 private_data, struct messaging_context);
948         change_to_root_user();
949         DEBUG(1,("Reloading services after SIGHUP\n"));
950         reload_services(msg_ctx, smbd_server_conn->sock, False);
951         if (am_parent) {
952                 pcap_cache_reload(ev, msg_ctx, &reload_pcap_change_notify);
953         }
954 }
955
956 void smbd_setup_sig_hup_handler(struct tevent_context *ev,
957                                 struct messaging_context *msg_ctx)
958 {
959         struct tevent_signal *se;
960
961         se = tevent_add_signal(ev, ev, SIGHUP, 0, smbd_sig_hup_handler,
962                                msg_ctx);
963         if (!se) {
964                 exit_server("failed to setup SIGHUP handler");
965         }
966 }
967
968 static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
969 {
970         int timeout;
971         int num_pfds = 0;
972         int ret;
973         bool retry;
974
975         timeout = SMBD_SELECT_TIMEOUT * 1000;
976
977         /*
978          * Are there any timed events waiting ? If so, ensure we don't
979          * select for longer than it would take to wait for them.
980          */
981
982         event_add_to_poll_args(smbd_event_context(), conn,
983                                &conn->pfds, &num_pfds, &timeout);
984
985         /* Process a signal and timed events now... */
986         if (run_events_poll(smbd_event_context(), 0, NULL, 0)) {
987                 return NT_STATUS_RETRY;
988         }
989
990         {
991                 int sav;
992                 START_PROFILE(smbd_idle);
993
994                 ret = sys_poll(conn->pfds, num_pfds, timeout);
995                 sav = errno;
996
997                 END_PROFILE(smbd_idle);
998                 errno = sav;
999         }
1000
1001         if (ret == -1 && errno != EINTR) {
1002                 return map_nt_error_from_unix(errno);
1003         }
1004
1005         retry = run_events_poll(smbd_event_context(), ret, conn->pfds,
1006                                 num_pfds);
1007         if (retry) {
1008                 return NT_STATUS_RETRY;
1009         }
1010
1011         /* Did we timeout ? */
1012         if (ret == 0) {
1013                 return NT_STATUS_RETRY;
1014         }
1015
1016         /* should not be reached */
1017         return NT_STATUS_INTERNAL_ERROR;
1018 }
1019
1020 /*
1021  * Only allow 5 outstanding trans requests. We're allocating memory, so
1022  * prevent a DoS.
1023  */
1024
1025 NTSTATUS allow_new_trans(struct trans_state *list, uint64_t mid)
1026 {
1027         int count = 0;
1028         for (; list != NULL; list = list->next) {
1029
1030                 if (list->mid == mid) {
1031                         return NT_STATUS_INVALID_PARAMETER;
1032                 }
1033
1034                 count += 1;
1035         }
1036         if (count > 5) {
1037                 return NT_STATUS_INSUFFICIENT_RESOURCES;
1038         }
1039
1040         return NT_STATUS_OK;
1041 }
1042
1043 /*
1044 These flags determine some of the permissions required to do an operation 
1045
1046 Note that I don't set NEED_WRITE on some write operations because they
1047 are used by some brain-dead clients when printing, and I don't want to
1048 force write permissions on print services.
1049 */
1050 #define AS_USER (1<<0)
1051 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
1052 #define TIME_INIT (1<<2)
1053 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
1054 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
1055 #define DO_CHDIR (1<<6)
1056
1057 /* 
1058    define a list of possible SMB messages and their corresponding
1059    functions. Any message that has a NULL function is unimplemented -
1060    please feel free to contribute implementations!
1061 */
1062 static const struct smb_message_struct {
1063         const char *name;
1064         void (*fn)(struct smb_request *req);
1065         int flags;
1066 } smb_messages[256] = {
1067
1068 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
1069 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
1070 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
1071 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
1072 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
1073 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
1074 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
1075 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
1076 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
1077 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
1078 /* 0x0a */ { "SMBread",reply_read,AS_USER},
1079 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
1080 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
1081 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
1082 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
1083 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
1084 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
1085 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
1086 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
1087 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
1088 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
1089 /* 0x15 */ { NULL, NULL, 0 },
1090 /* 0x16 */ { NULL, NULL, 0 },
1091 /* 0x17 */ { NULL, NULL, 0 },
1092 /* 0x18 */ { NULL, NULL, 0 },
1093 /* 0x19 */ { NULL, NULL, 0 },
1094 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
1095 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
1096 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
1097 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
1098 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
1099 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
1100 /* 0x20 */ { "SMBwritec", NULL,0},
1101 /* 0x21 */ { NULL, NULL, 0 },
1102 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
1103 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
1104 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
1105 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
1106 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
1107 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
1108 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
1109 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
1110 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
1111 /* 0x2b */ { "SMBecho",reply_echo,0},
1112 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
1113 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
1114 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
1115 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
1116 /* 0x30 */ { NULL, NULL, 0 },
1117 /* 0x31 */ { NULL, NULL, 0 },
1118 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
1119 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
1120 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
1121 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
1122 /* 0x36 */ { NULL, NULL, 0 },
1123 /* 0x37 */ { NULL, NULL, 0 },
1124 /* 0x38 */ { NULL, NULL, 0 },
1125 /* 0x39 */ { NULL, NULL, 0 },
1126 /* 0x3a */ { NULL, NULL, 0 },
1127 /* 0x3b */ { NULL, NULL, 0 },
1128 /* 0x3c */ { NULL, NULL, 0 },
1129 /* 0x3d */ { NULL, NULL, 0 },
1130 /* 0x3e */ { NULL, NULL, 0 },
1131 /* 0x3f */ { NULL, NULL, 0 },
1132 /* 0x40 */ { NULL, NULL, 0 },
1133 /* 0x41 */ { NULL, NULL, 0 },
1134 /* 0x42 */ { NULL, NULL, 0 },
1135 /* 0x43 */ { NULL, NULL, 0 },
1136 /* 0x44 */ { NULL, NULL, 0 },
1137 /* 0x45 */ { NULL, NULL, 0 },
1138 /* 0x46 */ { NULL, NULL, 0 },
1139 /* 0x47 */ { NULL, NULL, 0 },
1140 /* 0x48 */ { NULL, NULL, 0 },
1141 /* 0x49 */ { NULL, NULL, 0 },
1142 /* 0x4a */ { NULL, NULL, 0 },
1143 /* 0x4b */ { NULL, NULL, 0 },
1144 /* 0x4c */ { NULL, NULL, 0 },
1145 /* 0x4d */ { NULL, NULL, 0 },
1146 /* 0x4e */ { NULL, NULL, 0 },
1147 /* 0x4f */ { NULL, NULL, 0 },
1148 /* 0x50 */ { NULL, NULL, 0 },
1149 /* 0x51 */ { NULL, NULL, 0 },
1150 /* 0x52 */ { NULL, NULL, 0 },
1151 /* 0x53 */ { NULL, NULL, 0 },
1152 /* 0x54 */ { NULL, NULL, 0 },
1153 /* 0x55 */ { NULL, NULL, 0 },
1154 /* 0x56 */ { NULL, NULL, 0 },
1155 /* 0x57 */ { NULL, NULL, 0 },
1156 /* 0x58 */ { NULL, NULL, 0 },
1157 /* 0x59 */ { NULL, NULL, 0 },
1158 /* 0x5a */ { NULL, NULL, 0 },
1159 /* 0x5b */ { NULL, NULL, 0 },
1160 /* 0x5c */ { NULL, NULL, 0 },
1161 /* 0x5d */ { NULL, NULL, 0 },
1162 /* 0x5e */ { NULL, NULL, 0 },
1163 /* 0x5f */ { NULL, NULL, 0 },
1164 /* 0x60 */ { NULL, NULL, 0 },
1165 /* 0x61 */ { NULL, NULL, 0 },
1166 /* 0x62 */ { NULL, NULL, 0 },
1167 /* 0x63 */ { NULL, NULL, 0 },
1168 /* 0x64 */ { NULL, NULL, 0 },
1169 /* 0x65 */ { NULL, NULL, 0 },
1170 /* 0x66 */ { NULL, NULL, 0 },
1171 /* 0x67 */ { NULL, NULL, 0 },
1172 /* 0x68 */ { NULL, NULL, 0 },
1173 /* 0x69 */ { NULL, NULL, 0 },
1174 /* 0x6a */ { NULL, NULL, 0 },
1175 /* 0x6b */ { NULL, NULL, 0 },
1176 /* 0x6c */ { NULL, NULL, 0 },
1177 /* 0x6d */ { NULL, NULL, 0 },
1178 /* 0x6e */ { NULL, NULL, 0 },
1179 /* 0x6f */ { NULL, NULL, 0 },
1180 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1181 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1182 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1183 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1184 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1185 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1186 /* 0x76 */ { NULL, NULL, 0 },
1187 /* 0x77 */ { NULL, NULL, 0 },
1188 /* 0x78 */ { NULL, NULL, 0 },
1189 /* 0x79 */ { NULL, NULL, 0 },
1190 /* 0x7a */ { NULL, NULL, 0 },
1191 /* 0x7b */ { NULL, NULL, 0 },
1192 /* 0x7c */ { NULL, NULL, 0 },
1193 /* 0x7d */ { NULL, NULL, 0 },
1194 /* 0x7e */ { NULL, NULL, 0 },
1195 /* 0x7f */ { NULL, NULL, 0 },
1196 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1197 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1198 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1199 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1200 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1201 /* 0x85 */ { NULL, NULL, 0 },
1202 /* 0x86 */ { NULL, NULL, 0 },
1203 /* 0x87 */ { NULL, NULL, 0 },
1204 /* 0x88 */ { NULL, NULL, 0 },
1205 /* 0x89 */ { NULL, NULL, 0 },
1206 /* 0x8a */ { NULL, NULL, 0 },
1207 /* 0x8b */ { NULL, NULL, 0 },
1208 /* 0x8c */ { NULL, NULL, 0 },
1209 /* 0x8d */ { NULL, NULL, 0 },
1210 /* 0x8e */ { NULL, NULL, 0 },
1211 /* 0x8f */ { NULL, NULL, 0 },
1212 /* 0x90 */ { NULL, NULL, 0 },
1213 /* 0x91 */ { NULL, NULL, 0 },
1214 /* 0x92 */ { NULL, NULL, 0 },
1215 /* 0x93 */ { NULL, NULL, 0 },
1216 /* 0x94 */ { NULL, NULL, 0 },
1217 /* 0x95 */ { NULL, NULL, 0 },
1218 /* 0x96 */ { NULL, NULL, 0 },
1219 /* 0x97 */ { NULL, NULL, 0 },
1220 /* 0x98 */ { NULL, NULL, 0 },
1221 /* 0x99 */ { NULL, NULL, 0 },
1222 /* 0x9a */ { NULL, NULL, 0 },
1223 /* 0x9b */ { NULL, NULL, 0 },
1224 /* 0x9c */ { NULL, NULL, 0 },
1225 /* 0x9d */ { NULL, NULL, 0 },
1226 /* 0x9e */ { NULL, NULL, 0 },
1227 /* 0x9f */ { NULL, NULL, 0 },
1228 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1229 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1230 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1231 /* 0xa3 */ { NULL, NULL, 0 },
1232 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1233 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1234 /* 0xa6 */ { NULL, NULL, 0 },
1235 /* 0xa7 */ { NULL, NULL, 0 },
1236 /* 0xa8 */ { NULL, NULL, 0 },
1237 /* 0xa9 */ { NULL, NULL, 0 },
1238 /* 0xaa */ { NULL, NULL, 0 },
1239 /* 0xab */ { NULL, NULL, 0 },
1240 /* 0xac */ { NULL, NULL, 0 },
1241 /* 0xad */ { NULL, NULL, 0 },
1242 /* 0xae */ { NULL, NULL, 0 },
1243 /* 0xaf */ { NULL, NULL, 0 },
1244 /* 0xb0 */ { NULL, NULL, 0 },
1245 /* 0xb1 */ { NULL, NULL, 0 },
1246 /* 0xb2 */ { NULL, NULL, 0 },
1247 /* 0xb3 */ { NULL, NULL, 0 },
1248 /* 0xb4 */ { NULL, NULL, 0 },
1249 /* 0xb5 */ { NULL, NULL, 0 },
1250 /* 0xb6 */ { NULL, NULL, 0 },
1251 /* 0xb7 */ { NULL, NULL, 0 },
1252 /* 0xb8 */ { NULL, NULL, 0 },
1253 /* 0xb9 */ { NULL, NULL, 0 },
1254 /* 0xba */ { NULL, NULL, 0 },
1255 /* 0xbb */ { NULL, NULL, 0 },
1256 /* 0xbc */ { NULL, NULL, 0 },
1257 /* 0xbd */ { NULL, NULL, 0 },
1258 /* 0xbe */ { NULL, NULL, 0 },
1259 /* 0xbf */ { NULL, NULL, 0 },
1260 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1261 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1262 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1263 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1264 /* 0xc4 */ { NULL, NULL, 0 },
1265 /* 0xc5 */ { NULL, NULL, 0 },
1266 /* 0xc6 */ { NULL, NULL, 0 },
1267 /* 0xc7 */ { NULL, NULL, 0 },
1268 /* 0xc8 */ { NULL, NULL, 0 },
1269 /* 0xc9 */ { NULL, NULL, 0 },
1270 /* 0xca */ { NULL, NULL, 0 },
1271 /* 0xcb */ { NULL, NULL, 0 },
1272 /* 0xcc */ { NULL, NULL, 0 },
1273 /* 0xcd */ { NULL, NULL, 0 },
1274 /* 0xce */ { NULL, NULL, 0 },
1275 /* 0xcf */ { NULL, NULL, 0 },
1276 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1277 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1278 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1279 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1280 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1281 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1282 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1283 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1284 /* 0xd8 */ { NULL, NULL, 0 },
1285 /* 0xd9 */ { NULL, NULL, 0 },
1286 /* 0xda */ { NULL, NULL, 0 },
1287 /* 0xdb */ { NULL, NULL, 0 },
1288 /* 0xdc */ { NULL, NULL, 0 },
1289 /* 0xdd */ { NULL, NULL, 0 },
1290 /* 0xde */ { NULL, NULL, 0 },
1291 /* 0xdf */ { NULL, NULL, 0 },
1292 /* 0xe0 */ { NULL, NULL, 0 },
1293 /* 0xe1 */ { NULL, NULL, 0 },
1294 /* 0xe2 */ { NULL, NULL, 0 },
1295 /* 0xe3 */ { NULL, NULL, 0 },
1296 /* 0xe4 */ { NULL, NULL, 0 },
1297 /* 0xe5 */ { NULL, NULL, 0 },
1298 /* 0xe6 */ { NULL, NULL, 0 },
1299 /* 0xe7 */ { NULL, NULL, 0 },
1300 /* 0xe8 */ { NULL, NULL, 0 },
1301 /* 0xe9 */ { NULL, NULL, 0 },
1302 /* 0xea */ { NULL, NULL, 0 },
1303 /* 0xeb */ { NULL, NULL, 0 },
1304 /* 0xec */ { NULL, NULL, 0 },
1305 /* 0xed */ { NULL, NULL, 0 },
1306 /* 0xee */ { NULL, NULL, 0 },
1307 /* 0xef */ { NULL, NULL, 0 },
1308 /* 0xf0 */ { NULL, NULL, 0 },
1309 /* 0xf1 */ { NULL, NULL, 0 },
1310 /* 0xf2 */ { NULL, NULL, 0 },
1311 /* 0xf3 */ { NULL, NULL, 0 },
1312 /* 0xf4 */ { NULL, NULL, 0 },
1313 /* 0xf5 */ { NULL, NULL, 0 },
1314 /* 0xf6 */ { NULL, NULL, 0 },
1315 /* 0xf7 */ { NULL, NULL, 0 },
1316 /* 0xf8 */ { NULL, NULL, 0 },
1317 /* 0xf9 */ { NULL, NULL, 0 },
1318 /* 0xfa */ { NULL, NULL, 0 },
1319 /* 0xfb */ { NULL, NULL, 0 },
1320 /* 0xfc */ { NULL, NULL, 0 },
1321 /* 0xfd */ { NULL, NULL, 0 },
1322 /* 0xfe */ { NULL, NULL, 0 },
1323 /* 0xff */ { NULL, NULL, 0 }
1324
1325 };
1326
1327 /*******************************************************************
1328  allocate and initialize a reply packet
1329 ********************************************************************/
1330
1331 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1332                           const char *inbuf, char **outbuf, uint8_t num_words,
1333                           uint32_t num_bytes)
1334 {
1335         /*
1336          * Protect against integer wrap
1337          */
1338         if ((num_bytes > 0xffffff)
1339             || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1340                 char *msg;
1341                 if (asprintf(&msg, "num_bytes too large: %u",
1342                              (unsigned)num_bytes) == -1) {
1343                         msg = CONST_DISCARD(char *, "num_bytes too large");
1344                 }
1345                 smb_panic(msg);
1346         }
1347
1348         *outbuf = TALLOC_ARRAY(mem_ctx, char,
1349                                smb_size + num_words*2 + num_bytes);
1350         if (*outbuf == NULL) {
1351                 return false;
1352         }
1353
1354         construct_reply_common(req, inbuf, *outbuf);
1355         srv_set_message(*outbuf, num_words, num_bytes, false);
1356         /*
1357          * Zero out the word area, the caller has to take care of the bcc area
1358          * himself
1359          */
1360         if (num_words != 0) {
1361                 memset(*outbuf + smb_vwv0, 0, num_words*2);
1362         }
1363
1364         return true;
1365 }
1366
1367 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1368 {
1369         char *outbuf;
1370         if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1371                            num_bytes)) {
1372                 smb_panic("could not allocate output buffer\n");
1373         }
1374         req->outbuf = (uint8_t *)outbuf;
1375 }
1376
1377
1378 /*******************************************************************
1379  Dump a packet to a file.
1380 ********************************************************************/
1381
1382 static void smb_dump(const char *name, int type, const char *data, ssize_t len)
1383 {
1384         int fd, i;
1385         char *fname = NULL;
1386         if (DEBUGLEVEL < 50) {
1387                 return;
1388         }
1389
1390         if (len < 4) len = smb_len(data)+4;
1391         for (i=1;i<100;i++) {
1392                 if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1393                              type ? "req" : "resp") == -1) {
1394                         return;
1395                 }
1396                 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1397                 if (fd != -1 || errno != EEXIST) break;
1398         }
1399         if (fd != -1) {
1400                 ssize_t ret = write(fd, data, len);
1401                 if (ret != len)
1402                         DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1403                 close(fd);
1404                 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1405         }
1406         SAFE_FREE(fname);
1407 }
1408
1409 /****************************************************************************
1410  Prepare everything for calling the actual request function, and potentially
1411  call the request function via the "new" interface.
1412
1413  Return False if the "legacy" function needs to be called, everything is
1414  prepared.
1415
1416  Return True if we're done.
1417
1418  I know this API sucks, but it is the one with the least code change I could
1419  find.
1420 ****************************************************************************/
1421
1422 static connection_struct *switch_message(uint8 type, struct smb_request *req, int size)
1423 {
1424         int flags;
1425         uint16 session_tag;
1426         connection_struct *conn = NULL;
1427         struct smbd_server_connection *sconn = req->sconn;
1428
1429         errno = 0;
1430
1431         /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1432          * so subtract 4 from it. */
1433         if (!valid_smb_header(req->inbuf)
1434             || (size < (smb_size - 4))) {
1435                 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1436                          smb_len(req->inbuf)));
1437                 exit_server_cleanly("Non-SMB packet");
1438         }
1439
1440         if (smb_messages[type].fn == NULL) {
1441                 DEBUG(0,("Unknown message type %d!\n",type));
1442                 smb_dump("Unknown", 1, (char *)req->inbuf, size);
1443                 reply_unknown_new(req, type);
1444                 return NULL;
1445         }
1446
1447         flags = smb_messages[type].flags;
1448
1449         /* In share mode security we must ignore the vuid. */
1450         session_tag = (lp_security() == SEC_SHARE)
1451                 ? UID_FIELD_INVALID : req->vuid;
1452         conn = req->conn;
1453
1454         DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1455                  (int)sys_getpid(), (unsigned long)conn));
1456
1457         smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1458
1459         /* Ensure this value is replaced in the incoming packet. */
1460         SSVAL(req->inbuf,smb_uid,session_tag);
1461
1462         /*
1463          * Ensure the correct username is in current_user_info.  This is a
1464          * really ugly bugfix for problems with multiple session_setup_and_X's
1465          * being done and allowing %U and %G substitutions to work correctly.
1466          * There is a reason this code is done here, don't move it unless you
1467          * know what you're doing... :-).
1468          * JRA.
1469          */
1470
1471         if (session_tag != sconn->smb1.sessions.last_session_tag) {
1472                 user_struct *vuser = NULL;
1473
1474                 sconn->smb1.sessions.last_session_tag = session_tag;
1475                 if(session_tag != UID_FIELD_INVALID) {
1476                         vuser = get_valid_user_struct(sconn, session_tag);
1477                         if (vuser) {
1478                                 set_current_user_info(
1479                                         vuser->session_info->sanitized_username,
1480                                         vuser->session_info->unix_name,
1481                                         vuser->session_info->info3->base.domain.string);
1482                         }
1483                 }
1484         }
1485
1486         /* Does this call need to be run as the connected user? */
1487         if (flags & AS_USER) {
1488
1489                 /* Does this call need a valid tree connection? */
1490                 if (!conn) {
1491                         /*
1492                          * Amazingly, the error code depends on the command
1493                          * (from Samba4).
1494                          */
1495                         if (type == SMBntcreateX) {
1496                                 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1497                         } else {
1498                                 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1499                         }
1500                         return NULL;
1501                 }
1502
1503                 if (!change_to_user(conn,session_tag)) {
1504                         DEBUG(0, ("Error: Could not change to user. Removing "
1505                                 "deferred open, mid=%llu.\n",
1506                                 (unsigned long long)req->mid));
1507                         reply_force_doserror(req, ERRSRV, ERRbaduid);
1508                         return conn;
1509                 }
1510
1511                 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1512
1513                 /* Does it need write permission? */
1514                 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1515                         reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1516                         return conn;
1517                 }
1518
1519                 /* IPC services are limited */
1520                 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1521                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1522                         return conn;
1523                 }
1524         } else {
1525                 /* This call needs to be run as root */
1526                 change_to_root_user();
1527         }
1528
1529         /* load service specific parameters */
1530         if (conn) {
1531                 if (req->encrypted) {
1532                         conn->encrypted_tid = true;
1533                         /* encrypted required from now on. */
1534                         conn->encrypt_level = Required;
1535                 } else if (ENCRYPTION_REQUIRED(conn)) {
1536                         if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1537                                 exit_server_cleanly("encryption required "
1538                                         "on connection");
1539                                 return conn;
1540                         }
1541                 }
1542
1543                 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1544                                          (flags & (AS_USER|DO_CHDIR)
1545                                           ?True:False))) {
1546                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1547                         return conn;
1548                 }
1549                 conn->num_smb_operations++;
1550         }
1551
1552         /* does this protocol need to be run as guest? */
1553         if ((flags & AS_GUEST)
1554             && (!change_to_guest() ||
1555                 !allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
1556                               sconn->client_id.name,
1557                               sconn->client_id.addr))) {
1558                 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1559                 return conn;
1560         }
1561
1562         smb_messages[type].fn(req);
1563         return req->conn;
1564 }
1565
1566 /****************************************************************************
1567  Construct a reply to the incoming packet.
1568 ****************************************************************************/
1569
1570 static void construct_reply(struct smbd_server_connection *sconn,
1571                             char *inbuf, int size, size_t unread_bytes,
1572                             uint32_t seqnum, bool encrypted,
1573                             struct smb_perfcount_data *deferred_pcd)
1574 {
1575         connection_struct *conn;
1576         struct smb_request *req;
1577
1578         if (!(req = talloc(talloc_tos(), struct smb_request))) {
1579                 smb_panic("could not allocate smb_request");
1580         }
1581
1582         if (!init_smb_request(req, sconn, (uint8 *)inbuf, unread_bytes,
1583                               encrypted, seqnum)) {
1584                 exit_server_cleanly("Invalid SMB request");
1585         }
1586
1587         req->inbuf  = (uint8_t *)talloc_move(req, &inbuf);
1588
1589         /* we popped this message off the queue - keep original perf data */
1590         if (deferred_pcd)
1591                 req->pcd = *deferred_pcd;
1592         else {
1593                 SMB_PERFCOUNT_START(&req->pcd);
1594                 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1595                 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1596         }
1597
1598         conn = switch_message(req->cmd, req, size);
1599
1600         if (req->unread_bytes) {
1601                 /* writeX failed. drain socket. */
1602                 if (drain_socket(req->sconn->sock, req->unread_bytes) !=
1603                                 req->unread_bytes) {
1604                         smb_panic("failed to drain pending bytes");
1605                 }
1606                 req->unread_bytes = 0;
1607         }
1608
1609         if (req->done) {
1610                 TALLOC_FREE(req);
1611                 return;
1612         }
1613
1614         if (req->outbuf == NULL) {
1615                 return;
1616         }
1617
1618         if (CVAL(req->outbuf,0) == 0) {
1619                 show_msg((char *)req->outbuf);
1620         }
1621
1622         if (!srv_send_smb(req->sconn,
1623                         (char *)req->outbuf,
1624                         true, req->seqnum+1,
1625                         IS_CONN_ENCRYPTED(conn)||req->encrypted,
1626                         &req->pcd)) {
1627                 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1628         }
1629
1630         TALLOC_FREE(req);
1631
1632         return;
1633 }
1634
1635 /****************************************************************************
1636  Process an smb from the client
1637 ****************************************************************************/
1638 static void process_smb(struct smbd_server_connection *sconn,
1639                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
1640                         uint32_t seqnum, bool encrypted,
1641                         struct smb_perfcount_data *deferred_pcd)
1642 {
1643         int msg_type = CVAL(inbuf,0);
1644
1645         DO_PROFILE_INC(smb_count);
1646
1647         DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1648                     smb_len(inbuf) ) );
1649         DEBUG(3, ("Transaction %d of length %d (%u toread)\n",
1650                   sconn->trans_num, (int)nread, (unsigned int)unread_bytes));
1651
1652         if (msg_type != 0) {
1653                 /*
1654                  * NetBIOS session request, keepalive, etc.
1655                  */
1656                 reply_special(sconn, (char *)inbuf, nread);
1657                 goto done;
1658         }
1659
1660         if (sconn->using_smb2) {
1661                 /* At this point we're not really using smb2,
1662                  * we make the decision here.. */
1663                 if (smbd_is_smb2_header(inbuf, nread)) {
1664                         smbd_smb2_first_negprot(sconn, inbuf, nread);
1665                         return;
1666                 } else if (nread >= smb_size && valid_smb_header(inbuf)
1667                                 && CVAL(inbuf, smb_com) != 0x72) {
1668                         /* This is a non-negprot SMB1 packet.
1669                            Disable SMB2 from now on. */
1670                         sconn->using_smb2 = false;
1671                 }
1672         }
1673
1674         show_msg((char *)inbuf);
1675
1676         construct_reply(sconn, (char *)inbuf, nread, unread_bytes, seqnum,
1677                         encrypted, deferred_pcd);
1678         sconn->trans_num++;
1679
1680 done:
1681         sconn->smb1.num_requests++;
1682
1683         /* The timeout_processing function isn't run nearly
1684            often enough to implement 'max log size' without
1685            overrunning the size of the file by many megabytes.
1686            This is especially true if we are running at debug
1687            level 10.  Checking every 50 SMBs is a nice
1688            tradeoff of performance vs log file size overrun. */
1689
1690         if ((sconn->smb1.num_requests % 50) == 0 &&
1691             need_to_check_log_size()) {
1692                 change_to_root_user();
1693                 check_log_size();
1694         }
1695 }
1696
1697 /****************************************************************************
1698  Return a string containing the function name of a SMB command.
1699 ****************************************************************************/
1700
1701 const char *smb_fn_name(int type)
1702 {
1703         const char *unknown_name = "SMBunknown";
1704
1705         if (smb_messages[type].name == NULL)
1706                 return(unknown_name);
1707
1708         return(smb_messages[type].name);
1709 }
1710
1711 /****************************************************************************
1712  Helper functions for contruct_reply.
1713 ****************************************************************************/
1714
1715 void add_to_common_flags2(uint32 v)
1716 {
1717         common_flags2 |= v;
1718 }
1719
1720 void remove_from_common_flags2(uint32 v)
1721 {
1722         common_flags2 &= ~v;
1723 }
1724
1725 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1726                                    char *outbuf)
1727 {
1728         srv_set_message(outbuf,0,0,false);
1729
1730         SCVAL(outbuf, smb_com, req->cmd);
1731         SIVAL(outbuf,smb_rcls,0);
1732         SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); 
1733         SSVAL(outbuf,smb_flg2,
1734                 (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) |
1735                 common_flags2);
1736         memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1737
1738         SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1739         SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1740         SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1741         SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1742 }
1743
1744 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1745 {
1746         construct_reply_common(req, (char *)req->inbuf, outbuf);
1747 }
1748
1749 /*
1750  * How many bytes have we already accumulated up to the current wct field
1751  * offset?
1752  */
1753
1754 size_t req_wct_ofs(struct smb_request *req)
1755 {
1756         size_t buf_size;
1757
1758         if (req->chain_outbuf == NULL) {
1759                 return smb_wct - 4;
1760         }
1761         buf_size = talloc_get_size(req->chain_outbuf);
1762         if ((buf_size % 4) != 0) {
1763                 buf_size += (4 - (buf_size % 4));
1764         }
1765         return buf_size - 4;
1766 }
1767
1768 /*
1769  * Hack around reply_nterror & friends not being aware of chained requests,
1770  * generating illegal (i.e. wct==0) chain replies.
1771  */
1772
1773 static void fixup_chain_error_packet(struct smb_request *req)
1774 {
1775         uint8_t *outbuf = req->outbuf;
1776         req->outbuf = NULL;
1777         reply_outbuf(req, 2, 0);
1778         memcpy(req->outbuf, outbuf, smb_wct);
1779         TALLOC_FREE(outbuf);
1780         SCVAL(req->outbuf, smb_vwv0, 0xff);
1781 }
1782
1783 /**
1784  * @brief Find the smb_cmd offset of the last command pushed
1785  * @param[in] buf       The buffer we're building up
1786  * @retval              Where can we put our next andx cmd?
1787  *
1788  * While chaining requests, the "next" request we're looking at needs to put
1789  * its SMB_Command before the data the previous request already built up added
1790  * to the chain. Find the offset to the place where we have to put our cmd.
1791  */
1792
1793 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
1794 {
1795         uint8_t cmd;
1796         size_t ofs;
1797
1798         cmd = CVAL(buf, smb_com);
1799
1800         SMB_ASSERT(is_andx_req(cmd));
1801
1802         ofs = smb_vwv0;
1803
1804         while (CVAL(buf, ofs) != 0xff) {
1805
1806                 if (!is_andx_req(CVAL(buf, ofs))) {
1807                         return false;
1808                 }
1809
1810                 /*
1811                  * ofs is from start of smb header, so add the 4 length
1812                  * bytes. The next cmd is right after the wct field.
1813                  */
1814                 ofs = SVAL(buf, ofs+2) + 4 + 1;
1815
1816                 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1817         }
1818
1819         *pofs = ofs;
1820         return true;
1821 }
1822
1823 /**
1824  * @brief Do the smb chaining at a buffer level
1825  * @param[in] poutbuf           Pointer to the talloc'ed buffer to be modified
1826  * @param[in] smb_command       The command that we want to issue
1827  * @param[in] wct               How many words?
1828  * @param[in] vwv               The words, already in network order
1829  * @param[in] bytes_alignment   How shall we align "bytes"?
1830  * @param[in] num_bytes         How many bytes?
1831  * @param[in] bytes             The data the request ships
1832  *
1833  * smb_splice_chain() adds the vwv and bytes to the request already present in
1834  * *poutbuf.
1835  */
1836
1837 static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1838                              uint8_t wct, const uint16_t *vwv,
1839                              size_t bytes_alignment,
1840                              uint32_t num_bytes, const uint8_t *bytes)
1841 {
1842         uint8_t *outbuf;
1843         size_t old_size, new_size;
1844         size_t ofs;
1845         size_t chain_padding = 0;
1846         size_t bytes_padding = 0;
1847         bool first_request;
1848
1849         old_size = talloc_get_size(*poutbuf);
1850
1851         /*
1852          * old_size == smb_wct means we're pushing the first request in for
1853          * libsmb/
1854          */
1855
1856         first_request = (old_size == smb_wct);
1857
1858         if (!first_request && ((old_size % 4) != 0)) {
1859                 /*
1860                  * Align the wct field of subsequent requests to a 4-byte
1861                  * boundary
1862                  */
1863                 chain_padding = 4 - (old_size % 4);
1864         }
1865
1866         /*
1867          * After the old request comes the new wct field (1 byte), the vwv's
1868          * and the num_bytes field. After at we might need to align the bytes
1869          * given to us to "bytes_alignment", increasing the num_bytes value.
1870          */
1871
1872         new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1873
1874         if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1875                 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1876         }
1877
1878         new_size += bytes_padding + num_bytes;
1879
1880         if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1881                 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1882                           (unsigned)new_size));
1883                 return false;
1884         }
1885
1886         outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1887         if (outbuf == NULL) {
1888                 DEBUG(0, ("talloc failed\n"));
1889                 return false;
1890         }
1891         *poutbuf = outbuf;
1892
1893         if (first_request) {
1894                 SCVAL(outbuf, smb_com, smb_command);
1895         } else {
1896                 size_t andx_cmd_ofs;
1897
1898                 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1899                         DEBUG(1, ("invalid command chain\n"));
1900                         *poutbuf = TALLOC_REALLOC_ARRAY(
1901                                 NULL, *poutbuf, uint8_t, old_size);
1902                         return false;
1903                 }
1904
1905                 if (chain_padding != 0) {
1906                         memset(outbuf + old_size, 0, chain_padding);
1907                         old_size += chain_padding;
1908                 }
1909
1910                 SCVAL(outbuf, andx_cmd_ofs, smb_command);
1911                 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1912         }
1913
1914         ofs = old_size;
1915
1916         /*
1917          * Push the chained request:
1918          *
1919          * wct field
1920          */
1921
1922         SCVAL(outbuf, ofs, wct);
1923         ofs += 1;
1924
1925         /*
1926          * vwv array
1927          */
1928
1929         memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1930         ofs += sizeof(uint16_t) * wct;
1931
1932         /*
1933          * bcc (byte count)
1934          */
1935
1936         SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1937         ofs += sizeof(uint16_t);
1938
1939         /*
1940          * padding
1941          */
1942
1943         if (bytes_padding != 0) {
1944                 memset(outbuf + ofs, 0, bytes_padding);
1945                 ofs += bytes_padding;
1946         }
1947
1948         /*
1949          * The bytes field
1950          */
1951
1952         memcpy(outbuf + ofs, bytes, num_bytes);
1953
1954         return true;
1955 }
1956
1957 /****************************************************************************
1958  Construct a chained reply and add it to the already made reply
1959 ****************************************************************************/
1960
1961 void chain_reply(struct smb_request *req)
1962 {
1963         size_t smblen = smb_len(req->inbuf);
1964         size_t already_used, length_needed;
1965         uint8_t chain_cmd;
1966         uint32_t chain_offset;  /* uint32_t to avoid overflow */
1967
1968         uint8_t wct;
1969         uint16_t *vwv;
1970         uint16_t buflen;
1971         uint8_t *buf;
1972
1973         if (IVAL(req->outbuf, smb_rcls) != 0) {
1974                 fixup_chain_error_packet(req);
1975         }
1976
1977         /*
1978          * Any of the AndX requests and replies have at least a wct of
1979          * 2. vwv[0] is the next command, vwv[1] is the offset from the
1980          * beginning of the SMB header to the next wct field.
1981          *
1982          * None of the AndX requests put anything valuable in vwv[0] and [1],
1983          * so we can overwrite it here to form the chain.
1984          */
1985
1986         if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
1987                 if (req->chain_outbuf == NULL) {
1988                         req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1989                                 req, req->outbuf, uint8_t,
1990                                 smb_len(req->outbuf) + 4);
1991                         if (req->chain_outbuf == NULL) {
1992                                 smb_panic("talloc failed");
1993                         }
1994                 }
1995                 req->outbuf = NULL;
1996                 goto error;
1997         }
1998
1999         /*
2000          * Here we assume that this is the end of the chain. For that we need
2001          * to set "next command" to 0xff and the offset to 0. If we later find
2002          * more commands in the chain, this will be overwritten again.
2003          */
2004
2005         SCVAL(req->outbuf, smb_vwv0, 0xff);
2006         SCVAL(req->outbuf, smb_vwv0+1, 0);
2007         SSVAL(req->outbuf, smb_vwv1, 0);
2008
2009         if (req->chain_outbuf == NULL) {
2010                 /*
2011                  * In req->chain_outbuf we collect all the replies. Start the
2012                  * chain by copying in the first reply.
2013                  *
2014                  * We do the realloc because later on we depend on
2015                  * talloc_get_size to determine the length of
2016                  * chain_outbuf. The reply_xxx routines might have
2017                  * over-allocated (reply_pipe_read_and_X used to be such an
2018                  * example).
2019                  */
2020                 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
2021                         req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
2022                 if (req->chain_outbuf == NULL) {
2023                         smb_panic("talloc failed");
2024                 }
2025                 req->outbuf = NULL;
2026         } else {
2027                 /*
2028                  * Update smb headers where subsequent chained commands
2029                  * may have updated them.
2030                  */
2031                 SSVAL(req->chain_outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
2032                 SSVAL(req->chain_outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
2033
2034                 if (!smb_splice_chain(&req->chain_outbuf,
2035                                       CVAL(req->outbuf, smb_com),
2036                                       CVAL(req->outbuf, smb_wct),
2037                                       (uint16_t *)(req->outbuf + smb_vwv),
2038                                       0, smb_buflen(req->outbuf),
2039                                       (uint8_t *)smb_buf(req->outbuf))) {
2040                         goto error;
2041                 }
2042                 TALLOC_FREE(req->outbuf);
2043         }
2044
2045         /*
2046          * We use the old request's vwv field to grab the next chained command
2047          * and offset into the chained fields.
2048          */
2049
2050         chain_cmd = CVAL(req->vwv+0, 0);
2051         chain_offset = SVAL(req->vwv+1, 0);
2052
2053         if (chain_cmd == 0xff) {
2054                 /*
2055                  * End of chain, no more requests from the client. So ship the
2056                  * replies.
2057                  */
2058                 smb_setlen((char *)(req->chain_outbuf),
2059                            talloc_get_size(req->chain_outbuf) - 4);
2060
2061                 if (!srv_send_smb(req->sconn, (char *)req->chain_outbuf,
2062                                   true, req->seqnum+1,
2063                                   IS_CONN_ENCRYPTED(req->conn)
2064                                   ||req->encrypted,
2065                                   &req->pcd)) {
2066                         exit_server_cleanly("chain_reply: srv_send_smb "
2067                                             "failed.");
2068                 }
2069                 TALLOC_FREE(req->chain_outbuf);
2070                 req->done = true;
2071                 return;
2072         }
2073
2074         /* add a new perfcounter for this element of chain */
2075         SMB_PERFCOUNT_ADD(&req->pcd);
2076         SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
2077         SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
2078
2079         /*
2080          * Check if the client tries to fool us. The request so far uses the
2081          * space to the end of the byte buffer in the request just
2082          * processed. The chain_offset can't point into that area. If that was
2083          * the case, we could end up with an endless processing of the chain,
2084          * we would always handle the same request.
2085          */
2086
2087         already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
2088         if (chain_offset < already_used) {
2089                 goto error;
2090         }
2091
2092         /*
2093          * Next check: Make sure the chain offset does not point beyond the
2094          * overall smb request length.
2095          */
2096
2097         length_needed = chain_offset+1; /* wct */
2098         if (length_needed > smblen) {
2099                 goto error;
2100         }
2101
2102         /*
2103          * Now comes the pointer magic. Goal here is to set up req->vwv and
2104          * req->buf correctly again to be able to call the subsequent
2105          * switch_message(). The chain offset (the former vwv[1]) points at
2106          * the new wct field.
2107          */
2108
2109         wct = CVAL(smb_base(req->inbuf), chain_offset);
2110
2111         /*
2112          * Next consistency check: Make the new vwv array fits in the overall
2113          * smb request.
2114          */
2115
2116         length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
2117         if (length_needed > smblen) {
2118                 goto error;
2119         }
2120         vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
2121
2122         /*
2123          * Now grab the new byte buffer....
2124          */
2125
2126         buflen = SVAL(vwv+wct, 0);
2127
2128         /*
2129          * .. and check that it fits.
2130          */
2131
2132         length_needed += buflen;
2133         if (length_needed > smblen) {
2134                 goto error;
2135         }
2136         buf = (uint8_t *)(vwv+wct+1);
2137
2138         req->cmd = chain_cmd;
2139         req->wct = wct;
2140         req->vwv = vwv;
2141         req->buflen = buflen;
2142         req->buf = buf;
2143
2144         switch_message(chain_cmd, req, smblen);
2145
2146         if (req->outbuf == NULL) {
2147                 /*
2148                  * This happens if the chained command has suspended itself or
2149                  * if it has called srv_send_smb() itself.
2150                  */
2151                 return;
2152         }
2153
2154         /*
2155          * We end up here if the chained command was not itself chained or
2156          * suspended, but for example a close() command. We now need to splice
2157          * the chained commands' outbuf into the already built up chain_outbuf
2158          * and ship the result.
2159          */
2160         goto done;
2161
2162  error:
2163         /*
2164          * We end up here if there's any error in the chain syntax. Report a
2165          * DOS error, just like Windows does.
2166          */
2167         reply_force_doserror(req, ERRSRV, ERRerror);
2168         fixup_chain_error_packet(req);
2169
2170  done:
2171         /*
2172          * This scary statement intends to set the
2173          * FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
2174          * to the value req->outbuf carries
2175          */
2176         SSVAL(req->chain_outbuf, smb_flg2,
2177               (SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
2178               | (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
2179
2180         /*
2181          * Transfer the error codes from the subrequest to the main one
2182          */
2183         SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2184         SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2185
2186         if (!smb_splice_chain(&req->chain_outbuf,
2187                               CVAL(req->outbuf, smb_com),
2188                               CVAL(req->outbuf, smb_wct),
2189                               (uint16_t *)(req->outbuf + smb_vwv),
2190                               0, smb_buflen(req->outbuf),
2191                               (uint8_t *)smb_buf(req->outbuf))) {
2192                 exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2193         }
2194         TALLOC_FREE(req->outbuf);
2195
2196         smb_setlen((char *)(req->chain_outbuf),
2197                    talloc_get_size(req->chain_outbuf) - 4);
2198
2199         show_msg((char *)(req->chain_outbuf));
2200
2201         if (!srv_send_smb(req->sconn, (char *)req->chain_outbuf,
2202                           true, req->seqnum+1,
2203                           IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
2204                           &req->pcd)) {
2205                 exit_server_cleanly("chain_reply: srv_send_smb failed.");
2206         }
2207         TALLOC_FREE(req->chain_outbuf);
2208         req->done = true;
2209 }
2210
2211 /****************************************************************************
2212  Check if services need reloading.
2213 ****************************************************************************/
2214
2215 static void check_reload(struct smbd_server_connection *sconn, time_t t)
2216 {
2217
2218         if (last_smb_conf_reload_time == 0) {
2219                 last_smb_conf_reload_time = t;
2220         }
2221
2222         if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2223                 reload_services(sconn->msg_ctx, sconn->sock, True);
2224                 last_smb_conf_reload_time = t;
2225         }
2226 }
2227
2228 static bool fd_is_readable(int fd)
2229 {
2230         int ret, revents;
2231
2232         ret = poll_one_fd(fd, POLLIN|POLLHUP, 0, &revents);
2233
2234         return ((ret > 0) && ((revents & (POLLIN|POLLHUP|POLLERR)) != 0));
2235
2236 }
2237
2238 static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2239 {
2240         /* TODO: make write nonblocking */
2241 }
2242
2243 static void smbd_server_connection_read_handler(
2244         struct smbd_server_connection *conn, int fd)
2245 {
2246         uint8_t *inbuf = NULL;
2247         size_t inbuf_len = 0;
2248         size_t unread_bytes = 0;
2249         bool encrypted = false;
2250         TALLOC_CTX *mem_ctx = talloc_tos();
2251         NTSTATUS status;
2252         uint32_t seqnum;
2253
2254         bool from_client = (conn->sock == fd);
2255
2256         if (from_client) {
2257                 smbd_lock_socket(conn);
2258
2259                 if (lp_async_smb_echo_handler() && !fd_is_readable(fd)) {
2260                         DEBUG(10,("the echo listener was faster\n"));
2261                         smbd_unlock_socket(conn);
2262                         return;
2263                 }
2264
2265                 /* TODO: make this completely nonblocking */
2266                 status = receive_smb_talloc(mem_ctx, conn,
2267                                             (char **)(void *)&inbuf,
2268                                             0, /* timeout */
2269                                             &unread_bytes,
2270                                             &encrypted,
2271                                             &inbuf_len, &seqnum,
2272                                             false /* trusted channel */);
2273                 smbd_unlock_socket(conn);
2274         } else {
2275                 /* TODO: make this completely nonblocking */
2276                 status = receive_smb_talloc(mem_ctx, conn,
2277                                             (char **)(void *)&inbuf,
2278                                             0, /* timeout */
2279                                             &unread_bytes,
2280                                             &encrypted,
2281                                             &inbuf_len, &seqnum,
2282                                             true /* trusted channel */);
2283         }
2284
2285         if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2286                 goto process;
2287         }
2288         if (NT_STATUS_IS_ERR(status)) {
2289                 exit_server_cleanly("failed to receive smb request");
2290         }
2291         if (!NT_STATUS_IS_OK(status)) {
2292                 return;
2293         }
2294
2295 process:
2296         process_smb(conn, inbuf, inbuf_len, unread_bytes,
2297                     seqnum, encrypted, NULL);
2298 }
2299
2300 static void smbd_server_connection_handler(struct event_context *ev,
2301                                            struct fd_event *fde,
2302                                            uint16_t flags,
2303                                            void *private_data)
2304 {
2305         struct smbd_server_connection *conn = talloc_get_type(private_data,
2306                                               struct smbd_server_connection);
2307
2308         if (flags & EVENT_FD_WRITE) {
2309                 smbd_server_connection_write_handler(conn);
2310                 return;
2311         }
2312         if (flags & EVENT_FD_READ) {
2313                 smbd_server_connection_read_handler(conn, conn->sock);
2314                 return;
2315         }
2316 }
2317
2318 static void smbd_server_echo_handler(struct event_context *ev,
2319                                      struct fd_event *fde,
2320                                      uint16_t flags,
2321                                      void *private_data)
2322 {
2323         struct smbd_server_connection *conn = talloc_get_type(private_data,
2324                                               struct smbd_server_connection);
2325
2326         if (flags & EVENT_FD_WRITE) {
2327                 smbd_server_connection_write_handler(conn);
2328                 return;
2329         }
2330         if (flags & EVENT_FD_READ) {
2331                 smbd_server_connection_read_handler(
2332                         conn, conn->smb1.echo_handler.trusted_fd);
2333                 return;
2334         }
2335 }
2336
2337 /****************************************************************************
2338 received when we should release a specific IP
2339 ****************************************************************************/
2340 static void release_ip(const char *ip, void *priv)
2341 {
2342         const char *addr = (const char *)priv;
2343         const char *p = addr;
2344
2345         if (strncmp("::ffff:", addr, 7) == 0) {
2346                 p = addr + 7;
2347         }
2348
2349         if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2350                 /* we can't afford to do a clean exit - that involves
2351                    database writes, which would potentially mean we
2352                    are still running after the failover has finished -
2353                    we have to get rid of this process ID straight
2354                    away */
2355                 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2356                         ip));
2357                 /* note we must exit with non-zero status so the unclean handler gets
2358                    called in the parent, so that the brl database is tickled */
2359                 _exit(1);
2360         }
2361 }
2362
2363 static void msg_release_ip(struct messaging_context *msg_ctx, void *private_data,
2364                            uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2365 {
2366         struct smbd_server_connection *sconn = talloc_get_type_abort(
2367                 private_data, struct smbd_server_connection);
2368
2369         release_ip((char *)data->data, sconn->client_id.addr);
2370 }
2371
2372 #ifdef CLUSTER_SUPPORT
2373 static int client_get_tcp_info(int sock, struct sockaddr_storage *server,
2374                                struct sockaddr_storage *client)
2375 {
2376         socklen_t length;
2377         length = sizeof(*server);
2378         if (getsockname(sock, (struct sockaddr *)server, &length) != 0) {
2379                 return -1;
2380         }
2381         length = sizeof(*client);
2382         if (getpeername(sock, (struct sockaddr *)client, &length) != 0) {
2383                 return -1;
2384         }
2385         return 0;
2386 }
2387 #endif
2388
2389 /*
2390  * Send keepalive packets to our client
2391  */
2392 static bool keepalive_fn(const struct timeval *now, void *private_data)
2393 {
2394         struct smbd_server_connection *sconn = smbd_server_conn;
2395         bool ret;
2396
2397         if (sconn->using_smb2) {
2398                 /* Don't do keepalives on an SMB2 connection. */
2399                 return false;
2400         }
2401
2402         smbd_lock_socket(smbd_server_conn);
2403         ret = send_keepalive(sconn->sock);
2404         smbd_unlock_socket(smbd_server_conn);
2405
2406         if (!ret) {
2407                 char addr[INET6_ADDRSTRLEN];
2408                 /*
2409                  * Try and give an error message saying what
2410                  * client failed.
2411                  */
2412                 DEBUG(0, ("send_keepalive failed for client %s. "
2413                           "Error %s - exiting\n",
2414                           get_peer_addr(sconn->sock, addr, sizeof(addr)),
2415                           strerror(errno)));
2416                 return False;
2417         }
2418         return True;
2419 }
2420
2421 /*
2422  * Do the recurring check if we're idle
2423  */
2424 static bool deadtime_fn(const struct timeval *now, void *private_data)
2425 {
2426         struct smbd_server_connection *sconn =
2427                 (struct smbd_server_connection *)private_data;
2428
2429         if ((conn_num_open(sconn) == 0)
2430             || (conn_idle_all(sconn, now->tv_sec))) {
2431                 DEBUG( 2, ( "Closing idle connection\n" ) );
2432                 messaging_send(sconn->msg_ctx,
2433                                messaging_server_id(sconn->msg_ctx),
2434                                MSG_SHUTDOWN, &data_blob_null);
2435                 return False;
2436         }
2437
2438         return True;
2439 }
2440
2441 /*
2442  * Do the recurring log file and smb.conf reload checks.
2443  */
2444
2445 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2446 {
2447         struct smbd_server_connection *sconn = talloc_get_type_abort(
2448                 private_data, struct smbd_server_connection);
2449
2450         DEBUG(5, ("housekeeping\n"));
2451
2452         change_to_root_user();
2453
2454         /* update printer queue caches if necessary */
2455         update_monitored_printq_cache(sconn->msg_ctx);
2456
2457         /* check if we need to reload services */
2458         check_reload(sconn, time_mono(NULL));
2459
2460         /* Change machine password if neccessary. */
2461         attempt_machine_password_change();
2462
2463         /*
2464          * Force a log file check.
2465          */
2466         force_check_log_size();
2467         check_log_size();
2468         return true;
2469 }
2470
2471 static int create_unlink_tmp(const char *dir)
2472 {
2473         char *fname;
2474         int fd;
2475
2476         fname = talloc_asprintf(talloc_tos(), "%s/listenerlock_XXXXXX", dir);
2477         if (fname == NULL) {
2478                 errno = ENOMEM;
2479                 return -1;
2480         }
2481         fd = mkstemp(fname);
2482         if (fd == -1) {
2483                 TALLOC_FREE(fname);
2484                 return -1;
2485         }
2486         if (unlink(fname) == -1) {
2487                 int sys_errno = errno;
2488                 close(fd);
2489                 TALLOC_FREE(fname);
2490                 errno = sys_errno;
2491                 return -1;
2492         }
2493         TALLOC_FREE(fname);
2494         return fd;
2495 }
2496
2497 struct smbd_echo_state {
2498         struct tevent_context *ev;
2499         struct iovec *pending;
2500         struct smbd_server_connection *sconn;
2501         int parent_pipe;
2502
2503         struct tevent_fd *parent_fde;
2504
2505         struct tevent_fd *read_fde;
2506         struct tevent_req *write_req;
2507 };
2508
2509 static void smbd_echo_writer_done(struct tevent_req *req);
2510
2511 static void smbd_echo_activate_writer(struct smbd_echo_state *state)
2512 {
2513         int num_pending;
2514
2515         if (state->write_req != NULL) {
2516                 return;
2517         }
2518
2519         num_pending = talloc_array_length(state->pending);
2520         if (num_pending == 0) {
2521                 return;
2522         }
2523
2524         state->write_req = writev_send(state, state->ev, NULL,
2525                                        state->parent_pipe, false,
2526                                        state->pending, num_pending);
2527         if (state->write_req == NULL) {
2528                 DEBUG(1, ("writev_send failed\n"));
2529                 exit(1);
2530         }
2531
2532         talloc_steal(state->write_req, state->pending);
2533         state->pending = NULL;
2534
2535         tevent_req_set_callback(state->write_req, smbd_echo_writer_done,
2536                                 state);
2537 }
2538
2539 static void smbd_echo_writer_done(struct tevent_req *req)
2540 {
2541         struct smbd_echo_state *state = tevent_req_callback_data(
2542                 req, struct smbd_echo_state);
2543         ssize_t written;
2544         int err;
2545
2546         written = writev_recv(req, &err);
2547         TALLOC_FREE(req);
2548         state->write_req = NULL;
2549         if (written == -1) {
2550                 DEBUG(1, ("writev to parent failed: %s\n", strerror(err)));
2551                 exit(1);
2552         }
2553         DEBUG(10,("echo_handler[%d]: forwarded pdu to main\n", (int)sys_getpid()));
2554         smbd_echo_activate_writer(state);
2555 }
2556
2557 static bool smbd_echo_reply(uint8_t *inbuf, size_t inbuf_len,
2558                             uint32_t seqnum)
2559 {
2560         struct smb_request req;
2561         uint16_t num_replies;
2562         size_t out_len;
2563         char *outbuf;
2564         bool ok;
2565
2566         if ((inbuf_len == 4) && (CVAL(inbuf, 0) == SMBkeepalive)) {
2567                 DEBUG(10, ("Got netbios keepalive\n"));
2568                 /*
2569                  * Just swallow it
2570                  */
2571                 return true;
2572         }
2573
2574         if (inbuf_len < smb_size) {
2575                 DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
2576                 return false;
2577         }
2578         if (!valid_smb_header(inbuf)) {
2579                 DEBUG(10, ("Got invalid SMB header\n"));
2580                 return false;
2581         }
2582
2583         if (!init_smb_request(&req, smbd_server_conn, inbuf, 0, false,
2584                               seqnum)) {
2585                 return false;
2586         }
2587         req.inbuf = inbuf;
2588
2589         DEBUG(10, ("smbecho handler got cmd %d (%s)\n", (int)req.cmd,
2590                    smb_messages[req.cmd].name
2591                    ? smb_messages[req.cmd].name : "unknown"));
2592
2593         if (req.cmd != SMBecho) {
2594                 return false;
2595         }
2596         if (req.wct < 1) {
2597                 return false;
2598         }
2599
2600         num_replies = SVAL(req.vwv+0, 0);
2601         if (num_replies != 1) {
2602                 /* Not a Windows "Hey, you're still there?" request */
2603                 return false;
2604         }
2605
2606         if (!create_outbuf(talloc_tos(), &req, (char *)req.inbuf, &outbuf,
2607                            1, req.buflen)) {
2608                 DEBUG(10, ("create_outbuf failed\n"));
2609                 return false;
2610         }
2611         req.outbuf = (uint8_t *)outbuf;
2612
2613         SSVAL(req.outbuf, smb_vwv0, num_replies);
2614
2615         if (req.buflen > 0) {
2616                 memcpy(smb_buf(req.outbuf), req.buf, req.buflen);
2617         }
2618
2619         out_len = smb_len(req.outbuf) + 4;
2620
2621         ok = srv_send_smb(req.sconn,
2622                           (char *)outbuf,
2623                           true, seqnum+1,
2624                           false, &req.pcd);
2625         TALLOC_FREE(outbuf);
2626         if (!ok) {
2627                 exit(1);
2628         }
2629
2630         return true;
2631 }
2632
2633 static void smbd_echo_exit(struct tevent_context *ev,
2634                            struct tevent_fd *fde, uint16_t flags,
2635                            void *private_data)
2636 {
2637         DEBUG(2, ("smbd_echo_exit: lost connection to parent\n"));
2638         exit(0);
2639 }
2640
2641 static void smbd_echo_reader(struct tevent_context *ev,
2642                              struct tevent_fd *fde, uint16_t flags,
2643                              void *private_data)
2644 {
2645         struct smbd_echo_state *state = talloc_get_type_abort(
2646                 private_data, struct smbd_echo_state);
2647         struct smbd_server_connection *sconn = state->sconn;
2648         size_t unread, num_pending;
2649         NTSTATUS status;
2650         struct iovec *tmp;
2651         size_t iov_len;
2652         uint32_t seqnum = 0;
2653         bool reply;
2654         bool ok;
2655         bool encrypted = false;
2656
2657         smb_msleep(1000);
2658
2659         ok = smbd_lock_socket_internal(sconn);
2660         if (!ok) {
2661                 DEBUG(0, ("%s: failed to lock socket\n",
2662                         __location__));
2663                 exit(1);
2664         }
2665
2666         if (!fd_is_readable(sconn->sock)) {
2667                 DEBUG(10,("echo_handler[%d] the parent smbd was faster\n",
2668                           (int)sys_getpid()));
2669                 ok = smbd_unlock_socket_internal(sconn);
2670                 if (!ok) {
2671                         DEBUG(1, ("%s: failed to unlock socket in\n",
2672                                 __location__));
2673                         exit(1);
2674                 }
2675                 return;
2676         }
2677
2678         num_pending = talloc_array_length(state->pending);
2679         tmp = talloc_realloc(state, state->pending, struct iovec,
2680                              num_pending+1);
2681         if (tmp == NULL) {
2682                 DEBUG(1, ("talloc_realloc failed\n"));
2683                 exit(1);
2684         }
2685         state->pending = tmp;
2686
2687         DEBUG(10,("echo_handler[%d]: reading pdu\n", (int)sys_getpid()));
2688
2689         status = receive_smb_talloc(state->pending, sconn,
2690                                     (char **)(void *)&state->pending[num_pending].iov_base,
2691                                     0 /* timeout */,
2692                                     &unread,
2693                                     &encrypted,
2694                                     &iov_len,
2695                                     &seqnum,
2696                                     false /* trusted_channel*/);
2697         if (!NT_STATUS_IS_OK(status)) {
2698                 DEBUG(1, ("echo_handler[%d]: receive_smb_raw_talloc failed: %s\n",
2699                           (int)sys_getpid(), nt_errstr(status)));
2700                 exit(1);
2701         }
2702         state->pending[num_pending].iov_len = iov_len;
2703
2704         ok = smbd_unlock_socket_internal(sconn);
2705         if (!ok) {
2706                 DEBUG(1, ("%s: failed to unlock socket in\n",
2707                         __location__));
2708                 exit(1);
2709         }
2710
2711         reply = smbd_echo_reply((uint8_t *)state->pending[num_pending].iov_base,
2712                                 state->pending[num_pending].iov_len,
2713                                 seqnum);
2714         if (reply) {
2715                 DEBUG(10,("echo_handler[%d]: replied to client\n", (int)sys_getpid()));
2716                 /* no check, shrinking by some bytes does not fail */
2717                 state->pending = talloc_realloc(state, state->pending,
2718                                                 struct iovec,
2719                                                 num_pending);
2720                 return;
2721         }
2722
2723         if (state->pending[num_pending].iov_len >= smb_size) {
2724                 /*
2725                  * place the seqnum in the packet so that the main process
2726                  * can reply with signing
2727                  */
2728                 SIVAL((uint8_t *)state->pending[num_pending].iov_base,
2729                       smb_ss_field, seqnum);
2730                 SIVAL((uint8_t *)state->pending[num_pending].iov_base,
2731                       smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
2732         }
2733
2734         DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
2735         smbd_echo_activate_writer(state);
2736 }
2737
2738 static void smbd_echo_loop(struct smbd_server_connection *sconn,
2739                            int parent_pipe)
2740 {
2741         struct smbd_echo_state *state;
2742
2743         state = talloc_zero(sconn, struct smbd_echo_state);
2744         if (state == NULL) {
2745                 DEBUG(1, ("talloc failed\n"));
2746                 return;
2747         }
2748         state->sconn = sconn;
2749         state->parent_pipe = parent_pipe;
2750         state->ev = s3_tevent_context_init(state);
2751         if (state->ev == NULL) {
2752                 DEBUG(1, ("tevent_context_init failed\n"));
2753                 TALLOC_FREE(state);
2754                 return;
2755         }
2756         state->parent_fde = tevent_add_fd(state->ev, state, parent_pipe,
2757                                         TEVENT_FD_READ, smbd_echo_exit,
2758                                         state);
2759         if (state->parent_fde == NULL) {
2760                 DEBUG(1, ("tevent_add_fd failed\n"));
2761                 TALLOC_FREE(state);
2762                 return;
2763         }
2764         state->read_fde = tevent_add_fd(state->ev, state, sconn->sock,
2765                                         TEVENT_FD_READ, smbd_echo_reader,
2766                                         state);
2767         if (state->read_fde == NULL) {
2768                 DEBUG(1, ("tevent_add_fd failed\n"));
2769                 TALLOC_FREE(state);
2770                 return;
2771         }
2772
2773         while (true) {
2774                 if (tevent_loop_once(state->ev) == -1) {
2775                         DEBUG(1, ("tevent_loop_once failed: %s\n",
2776                                   strerror(errno)));
2777                         break;
2778                 }
2779         }
2780         TALLOC_FREE(state);
2781 }
2782
2783 /*
2784  * Handle SMBecho requests in a forked child process
2785  */
2786 static bool fork_echo_handler(struct smbd_server_connection *sconn)
2787 {
2788         int listener_pipe[2];
2789         int res;
2790         pid_t child;
2791
2792         res = pipe(listener_pipe);
2793         if (res == -1) {
2794                 DEBUG(1, ("pipe() failed: %s\n", strerror(errno)));
2795                 return false;
2796         }
2797         sconn->smb1.echo_handler.socket_lock_fd = create_unlink_tmp(lp_lockdir());
2798         if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
2799                 DEBUG(1, ("Could not create lock fd: %s\n", strerror(errno)));
2800                 goto fail;
2801         }
2802
2803         child = sys_fork();
2804         if (child == 0) {
2805                 NTSTATUS status;
2806
2807                 close(listener_pipe[0]);
2808                 set_blocking(listener_pipe[1], false);
2809
2810                 status = reinit_after_fork(sconn->msg_ctx,
2811                                            smbd_event_context(),
2812                                            procid_self(), false);
2813                 if (!NT_STATUS_IS_OK(status)) {
2814                         DEBUG(1, ("reinit_after_fork failed: %s\n",
2815                                   nt_errstr(status)));
2816                         exit(1);
2817                 }
2818                 smbd_echo_loop(sconn, listener_pipe[1]);
2819                 exit(0);
2820         }
2821         close(listener_pipe[1]);
2822         listener_pipe[1] = -1;
2823         sconn->smb1.echo_handler.trusted_fd = listener_pipe[0];
2824
2825         DEBUG(10,("fork_echo_handler: main[%d] echo_child[%d]\n", (int)sys_getpid(), child));
2826
2827         /*
2828          * Without smb signing this is the same as the normal smbd
2829          * listener. This needs to change once signing comes in.
2830          */
2831         sconn->smb1.echo_handler.trusted_fde = event_add_fd(smbd_event_context(),
2832                                         sconn,
2833                                         sconn->smb1.echo_handler.trusted_fd,
2834                                         EVENT_FD_READ,
2835                                         smbd_server_echo_handler,
2836                                         sconn);
2837         if (sconn->smb1.echo_handler.trusted_fde == NULL) {
2838                 DEBUG(1, ("event_add_fd failed\n"));
2839                 goto fail;
2840         }
2841
2842         return true;
2843
2844 fail:
2845         if (listener_pipe[0] != -1) {
2846                 close(listener_pipe[0]);
2847         }
2848         if (listener_pipe[1] != -1) {
2849                 close(listener_pipe[1]);
2850         }
2851         sconn->smb1.echo_handler.trusted_fd = -1;
2852         if (sconn->smb1.echo_handler.socket_lock_fd != -1) {
2853                 close(sconn->smb1.echo_handler.socket_lock_fd);
2854         }
2855         sconn->smb1.echo_handler.trusted_fd = -1;
2856         sconn->smb1.echo_handler.socket_lock_fd = -1;
2857         return false;
2858 }
2859
2860 #if CLUSTER_SUPPORT
2861
2862 static NTSTATUS smbd_register_ips(struct smbd_server_connection *sconn,
2863                                   struct sockaddr_storage *srv,
2864                                   struct sockaddr_storage *clnt)
2865 {
2866         struct ctdbd_connection *cconn;
2867         char tmp_addr[INET6_ADDRSTRLEN];
2868         char *addr;
2869
2870         cconn = messaging_ctdbd_connection();
2871         if (cconn == NULL) {
2872                 return NT_STATUS_NO_MEMORY;
2873         }
2874
2875         client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr));
2876         addr = talloc_strdup(cconn, tmp_addr);
2877         if (addr == NULL) {
2878                 return NT_STATUS_NO_MEMORY;
2879         }
2880         return ctdbd_register_ips(cconn, srv, clnt, release_ip, addr);
2881 }
2882
2883 #endif
2884
2885 /****************************************************************************
2886  Process commands from the client
2887 ****************************************************************************/
2888
2889 void smbd_process(struct smbd_server_connection *sconn)
2890 {
2891         TALLOC_CTX *frame = talloc_stackframe();
2892         struct sockaddr_storage ss;
2893         struct sockaddr *sa = NULL;
2894         socklen_t sa_socklen;
2895         struct tsocket_address *local_address = NULL;
2896         struct tsocket_address *remote_address = NULL;
2897         const char *remaddr = NULL;
2898         int ret;
2899
2900         if (lp_maxprotocol() == PROTOCOL_SMB2 &&
2901             !lp_async_smb_echo_handler()) {
2902                 /*
2903                  * We're not making the desion here,
2904                  * we're just allowing the client
2905                  * to decide between SMB1 and SMB2
2906                  * with the first negprot
2907                  * packet.
2908                  */
2909                 sconn->using_smb2 = true;
2910         }
2911
2912         /* Ensure child is set to blocking mode */
2913         set_blocking(sconn->sock,True);
2914
2915         set_socket_options(sconn->sock, "SO_KEEPALIVE");
2916         set_socket_options(sconn->sock, lp_socket_options());
2917
2918         sa = (struct sockaddr *)(void *)&ss;
2919         sa_socklen = sizeof(ss);
2920         ret = getpeername(sconn->sock, sa, &sa_socklen);
2921         if (ret != 0) {
2922                 int level = (errno == ENOTCONN)?2:0;
2923                 DEBUG(level,("getpeername() failed - %s\n", strerror(errno)));
2924                 exit_server_cleanly("getpeername() failed.\n");
2925         }
2926         ret = tsocket_address_bsd_from_sockaddr(sconn,
2927                                                 sa, sa_socklen,
2928                                                 &remote_address);
2929         if (ret != 0) {
2930                 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2931                         __location__, strerror(errno)));
2932                 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
2933         }
2934
2935         sa = (struct sockaddr *)(void *)&ss;
2936         sa_socklen = sizeof(ss);
2937         ret = getsockname(sconn->sock, sa, &sa_socklen);
2938         if (ret != 0) {
2939                 int level = (errno == ENOTCONN)?2:0;
2940                 DEBUG(level,("getsockname() failed - %s\n", strerror(errno)));
2941                 exit_server_cleanly("getsockname() failed.\n");
2942         }
2943         ret = tsocket_address_bsd_from_sockaddr(sconn,
2944                                                 sa, sa_socklen,
2945                                                 &local_address);
2946         if (ret != 0) {
2947                 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2948                         __location__, strerror(errno)));
2949                 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
2950         }
2951
2952         sconn->local_address = local_address;
2953         sconn->remote_address = remote_address;
2954
2955         if (tsocket_address_is_inet(remote_address, "ip")) {
2956                 remaddr = tsocket_address_inet_addr_string(
2957                                 sconn->remote_address,
2958                                 talloc_tos());
2959                 if (remaddr == NULL) {
2960
2961                 }
2962         } else {
2963                 remaddr = "0.0.0.0";
2964         }
2965
2966         /* this is needed so that we get decent entries
2967            in smbstatus for port 445 connects */
2968         set_remote_machine_name(remaddr, false);
2969         reload_services(sconn->msg_ctx, sconn->sock, true);
2970
2971         /*
2972          * Before the first packet, check the global hosts allow/ hosts deny
2973          * parameters before doing any parsing of packets passed to us by the
2974          * client. This prevents attacks on our parsing code from hosts not in
2975          * the hosts allow list.
2976          */
2977
2978         if (!allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
2979                           sconn->client_id.name,
2980                           sconn->client_id.addr)) {
2981                 /*
2982                  * send a negative session response "not listening on calling
2983                  * name"
2984                  */
2985                 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2986                 DEBUG( 1, ("Connection denied from %s to %s\n",
2987                            tsocket_address_string(remote_address, talloc_tos()),
2988                            tsocket_address_string(local_address, talloc_tos())));
2989                 (void)srv_send_smb(sconn,(char *)buf, false,
2990                                    0, false, NULL);
2991                 exit_server_cleanly("connection denied");
2992         }
2993
2994         DEBUG(10, ("Connection allowed from %s to %s\n",
2995                    tsocket_address_string(remote_address, talloc_tos()),
2996                    tsocket_address_string(local_address, talloc_tos())));
2997
2998         init_modules();
2999
3000         smb_perfcount_init();
3001
3002         if (!init_account_policy()) {
3003                 exit_server("Could not open account policy tdb.\n");
3004         }
3005
3006         if (*lp_rootdir()) {
3007                 if (chroot(lp_rootdir()) != 0) {
3008                         DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
3009                         exit_server("Failed to chroot()");
3010                 }
3011                 if (chdir("/") == -1) {
3012                         DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
3013                         exit_server("Failed to chroot()");
3014                 }
3015                 DEBUG(0,("Changed root to %s\n", lp_rootdir()));
3016         }
3017
3018         if (!srv_init_signing(sconn)) {
3019                 exit_server("Failed to init smb_signing");
3020         }
3021
3022         if (lp_async_smb_echo_handler() && !fork_echo_handler(sconn)) {
3023                 exit_server("Failed to fork echo handler");
3024         }
3025
3026         /* Setup oplocks */
3027         if (!init_oplocks(sconn->msg_ctx))
3028                 exit_server("Failed to init oplocks");
3029
3030         /* register our message handlers */
3031         messaging_register(sconn->msg_ctx, NULL,
3032                            MSG_SMB_FORCE_TDIS, msg_force_tdis);
3033         messaging_register(sconn->msg_ctx, sconn,
3034                            MSG_SMB_RELEASE_IP, msg_release_ip);
3035         messaging_register(sconn->msg_ctx, NULL,
3036                            MSG_SMB_CLOSE_FILE, msg_close_file);
3037
3038         /*
3039          * Use the default MSG_DEBUG handler to avoid rebroadcasting
3040          * MSGs to all child processes
3041          */
3042         messaging_deregister(sconn->msg_ctx,
3043                              MSG_DEBUG, NULL);
3044         messaging_register(sconn->msg_ctx, NULL,
3045                            MSG_DEBUG, debug_message);
3046
3047         if ((lp_keepalive() != 0)
3048             && !(event_add_idle(smbd_event_context(), NULL,
3049                                 timeval_set(lp_keepalive(), 0),
3050                                 "keepalive", keepalive_fn,
3051                                 NULL))) {
3052                 DEBUG(0, ("Could not add keepalive event\n"));
3053                 exit(1);
3054         }
3055
3056         if (!(event_add_idle(smbd_event_context(), NULL,
3057                              timeval_set(IDLE_CLOSED_TIMEOUT, 0),
3058                              "deadtime", deadtime_fn, sconn))) {
3059                 DEBUG(0, ("Could not add deadtime event\n"));
3060                 exit(1);
3061         }
3062
3063         if (!(event_add_idle(smbd_event_context(), NULL,
3064                              timeval_set(SMBD_HOUSEKEEPING_INTERVAL, 0),
3065                              "housekeeping", housekeeping_fn, sconn))) {
3066                 DEBUG(0, ("Could not add housekeeping event\n"));
3067                 exit(1);
3068         }
3069
3070 #ifdef CLUSTER_SUPPORT
3071
3072         if (lp_clustering()) {
3073                 /*
3074                  * We need to tell ctdb about our client's TCP
3075                  * connection, so that for failover ctdbd can send
3076                  * tickle acks, triggering a reconnection by the
3077                  * client.
3078                  */
3079
3080                 struct sockaddr_storage srv, clnt;
3081
3082                 if (client_get_tcp_info(sconn->sock, &srv, &clnt) == 0) {
3083                         NTSTATUS status;
3084                         status = smbd_register_ips(sconn, &srv, &clnt);
3085                         if (!NT_STATUS_IS_OK(status)) {
3086                                 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
3087                                           nt_errstr(status)));
3088                         }
3089                 } else
3090                 {
3091                         DEBUG(0,("Unable to get tcp info for "
3092                                  "CTDB_CONTROL_TCP_CLIENT: %s\n",
3093                                  strerror(errno)));
3094                 }
3095         }
3096
3097 #endif
3098
3099         sconn->nbt.got_session = false;
3100
3101         sconn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
3102
3103         sconn->smb1.sessions.done_sesssetup = false;
3104         sconn->smb1.sessions.max_send = BUFFER_SIZE;
3105         sconn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
3106         /* users from session setup */
3107         sconn->smb1.sessions.session_userlist = NULL;
3108         /* workgroup from session setup. */
3109         sconn->smb1.sessions.session_workgroup = NULL;
3110         /* this holds info on user ids that are already validated for this VC */
3111         sconn->smb1.sessions.validated_users = NULL;
3112         sconn->smb1.sessions.next_vuid = VUID_OFFSET;
3113         sconn->smb1.sessions.num_validated_vuids = 0;
3114
3115         conn_init(sconn);
3116         if (!init_dptrs(sconn)) {
3117                 exit_server("init_dptrs() failed");
3118         }
3119
3120         sconn->smb1.fde = event_add_fd(smbd_event_context(),
3121                                                   sconn,
3122                                                   sconn->sock,
3123                                                   EVENT_FD_READ,
3124                                                   smbd_server_connection_handler,
3125                                                   sconn);
3126         if (!sconn->smb1.fde) {
3127                 exit_server("failed to create smbd_server_connection fde");
3128         }
3129
3130         TALLOC_FREE(frame);
3131
3132         while (True) {
3133                 NTSTATUS status;
3134
3135                 frame = talloc_stackframe_pool(8192);
3136
3137                 errno = 0;
3138
3139                 status = smbd_server_connection_loop_once(sconn);
3140                 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
3141                     !NT_STATUS_IS_OK(status)) {
3142                         DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
3143                                   " exiting\n", nt_errstr(status)));
3144                         break;
3145                 }
3146
3147                 TALLOC_FREE(frame);
3148         }
3149
3150         exit_server_cleanly(NULL);
3151 }
3152
3153 bool req_is_in_chain(struct smb_request *req)
3154 {
3155         if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
3156                 /*
3157                  * We're right now handling a subsequent request, so we must
3158                  * be in a chain
3159                  */
3160                 return true;
3161         }
3162
3163         if (!is_andx_req(req->cmd)) {
3164                 return false;
3165         }
3166
3167         if (req->wct < 2) {
3168                 /*
3169                  * Okay, an illegal request, but definitely not chained :-)
3170                  */