68bd3e4b61cac4454a246fb4a0748bbbfc29a881
[kai/samba-autobuild/.git] / source3 / smbd / process.c
1 /* 
2    Unix SMB/CIFS implementation.
3    process incoming packets - main loop
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Volker Lendecke 2005-2007
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "../lib/tsocket/tsocket.h"
23 #include "system/filesys.h"
24 #include "smbd/smbd.h"
25 #include "smbd/globals.h"
26 #include "librpc/gen_ndr/netlogon.h"
27 #include "../lib/async_req/async_sock.h"
28 #include "ctdbd_conn.h"
29 #include "../lib/util/select.h"
30 #include "printing/queue_process.h"
31 #include "system/select.h"
32 #include "passdb.h"
33 #include "auth.h"
34 #include "messages.h"
35 #include "smbprofile.h"
36 #include "rpc_server/spoolss/srv_spoolss_nt.h"
37 #include "libsmb/libsmb.h"
38 #include "../lib/util/tevent_ntstatus.h"
39 #include "../libcli/security/dom_sid.h"
40 #include "../libcli/security/security_token.h"
41 #include "lib/id_cache.h"
42 #include "serverid.h"
43 #include "system/threads.h"
44
45 /* Internal message queue for deferred opens. */
46 struct pending_message_list {
47         struct pending_message_list *next, *prev;
48         struct timeval request_time; /* When was this first issued? */
49         struct smbd_server_connection *sconn;
50         struct smbXsrv_connection *xconn;
51         struct tevent_timer *te;
52         struct smb_perfcount_data pcd;
53         uint32_t seqnum;
54         bool encrypted;
55         bool processed;
56         DATA_BLOB buf;
57         struct deferred_open_record *open_rec;
58 };
59
60 static void construct_reply_common(struct smb_request *req, const char *inbuf,
61                                    char *outbuf);
62 static struct pending_message_list *get_deferred_open_message_smb(
63         struct smbd_server_connection *sconn, uint64_t mid);
64 static bool smb_splice_chain(uint8_t **poutbuf, const uint8_t *andx_buf);
65
66 static void smbd_echo_init(struct smbXsrv_connection *xconn)
67 {
68         xconn->smb1.echo_handler.trusted_fd = -1;
69         xconn->smb1.echo_handler.socket_lock_fd = -1;
70 #ifdef HAVE_ROBUST_MUTEXES
71         xconn->smb1.echo_handler.socket_mutex = NULL;
72 #endif
73 }
74
75 static bool smbd_echo_active(struct smbXsrv_connection *xconn)
76 {
77         if (xconn->smb1.echo_handler.socket_lock_fd != -1) {
78                 return true;
79         }
80
81 #ifdef HAVE_ROBUST_MUTEXES
82         if (xconn->smb1.echo_handler.socket_mutex != NULL) {
83                 return true;
84         }
85 #endif
86
87         return false;
88 }
89
90 static bool smbd_lock_socket_internal(struct smbXsrv_connection *xconn)
91 {
92         if (!smbd_echo_active(xconn)) {
93                 return true;
94         }
95
96         xconn->smb1.echo_handler.ref_count++;
97
98         if (xconn->smb1.echo_handler.ref_count > 1) {
99                 return true;
100         }
101
102         DEBUG(10,("pid[%d] wait for socket lock\n", (int)getpid()));
103
104 #ifdef HAVE_ROBUST_MUTEXES
105         if (xconn->smb1.echo_handler.socket_mutex != NULL) {
106                 int ret = EINTR;
107
108                 while (ret == EINTR) {
109                         ret = pthread_mutex_lock(
110                                 xconn->smb1.echo_handler.socket_mutex);
111                         if (ret == 0) {
112                                 break;
113                         }
114                 }
115                 if (ret != 0) {
116                         DEBUG(1, ("pthread_mutex_lock failed: %s\n",
117                                   strerror(ret)));
118                         return false;
119                 }
120         }
121 #endif
122
123         if (xconn->smb1.echo_handler.socket_lock_fd != -1) {
124                 bool ok;
125
126                 do {
127                         ok = fcntl_lock(
128                                 xconn->smb1.echo_handler.socket_lock_fd,
129                                 F_SETLKW, 0, 0, F_WRLCK);
130                 } while (!ok && (errno == EINTR));
131
132                 if (!ok) {
133                         DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
134                         return false;
135                 }
136         }
137
138         DEBUG(10,("pid[%d] got socket lock\n", (int)getpid()));
139
140         return true;
141 }
142
143 void smbd_lock_socket(struct smbXsrv_connection *xconn)
144 {
145         if (!smbd_lock_socket_internal(xconn)) {
146                 exit_server_cleanly("failed to lock socket");
147         }
148 }
149
150 static bool smbd_unlock_socket_internal(struct smbXsrv_connection *xconn)
151 {
152         if (!smbd_echo_active(xconn)) {
153                 return true;
154         }
155
156         xconn->smb1.echo_handler.ref_count--;
157
158         if (xconn->smb1.echo_handler.ref_count > 0) {
159                 return true;
160         }
161
162 #ifdef HAVE_ROBUST_MUTEXES
163         if (xconn->smb1.echo_handler.socket_mutex != NULL) {
164                 int ret = EINTR;
165
166                 while (ret == EINTR) {
167                         ret = pthread_mutex_unlock(
168                                 xconn->smb1.echo_handler.socket_mutex);
169                         if (ret == 0) {
170                                 break;
171                         }
172                 }
173                 if (ret != 0) {
174                         DEBUG(1, ("pthread_mutex_unlock failed: %s\n",
175                                   strerror(ret)));
176                         return false;
177                 }
178         }
179 #endif
180
181         if (xconn->smb1.echo_handler.socket_lock_fd != -1) {
182                 bool ok;
183
184                 do {
185                         ok = fcntl_lock(
186                                 xconn->smb1.echo_handler.socket_lock_fd,
187                                 F_SETLKW, 0, 0, F_UNLCK);
188                 } while (!ok && (errno == EINTR));
189
190                 if (!ok) {
191                         DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
192                         return false;
193                 }
194         }
195
196         DEBUG(10,("pid[%d] unlocked socket\n", (int)getpid()));
197
198         return true;
199 }
200
201 void smbd_unlock_socket(struct smbXsrv_connection *xconn)
202 {
203         if (!smbd_unlock_socket_internal(xconn)) {
204                 exit_server_cleanly("failed to unlock socket");
205         }
206 }
207
208 /* Accessor function for smb_read_error for smbd functions. */
209
210 /****************************************************************************
211  Send an smb to a fd.
212 ****************************************************************************/
213
214 bool srv_send_smb(struct smbXsrv_connection *xconn, char *buffer,
215                   bool do_signing, uint32_t seqnum,
216                   bool do_encrypt,
217                   struct smb_perfcount_data *pcd)
218 {
219         size_t len = 0;
220         ssize_t ret;
221         char *buf_out = buffer;
222
223         if (!NT_STATUS_IS_OK(xconn->transport.status)) {
224                 /*
225                  * we're not supposed to do any io
226                  */
227                 return true;
228         }
229
230         smbd_lock_socket(xconn);
231
232         if (do_signing) {
233                 /* Sign the outgoing packet if required. */
234                 srv_calculate_sign_mac(xconn, buf_out, seqnum);
235         }
236
237         if (do_encrypt) {
238                 NTSTATUS status = srv_encrypt_buffer(xconn, buffer, &buf_out);
239                 if (!NT_STATUS_IS_OK(status)) {
240                         DEBUG(0, ("send_smb: SMB encryption failed "
241                                 "on outgoing packet! Error %s\n",
242                                 nt_errstr(status) ));
243                         ret = -1;
244                         goto out;
245                 }
246         }
247
248         len = smb_len_large(buf_out) + 4;
249
250         ret = write_data(xconn->transport.sock, buf_out, len);
251         if (ret <= 0) {
252                 int saved_errno = errno;
253                 /*
254                  * Try and give an error message saying what
255                  * client failed.
256                  */
257                 DEBUG(1,("pid[%d] Error writing %d bytes to client %s. %d. (%s)\n",
258                          (int)getpid(), (int)len,
259                          smbXsrv_connection_dbg(xconn),
260                          (int)ret, strerror(saved_errno)));
261                 errno = saved_errno;
262
263                 srv_free_enc_buffer(xconn, buf_out);
264                 goto out;
265         }
266
267         SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
268         srv_free_enc_buffer(xconn, buf_out);
269 out:
270         SMB_PERFCOUNT_END(pcd);
271
272         smbd_unlock_socket(xconn);
273         return (ret > 0);
274 }
275
276 /*******************************************************************
277  Setup the word count and byte count for a smb message.
278 ********************************************************************/
279
280 int srv_set_message(char *buf,
281                         int num_words,
282                         int num_bytes,
283                         bool zero)
284 {
285         if (zero && (num_words || num_bytes)) {
286                 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
287         }
288         SCVAL(buf,smb_wct,num_words);
289         SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
290         smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
291         return (smb_size + num_words*2 + num_bytes);
292 }
293
294 static bool valid_smb_header(const uint8_t *inbuf)
295 {
296         if (is_encrypted_packet(inbuf)) {
297                 return true;
298         }
299         /*
300          * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
301          * but it just looks weird to call strncmp for this one.
302          */
303         return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
304 }
305
306 /* Socket functions for smbd packet processing. */
307
308 static bool valid_packet_size(size_t len)
309 {
310         /*
311          * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
312          * of header. Don't print the error if this fits.... JRA.
313          */
314
315         if (len > (LARGE_WRITEX_BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
316                 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
317                                         (unsigned long)len));
318                 return false;
319         }
320         return true;
321 }
322
323 static NTSTATUS read_packet_remainder(int fd, char *buffer,
324                                       unsigned int timeout, ssize_t len)
325 {
326         NTSTATUS status;
327
328         if (len <= 0) {
329                 return NT_STATUS_OK;
330         }
331
332         status = read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
333         if (!NT_STATUS_IS_OK(status)) {
334                 char addr[INET6_ADDRSTRLEN];
335                 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
336                           "error = %s.\n",
337                           get_peer_addr(fd, addr, sizeof(addr)),
338                           nt_errstr(status)));
339         }
340         return status;
341 }
342
343 /****************************************************************************
344  Attempt a zerocopy writeX read. We know here that len > smb_size-4
345 ****************************************************************************/
346
347 /*
348  * Unfortunately, earlier versions of smbclient/libsmbclient
349  * don't send this "standard" writeX header. I've fixed this
350  * for 3.2 but we'll use the old method with earlier versions.
351  * Windows and CIFSFS at least use this standard size. Not
352  * sure about MacOSX.
353  */
354
355 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
356                                 (2*14) + /* word count (including bcc) */ \
357                                 1 /* pad byte */)
358
359 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
360                                                     const char lenbuf[4],
361                                                     struct smbXsrv_connection *xconn,
362                                                     int sock,
363                                                     char **buffer,
364                                                     unsigned int timeout,
365                                                     size_t *p_unread,
366                                                     size_t *len_ret)
367 {
368         /* Size of a WRITEX call (+4 byte len). */
369         char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
370         ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
371         ssize_t toread;
372         NTSTATUS status;
373
374         memcpy(writeX_header, lenbuf, 4);
375
376         status = read_fd_with_timeout(
377                 sock, writeX_header + 4,
378                 STANDARD_WRITE_AND_X_HEADER_SIZE,
379                 STANDARD_WRITE_AND_X_HEADER_SIZE,
380                 timeout, NULL);
381
382         if (!NT_STATUS_IS_OK(status)) {
383                 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
384                           "error = %s.\n",
385                           smbXsrv_connection_dbg(xconn),
386                           nt_errstr(status)));
387                 return status;
388         }
389
390         /*
391          * Ok - now try and see if this is a possible
392          * valid writeX call.
393          */
394
395         if (is_valid_writeX_buffer(xconn, (uint8_t *)writeX_header)) {
396                 /*
397                  * If the data offset is beyond what
398                  * we've read, drain the extra bytes.
399                  */
400                 uint16_t doff = SVAL(writeX_header,smb_vwv11);
401                 ssize_t newlen;
402
403                 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
404                         size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
405                         if (drain_socket(sock, drain) != drain) {
406                                 smb_panic("receive_smb_raw_talloc_partial_read:"
407                                         " failed to drain pending bytes");
408                         }
409                 } else {
410                         doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
411                 }
412
413                 /* Spoof down the length and null out the bcc. */
414                 set_message_bcc(writeX_header, 0);
415                 newlen = smb_len(writeX_header);
416
417                 /* Copy the header we've written. */
418
419                 *buffer = (char *)talloc_memdup(mem_ctx,
420                                 writeX_header,
421                                 sizeof(writeX_header));
422
423                 if (*buffer == NULL) {
424                         DEBUG(0, ("Could not allocate inbuf of length %d\n",
425                                   (int)sizeof(writeX_header)));
426                         return NT_STATUS_NO_MEMORY;
427                 }
428
429                 /* Work out the remaining bytes. */
430                 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
431                 *len_ret = newlen + 4;
432                 return NT_STATUS_OK;
433         }
434
435         if (!valid_packet_size(len)) {
436                 return NT_STATUS_INVALID_PARAMETER;
437         }
438
439         /*
440          * Not a valid writeX call. Just do the standard
441          * talloc and return.
442          */
443
444         *buffer = talloc_array(mem_ctx, char, len+4);
445
446         if (*buffer == NULL) {
447                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
448                           (int)len+4));
449                 return NT_STATUS_NO_MEMORY;
450         }
451
452         /* Copy in what we already read. */
453         memcpy(*buffer,
454                 writeX_header,
455                 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
456         toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
457
458         if(toread > 0) {
459                 status = read_packet_remainder(
460                         sock,
461                         (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
462                         timeout, toread);
463
464                 if (!NT_STATUS_IS_OK(status)) {
465                         DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
466                                    nt_errstr(status)));
467                         return status;
468                 }
469         }
470
471         *len_ret = len + 4;
472         return NT_STATUS_OK;
473 }
474
475 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx,
476                                        struct smbXsrv_connection *xconn,
477                                        int sock,
478                                        char **buffer, unsigned int timeout,
479                                        size_t *p_unread, size_t *plen)
480 {
481         char lenbuf[4];
482         size_t len;
483         int min_recv_size = lp_min_receive_file_size();
484         NTSTATUS status;
485
486         *p_unread = 0;
487
488         status = read_smb_length_return_keepalive(sock, lenbuf, timeout,
489                                                   &len);
490         if (!NT_STATUS_IS_OK(status)) {
491                 return status;
492         }
493
494         if (CVAL(lenbuf,0) == 0 && min_recv_size &&
495             (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
496                 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
497             !srv_is_signing_active(xconn) &&
498             xconn->smb1.echo_handler.trusted_fde == NULL) {
499
500                 return receive_smb_raw_talloc_partial_read(
501                         mem_ctx, lenbuf, xconn, sock, buffer, timeout,
502                         p_unread, plen);
503         }
504
505         if (!valid_packet_size(len)) {
506                 return NT_STATUS_INVALID_PARAMETER;
507         }
508
509         /*
510          * The +4 here can't wrap, we've checked the length above already.
511          */
512
513         *buffer = talloc_array(mem_ctx, char, len+4);
514
515         if (*buffer == NULL) {
516                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
517                           (int)len+4));
518                 return NT_STATUS_NO_MEMORY;
519         }
520
521         memcpy(*buffer, lenbuf, sizeof(lenbuf));
522
523         status = read_packet_remainder(sock, (*buffer)+4, timeout, len);
524         if (!NT_STATUS_IS_OK(status)) {
525                 return status;
526         }
527
528         *plen = len + 4;
529         return NT_STATUS_OK;
530 }
531
532 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx,
533                                    struct smbXsrv_connection *xconn,
534                                    int sock,
535                                    char **buffer, unsigned int timeout,
536                                    size_t *p_unread, bool *p_encrypted,
537                                    size_t *p_len,
538                                    uint32_t *seqnum,
539                                    bool trusted_channel)
540 {
541         size_t len = 0;
542         NTSTATUS status;
543
544         *p_encrypted = false;
545
546         status = receive_smb_raw_talloc(mem_ctx, xconn, sock, buffer, timeout,
547                                         p_unread, &len);
548         if (!NT_STATUS_IS_OK(status)) {
549                 DEBUG(NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE)?5:1,
550                       ("receive_smb_raw_talloc failed for client %s "
551                        "read error = %s.\n",
552                        smbXsrv_connection_dbg(xconn),
553                        nt_errstr(status)) );
554                 return status;
555         }
556
557         if (is_encrypted_packet((uint8_t *)*buffer)) {
558                 status = srv_decrypt_buffer(xconn, *buffer);
559                 if (!NT_STATUS_IS_OK(status)) {
560                         DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
561                                 "incoming packet! Error %s\n",
562                                 nt_errstr(status) ));
563                         return status;
564                 }
565                 *p_encrypted = true;
566         }
567
568         /* Check the incoming SMB signature. */
569         if (!srv_check_sign_mac(xconn, *buffer, seqnum, trusted_channel)) {
570                 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
571                           "incoming packet!\n"));
572                 return NT_STATUS_INVALID_NETWORK_RESPONSE;
573         }
574
575         *p_len = len;
576         return NT_STATUS_OK;
577 }
578
579 /*
580  * Initialize a struct smb_request from an inbuf
581  */
582
583 static bool init_smb_request(struct smb_request *req,
584                              struct smbd_server_connection *sconn,
585                              struct smbXsrv_connection *xconn,
586                              const uint8 *inbuf,
587                              size_t unread_bytes, bool encrypted,
588                              uint32_t seqnum)
589 {
590         struct smbXsrv_tcon *tcon;
591         NTSTATUS status;
592         NTTIME now;
593         size_t req_size = smb_len(inbuf) + 4;
594
595         /* Ensure we have at least smb_size bytes. */
596         if (req_size < smb_size) {
597                 DEBUG(0,("init_smb_request: invalid request size %u\n",
598                         (unsigned int)req_size ));
599                 return false;
600         }
601
602         req->request_time = timeval_current();
603         now = timeval_to_nttime(&req->request_time);
604
605         req->cmd    = CVAL(inbuf, smb_com);
606         req->flags2 = SVAL(inbuf, smb_flg2);
607         req->smbpid = SVAL(inbuf, smb_pid);
608         req->mid    = (uint64_t)SVAL(inbuf, smb_mid);
609         req->seqnum = seqnum;
610         req->vuid   = SVAL(inbuf, smb_uid);
611         req->tid    = SVAL(inbuf, smb_tid);
612         req->wct    = CVAL(inbuf, smb_wct);
613         req->vwv    = (const uint16_t *)(inbuf+smb_vwv);
614         req->buflen = smb_buflen(inbuf);
615         req->buf    = (const uint8_t *)smb_buf_const(inbuf);
616         req->unread_bytes = unread_bytes;
617         req->encrypted = encrypted;
618         req->sconn = sconn;
619         req->xconn = xconn;
620         status = smb1srv_tcon_lookup(xconn, req->tid, now, &tcon);
621         if (NT_STATUS_IS_OK(status)) {
622                 req->conn = tcon->compat;
623         } else {
624                 req->conn = NULL;
625         }
626         req->chain_fsp = NULL;
627         req->smb2req = NULL;
628         req->priv_paths = NULL;
629         req->chain = NULL;
630         smb_init_perfcount_data(&req->pcd);
631
632         /* Ensure we have at least wct words and 2 bytes of bcc. */
633         if (smb_size + req->wct*2 > req_size) {
634                 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
635                         (unsigned int)req->wct,
636                         (unsigned int)req_size));
637                 return false;
638         }
639         /* Ensure bcc is correct. */
640         if (((const uint8_t *)smb_buf_const(inbuf)) + req->buflen > inbuf + req_size) {
641                 DEBUG(0,("init_smb_request: invalid bcc number %u "
642                         "(wct = %u, size %u)\n",
643                         (unsigned int)req->buflen,
644                         (unsigned int)req->wct,
645                         (unsigned int)req_size));
646                 return false;
647         }
648
649         req->outbuf = NULL;
650         return true;
651 }
652
653 static void process_smb(struct smbXsrv_connection *xconn,
654                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
655                         uint32_t seqnum, bool encrypted,
656                         struct smb_perfcount_data *deferred_pcd);
657
658 static void smbd_deferred_open_timer(struct tevent_context *ev,
659                                      struct tevent_timer *te,
660                                      struct timeval _tval,
661                                      void *private_data)
662 {
663         struct pending_message_list *msg = talloc_get_type(private_data,
664                                            struct pending_message_list);
665         struct smbd_server_connection *sconn = msg->sconn;
666         struct smbXsrv_connection *xconn = msg->xconn;
667         TALLOC_CTX *mem_ctx = talloc_tos();
668         uint64_t mid = (uint64_t)SVAL(msg->buf.data,smb_mid);
669         uint8_t *inbuf;
670
671         inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
672                                          msg->buf.length);
673         if (inbuf == NULL) {
674                 exit_server("smbd_deferred_open_timer: talloc failed\n");
675                 return;
676         }
677
678         /* We leave this message on the queue so the open code can
679            know this is a retry. */
680         DEBUG(5,("smbd_deferred_open_timer: trigger mid %llu.\n",
681                 (unsigned long long)mid ));
682
683         /* Mark the message as processed so this is not
684          * re-processed in error. */
685         msg->processed = true;
686
687         process_smb(xconn, inbuf,
688                     msg->buf.length, 0,
689                     msg->seqnum, msg->encrypted, &msg->pcd);
690
691         /* If it's still there and was processed, remove it. */
692         msg = get_deferred_open_message_smb(sconn, mid);
693         if (msg && msg->processed) {
694                 remove_deferred_open_message_smb(sconn, mid);
695         }
696 }
697
698 /****************************************************************************
699  Function to push a message onto the tail of a linked list of smb messages ready
700  for processing.
701 ****************************************************************************/
702
703 static bool push_queued_message(struct smb_request *req,
704                                 struct timeval request_time,
705                                 struct timeval end_time,
706                                 struct deferred_open_record *open_rec)
707 {
708         int msg_len = smb_len(req->inbuf) + 4;
709         struct pending_message_list *msg;
710
711         msg = talloc_zero(NULL, struct pending_message_list);
712
713         if(msg == NULL) {
714                 DEBUG(0,("push_message: malloc fail (1)\n"));
715                 return False;
716         }
717         msg->sconn = req->sconn;
718         msg->xconn = req->xconn;
719
720         msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
721         if(msg->buf.data == NULL) {
722                 DEBUG(0,("push_message: malloc fail (2)\n"));
723                 TALLOC_FREE(msg);
724                 return False;
725         }
726
727         msg->request_time = request_time;
728         msg->seqnum = req->seqnum;
729         msg->encrypted = req->encrypted;
730         msg->processed = false;
731         SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
732
733         if (open_rec) {
734                 msg->open_rec = talloc_move(msg, &open_rec);
735         }
736
737 #if 0
738         msg->te = tevent_add_timer(msg->sconn->ev_ctx,
739                                    msg,
740                                    end_time,
741                                    smbd_deferred_open_timer,
742                                    msg);
743         if (!msg->te) {
744                 DEBUG(0,("push_message: event_add_timed failed\n"));
745                 TALLOC_FREE(msg);
746                 return false;
747         }
748 #endif
749
750         DLIST_ADD_END(req->sconn->deferred_open_queue, msg,
751                       struct pending_message_list *);
752
753         DEBUG(10,("push_message: pushed message length %u on "
754                   "deferred_open_queue\n", (unsigned int)msg_len));
755
756         return True;
757 }
758
759 /****************************************************************************
760  Function to delete a sharing violation open message by mid.
761 ****************************************************************************/
762
763 void remove_deferred_open_message_smb(struct smbd_server_connection *sconn,
764                                       uint64_t mid)
765 {
766         struct pending_message_list *pml;
767
768         if (sconn->using_smb2) {
769                 remove_deferred_open_message_smb2(sconn, mid);
770                 return;
771         }
772
773         for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
774                 if (mid == (uint64_t)SVAL(pml->buf.data,smb_mid)) {
775                         DEBUG(10,("remove_deferred_open_message_smb: "
776                                   "deleting mid %llu len %u\n",
777                                   (unsigned long long)mid,
778                                   (unsigned int)pml->buf.length ));
779                         DLIST_REMOVE(sconn->deferred_open_queue, pml);
780                         TALLOC_FREE(pml);
781                         return;
782                 }
783         }
784 }
785
786 /****************************************************************************
787  Move a sharing violation open retry message to the front of the list and
788  schedule it for immediate processing.
789 ****************************************************************************/
790
791 bool schedule_deferred_open_message_smb(struct smbd_server_connection *sconn,
792                                         uint64_t mid)
793 {
794         struct pending_message_list *pml;
795         int i = 0;
796
797         if (sconn->using_smb2) {
798                 return schedule_deferred_open_message_smb2(sconn, mid);
799         }
800
801         for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
802                 uint64_t msg_mid = (uint64_t)SVAL(pml->buf.data,smb_mid);
803
804                 DEBUG(10,("schedule_deferred_open_message_smb: [%d] "
805                         "msg_mid = %llu\n",
806                         i++,
807                         (unsigned long long)msg_mid ));
808
809                 if (mid == msg_mid) {
810                         struct tevent_timer *te;
811
812                         if (pml->processed) {
813                                 /* A processed message should not be
814                                  * rescheduled. */
815                                 DEBUG(0,("schedule_deferred_open_message_smb: LOGIC ERROR "
816                                         "message mid %llu was already processed\n",
817                                         (unsigned long long)msg_mid ));
818                                 continue;
819                         }
820
821                         DEBUG(10,("schedule_deferred_open_message_smb: "
822                                 "scheduling mid %llu\n",
823                                 (unsigned long long)mid ));
824
825                         te = tevent_add_timer(pml->sconn->ev_ctx,
826                                               pml,
827                                               timeval_zero(),
828                                               smbd_deferred_open_timer,
829                                               pml);
830                         if (!te) {
831                                 DEBUG(10,("schedule_deferred_open_message_smb: "
832                                         "event_add_timed() failed, "
833                                         "skipping mid %llu\n",
834                                         (unsigned long long)msg_mid ));
835                         }
836
837                         TALLOC_FREE(pml->te);
838                         pml->te = te;
839                         DLIST_PROMOTE(sconn->deferred_open_queue, pml);
840                         return true;
841                 }
842         }
843
844         DEBUG(10,("schedule_deferred_open_message_smb: failed to "
845                 "find message mid %llu\n",
846                 (unsigned long long)mid ));
847
848         return false;
849 }
850
851 /****************************************************************************
852  Return true if this mid is on the deferred queue and was not yet processed.
853 ****************************************************************************/
854
855 bool open_was_deferred(struct smbd_server_connection *sconn, uint64_t mid)
856 {
857         struct pending_message_list *pml;
858
859         if (sconn->using_smb2) {
860                 return open_was_deferred_smb2(sconn, mid);
861         }
862
863         for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
864                 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid && !pml->processed) {
865                         return True;
866                 }
867         }
868         return False;
869 }
870
871 /****************************************************************************
872  Return the message queued by this mid.
873 ****************************************************************************/
874
875 static struct pending_message_list *get_deferred_open_message_smb(
876         struct smbd_server_connection *sconn, uint64_t mid)
877 {
878         struct pending_message_list *pml;
879
880         for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
881                 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid) {
882                         return pml;
883                 }
884         }
885         return NULL;
886 }
887
888 /****************************************************************************
889  Get the state data queued by this mid.
890 ****************************************************************************/
891
892 bool get_deferred_open_message_state(struct smb_request *smbreq,
893                                 struct timeval *p_request_time,
894                                 struct deferred_open_record **open_rec)
895 {
896         struct pending_message_list *pml;
897
898         if (smbreq->sconn->using_smb2) {
899                 return get_deferred_open_message_state_smb2(smbreq->smb2req,
900                                         p_request_time,
901                                         open_rec);
902         }
903
904         pml = get_deferred_open_message_smb(smbreq->sconn, smbreq->mid);
905         if (!pml) {
906                 return false;
907         }
908         if (p_request_time) {
909                 *p_request_time = pml->request_time;
910         }
911         if (open_rec != NULL) {
912                 *open_rec = pml->open_rec;
913         }
914         return true;
915 }
916
917 /****************************************************************************
918  Function to push a deferred open smb message onto a linked list of local smb
919  messages ready for processing.
920 ****************************************************************************/
921
922 bool push_deferred_open_message_smb(struct smb_request *req,
923                                struct timeval request_time,
924                                struct timeval timeout,
925                                struct file_id id,
926                                struct deferred_open_record *open_rec)
927 {
928         struct timeval end_time;
929
930         if (req->smb2req) {
931                 return push_deferred_open_message_smb2(req->smb2req,
932                                                 request_time,
933                                                 timeout,
934                                                 id,
935                                                 open_rec);
936         }
937
938         if (req->unread_bytes) {
939                 DEBUG(0,("push_deferred_open_message_smb: logic error ! "
940                         "unread_bytes = %u\n",
941                         (unsigned int)req->unread_bytes ));
942                 smb_panic("push_deferred_open_message_smb: "
943                         "logic error unread_bytes != 0" );
944         }
945
946         end_time = timeval_sum(&request_time, &timeout);
947
948         DEBUG(10,("push_deferred_open_message_smb: pushing message "
949                 "len %u mid %llu timeout time [%u.%06u]\n",
950                 (unsigned int) smb_len(req->inbuf)+4,
951                 (unsigned long long)req->mid,
952                 (unsigned int)end_time.tv_sec,
953                 (unsigned int)end_time.tv_usec));
954
955         return push_queued_message(req, request_time, end_time, open_rec);
956 }
957
958 static void smbd_sig_term_handler(struct tevent_context *ev,
959                                   struct tevent_signal *se,
960                                   int signum,
961                                   int count,
962                                   void *siginfo,
963                                   void *private_data)
964 {
965         exit_server_cleanly("termination signal");
966 }
967
968 void smbd_setup_sig_term_handler(struct smbd_server_connection *sconn)
969 {
970         struct tevent_signal *se;
971
972         se = tevent_add_signal(sconn->ev_ctx,
973                                sconn,
974                                SIGTERM, 0,
975                                smbd_sig_term_handler,
976                                sconn);
977         if (!se) {
978                 exit_server("failed to setup SIGTERM handler");
979         }
980 }
981
982 static void smbd_sig_hup_handler(struct tevent_context *ev,
983                                   struct tevent_signal *se,
984                                   int signum,
985                                   int count,
986                                   void *siginfo,
987                                   void *private_data)
988 {
989         struct smbd_server_connection *sconn =
990                 talloc_get_type_abort(private_data,
991                 struct smbd_server_connection);
992
993         change_to_root_user();
994         DEBUG(1,("Reloading services after SIGHUP\n"));
995         reload_services(sconn, conn_snum_used, false);
996 }
997
998 void smbd_setup_sig_hup_handler(struct smbd_server_connection *sconn)
999 {
1000         struct tevent_signal *se;
1001
1002         se = tevent_add_signal(sconn->ev_ctx,
1003                                sconn,
1004                                SIGHUP, 0,
1005                                smbd_sig_hup_handler,
1006                                sconn);
1007         if (!se) {
1008                 exit_server("failed to setup SIGHUP handler");
1009         }
1010 }
1011
1012 static void smbd_conf_updated(struct messaging_context *msg,
1013                               void *private_data,
1014                               uint32_t msg_type,
1015                               struct server_id server_id,
1016                               DATA_BLOB *data)
1017 {
1018         struct smbd_server_connection *sconn =
1019                 talloc_get_type_abort(private_data,
1020                 struct smbd_server_connection);
1021
1022         DEBUG(10,("smbd_conf_updated: Got message saying smb.conf was "
1023                   "updated. Reloading.\n"));
1024         change_to_root_user();
1025         reload_services(sconn, conn_snum_used, false);
1026 }
1027
1028 /*
1029  * Only allow 5 outstanding trans requests. We're allocating memory, so
1030  * prevent a DoS.
1031  */
1032
1033 NTSTATUS allow_new_trans(struct trans_state *list, uint64_t mid)
1034 {
1035         int count = 0;
1036         for (; list != NULL; list = list->next) {
1037
1038                 if (list->mid == mid) {
1039                         return NT_STATUS_INVALID_PARAMETER;
1040                 }
1041
1042                 count += 1;
1043         }
1044         if (count > 5) {
1045                 return NT_STATUS_INSUFFICIENT_RESOURCES;
1046         }
1047
1048         return NT_STATUS_OK;
1049 }
1050
1051 /*
1052 These flags determine some of the permissions required to do an operation 
1053
1054 Note that I don't set NEED_WRITE on some write operations because they
1055 are used by some brain-dead clients when printing, and I don't want to
1056 force write permissions on print services.
1057 */
1058 #define AS_USER (1<<0)
1059 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
1060 #define TIME_INIT (1<<2)
1061 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
1062 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
1063 #define DO_CHDIR (1<<6)
1064
1065 /* 
1066    define a list of possible SMB messages and their corresponding
1067    functions. Any message that has a NULL function is unimplemented -
1068    please feel free to contribute implementations!
1069 */
1070 static const struct smb_message_struct {
1071         const char *name;
1072         void (*fn)(struct smb_request *req);
1073         int flags;
1074 } smb_messages[256] = {
1075
1076 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
1077 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
1078 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
1079 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
1080 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
1081 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
1082 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
1083 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
1084 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
1085 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
1086 /* 0x0a */ { "SMBread",reply_read,AS_USER},
1087 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
1088 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
1089 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
1090 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
1091 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
1092 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
1093 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
1094 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
1095 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
1096 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
1097 /* 0x15 */ { NULL, NULL, 0 },
1098 /* 0x16 */ { NULL, NULL, 0 },
1099 /* 0x17 */ { NULL, NULL, 0 },
1100 /* 0x18 */ { NULL, NULL, 0 },
1101 /* 0x19 */ { NULL, NULL, 0 },
1102 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
1103 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
1104 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
1105 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
1106 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
1107 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
1108 /* 0x20 */ { "SMBwritec", NULL,0},
1109 /* 0x21 */ { NULL, NULL, 0 },
1110 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
1111 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
1112 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
1113 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
1114 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
1115 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
1116 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
1117 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
1118 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
1119 /* 0x2b */ { "SMBecho",reply_echo,0},
1120 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
1121 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
1122 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
1123 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
1124 /* 0x30 */ { NULL, NULL, 0 },
1125 /* 0x31 */ { NULL, NULL, 0 },
1126 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
1127 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
1128 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
1129 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
1130 /* 0x36 */ { NULL, NULL, 0 },
1131 /* 0x37 */ { NULL, NULL, 0 },
1132 /* 0x38 */ { NULL, NULL, 0 },
1133 /* 0x39 */ { NULL, NULL, 0 },
1134 /* 0x3a */ { NULL, NULL, 0 },
1135 /* 0x3b */ { NULL, NULL, 0 },
1136 /* 0x3c */ { NULL, NULL, 0 },
1137 /* 0x3d */ { NULL, NULL, 0 },
1138 /* 0x3e */ { NULL, NULL, 0 },
1139 /* 0x3f */ { NULL, NULL, 0 },
1140 /* 0x40 */ { NULL, NULL, 0 },
1141 /* 0x41 */ { NULL, NULL, 0 },
1142 /* 0x42 */ { NULL, NULL, 0 },
1143 /* 0x43 */ { NULL, NULL, 0 },
1144 /* 0x44 */ { NULL, NULL, 0 },
1145 /* 0x45 */ { NULL, NULL, 0 },
1146 /* 0x46 */ { NULL, NULL, 0 },
1147 /* 0x47 */ { NULL, NULL, 0 },
1148 /* 0x48 */ { NULL, NULL, 0 },
1149 /* 0x49 */ { NULL, NULL, 0 },
1150 /* 0x4a */ { NULL, NULL, 0 },
1151 /* 0x4b */ { NULL, NULL, 0 },
1152 /* 0x4c */ { NULL, NULL, 0 },
1153 /* 0x4d */ { NULL, NULL, 0 },
1154 /* 0x4e */ { NULL, NULL, 0 },
1155 /* 0x4f */ { NULL, NULL, 0 },
1156 /* 0x50 */ { NULL, NULL, 0 },
1157 /* 0x51 */ { NULL, NULL, 0 },
1158 /* 0x52 */ { NULL, NULL, 0 },
1159 /* 0x53 */ { NULL, NULL, 0 },
1160 /* 0x54 */ { NULL, NULL, 0 },
1161 /* 0x55 */ { NULL, NULL, 0 },
1162 /* 0x56 */ { NULL, NULL, 0 },
1163 /* 0x57 */ { NULL, NULL, 0 },
1164 /* 0x58 */ { NULL, NULL, 0 },
1165 /* 0x59 */ { NULL, NULL, 0 },
1166 /* 0x5a */ { NULL, NULL, 0 },
1167 /* 0x5b */ { NULL, NULL, 0 },
1168 /* 0x5c */ { NULL, NULL, 0 },
1169 /* 0x5d */ { NULL, NULL, 0 },
1170 /* 0x5e */ { NULL, NULL, 0 },
1171 /* 0x5f */ { NULL, NULL, 0 },
1172 /* 0x60 */ { NULL, NULL, 0 },
1173 /* 0x61 */ { NULL, NULL, 0 },
1174 /* 0x62 */ { NULL, NULL, 0 },
1175 /* 0x63 */ { NULL, NULL, 0 },
1176 /* 0x64 */ { NULL, NULL, 0 },
1177 /* 0x65 */ { NULL, NULL, 0 },
1178 /* 0x66 */ { NULL, NULL, 0 },
1179 /* 0x67 */ { NULL, NULL, 0 },
1180 /* 0x68 */ { NULL, NULL, 0 },
1181 /* 0x69 */ { NULL, NULL, 0 },
1182 /* 0x6a */ { NULL, NULL, 0 },
1183 /* 0x6b */ { NULL, NULL, 0 },
1184 /* 0x6c */ { NULL, NULL, 0 },
1185 /* 0x6d */ { NULL, NULL, 0 },
1186 /* 0x6e */ { NULL, NULL, 0 },
1187 /* 0x6f */ { NULL, NULL, 0 },
1188 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1189 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1190 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1191 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1192 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1193 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1194 /* 0x76 */ { NULL, NULL, 0 },
1195 /* 0x77 */ { NULL, NULL, 0 },
1196 /* 0x78 */ { NULL, NULL, 0 },
1197 /* 0x79 */ { NULL, NULL, 0 },
1198 /* 0x7a */ { NULL, NULL, 0 },
1199 /* 0x7b */ { NULL, NULL, 0 },
1200 /* 0x7c */ { NULL, NULL, 0 },
1201 /* 0x7d */ { NULL, NULL, 0 },
1202 /* 0x7e */ { NULL, NULL, 0 },
1203 /* 0x7f */ { NULL, NULL, 0 },
1204 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1205 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1206 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1207 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1208 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1209 /* 0x85 */ { NULL, NULL, 0 },
1210 /* 0x86 */ { NULL, NULL, 0 },
1211 /* 0x87 */ { NULL, NULL, 0 },
1212 /* 0x88 */ { NULL, NULL, 0 },
1213 /* 0x89 */ { NULL, NULL, 0 },
1214 /* 0x8a */ { NULL, NULL, 0 },
1215 /* 0x8b */ { NULL, NULL, 0 },
1216 /* 0x8c */ { NULL, NULL, 0 },
1217 /* 0x8d */ { NULL, NULL, 0 },
1218 /* 0x8e */ { NULL, NULL, 0 },
1219 /* 0x8f */ { NULL, NULL, 0 },
1220 /* 0x90 */ { NULL, NULL, 0 },
1221 /* 0x91 */ { NULL, NULL, 0 },
1222 /* 0x92 */ { NULL, NULL, 0 },
1223 /* 0x93 */ { NULL, NULL, 0 },
1224 /* 0x94 */ { NULL, NULL, 0 },
1225 /* 0x95 */ { NULL, NULL, 0 },
1226 /* 0x96 */ { NULL, NULL, 0 },
1227 /* 0x97 */ { NULL, NULL, 0 },
1228 /* 0x98 */ { NULL, NULL, 0 },
1229 /* 0x99 */ { NULL, NULL, 0 },
1230 /* 0x9a */ { NULL, NULL, 0 },
1231 /* 0x9b */ { NULL, NULL, 0 },
1232 /* 0x9c */ { NULL, NULL, 0 },
1233 /* 0x9d */ { NULL, NULL, 0 },
1234 /* 0x9e */ { NULL, NULL, 0 },
1235 /* 0x9f */ { NULL, NULL, 0 },
1236 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1237 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1238 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1239 /* 0xa3 */ { NULL, NULL, 0 },
1240 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1241 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1242 /* 0xa6 */ { NULL, NULL, 0 },
1243 /* 0xa7 */ { NULL, NULL, 0 },
1244 /* 0xa8 */ { NULL, NULL, 0 },
1245 /* 0xa9 */ { NULL, NULL, 0 },
1246 /* 0xaa */ { NULL, NULL, 0 },
1247 /* 0xab */ { NULL, NULL, 0 },
1248 /* 0xac */ { NULL, NULL, 0 },
1249 /* 0xad */ { NULL, NULL, 0 },
1250 /* 0xae */ { NULL, NULL, 0 },
1251 /* 0xaf */ { NULL, NULL, 0 },
1252 /* 0xb0 */ { NULL, NULL, 0 },
1253 /* 0xb1 */ { NULL, NULL, 0 },
1254 /* 0xb2 */ { NULL, NULL, 0 },
1255 /* 0xb3 */ { NULL, NULL, 0 },
1256 /* 0xb4 */ { NULL, NULL, 0 },
1257 /* 0xb5 */ { NULL, NULL, 0 },
1258 /* 0xb6 */ { NULL, NULL, 0 },
1259 /* 0xb7 */ { NULL, NULL, 0 },
1260 /* 0xb8 */ { NULL, NULL, 0 },
1261 /* 0xb9 */ { NULL, NULL, 0 },
1262 /* 0xba */ { NULL, NULL, 0 },
1263 /* 0xbb */ { NULL, NULL, 0 },
1264 /* 0xbc */ { NULL, NULL, 0 },
1265 /* 0xbd */ { NULL, NULL, 0 },
1266 /* 0xbe */ { NULL, NULL, 0 },
1267 /* 0xbf */ { NULL, NULL, 0 },
1268 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1269 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1270 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1271 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1272 /* 0xc4 */ { NULL, NULL, 0 },
1273 /* 0xc5 */ { NULL, NULL, 0 },
1274 /* 0xc6 */ { NULL, NULL, 0 },
1275 /* 0xc7 */ { NULL, NULL, 0 },
1276 /* 0xc8 */ { NULL, NULL, 0 },
1277 /* 0xc9 */ { NULL, NULL, 0 },
1278 /* 0xca */ { NULL, NULL, 0 },
1279 /* 0xcb */ { NULL, NULL, 0 },
1280 /* 0xcc */ { NULL, NULL, 0 },
1281 /* 0xcd */ { NULL, NULL, 0 },
1282 /* 0xce */ { NULL, NULL, 0 },
1283 /* 0xcf */ { NULL, NULL, 0 },
1284 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1285 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1286 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1287 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1288 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1289 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1290 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1291 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1292 /* 0xd8 */ { NULL, NULL, 0 },
1293 /* 0xd9 */ { NULL, NULL, 0 },
1294 /* 0xda */ { NULL, NULL, 0 },
1295 /* 0xdb */ { NULL, NULL, 0 },
1296 /* 0xdc */ { NULL, NULL, 0 },
1297 /* 0xdd */ { NULL, NULL, 0 },
1298 /* 0xde */ { NULL, NULL, 0 },
1299 /* 0xdf */ { NULL, NULL, 0 },
1300 /* 0xe0 */ { NULL, NULL, 0 },
1301 /* 0xe1 */ { NULL, NULL, 0 },
1302 /* 0xe2 */ { NULL, NULL, 0 },
1303 /* 0xe3 */ { NULL, NULL, 0 },
1304 /* 0xe4 */ { NULL, NULL, 0 },
1305 /* 0xe5 */ { NULL, NULL, 0 },
1306 /* 0xe6 */ { NULL, NULL, 0 },
1307 /* 0xe7 */ { NULL, NULL, 0 },
1308 /* 0xe8 */ { NULL, NULL, 0 },
1309 /* 0xe9 */ { NULL, NULL, 0 },
1310 /* 0xea */ { NULL, NULL, 0 },
1311 /* 0xeb */ { NULL, NULL, 0 },
1312 /* 0xec */ { NULL, NULL, 0 },
1313 /* 0xed */ { NULL, NULL, 0 },
1314 /* 0xee */ { NULL, NULL, 0 },
1315 /* 0xef */ { NULL, NULL, 0 },
1316 /* 0xf0 */ { NULL, NULL, 0 },
1317 /* 0xf1 */ { NULL, NULL, 0 },
1318 /* 0xf2 */ { NULL, NULL, 0 },
1319 /* 0xf3 */ { NULL, NULL, 0 },
1320 /* 0xf4 */ { NULL, NULL, 0 },
1321 /* 0xf5 */ { NULL, NULL, 0 },
1322 /* 0xf6 */ { NULL, NULL, 0 },
1323 /* 0xf7 */ { NULL, NULL, 0 },
1324 /* 0xf8 */ { NULL, NULL, 0 },
1325 /* 0xf9 */ { NULL, NULL, 0 },
1326 /* 0xfa */ { NULL, NULL, 0 },
1327 /* 0xfb */ { NULL, NULL, 0 },
1328 /* 0xfc */ { NULL, NULL, 0 },
1329 /* 0xfd */ { NULL, NULL, 0 },
1330 /* 0xfe */ { NULL, NULL, 0 },
1331 /* 0xff */ { NULL, NULL, 0 }
1332
1333 };
1334
1335 /*******************************************************************
1336  allocate and initialize a reply packet
1337 ********************************************************************/
1338
1339 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1340                           const char *inbuf, char **outbuf, uint8_t num_words,
1341                           uint32_t num_bytes)
1342 {
1343         size_t smb_len = MIN_SMB_SIZE + VWV(num_words) + num_bytes;
1344
1345         /*
1346          * Protect against integer wrap.
1347          * The SMB layer reply can be up to 0xFFFFFF bytes.
1348          */
1349         if ((num_bytes > 0xffffff) || (smb_len > 0xffffff)) {
1350                 char *msg;
1351                 if (asprintf(&msg, "num_bytes too large: %u",
1352                              (unsigned)num_bytes) == -1) {
1353                         msg = discard_const_p(char, "num_bytes too large");
1354                 }
1355                 smb_panic(msg);
1356         }
1357
1358         /*
1359          * Here we include the NBT header for now.
1360          */
1361         *outbuf = talloc_array(mem_ctx, char,
1362                                NBT_HDR_SIZE + smb_len);
1363         if (*outbuf == NULL) {
1364                 return false;
1365         }
1366
1367         construct_reply_common(req, inbuf, *outbuf);
1368         srv_set_message(*outbuf, num_words, num_bytes, false);
1369         /*
1370          * Zero out the word area, the caller has to take care of the bcc area
1371          * himself
1372          */
1373         if (num_words != 0) {
1374                 memset(*outbuf + (NBT_HDR_SIZE + HDR_VWV), 0, VWV(num_words));
1375         }
1376
1377         return true;
1378 }
1379
1380 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1381 {
1382         char *outbuf;
1383         if (!create_outbuf(req, req, (const char *)req->inbuf, &outbuf, num_words,
1384                            num_bytes)) {
1385                 smb_panic("could not allocate output buffer\n");
1386         }
1387         req->outbuf = (uint8_t *)outbuf;
1388 }
1389
1390
1391 /*******************************************************************
1392  Dump a packet to a file.
1393 ********************************************************************/
1394
1395 static void smb_dump(const char *name, int type, const char *data)
1396 {
1397         size_t len;
1398         int fd, i;
1399         char *fname = NULL;
1400         if (DEBUGLEVEL < 50) {
1401                 return;
1402         }
1403
1404         len = smb_len_tcp(data)+4;
1405         for (i=1;i<100;i++) {
1406                 fname = talloc_asprintf(talloc_tos(),
1407                                 "/tmp/%s.%d.%s",
1408                                 name,
1409                                 i,
1410                                 type ? "req" : "resp");
1411                 if (fname == NULL) {
1412                         return;
1413                 }
1414                 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1415                 if (fd != -1 || errno != EEXIST) break;
1416                 TALLOC_FREE(fname);
1417         }
1418         if (fd != -1) {
1419                 ssize_t ret = write(fd, data, len);
1420                 if (ret != len)
1421                         DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1422                 close(fd);
1423                 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1424         }
1425         TALLOC_FREE(fname);
1426 }
1427
1428 /****************************************************************************
1429  Prepare everything for calling the actual request function, and potentially
1430  call the request function via the "new" interface.
1431
1432  Return False if the "legacy" function needs to be called, everything is
1433  prepared.
1434
1435  Return True if we're done.
1436
1437  I know this API sucks, but it is the one with the least code change I could
1438  find.
1439 ****************************************************************************/
1440
1441 static connection_struct *switch_message(uint8 type, struct smb_request *req)
1442 {
1443         int flags;
1444         uint64_t session_tag;
1445         connection_struct *conn = NULL;
1446         struct smbXsrv_connection *xconn = req->xconn;
1447         NTTIME now = timeval_to_nttime(&req->request_time);
1448         struct smbXsrv_session *session = NULL;
1449         NTSTATUS status;
1450
1451         errno = 0;
1452
1453         if (!xconn->smb1.negprot.done) {
1454                 switch (type) {
1455                         /*
1456                          * Without a negprot the request must
1457                          * either be a negprot, or one of the
1458                          * evil old SMB mailslot messaging types.
1459                          */
1460                         case SMBnegprot:
1461                         case SMBsendstrt:
1462                         case SMBsendend:
1463                         case SMBsendtxt:
1464                                 break;
1465                         default:
1466                                 exit_server_cleanly("The first request "
1467                                         "should be a negprot");
1468                 }
1469         }
1470
1471         if (smb_messages[type].fn == NULL) {
1472                 DEBUG(0,("Unknown message type %d!\n",type));
1473                 smb_dump("Unknown", 1, (const char *)req->inbuf);
1474                 reply_unknown_new(req, type);
1475                 return NULL;
1476         }
1477
1478         flags = smb_messages[type].flags;
1479
1480         /* In share mode security we must ignore the vuid. */
1481         session_tag = req->vuid;
1482         conn = req->conn;
1483
1484         DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1485                  (int)getpid(), (unsigned long)conn));
1486
1487         smb_dump(smb_fn_name(type), 1, (const char *)req->inbuf);
1488
1489         /* Ensure this value is replaced in the incoming packet. */
1490         SSVAL(discard_const_p(uint8_t, req->inbuf),smb_uid,session_tag);
1491
1492         /*
1493          * Ensure the correct username is in current_user_info.  This is a
1494          * really ugly bugfix for problems with multiple session_setup_and_X's
1495          * being done and allowing %U and %G substitutions to work correctly.
1496          * There is a reason this code is done here, don't move it unless you
1497          * know what you're doing... :-).
1498          * JRA.
1499          */
1500
1501         /*
1502          * lookup an existing session
1503          *
1504          * Note: for now we only check for NT_STATUS_NETWORK_SESSION_EXPIRED
1505          * here, the main check is still in change_to_user()
1506          */
1507         status = smb1srv_session_lookup(xconn,
1508                                         session_tag,
1509                                         now,
1510                                         &session);
1511         if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
1512                 switch (type) {
1513                 case SMBsesssetupX:
1514                         status = NT_STATUS_OK;
1515                         break;
1516                 default:
1517                         DEBUG(1,("Error: session %llu is expired, mid=%llu.\n",
1518                                  (unsigned long long)session_tag,
1519                                  (unsigned long long)req->mid));
1520                         reply_nterror(req, NT_STATUS_NETWORK_SESSION_EXPIRED);
1521                         return conn;
1522                 }
1523         }
1524
1525         if (session_tag != xconn->last_session_id) {
1526                 struct user_struct *vuser = NULL;
1527
1528                 xconn->last_session_id = session_tag;
1529                 if (session) {
1530                         vuser = session->compat;
1531                 }
1532                 if (vuser) {
1533                         set_current_user_info(
1534                                 vuser->session_info->unix_info->sanitized_username,
1535                                 vuser->session_info->unix_info->unix_name,
1536                                 vuser->session_info->info->domain_name);
1537                 }
1538         }
1539
1540         /* Does this call need to be run as the connected user? */
1541         if (flags & AS_USER) {
1542
1543                 /* Does this call need a valid tree connection? */
1544                 if (!conn) {
1545                         /*
1546                          * Amazingly, the error code depends on the command
1547                          * (from Samba4).
1548                          */
1549                         if (type == SMBntcreateX) {
1550                                 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1551                         } else {
1552                                 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1553                         }
1554                         return NULL;
1555                 }
1556
1557                 if (!change_to_user(conn,session_tag)) {
1558                         DEBUG(0, ("Error: Could not change to user. Removing "
1559                                 "deferred open, mid=%llu.\n",
1560                                 (unsigned long long)req->mid));
1561                         reply_force_doserror(req, ERRSRV, ERRbaduid);
1562                         return conn;
1563                 }
1564
1565                 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1566
1567                 /* Does it need write permission? */
1568                 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1569                         reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1570                         return conn;
1571                 }
1572
1573                 /* IPC services are limited */
1574                 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1575                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1576                         return conn;
1577                 }
1578         } else {
1579                 /* This call needs to be run as root */
1580                 change_to_root_user();
1581         }
1582
1583         /* load service specific parameters */
1584         if (conn) {
1585                 if (req->encrypted) {
1586                         conn->encrypted_tid = true;
1587                         /* encrypted required from now on. */
1588                         conn->encrypt_level = SMB_SIGNING_REQUIRED;
1589                 } else if (ENCRYPTION_REQUIRED(conn)) {
1590                         if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1591                                 DEBUG(1,("service[%s] requires encryption"
1592                                         "%s ACCESS_DENIED. mid=%llu\n",
1593                                         lp_servicename(talloc_tos(), SNUM(conn)),
1594                                         smb_fn_name(type),
1595                                         (unsigned long long)req->mid));
1596                                 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1597                                 return conn;
1598                         }
1599                 }
1600
1601                 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1602                                          (flags & (AS_USER|DO_CHDIR)
1603                                           ?True:False))) {
1604                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1605                         return conn;
1606                 }
1607                 conn->num_smb_operations++;
1608         }
1609
1610         /*
1611          * Does this protocol need to be run as guest? (Only archane
1612          * messenger service requests have this...)
1613          */
1614         if (flags & AS_GUEST) {
1615                 char *raddr;
1616                 bool ok;
1617
1618                 if (!change_to_guest()) {
1619                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1620                         return conn;
1621                 }
1622
1623                 raddr = tsocket_address_inet_addr_string(xconn->remote_address,
1624                                                          talloc_tos());
1625                 if (raddr == NULL) {
1626                         reply_nterror(req, NT_STATUS_NO_MEMORY);
1627                         return conn;
1628                 }
1629
1630                 /*
1631                  * Haven't we checked this in smbd_process already???
1632                  */
1633
1634                 ok = allow_access(lp_hosts_deny(-1), lp_hosts_allow(-1),
1635                                   xconn->remote_hostname, raddr);
1636                 TALLOC_FREE(raddr);
1637
1638                 if (!ok) {
1639                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1640                         return conn;
1641                 }
1642         }
1643
1644         smb_messages[type].fn(req);
1645         return req->conn;
1646 }
1647
1648 /****************************************************************************
1649  Construct a reply to the incoming packet.
1650 ****************************************************************************/
1651
1652 static void construct_reply(struct smbd_server_connection *sconn,
1653                             char *inbuf, int size, size_t unread_bytes,
1654                             uint32_t seqnum, bool encrypted,
1655                             struct smb_perfcount_data *deferred_pcd)
1656 {
1657         struct smbXsrv_connection *xconn = sconn->conn;
1658         struct smb_request *req;
1659
1660         if (!(req = talloc(talloc_tos(), struct smb_request))) {
1661                 smb_panic("could not allocate smb_request");
1662         }
1663
1664         if (!init_smb_request(req, sconn, xconn, (uint8 *)inbuf, unread_bytes,
1665                               encrypted, seqnum)) {
1666                 exit_server_cleanly("Invalid SMB request");
1667         }
1668
1669         req->inbuf  = (uint8_t *)talloc_move(req, &inbuf);
1670
1671         /* we popped this message off the queue - keep original perf data */
1672         if (deferred_pcd)
1673                 req->pcd = *deferred_pcd;
1674         else {
1675                 SMB_PERFCOUNT_START(&req->pcd);
1676                 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1677                 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1678         }
1679
1680         req->conn = switch_message(req->cmd, req);
1681
1682         if (req->outbuf == NULL) {
1683                 /*
1684                  * Request has suspended itself, will come
1685                  * back here.
1686                  */
1687                 return;
1688         }
1689         if (CVAL(req->outbuf,0) == 0) {
1690                 show_msg((char *)req->outbuf);
1691         }
1692         smb_request_done(req);
1693 }
1694
1695 static void construct_reply_chain(struct smbd_server_connection *sconn,
1696                                   char *inbuf, int size, uint32_t seqnum,
1697                                   bool encrypted,
1698                                   struct smb_perfcount_data *deferred_pcd)
1699 {
1700         struct smbXsrv_connection *xconn = sconn->conn;
1701         struct smb_request **reqs = NULL;
1702         struct smb_request *req;
1703         unsigned num_reqs;
1704         bool ok;
1705
1706         ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, sconn, encrypted,
1707                               seqnum, &reqs, &num_reqs);
1708         if (!ok) {
1709                 char errbuf[smb_size];
1710                 error_packet(errbuf, 0, 0, NT_STATUS_INVALID_PARAMETER,
1711                              __LINE__, __FILE__);
1712                 if (!srv_send_smb(xconn, errbuf, true, seqnum, encrypted,
1713                                   NULL)) {
1714                         exit_server_cleanly("construct_reply_chain: "
1715                                             "srv_send_smb failed.");
1716                 }
1717                 return;
1718         }
1719
1720         req = reqs[0];
1721         req->inbuf = (uint8_t *)talloc_move(reqs, &inbuf);
1722
1723         req->conn = switch_message(req->cmd, req);
1724
1725         if (req->outbuf == NULL) {
1726                 /*
1727                  * Request has suspended itself, will come
1728                  * back here.
1729                  */
1730                 return;
1731         }
1732         smb_request_done(req);
1733 }
1734
1735 /*
1736  * To be called from an async SMB handler that is potentially chained
1737  * when it is finished for shipping.
1738  */
1739
1740 void smb_request_done(struct smb_request *req)
1741 {
1742         struct smb_request **reqs = NULL;
1743         struct smb_request *first_req;
1744         size_t i, num_reqs, next_index;
1745         NTSTATUS status;
1746
1747         if (req->chain == NULL) {
1748                 first_req = req;
1749                 goto shipit;
1750         }
1751
1752         reqs = req->chain;
1753         num_reqs = talloc_array_length(reqs);
1754
1755         for (i=0; i<num_reqs; i++) {
1756                 if (reqs[i] == req) {
1757                         break;
1758                 }
1759         }
1760         if (i == num_reqs) {
1761                 /*
1762                  * Invalid chain, should not happen
1763                  */
1764                 status = NT_STATUS_INTERNAL_ERROR;
1765                 goto error;
1766         }
1767         next_index = i+1;
1768
1769         while ((next_index < num_reqs) && (IVAL(req->outbuf, smb_rcls) == 0)) {
1770                 struct smb_request *next = reqs[next_index];
1771                 struct smbXsrv_tcon *tcon;
1772                 NTTIME now = timeval_to_nttime(&req->request_time);
1773
1774                 next->vuid = SVAL(req->outbuf, smb_uid);
1775                 next->tid  = SVAL(req->outbuf, smb_tid);
1776                 status = smb1srv_tcon_lookup(req->xconn, req->tid,
1777                                              now, &tcon);
1778                 if (NT_STATUS_IS_OK(status)) {
1779                         req->conn = tcon->compat;
1780                 } else {
1781                         req->conn = NULL;
1782                 }
1783                 next->chain_fsp = req->chain_fsp;
1784                 next->inbuf = req->inbuf;
1785
1786                 req = next;
1787                 req->conn = switch_message(req->cmd, req);
1788
1789                 if (req->outbuf == NULL) {
1790                         /*
1791                          * Request has suspended itself, will come
1792                          * back here.
1793                          */
1794                         return;
1795                 }
1796                 next_index += 1;
1797         }
1798
1799         first_req = reqs[0];
1800
1801         for (i=1; i<next_index; i++) {
1802                 bool ok;
1803
1804                 ok = smb_splice_chain(&first_req->outbuf, reqs[i]->outbuf);
1805                 if (!ok) {
1806                         status = NT_STATUS_INTERNAL_ERROR;
1807                         goto error;
1808                 }
1809         }
1810
1811         SSVAL(first_req->outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
1812         SSVAL(first_req->outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
1813
1814         /*
1815          * This scary statement intends to set the
1816          * FLAGS2_32_BIT_ERROR_CODES flg2 field in first_req->outbuf
1817          * to the value last_req->outbuf carries
1818          */
1819         SSVAL(first_req->outbuf, smb_flg2,
1820               (SVAL(first_req->outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
1821               |(SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
1822
1823         /*
1824          * Transfer the error codes from the subrequest to the main one
1825          */
1826         SSVAL(first_req->outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
1827         SSVAL(first_req->outbuf, smb_err,  SVAL(req->outbuf, smb_err));
1828
1829         _smb_setlen_large(
1830                 first_req->outbuf, talloc_get_size(first_req->outbuf) - 4);
1831
1832 shipit:
1833         if (!srv_send_smb(first_req->xconn,
1834                           (char *)first_req->outbuf,
1835                           true, first_req->seqnum+1,
1836                           IS_CONN_ENCRYPTED(req->conn)||first_req->encrypted,
1837                           &first_req->pcd)) {
1838                 exit_server_cleanly("construct_reply_chain: srv_send_smb "
1839                                     "failed.");
1840         }
1841         TALLOC_FREE(req);       /* non-chained case */
1842         TALLOC_FREE(reqs);      /* chained case */
1843         return;
1844
1845 error:
1846         {
1847                 char errbuf[smb_size];
1848                 error_packet(errbuf, 0, 0, status, __LINE__, __FILE__);
1849                 if (!srv_send_smb(req->xconn, errbuf, true,
1850                                   req->seqnum+1, req->encrypted,
1851                                   NULL)) {
1852                         exit_server_cleanly("construct_reply_chain: "
1853                                             "srv_send_smb failed.");
1854                 }
1855         }
1856         TALLOC_FREE(req);       /* non-chained case */
1857         TALLOC_FREE(reqs);      /* chained case */
1858 }
1859
1860 /****************************************************************************
1861  Process an smb from the client
1862 ****************************************************************************/
1863 static void process_smb(struct smbXsrv_connection *xconn,
1864                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
1865                         uint32_t seqnum, bool encrypted,
1866                         struct smb_perfcount_data *deferred_pcd)
1867 {
1868         struct smbd_server_connection *sconn = xconn->sconn;
1869         int msg_type = CVAL(inbuf,0);
1870
1871         DO_PROFILE_INC(smb_count);
1872
1873         DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1874                     smb_len(inbuf) ) );
1875         DEBUG(3, ("Transaction %d of length %d (%u toread)\n",
1876                   sconn->trans_num, (int)nread, (unsigned int)unread_bytes));
1877
1878         if (msg_type != NBSSmessage) {
1879                 /*
1880                  * NetBIOS session request, keepalive, etc.
1881                  */
1882                 reply_special(xconn, (char *)inbuf, nread);
1883                 goto done;
1884         }
1885
1886         if (sconn->using_smb2) {
1887                 /* At this point we're not really using smb2,
1888                  * we make the decision here.. */
1889                 if (smbd_is_smb2_header(inbuf, nread)) {
1890                         const uint8_t *inpdu = inbuf + NBT_HDR_SIZE;
1891                         size_t pdulen = nread - NBT_HDR_SIZE;
1892                         smbd_smb2_first_negprot(xconn, inpdu, pdulen);
1893                         return;
1894                 } else if (nread >= smb_size && valid_smb_header(inbuf)
1895                                 && CVAL(inbuf, smb_com) != 0x72) {
1896                         /* This is a non-negprot SMB1 packet.
1897                            Disable SMB2 from now on. */
1898                         sconn->using_smb2 = false;
1899                 }
1900         }
1901
1902         /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1903          * so subtract 4 from it. */
1904         if ((nread < (smb_size - 4)) || !valid_smb_header(inbuf)) {
1905                 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1906                          smb_len(inbuf)));
1907
1908                 /* special magic for immediate exit */
1909                 if ((nread == 9) &&
1910                     (IVAL(inbuf, 4) == 0x74697865) &&
1911                     lp_parm_bool(-1, "smbd", "suicide mode", false)) {
1912                         uint8_t exitcode = CVAL(inbuf, 8);
1913                         DEBUG(1, ("Exiting immediately with code %d\n",
1914                                   (int)exitcode));
1915                         exit(exitcode);
1916                 }
1917
1918                 exit_server_cleanly("Non-SMB packet");
1919         }
1920
1921         show_msg((char *)inbuf);
1922
1923         if ((unread_bytes == 0) && smb1_is_chain(inbuf)) {
1924                 construct_reply_chain(sconn, (char *)inbuf, nread,
1925                                       seqnum, encrypted, deferred_pcd);
1926         } else {
1927                 construct_reply(sconn, (char *)inbuf, nread, unread_bytes,
1928                                 seqnum, encrypted, deferred_pcd);
1929         }
1930
1931         sconn->trans_num++;
1932
1933 done:
1934         sconn->num_requests++;
1935
1936         /* The timeout_processing function isn't run nearly
1937            often enough to implement 'max log size' without
1938            overrunning the size of the file by many megabytes.
1939            This is especially true if we are running at debug
1940            level 10.  Checking every 50 SMBs is a nice
1941            tradeoff of performance vs log file size overrun. */
1942
1943         if ((sconn->num_requests % 50) == 0 &&
1944             need_to_check_log_size()) {
1945                 change_to_root_user();
1946                 check_log_size();
1947         }
1948 }
1949
1950 /****************************************************************************
1951  Return a string containing the function name of a SMB command.
1952 ****************************************************************************/
1953
1954 const char *smb_fn_name(int type)
1955 {
1956         const char *unknown_name = "SMBunknown";
1957
1958         if (smb_messages[type].name == NULL)
1959                 return(unknown_name);
1960
1961         return(smb_messages[type].name);
1962 }
1963
1964 /****************************************************************************
1965  Helper functions for contruct_reply.
1966 ****************************************************************************/
1967
1968 void add_to_common_flags2(uint32 v)
1969 {
1970         common_flags2 |= v;
1971 }
1972
1973 void remove_from_common_flags2(uint32 v)
1974 {
1975         common_flags2 &= ~v;
1976 }
1977
1978 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1979                                    char *outbuf)
1980 {
1981         uint16_t in_flags2 = SVAL(inbuf,smb_flg2);
1982         uint16_t out_flags2 = common_flags2;
1983
1984         out_flags2 |= in_flags2 & FLAGS2_UNICODE_STRINGS;
1985         out_flags2 |= in_flags2 & FLAGS2_SMB_SECURITY_SIGNATURES;
1986         out_flags2 |= in_flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED;
1987
1988         srv_set_message(outbuf,0,0,false);
1989
1990         SCVAL(outbuf, smb_com, req->cmd);
1991         SIVAL(outbuf,smb_rcls,0);
1992         SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); 
1993         SSVAL(outbuf,smb_flg2, out_flags2);
1994         memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1995         memcpy(outbuf+smb_ss_field, inbuf+smb_ss_field, 8);
1996
1997         SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1998         SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1999         SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
2000         SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
2001 }
2002
2003 void construct_reply_common_req(struct smb_request *req, char *outbuf)
2004 {
2005         construct_reply_common(req, (const char *)req->inbuf, outbuf);
2006 }
2007
2008 /**
2009  * @brief Find the smb_cmd offset of the last command pushed
2010  * @param[in] buf       The buffer we're building up
2011  * @retval              Where can we put our next andx cmd?
2012  *
2013  * While chaining requests, the "next" request we're looking at needs to put
2014  * its SMB_Command before the data the previous request already built up added
2015  * to the chain. Find the offset to the place where we have to put our cmd.
2016  */
2017
2018 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
2019 {
2020         uint8_t cmd;
2021         size_t ofs;
2022
2023         cmd = CVAL(buf, smb_com);
2024
2025         if (!is_andx_req(cmd)) {
2026                 return false;
2027         }
2028
2029         ofs = smb_vwv0;
2030
2031         while (CVAL(buf, ofs) != 0xff) {
2032
2033                 if (!is_andx_req(CVAL(buf, ofs))) {
2034                         return false;
2035                 }
2036
2037                 /*
2038                  * ofs is from start of smb header, so add the 4 length
2039                  * bytes. The next cmd is right after the wct field.
2040                  */
2041                 ofs = SVAL(buf, ofs+2) + 4 + 1;
2042
2043                 if (ofs+4 >= talloc_get_size(buf)) {
2044                         return false;
2045                 }
2046         }
2047
2048         *pofs = ofs;
2049         return true;
2050 }
2051
2052 /**
2053  * @brief Do the smb chaining at a buffer level
2054  * @param[in] poutbuf           Pointer to the talloc'ed buffer to be modified
2055  * @param[in] andx_buf          Buffer to be appended
2056  */
2057
2058 static bool smb_splice_chain(uint8_t **poutbuf, const uint8_t *andx_buf)
2059 {
2060         uint8_t smb_command     = CVAL(andx_buf, smb_com);
2061         uint8_t wct             = CVAL(andx_buf, smb_wct);
2062         const uint16_t *vwv     = (const uint16_t *)(andx_buf + smb_vwv);
2063         uint32_t num_bytes      = smb_buflen(andx_buf);
2064         const uint8_t *bytes    = (const uint8_t *)smb_buf_const(andx_buf);
2065
2066         uint8_t *outbuf;
2067         size_t old_size, new_size;
2068         size_t ofs;
2069         size_t chain_padding = 0;
2070         size_t andx_cmd_ofs;
2071
2072
2073         old_size = talloc_get_size(*poutbuf);
2074
2075         if ((old_size % 4) != 0) {
2076                 /*
2077                  * Align the wct field of subsequent requests to a 4-byte
2078                  * boundary
2079                  */
2080                 chain_padding = 4 - (old_size % 4);
2081         }
2082
2083         /*
2084          * After the old request comes the new wct field (1 byte), the vwv's
2085          * and the num_bytes field.
2086          */
2087
2088         new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
2089         new_size += num_bytes;
2090
2091         if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
2092                 DEBUG(1, ("smb_splice_chain: %u bytes won't fit\n",
2093                           (unsigned)new_size));
2094                 return false;
2095         }
2096
2097         outbuf = talloc_realloc(NULL, *poutbuf, uint8_t, new_size);
2098         if (outbuf == NULL) {
2099                 DEBUG(0, ("talloc failed\n"));
2100                 return false;
2101         }
2102         *poutbuf = outbuf;
2103
2104         if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
2105                 DEBUG(1, ("invalid command chain\n"));
2106                 *poutbuf = talloc_realloc(NULL, *poutbuf, uint8_t, old_size);
2107                 return false;
2108         }
2109
2110         if (chain_padding != 0) {
2111                 memset(outbuf + old_size, 0, chain_padding);
2112                 old_size += chain_padding;
2113         }
2114
2115         SCVAL(outbuf, andx_cmd_ofs, smb_command);
2116         SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
2117
2118         ofs = old_size;
2119
2120         /*
2121          * Push the chained request:
2122          *
2123          * wct field
2124          */
2125
2126         SCVAL(outbuf, ofs, wct);
2127         ofs += 1;
2128
2129         /*
2130          * vwv array
2131          */
2132
2133         memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
2134
2135         /*
2136          * HACK ALERT
2137          *
2138          * Read&X has an offset into its data buffer at
2139          * vwv[6]. reply_read_andx has no idea anymore that it's
2140          * running from within a chain, so we have to fix up the
2141          * offset here.
2142          *
2143          * Although it looks disgusting at this place, I want to keep
2144          * it here. The alternative would be to push knowledge about
2145          * the andx chain down into read&x again.
2146          */
2147
2148         if (smb_command == SMBreadX) {
2149                 uint8_t *bytes_addr;
2150
2151                 if (wct < 7) {
2152                         /*
2153                          * Invalid read&x response
2154                          */
2155                         return false;
2156                 }
2157
2158                 bytes_addr = outbuf + ofs        /* vwv start */
2159                         + sizeof(uint16_t) * wct /* vwv array */
2160                         + sizeof(uint16_t)       /* bcc */
2161                         + 1;                     /* padding byte */
2162
2163                 SSVAL(outbuf + ofs, 6 * sizeof(uint16_t),
2164                       bytes_addr - outbuf - 4);
2165         }
2166
2167         ofs += sizeof(uint16_t) * wct;
2168
2169         /*
2170          * bcc (byte count)
2171          */
2172
2173         SSVAL(outbuf, ofs, num_bytes);
2174         ofs += sizeof(uint16_t);
2175
2176         /*
2177          * The bytes field
2178          */
2179
2180         memcpy(outbuf + ofs, bytes, num_bytes);
2181
2182         return true;
2183 }
2184
2185 bool smb1_is_chain(const uint8_t *buf)
2186 {
2187         uint8_t cmd, wct, andx_cmd;
2188
2189         cmd = CVAL(buf, smb_com);
2190         if (!is_andx_req(cmd)) {
2191                 return false;
2192         }
2193         wct = CVAL(buf, smb_wct);
2194         if (wct < 2) {
2195                 return false;
2196         }
2197         andx_cmd = CVAL(buf, smb_vwv);
2198         return (andx_cmd != 0xFF);
2199 }
2200
2201 bool smb1_walk_chain(const uint8_t *buf,
2202                      bool (*fn)(uint8_t cmd,
2203                                 uint8_t wct, const uint16_t *vwv,
2204                                 uint16_t num_bytes, const uint8_t *bytes,
2205                                 void *private_data),
2206                      void *private_data)
2207 {
2208         size_t smblen = smb_len(buf);
2209         const char *smb_buf = smb_base(buf);
2210         uint8_t cmd, chain_cmd;
2211         uint8_t wct;
2212         const uint16_t *vwv;
2213         uint16_t num_bytes;
2214         const uint8_t *bytes;
2215
2216         cmd = CVAL(buf, smb_com);
2217         wct = CVAL(buf, smb_wct);
2218         vwv = (const uint16_t *)(buf + smb_vwv);
2219         num_bytes = smb_buflen(buf);
2220         bytes = (const uint8_t *)smb_buf_const(buf);
2221
2222         if (!fn(cmd, wct, vwv, num_bytes, bytes, private_data)) {
2223                 return false;
2224         }
2225
2226         if (!is_andx_req(cmd)) {
2227                 return true;
2228         }
2229         if (wct < 2) {
2230                 return false;
2231         }
2232
2233         chain_cmd = CVAL(vwv, 0);
2234
2235         while (chain_cmd != 0xff) {
2236                 uint32_t chain_offset;  /* uint32_t to avoid overflow */
2237                 size_t length_needed;
2238                 ptrdiff_t vwv_offset;
2239
2240                 chain_offset = SVAL(vwv+1, 0);
2241
2242                 /*
2243                  * Check if the client tries to fool us. The chain
2244                  * offset needs to point beyond the current request in
2245                  * the chain, it needs to strictly grow. Otherwise we
2246                  * might be tricked into an endless loop always
2247                  * processing the same request over and over again. We
2248                  * used to assume that vwv and the byte buffer array
2249                  * in a chain are always attached, but OS/2 the
2250                  * Write&X/Read&X chain puts the Read&X vwv array
2251                  * right behind the Write&X vwv chain. The Write&X bcc
2252                  * array is put behind the Read&X vwv array. So now we
2253                  * check whether the chain offset points strictly
2254                  * behind the previous vwv array. req->buf points
2255                  * right after the vwv array of the previous
2256                  * request. See
2257                  * https://bugzilla.samba.org/show_bug.cgi?id=8360 for
2258                  * more information.
2259                  */
2260
2261                 vwv_offset = ((const char *)vwv - smb_buf);
2262                 if (chain_offset <= vwv_offset) {
2263                         return false;
2264                 }
2265
2266                 /*
2267                  * Next check: Make sure the chain offset does not
2268                  * point beyond the overall smb request length.
2269                  */
2270
2271                 length_needed = chain_offset+1; /* wct */
2272                 if (length_needed > smblen) {
2273                         return false;
2274                 }
2275
2276                 /*
2277                  * Now comes the pointer magic. Goal here is to set up
2278                  * vwv and buf correctly again. The chain offset (the
2279                  * former vwv[1]) points at the new wct field.
2280                  */
2281
2282                 wct = CVAL(smb_buf, chain_offset);
2283
2284                 if (is_andx_req(chain_cmd) && (wct < 2)) {
2285                         return false;
2286                 }
2287
2288                 /*
2289                  * Next consistency check: Make the new vwv array fits
2290                  * in the overall smb request.
2291                  */
2292
2293                 length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
2294                 if (length_needed > smblen) {
2295                         return false;
2296                 }
2297                 vwv = (const uint16_t *)(smb_buf + chain_offset + 1);
2298
2299                 /*
2300                  * Now grab the new byte buffer....
2301                  */
2302
2303                 num_bytes = SVAL(vwv+wct, 0);
2304
2305                 /*
2306                  * .. and check that it fits.
2307                  */
2308
2309                 length_needed += num_bytes;
2310                 if (length_needed > smblen) {
2311                         return false;
2312                 }
2313                 bytes = (const uint8_t *)(vwv+wct+1);
2314
2315                 if (!fn(chain_cmd, wct, vwv, num_bytes, bytes, private_data)) {
2316                         return false;
2317                 }
2318
2319                 if (!is_andx_req(chain_cmd)) {
2320                         return true;
2321                 }
2322                 chain_cmd = CVAL(vwv, 0);
2323         }
2324         return true;
2325 }
2326
2327 static bool smb1_chain_length_cb(uint8_t cmd,
2328                                  uint8_t wct, const uint16_t *vwv,
2329                                  uint16_t num_bytes, const uint8_t *bytes,
2330                                  void *private_data)
2331 {
2332         unsigned *count = (unsigned *)private_data;
2333         *count += 1;
2334         return true;
2335 }
2336
2337 unsigned smb1_chain_length(const uint8_t *buf)
2338 {
2339         unsigned count = 0;
2340
2341         if (!smb1_walk_chain(buf, smb1_chain_length_cb, &count)) {
2342                 return 0;
2343         }
2344         return count;
2345 }
2346
2347 struct smb1_parse_chain_state {
2348         TALLOC_CTX *mem_ctx;
2349         const uint8_t *buf;
2350         struct smbd_server_connection *sconn;
2351         struct smbXsrv_connection *xconn;
2352         bool encrypted;
2353         uint32_t seqnum;
2354
2355         struct smb_request **reqs;
2356         unsigned num_reqs;
2357 };
2358
2359 static bool smb1_parse_chain_cb(uint8_t cmd,
2360                                 uint8_t wct, const uint16_t *vwv,
2361                                 uint16_t num_bytes, const uint8_t *bytes,
2362                                 void *private_data)
2363 {
2364         struct smb1_parse_chain_state *state =
2365                 (struct smb1_parse_chain_state *)private_data;
2366         struct smb_request **reqs;
2367         struct smb_request *req;
2368         bool ok;
2369
2370         reqs = talloc_realloc(state->mem_ctx, state->reqs,
2371                               struct smb_request *, state->num_reqs+1);
2372         if (reqs == NULL) {
2373                 return false;
2374         }
2375         state->reqs = reqs;
2376
2377         req = talloc(reqs, struct smb_request);
2378         if (req == NULL) {
2379                 return false;
2380         }
2381
2382         ok = init_smb_request(req, state->sconn, state->xconn, state->buf, 0,
2383                               state->encrypted, state->seqnum);
2384         if (!ok) {
2385                 return false;
2386         }
2387         req->cmd = cmd;
2388         req->wct = wct;
2389         req->vwv = vwv;
2390         req->buflen = num_bytes;
2391         req->buf = bytes;
2392
2393         reqs[state->num_reqs] = req;
2394         state->num_reqs += 1;
2395         return true;
2396 }
2397
2398 bool smb1_parse_chain(TALLOC_CTX *mem_ctx, const uint8_t *buf,
2399                       struct smbd_server_connection *sconn,
2400                       bool encrypted, uint32_t seqnum,
2401                       struct smb_request ***reqs, unsigned *num_reqs)
2402 {
2403         struct smbXsrv_connection *xconn = sconn->conn;
2404         struct smb1_parse_chain_state state;
2405         unsigned i;
2406
2407         state.mem_ctx = mem_ctx;
2408         state.buf = buf;
2409         state.sconn = sconn;
2410         state.xconn = xconn;
2411         state.encrypted = encrypted;
2412         state.seqnum = seqnum;
2413         state.reqs = NULL;
2414         state.num_reqs = 0;
2415
2416         if (!smb1_walk_chain(buf, smb1_parse_chain_cb, &state)) {
2417                 TALLOC_FREE(state.reqs);
2418                 return false;
2419         }
2420         for (i=0; i<state.num_reqs; i++) {
2421                 state.reqs[i]->chain = state.reqs;
2422         }
2423         *reqs = state.reqs;
2424         *num_reqs = state.num_reqs;
2425         return true;
2426 }
2427
2428 /****************************************************************************
2429  Check if services need reloading.
2430 ****************************************************************************/
2431
2432 static void check_reload(struct smbd_server_connection *sconn, time_t t)
2433 {
2434
2435         if (last_smb_conf_reload_time == 0) {
2436                 last_smb_conf_reload_time = t;
2437         }
2438
2439         if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2440                 reload_services(sconn, conn_snum_used, true);
2441                 last_smb_conf_reload_time = t;
2442         }
2443 }
2444
2445 static bool fd_is_readable(int fd)
2446 {
2447         int ret, revents;
2448
2449         ret = poll_one_fd(fd, POLLIN|POLLHUP, 0, &revents);
2450
2451         return ((ret > 0) && ((revents & (POLLIN|POLLHUP|POLLERR)) != 0));
2452
2453 }
2454
2455 static void smbd_server_connection_write_handler(
2456         struct smbXsrv_connection *xconn)
2457 {
2458         /* TODO: make write nonblocking */
2459 }
2460
2461 static void smbd_server_connection_read_handler(
2462         struct smbXsrv_connection *xconn, int fd)
2463 {
2464         uint8_t *inbuf = NULL;
2465         size_t inbuf_len = 0;
2466         size_t unread_bytes = 0;
2467         bool encrypted = false;
2468         TALLOC_CTX *mem_ctx = talloc_tos();
2469         NTSTATUS status;
2470         uint32_t seqnum;
2471
2472         bool async_echo = lp_async_smb_echo_handler();
2473         bool from_client = false;
2474
2475         if (async_echo) {
2476                 if (fd_is_readable(xconn->smb1.echo_handler.trusted_fd)) {
2477                         /*
2478                          * This is the super-ugly hack to prefer the packets
2479                          * forwarded by the echo handler over the ones by the
2480                          * client directly
2481                          */
2482                         fd = xconn->smb1.echo_handler.trusted_fd;
2483                 }
2484         }
2485
2486         from_client = (xconn->transport.sock == fd);
2487
2488         if (async_echo && from_client) {
2489                 smbd_lock_socket(xconn);
2490
2491                 if (!fd_is_readable(fd)) {
2492                         DEBUG(10,("the echo listener was faster\n"));
2493                         smbd_unlock_socket(xconn);
2494                         return;
2495                 }
2496         }
2497
2498         /* TODO: make this completely nonblocking */
2499         status = receive_smb_talloc(mem_ctx, xconn, fd,
2500                                     (char **)(void *)&inbuf,
2501                                     0, /* timeout */
2502                                     &unread_bytes,
2503                                     &encrypted,
2504                                     &inbuf_len, &seqnum,
2505                                     !from_client /* trusted channel */);
2506
2507         if (async_echo && from_client) {
2508                 smbd_unlock_socket(xconn);
2509         }
2510
2511         if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2512                 goto process;
2513         }
2514         if (NT_STATUS_IS_ERR(status)) {
2515                 exit_server_cleanly("failed to receive smb request");
2516         }
2517         if (!NT_STATUS_IS_OK(status)) {
2518                 return;
2519         }
2520
2521 process:
2522         process_smb(xconn, inbuf, inbuf_len, unread_bytes,
2523                     seqnum, encrypted, NULL);
2524 }
2525
2526 static void smbd_server_connection_handler(struct tevent_context *ev,
2527                                            struct tevent_fd *fde,
2528                                            uint16_t flags,
2529                                            void *private_data)
2530 {
2531         struct smbXsrv_connection *xconn =
2532                 talloc_get_type_abort(private_data,
2533                 struct smbXsrv_connection);
2534
2535         if (!NT_STATUS_IS_OK(xconn->transport.status)) {
2536                 /*
2537                  * we're not supposed to do any io
2538                  */
2539                 TEVENT_FD_NOT_READABLE(xconn->transport.fde);
2540                 TEVENT_FD_NOT_WRITEABLE(xconn->transport.fde);
2541                 return;
2542         }
2543
2544         if (flags & TEVENT_FD_WRITE) {
2545                 smbd_server_connection_write_handler(xconn);
2546                 return;
2547         }
2548         if (flags & TEVENT_FD_READ) {
2549                 smbd_server_connection_read_handler(xconn, xconn->transport.sock);
2550                 return;
2551         }
2552 }
2553
2554 static void smbd_server_echo_handler(struct tevent_context *ev,
2555                                      struct tevent_fd *fde,
2556                                      uint16_t flags,
2557                                      void *private_data)
2558 {
2559         struct smbXsrv_connection *xconn =
2560                 talloc_get_type_abort(private_data,
2561                 struct smbXsrv_connection);
2562
2563         if (!NT_STATUS_IS_OK(xconn->transport.status)) {
2564                 /*
2565                  * we're not supposed to do any io
2566                  */
2567                 TEVENT_FD_NOT_READABLE(xconn->smb1.echo_handler.trusted_fde);
2568                 TEVENT_FD_NOT_WRITEABLE(xconn->smb1.echo_handler.trusted_fde);
2569                 return;
2570         }
2571
2572         if (flags & TEVENT_FD_WRITE) {
2573                 smbd_server_connection_write_handler(xconn);
2574                 return;
2575         }
2576         if (flags & TEVENT_FD_READ) {
2577                 smbd_server_connection_read_handler(
2578                         xconn, xconn->smb1.echo_handler.trusted_fd);
2579                 return;
2580         }
2581 }
2582
2583 struct smbd_release_ip_state {
2584         struct smbXsrv_connection *xconn;
2585         struct tevent_immediate *im;
2586         char addr[INET6_ADDRSTRLEN];
2587 };
2588
2589 static void smbd_release_ip_immediate(struct tevent_context *ctx,
2590                                       struct tevent_immediate *im,
2591                                       void *private_data)
2592 {
2593         struct smbd_release_ip_state *state =
2594                 talloc_get_type_abort(private_data,
2595                 struct smbd_release_ip_state);
2596         struct smbXsrv_connection *xconn = state->xconn;
2597
2598         if (!NT_STATUS_EQUAL(xconn->transport.status, NT_STATUS_ADDRESS_CLOSED)) {
2599                 /*
2600                  * smbd_server_connection_terminate() already triggered ?
2601                  */
2602                 return;
2603         }
2604
2605         smbd_server_connection_terminate(xconn, "CTDB_SRVID_RELEASE_IP");
2606 }
2607
2608 /****************************************************************************
2609 received when we should release a specific IP
2610 ****************************************************************************/
2611 static bool release_ip(const char *ip, void *priv)
2612 {
2613         struct smbd_release_ip_state *state =
2614                 talloc_get_type_abort(priv,
2615                 struct smbd_release_ip_state);
2616         struct smbXsrv_connection *xconn = state->xconn;
2617         const char *addr = state->addr;
2618         const char *p = addr;
2619
2620         if (!NT_STATUS_IS_OK(xconn->transport.status)) {
2621                 /* avoid recursion */
2622                 return false;
2623         }
2624
2625         if (strncmp("::ffff:", addr, 7) == 0) {
2626                 p = addr + 7;
2627         }
2628
2629         DEBUG(10, ("Got release IP message for %s, "
2630                    "our address is %s\n", ip, p));
2631
2632         if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2633                 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2634                         ip));
2635                 /*
2636                  * With SMB2 we should do a clean disconnect,
2637                  * the previous_session_id in the session setup
2638                  * will cleanup the old session, tcons and opens.
2639                  *
2640                  * A clean disconnect is needed in order to support
2641                  * durable handles.
2642                  *
2643                  * Note: typically this is never triggered
2644                  *       as we got a TCP RST (triggered by ctdb event scripts)
2645                  *       before we get CTDB_SRVID_RELEASE_IP.
2646                  *
2647                  * We used to call _exit(1) here, but as this was mostly never
2648                  * triggered and has implication on our process model,
2649                  * we can just use smbd_server_connection_terminate()
2650                  * (also for SMB1).
2651                  *
2652                  * We don't call smbd_server_connection_terminate() directly
2653                  * as we might be called from within ctdbd_migrate(),
2654                  * we need to defer our action to the next event loop
2655                  */
2656                 tevent_schedule_immediate(state->im, xconn->ev_ctx,
2657                                           smbd_release_ip_immediate, state);
2658
2659                 /*
2660                  * Make sure we don't get any io on the connection.
2661                  */
2662                 xconn->transport.status = NT_STATUS_ADDRESS_CLOSED;
2663                 return true;
2664         }
2665
2666         return false;
2667 }
2668
2669 static NTSTATUS smbd_register_ips(struct smbXsrv_connection *xconn,
2670                                   struct sockaddr_storage *srv,
2671                                   struct sockaddr_storage *clnt)
2672 {
2673         struct smbd_release_ip_state *state;
2674         struct ctdbd_connection *cconn;
2675
2676         cconn = messaging_ctdbd_connection();
2677         if (cconn == NULL) {
2678                 return NT_STATUS_NO_MEMORY;
2679         }
2680
2681         state = talloc_zero(xconn, struct smbd_release_ip_state);
2682         if (state == NULL) {
2683                 return NT_STATUS_NO_MEMORY;
2684         }
2685         state->xconn = xconn;
2686         state->im = tevent_create_immediate(state);
2687         if (state->im == NULL) {
2688                 return NT_STATUS_NO_MEMORY;
2689         }
2690         if (print_sockaddr(state->addr, sizeof(state->addr), srv) == NULL) {
2691                 return NT_STATUS_NO_MEMORY;
2692         }
2693
2694         return ctdbd_register_ips(cconn, srv, clnt, release_ip, state);
2695 }
2696
2697 static void msg_kill_client_ip(struct messaging_context *msg_ctx,
2698                                   void *private_data, uint32_t msg_type,
2699                                   struct server_id server_id, DATA_BLOB *data)
2700 {
2701         struct smbd_server_connection *sconn = talloc_get_type_abort(
2702                 private_data, struct smbd_server_connection);
2703         const char *ip = (char *) data->data;
2704         char *client_ip;
2705
2706         DEBUG(10, ("Got kill request for client IP %s\n", ip));
2707
2708         client_ip = tsocket_address_inet_addr_string(sconn->remote_address,
2709                                                      talloc_tos());
2710         if (client_ip == NULL) {
2711                 return;
2712         }
2713
2714         if (strequal(ip, client_ip)) {
2715                 DEBUG(1, ("Got kill client message for %s - "
2716                           "exiting immediately\n", ip));
2717                 exit_server_cleanly("Forced disconnect for client");
2718         }
2719
2720         TALLOC_FREE(client_ip);
2721 }
2722
2723 /*
2724  * Send keepalive packets to our client
2725  */
2726 static bool keepalive_fn(const struct timeval *now, void *private_data)
2727 {
2728         struct smbd_server_connection *sconn = talloc_get_type_abort(
2729                 private_data, struct smbd_server_connection);
2730         struct smbXsrv_connection *xconn = sconn->conn;
2731         bool ret;
2732
2733         if (sconn->using_smb2) {
2734                 /* Don't do keepalives on an SMB2 connection. */
2735                 return false;
2736         }
2737
2738         smbd_lock_socket(xconn);
2739         ret = send_keepalive(xconn->transport.sock);
2740         smbd_unlock_socket(xconn);
2741
2742         if (!ret) {
2743                 int saved_errno = errno;
2744                 /*
2745                  * Try and give an error message saying what
2746                  * client failed.
2747                  */
2748                 DEBUG(0, ("send_keepalive failed for client %s. "
2749                           "Error %s - exiting\n",
2750                           smbXsrv_connection_dbg(xconn),
2751                           strerror(saved_errno)));
2752                 errno = saved_errno;
2753                 return False;
2754         }
2755         return True;
2756 }
2757
2758 /*
2759  * Do the recurring check if we're idle
2760  */
2761 static bool deadtime_fn(const struct timeval *now, void *private_data)
2762 {
2763         struct smbd_server_connection *sconn =
2764                 (struct smbd_server_connection *)private_data;
2765
2766         if ((conn_num_open(sconn) == 0)
2767             || (conn_idle_all(sconn, now->tv_sec))) {
2768                 DEBUG( 2, ( "Closing idle connection\n" ) );
2769                 messaging_send(sconn->msg_ctx,
2770                                messaging_server_id(sconn->msg_ctx),
2771                                MSG_SHUTDOWN, &data_blob_null);
2772                 return False;
2773         }
2774
2775         return True;
2776 }
2777
2778 /*
2779  * Do the recurring log file and smb.conf reload checks.
2780  */
2781
2782 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2783 {
2784         struct smbd_server_connection *sconn = talloc_get_type_abort(
2785                 private_data, struct smbd_server_connection);
2786
2787         DEBUG(5, ("housekeeping\n"));
2788
2789         change_to_root_user();
2790
2791         /* update printer queue caches if necessary */
2792         update_monitored_printq_cache(sconn->msg_ctx);
2793
2794         /* check if we need to reload services */
2795         check_reload(sconn, time_mono(NULL));
2796
2797         /*
2798          * Force a log file check.
2799          */
2800         force_check_log_size();
2801         check_log_size();
2802         return true;
2803 }
2804
2805 /*
2806  * Read an smb packet in the echo handler child, giving the parent
2807  * smbd one second to react once the socket becomes readable.
2808  */
2809
2810 struct smbd_echo_read_state {
2811         struct tevent_context *ev;
2812         struct smbd_server_connection *sconn;
2813
2814         char *buf;
2815         size_t buflen;
2816         uint32_t seqnum;
2817 };
2818
2819 static void smbd_echo_read_readable(struct tevent_req *subreq);
2820 static void smbd_echo_read_waited(struct tevent_req *subreq);
2821
2822 static struct tevent_req *smbd_echo_read_send(
2823         TALLOC_CTX *mem_ctx, struct tevent_context *ev,
2824         struct smbd_server_connection *sconn)
2825 {
2826         struct tevent_req *req, *subreq;
2827         struct smbd_echo_read_state *state;
2828         struct smbXsrv_connection *xconn = sconn->conn;
2829
2830         req = tevent_req_create(mem_ctx, &state,
2831                                 struct smbd_echo_read_state);
2832         if (req == NULL) {
2833                 return NULL;
2834         }
2835         state->ev = ev;
2836         state->sconn = sconn;
2837
2838         subreq = wait_for_read_send(state, ev, xconn->transport.sock);
2839         if (tevent_req_nomem(subreq, req)) {
2840                 return tevent_req_post(req, ev);
2841         }
2842         tevent_req_set_callback(subreq, smbd_echo_read_readable, req);
2843         return req;
2844 }
2845
2846 static void smbd_echo_read_readable(struct tevent_req *subreq)
2847 {
2848         struct tevent_req *req = tevent_req_callback_data(
2849                 subreq, struct tevent_req);
2850         struct smbd_echo_read_state *state = tevent_req_data(
2851                 req, struct smbd_echo_read_state);
2852         bool ok;
2853         int err;
2854
2855         ok = wait_for_read_recv(subreq, &err);
2856         TALLOC_FREE(subreq);
2857         if (!ok) {
2858                 tevent_req_nterror(req, map_nt_error_from_unix(err));
2859                 return;
2860         }
2861
2862         /*
2863          * Give the parent smbd one second to step in
2864          */
2865
2866         subreq = tevent_wakeup_send(
2867                 state, state->ev, timeval_current_ofs(1, 0));
2868         if (tevent_req_nomem(subreq, req)) {
2869                 return;
2870         }
2871         tevent_req_set_callback(subreq, smbd_echo_read_waited, req);
2872 }
2873
2874 static void smbd_echo_read_waited(struct tevent_req *subreq)
2875 {
2876         struct tevent_req *req = tevent_req_callback_data(
2877                 subreq, struct tevent_req);
2878         struct smbd_echo_read_state *state = tevent_req_data(
2879                 req, struct smbd_echo_read_state);
2880         struct smbd_server_connection *sconn = state->sconn;
2881         struct smbXsrv_connection *xconn = sconn->conn;
2882         bool ok;
2883         NTSTATUS status;
2884         size_t unread = 0;
2885         bool encrypted;
2886
2887         ok = tevent_wakeup_recv(subreq);
2888         TALLOC_FREE(subreq);
2889         if (!ok) {
2890                 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
2891                 return;
2892         }
2893
2894         ok = smbd_lock_socket_internal(xconn);
2895         if (!ok) {
2896                 tevent_req_nterror(req, map_nt_error_from_unix(errno));
2897                 DEBUG(0, ("%s: failed to lock socket\n", __location__));
2898                 return;
2899         }
2900
2901         if (!fd_is_readable(xconn->transport.sock)) {
2902                 DEBUG(10,("echo_handler[%d] the parent smbd was faster\n",
2903                           (int)getpid()));
2904
2905                 ok = smbd_unlock_socket_internal(xconn);
2906                 if (!ok) {
2907                         tevent_req_nterror(req, map_nt_error_from_unix(errno));
2908                         DEBUG(1, ("%s: failed to unlock socket\n",
2909                                 __location__));
2910                         return;
2911                 }
2912
2913                 subreq = wait_for_read_send(state, state->ev,
2914                                             xconn->transport.sock);
2915                 if (tevent_req_nomem(subreq, req)) {
2916                         return;
2917                 }
2918                 tevent_req_set_callback(subreq, smbd_echo_read_readable, req);
2919                 return;
2920         }
2921
2922         status = receive_smb_talloc(state, xconn,
2923                                     xconn->transport.sock,
2924                                     &state->buf,
2925                                     0 /* timeout */,
2926                                     &unread,
2927                                     &encrypted,
2928                                     &state->buflen,
2929                                     &state->seqnum,
2930                                     false /* trusted_channel*/);
2931
2932         if (tevent_req_nterror(req, status)) {
2933                 tevent_req_nterror(req, status);
2934                 DEBUG(1, ("echo_handler[%d]: receive_smb_raw_talloc failed: %s\n",
2935                           (int)getpid(), nt_errstr(status)));
2936                 return;
2937         }
2938
2939         ok = smbd_unlock_socket_internal(xconn);
2940         if (!ok) {
2941                 tevent_req_nterror(req, map_nt_error_from_unix(errno));
2942                 DEBUG(1, ("%s: failed to unlock socket\n", __location__));
2943                 return;
2944         }
2945         tevent_req_done(req);
2946 }
2947
2948 static NTSTATUS smbd_echo_read_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
2949                                     char **pbuf, size_t *pbuflen, uint32_t *pseqnum)
2950 {
2951         struct smbd_echo_read_state *state = tevent_req_data(
2952                 req, struct smbd_echo_read_state);
2953         NTSTATUS status;
2954
2955         if (tevent_req_is_nterror(req, &status)) {
2956                 return status;
2957         }
2958         *pbuf = talloc_move(mem_ctx, &state->buf);
2959         *pbuflen = state->buflen;
2960         *pseqnum = state->seqnum;
2961         return NT_STATUS_OK;
2962 }
2963
2964 struct smbd_echo_state {
2965         struct tevent_context *ev;
2966         struct iovec *pending;
2967         struct smbd_server_connection *sconn;
2968         struct smbXsrv_connection *xconn;
2969         int parent_pipe;
2970
2971         struct tevent_fd *parent_fde;
2972
2973         struct tevent_req *write_req;
2974 };
2975
2976 static void smbd_echo_writer_done(struct tevent_req *req);
2977
2978 static void smbd_echo_activate_writer(struct smbd_echo_state *state)
2979 {
2980         int num_pending;
2981
2982         if (state->write_req != NULL) {
2983                 return;
2984         }
2985
2986         num_pending = talloc_array_length(state->pending);
2987         if (num_pending == 0) {
2988                 return;
2989         }
2990
2991         state->write_req = writev_send(state, state->ev, NULL,
2992                                        state->parent_pipe, false,
2993                                        state->pending, num_pending);
2994         if (state->write_req == NULL) {
2995                 DEBUG(1, ("writev_send failed\n"));
2996                 exit(1);
2997         }
2998
2999         talloc_steal(state->write_req, state->pending);
3000         state->pending = NULL;
3001
3002         tevent_req_set_callback(state->write_req, smbd_echo_writer_done,
3003                                 state);
3004 }
3005
3006 static void smbd_echo_writer_done(struct tevent_req *req)
3007 {
3008         struct smbd_echo_state *state = tevent_req_callback_data(
3009                 req, struct smbd_echo_state);
3010         ssize_t written;
3011         int err;
3012
3013         written = writev_recv(req, &err);
3014         TALLOC_FREE(req);
3015         state->write_req = NULL;
3016         if (written == -1) {
3017                 DEBUG(1, ("writev to parent failed: %s\n", strerror(err)));
3018                 exit(1);
3019         }
3020         DEBUG(10,("echo_handler[%d]: forwarded pdu to main\n", (int)getpid()));
3021         smbd_echo_activate_writer(state);
3022 }
3023
3024 static bool smbd_echo_reply(struct smbd_echo_state *state,
3025                             uint8_t *inbuf, size_t inbuf_len,
3026                             uint32_t seqnum)
3027 {
3028         struct smb_request req;
3029         uint16_t num_replies;
3030         char *outbuf;
3031         bool ok;
3032
3033         if ((inbuf_len == 4) && (CVAL(inbuf, 0) == NBSSkeepalive)) {
3034                 DEBUG(10, ("Got netbios keepalive\n"));
3035                 /*
3036                  * Just swallow it
3037                  */
3038                 return true;
3039         }
3040
3041         if (inbuf_len < smb_size) {
3042                 DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
3043                 return false;
3044         }
3045         if (!valid_smb_header(inbuf)) {
3046                 DEBUG(10, ("Got invalid SMB header\n"));
3047                 return false;
3048         }
3049
3050         if (!init_smb_request(&req, state->sconn, state->xconn, inbuf, 0, false,
3051                               seqnum)) {
3052                 return false;
3053         }
3054         req.inbuf = inbuf;
3055
3056         DEBUG(10, ("smbecho handler got cmd %d (%s)\n", (int)req.cmd,
3057                    smb_messages[req.cmd].name
3058                    ? smb_messages[req.cmd].name : "unknown"));
3059
3060         if (req.cmd != SMBecho) {
3061                 return false;
3062         }
3063         if (req.wct < 1) {
3064                 return false;
3065         }
3066
3067         num_replies = SVAL(req.vwv+0, 0);
3068         if (num_replies != 1) {
3069                 /* Not a Windows "Hey, you're still there?" request */
3070                 return false;
3071         }
3072
3073         if (!create_outbuf(talloc_tos(), &req, (const char *)req.inbuf, &outbuf,
3074                            1, req.buflen)) {
3075                 DEBUG(10, ("create_outbuf failed\n"));
3076                 return false;
3077         }
3078         req.outbuf = (uint8_t *)outbuf;
3079
3080         SSVAL(req.outbuf, smb_vwv0, num_replies);
3081
3082         if (req.buflen > 0) {
3083                 memcpy(smb_buf(req.outbuf), req.buf, req.buflen);
3084         }
3085
3086         ok = srv_send_smb(req.xconn,
3087                           (char *)outbuf,
3088                           true, seqnum+1,
3089                           false, &req.pcd);
3090         TALLOC_FREE(outbuf);
3091         if (!ok) {
3092                 exit(1);
3093         }
3094
3095         return true;
3096 }
3097
3098 static void smbd_echo_exit(struct tevent_context *ev,
3099                            struct tevent_fd *fde, uint16_t flags,
3100                            void *private_data)
3101 {
3102         DEBUG(2, ("smbd_echo_exit: lost connection to parent\n"));
3103         exit(0);
3104 }
3105
3106 static void smbd_echo_got_packet(struct tevent_req *req);
3107
3108 static void smbd_echo_loop(struct smbd_server_connection *sconn,
3109                            int parent_pipe)
3110 {
3111         struct smbXsrv_connection *xconn = sconn->conn;
3112         struct smbd_echo_state *state;
3113         struct tevent_req *read_req;
3114
3115         state = talloc_zero(sconn, struct smbd_echo_state);
3116         if (state == NULL) {
3117                 DEBUG(1, ("talloc failed\n"));
3118                 return;
3119         }
3120         state->sconn = sconn;
3121         state->xconn = xconn;
3122         state->parent_pipe = parent_pipe;
3123         state->ev = s3_tevent_context_init(state);
3124         if (state->ev == NULL) {
3125                 DEBUG(1, ("tevent_context_init failed\n"));
3126                 TALLOC_FREE(state);
3127                 return;
3128         }
3129         state->parent_fde = tevent_add_fd(state->ev, state, parent_pipe,
3130                                         TEVENT_FD_READ, smbd_echo_exit,
3131                                         state);
3132         if (state->parent_fde == NULL) {
3133                 DEBUG(1, ("tevent_add_fd failed\n"));
3134                 TALLOC_FREE(state);
3135                 return;
3136         }
3137
3138         read_req = smbd_echo_read_send(state, state->ev, sconn);
3139         if (read_req == NULL) {
3140                 DEBUG(1, ("smbd_echo_read_send failed\n"));
3141                 TALLOC_FREE(state);
3142                 return;
3143         }
3144         tevent_req_set_callback(read_req, smbd_echo_got_packet, state);
3145
3146         while (true) {
3147                 if (tevent_loop_once(state->ev) == -1) {
3148                         DEBUG(1, ("tevent_loop_once failed: %s\n",
3149                                   strerror(errno)));
3150                         break;
3151                 }
3152         }
3153         TALLOC_FREE(state);
3154 }
3155
3156 static void smbd_echo_got_packet(struct tevent_req *req)
3157 {
3158         struct smbd_echo_state *state = tevent_req_callback_data(
3159                 req, struct smbd_echo_state);
3160         NTSTATUS status;
3161         char *buf = NULL;
3162         size_t buflen = 0;
3163         uint32_t seqnum = 0;
3164         bool reply;
3165
3166         status = smbd_echo_read_recv(req, state, &buf, &buflen, &seqnum);
3167         TALLOC_FREE(req);
3168         if (!NT_STATUS_IS_OK(status)) {
3169                 DEBUG(1, ("smbd_echo_read_recv returned %s\n",
3170                           nt_errstr(status)));
3171                 exit(1);
3172         }
3173
3174         reply = smbd_echo_reply(state, (uint8_t *)buf, buflen, seqnum);
3175         if (!reply) {
3176                 size_t num_pending;
3177                 struct iovec *tmp;
3178                 struct iovec *iov;
3179
3180                 num_pending = talloc_array_length(state->pending);
3181                 tmp = talloc_realloc(state, state->pending, struct iovec,
3182                                      num_pending+1);
3183                 if (tmp == NULL) {
3184                         DEBUG(1, ("talloc_realloc failed\n"));
3185                         exit(1);
3186                 }
3187                 state->pending = tmp;
3188
3189                 if (buflen >= smb_size) {
3190                         /*
3191                          * place the seqnum in the packet so that the main process
3192                          * can reply with signing
3193                          */
3194                         SIVAL(buf, smb_ss_field, seqnum);
3195                         SIVAL(buf, smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
3196                 }
3197
3198                 iov = &state->pending[num_pending];
3199                 iov->iov_base = talloc_move(state->pending, &buf);
3200                 iov->iov_len = buflen;
3201
3202                 DEBUG(10,("echo_handler[%d]: forward to main\n",
3203                           (int)getpid()));
3204                 smbd_echo_activate_writer(state);
3205         }
3206
3207         req = smbd_echo_read_send(state, state->ev, state->sconn);
3208         if (req == NULL) {
3209                 DEBUG(1, ("smbd_echo_read_send failed\n"));
3210                 exit(1);
3211         }
3212         tevent_req_set_callback(req, smbd_echo_got_packet, state);
3213 }
3214
3215
3216 /*
3217  * Handle SMBecho requests in a forked child process
3218  */
3219 bool fork_echo_handler(struct smbd_server_connection *sconn)
3220 {
3221         struct smbXsrv_connection *xconn = sconn->conn;
3222         int listener_pipe[2];
3223         int res;
3224         pid_t child;
3225         bool use_mutex = false;
3226
3227         res = pipe(listener_pipe);
3228         if (res == -1) {
3229                 DEBUG(1, ("pipe() failed: %s\n", strerror(errno)));
3230                 return false;
3231         }
3232
3233 #ifdef HAVE_ROBUST_MUTEXES
3234         use_mutex = tdb_runtime_check_for_robust_mutexes();
3235
3236         if (use_mutex) {
3237                 pthread_mutexattr_t a;
3238
3239                 xconn->smb1.echo_handler.socket_mutex =
3240                         anonymous_shared_allocate(sizeof(pthread_mutex_t));
3241                 if (xconn->smb1.echo_handler.socket_mutex == NULL) {
3242                         DEBUG(1, ("Could not create mutex shared memory: %s\n",
3243                                   strerror(errno)));
3244                         goto fail;
3245                 }
3246
3247                 res = pthread_mutexattr_init(&a);
3248                 if (res != 0) {
3249                         DEBUG(1, ("pthread_mutexattr_init failed: %s\n",
3250                                   strerror(res)));
3251                         goto fail;
3252                 }
3253                 res = pthread_mutexattr_settype(&a, PTHREAD_MUTEX_ERRORCHECK);
3254                 if (res != 0) {
3255                         DEBUG(1, ("pthread_mutexattr_settype failed: %s\n",
3256                                   strerror(res)));
3257                         pthread_mutexattr_destroy(&a);
3258                         goto fail;
3259                 }
3260                 res = pthread_mutexattr_setpshared(&a, PTHREAD_PROCESS_SHARED);
3261                 if (res != 0) {
3262                         DEBUG(1, ("pthread_mutexattr_setpshared failed: %s\n",
3263                                   strerror(res)));
3264                         pthread_mutexattr_destroy(&a);
3265                         goto fail;
3266                 }
3267                 res = pthread_mutexattr_setrobust(&a, PTHREAD_MUTEX_ROBUST);
3268                 if (res != 0) {
3269                         DEBUG(1, ("pthread_mutexattr_setrobust failed: "
3270                                   "%s\n", strerror(res)));
3271                         pthread_mutexattr_destroy(&a);
3272                         goto fail;
3273                 }
3274                 res = pthread_mutex_init(xconn->smb1.echo_handler.socket_mutex,
3275                                          &a);
3276                 pthread_mutexattr_destroy(&a);
3277                 if (res != 0) {
3278                         DEBUG(1, ("pthread_mutex_init failed: %s\n",
3279                                   strerror(res)));
3280                         goto fail;
3281                 }
3282         }
3283 #endif
3284
3285         if (!use_mutex) {
3286                 xconn->smb1.echo_handler.socket_lock_fd =
3287                         create_unlink_tmp(lp_lock_directory());
3288                 if (xconn->smb1.echo_handler.socket_lock_fd == -1) {
3289                         DEBUG(1, ("Could not create lock fd: %s\n",
3290                                   strerror(errno)));
3291                         goto fail;
3292                 }
3293         }
3294
3295         child = fork();
3296         if (child == 0) {
3297                 NTSTATUS status;
3298
3299                 close(listener_pipe[0]);
3300                 set_blocking(listener_pipe[1], false);
3301
3302                 status = reinit_after_fork(sconn->msg_ctx,
3303                                            sconn->ev_ctx,
3304                                            true);
3305                 if (!NT_STATUS_IS_OK(status)) {
3306                         DEBUG(1, ("reinit_after_fork failed: %s\n",
3307                                   nt_errstr(status)));
3308                         exit(1);
3309                 }
3310                 smbd_echo_loop(sconn, listener_pipe[1]);
3311                 exit(0);
3312         }
3313         close(listener_pipe[1]);
3314         listener_pipe[1] = -1;
3315         xconn->smb1.echo_handler.trusted_fd = listener_pipe[0];
3316
3317         DEBUG(10,("fork_echo_handler: main[%d] echo_child[%d]\n", (int)getpid(), (int)child));
3318
3319         /*
3320          * Without smb signing this is the same as the normal smbd
3321          * listener. This needs to change once signing comes in.
3322          */
3323         xconn->smb1.echo_handler.trusted_fde = tevent_add_fd(xconn->ev_ctx,
3324                                         xconn,
3325                                         xconn->smb1.echo_handler.trusted_fd,
3326                                         TEVENT_FD_READ,
3327                                         smbd_server_echo_handler,
3328                                         xconn);
3329         if (xconn->smb1.echo_handler.trusted_fde == NULL) {
3330                 DEBUG(1, ("event_add_fd failed\n"));
3331                 goto fail;
3332         }
3333
3334         return true;
3335
3336 fail:
3337         if (listener_pipe[0] != -1) {
3338                 close(listener_pipe[0]);
3339         }
3340         if (listener_pipe[1] != -1) {
3341                 close(listener_pipe[1]);
3342         }
3343         if (xconn->smb1.echo_handler.socket_lock_fd != -1) {
3344                 close(xconn->smb1.echo_handler.socket_lock_fd);
3345         }
3346 #ifdef HAVE_ROBUST_MUTEXES
3347         if (xconn->smb1.echo_handler.socket_mutex != NULL) {
3348                 pthread_mutex_destroy(xconn->smb1.echo_handler.socket_mutex);
3349                 anonymous_shared_free(xconn->smb1.echo_handler.socket_mutex);
3350         }
3351 #endif
3352         smbd_echo_init(xconn);
3353
3354         return false;
3355 }
3356
3357 static bool uid_in_use(const struct user_struct *user, uid_t uid)
3358 {
3359         while (user) {
3360                 if (user->session_info &&
3361                     (user->session_info->unix_token->uid == uid)) {
3362                         return true;
3363                 }
3364                 user = user->next;
3365         }
3366         return false;
3367 }
3368
3369 static bool gid_in_use(const struct user_struct *user, gid_t gid)
3370 {
3371         while (user) {
3372                 if (user->session_info != NULL) {
3373                         int i;
3374                         struct security_unix_token *utok;
3375
3376                         utok = user->session_info->unix_token;
3377                         if (utok->gid == gid) {
3378                                 return true;
3379                         }
3380                         for(i=0; i<utok->ngroups; i++) {
3381                                 if (utok->groups[i] == gid) {
3382                                         return true;
3383                                 }
3384                         }
3385                 }
3386                 user = user->next;
3387         }
3388         return false;
3389 }
3390
3391 static bool sid_in_use(const struct user_struct *user,
3392                        const struct dom_sid *psid)
3393 {
3394         while (user) {
3395                 struct security_token *tok;
3396
3397                 if (user->session_info == NULL) {
3398                         continue;
3399                 }
3400                 tok = user->session_info->security_token;
3401                 if (tok == NULL) {
3402                         /*
3403                          * Not sure session_info->security_token can
3404                          * ever be NULL. This check might be not
3405                          * necessary.
3406                          */
3407                         continue;
3408                 }
3409                 if (security_token_has_sid(tok, psid)) {
3410                         return true;
3411                 }
3412                 user = user->next;
3413         }
3414         return false;
3415 }
3416
3417 static bool id_in_use(const struct user_struct *user,
3418                       const struct id_cache_ref *id)
3419 {
3420         switch(id->type) {
3421         case UID:
3422                 return uid_in_use(user, id->id.uid);
3423         case GID:
3424                 return gid_in_use(user, id->id.gid);
3425         case SID:
3426                 return sid_in_use(user, &id->id.sid);
3427         default:
3428                 break;
3429         }
3430         return false;
3431 }
3432
3433 static void smbd_id_cache_kill(struct messaging_context *msg_ctx,
3434                                void *private_data,
3435                                uint32_t msg_type,
3436                                struct server_id server_id,
3437                                DATA_BLOB* data)
3438 {
3439         const char *msg = (data && data->data)
3440                 ? (const char *)data->data : "<NULL>";
3441         struct id_cache_ref id;
3442         struct smbd_server_connection *sconn =
3443                 talloc_get_type_abort(private_data,
3444                 struct smbd_server_connection);
3445
3446         if (!id_cache_ref_parse(msg, &id)) {
3447                 DEBUG(0, ("Invalid ?ID: %s\n", msg));
3448                 return;
3449         }
3450
3451         if (id_in_use(sconn->users, &id)) {
3452                 exit_server_cleanly(msg);
3453         }
3454         id_cache_delete_from_cache(&id);
3455 }
3456
3457 NTSTATUS smbXsrv_connection_init_tables(struct smbXsrv_connection *conn,
3458                                         enum protocol_types protocol)
3459 {
3460         NTSTATUS status;
3461
3462         set_Protocol(protocol);
3463         conn->protocol = protocol;
3464
3465         if (protocol >= PROTOCOL_SMB2_02) {
3466                 status = smb2srv_session_table_init(conn);
3467                 if (!NT_STATUS_IS_OK(status)) {
3468                         return status;
3469                 }
3470
3471                 status = smb2srv_open_table_init(conn);
3472                 if (!NT_STATUS_IS_OK(status)) {
3473                         return status;
3474                 }
3475         } else {
3476                 status = smb1srv_session_table_init(conn);
3477                 if (!NT_STATUS_IS_OK(status)) {
3478                         return status;
3479                 }
3480
3481                 status = smb1srv_tcon_table_init(conn);
3482                 if (!NT_STATUS_IS_OK(status)) {
3483                         return status;
3484                 }
3485
3486                 status = smb1srv_open_table_init(conn);
3487                 if (!NT_STATUS_IS_OK(status)) {
3488                         return status;
3489                 }
3490         }
3491
3492         return NT_STATUS_OK;
3493 }
3494
3495 static void smbd_tevent_trace_callback(enum tevent_trace_point point,
3496                                        void *private_data)
3497 {
3498         struct smbXsrv_connection *conn =
3499                 talloc_get_type_abort(private_data,
3500                 struct smbXsrv_connection);
3501
3502         switch (point) {
3503         case TEVENT_TRACE_BEFORE_WAIT:
3504                 /*
3505                  * This just removes compiler warning
3506                  * without profile support
3507                  */
3508                 conn->smbd_idle_profstamp = 0;
3509                 START_PROFILE_STAMP(smbd_idle, conn->smbd_idle_profstamp);
3510                 break;
3511         case TEVENT_TRACE_AFTER_WAIT:
3512                 END_PROFILE_STAMP(smbd_idle, conn->smbd_idle_profstamp);
3513                 break;
3514 #ifdef TEVENT_HAS_LOOP_ONCE_TRACE_POINTS
3515         case TEVENT_TRACE_BEFORE_LOOP_ONCE:
3516         case TEVENT_TRACE_AFTER_LOOP_ONCE:
3517                 break;
3518 #endif
3519         }
3520 }
3521
3522 /**
3523  * Create a debug string for the connection
3524  *
3525  * This is allocated to talloc_tos() or a string constant
3526  * in certain corner cases. The returned string should
3527  * hence not be free'd directly but only via the talloc stack.
3528  */
3529 const char *smbXsrv_connection_dbg(const struct smbXsrv_connection *xconn)
3530 {
3531         const char *ret;
3532
3533         /*
3534          * TODO: this can be improved later
3535          * maybe including the client guid or more
3536          */
3537         ret = tsocket_address_string(xconn->remote_address, talloc_tos());
3538         if (ret == NULL) {
3539                 return "<tsocket_address_string() failed>";
3540         }
3541
3542         return ret;
3543 }
3544
3545 /****************************************************************************
3546  Process commands from the client
3547 ****************************************************************************/
3548
3549 void smbd_process(struct tevent_context *ev_ctx,
3550                   struct messaging_context *msg_ctx,
3551                   int sock_fd,
3552                   bool interactive)
3553 {
3554         TALLOC_CTX *frame = talloc_stackframe();
3555         struct smbXsrv_connection *xconn;
3556         struct smbd_server_connection *sconn;
3557         struct sockaddr_storage ss_srv;
3558         void *sp_srv = (void *)&ss_srv;
3559         struct sockaddr *sa_srv = (struct sockaddr *)sp_srv;
3560         struct sockaddr_storage ss_clnt;
3561         void *sp_clnt = (void *)&ss_clnt;
3562         struct sockaddr *sa_clnt = (struct sockaddr *)sp_clnt;
3563         socklen_t sa_socklen;
3564         struct tsocket_address *local_address = NULL;
3565         struct tsocket_address *remote_address = NULL;
3566         const char *locaddr = NULL;
3567         const char *remaddr = NULL;
3568         char *rhost;
3569         int ret;
3570         int tmp;
3571
3572         xconn = talloc_zero(ev_ctx, struct smbXsrv_connection);
3573         if (xconn == NULL) {
3574                 DEBUG(0,("talloc_zero(struct smbXsrv_connection)\n"));
3575                 exit_server_cleanly("talloc_zero(struct smbXsrv_connection).\n");
3576         }
3577
3578         xconn->ev_ctx = ev_ctx;
3579         xconn->msg_ctx = msg_ctx;
3580         xconn->transport.sock = sock_fd;
3581         smbd_echo_init(xconn);
3582
3583         sconn = talloc_zero(xconn, struct smbd_server_connection);
3584         if (!sconn) {
3585                 exit_server("failed to create smbd_server_connection");
3586         }
3587
3588         xconn->sconn = sconn;
3589         sconn->conn = xconn;
3590
3591         /*
3592          * TODO: remove this...:-)
3593          */
3594         global_smbXsrv_connection = xconn;
3595
3596         sconn->ev_ctx = ev_ctx;
3597         sconn->msg_ctx = msg_ctx;
3598
3599         if (!interactive) {
3600                 smbd_setup_sig_term_handler(sconn);
3601                 smbd_setup_sig_hup_handler(sconn);
3602
3603                 if (!serverid_register(messaging_server_id(msg_ctx),
3604                                        FLAG_MSG_GENERAL|FLAG_MSG_SMBD
3605                                        |FLAG_MSG_DBWRAP
3606                                        |FLAG_MSG_PRINT_GENERAL)) {
3607                         exit_server_cleanly("Could not register myself in "
3608                                             "serverid.tdb");
3609                 }
3610         }
3611
3612         if (lp_server_max_protocol() >= PROTOCOL_SMB2_02) {
3613                 /*
3614                  * We're not making the decision here,
3615                  * we're just allowing the client
3616                  * to decide between SMB1 and SMB2
3617                  * with the first negprot
3618                  * packet.
3619                  */
3620                 sconn->using_smb2 = true;
3621         }
3622
3623         /* Ensure child is set to blocking mode */
3624         set_blocking(sock_fd,True);
3625
3626         set_socket_options(sock_fd, "SO_KEEPALIVE");
3627         set_socket_options(sock_fd, lp_socket_options());
3628
3629         sa_socklen = sizeof(ss_clnt);
3630         ret = getpeername(sock_fd, sa_clnt, &sa_socklen);
3631         if (ret != 0) {
3632                 int level = (errno == ENOTCONN)?2:0;
3633                 DEBUG(level,("getpeername() failed - %s\n", strerror(errno)));
3634                 exit_server_cleanly("getpeername() failed.\n");
3635         }
3636         ret = tsocket_address_bsd_from_sockaddr(sconn,
3637                                                 sa_clnt, sa_socklen,
3638                                                 &remote_address);
3639         if (ret != 0) {
3640                 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
3641                         __location__, strerror(errno)));
3642                 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
3643         }
3644
3645         sa_socklen = sizeof(ss_srv);
3646         ret = getsockname(sock_fd, sa_srv, &sa_socklen);
3647         if (ret != 0) {
3648                 int level = (errno == ENOTCONN)?2:0;
3649                 DEBUG(level,("getsockname() failed - %s\n", strerror(errno)));
3650                 exit_server_cleanly("getsockname() failed.\n");
3651         }
3652         ret = tsocket_address_bsd_from_sockaddr(sconn,
3653                                                 sa_srv, sa_socklen,
3654                                                 &local_address);
3655         if (ret != 0) {
3656