Removed version number from file header.
[kai/samba.git] / source3 / rpc_server / srv_pipe.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell              1992-1998
5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6  *  Copyright (C) Paul Ashton                  1997-1998.
7  *  Copyright (C) Jeremy Allison                    1999.
8  *  
9  *  This program is free software; you can redistribute it and/or modify
10  *  it under the terms of the GNU General Public License as published by
11  *  the Free Software Foundation; either version 2 of the License, or
12  *  (at your option) any later version.
13  *  
14  *  This program is distributed in the hope that it will be useful,
15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  *  GNU General Public License for more details.
18  *  
19  *  You should have received a copy of the GNU General Public License
20  *  along with this program; if not, write to the Free Software
21  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22  */
23
24 /*  this module apparently provides an implementation of DCE/RPC over a
25  *  named pipe (IPC$ connection using SMBtrans).  details of DCE/RPC
26  *  documentation are available (in on-line form) from the X-Open group.
27  *
28  *  this module should provide a level of abstraction between SMB
29  *  and DCE/RPC, while minimising the amount of mallocs, unnecessary
30  *  data copies, and network traffic.
31  *
32  *  in this version, which takes a "let's learn what's going on and
33  *  get something running" approach, there is additional network
34  *  traffic generated, but the code should be easier to understand...
35  *
36  *  ... if you read the docs.  or stare at packets for weeks on end.
37  *
38  */
39
40 #include "includes.h"
41
42 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
43 {
44     unsigned char *hash = p->ntlmssp_hash;
45     unsigned char index_i = hash[256];
46     unsigned char index_j = hash[257];
47     int ind;
48
49     for( ind = 0; ind < len; ind++) {
50         unsigned char tc;
51         unsigned char t;
52
53         index_i++;
54         index_j += hash[index_i];
55
56         tc = hash[index_i];
57         hash[index_i] = hash[index_j];
58         hash[index_j] = tc;
59
60         t = hash[index_i] + hash[index_j];
61         data[ind] = data[ind] ^ hash[t];
62     }
63
64     hash[256] = index_i;
65     hash[257] = index_j;
66 }
67
68 /*******************************************************************
69  Generate the next PDU to be returned from the data in p->rdata. 
70  We cheat here as this function doesn't handle the special auth
71  footers of the authenticated bind response reply.
72  ********************************************************************/
73
74 BOOL create_next_pdu(pipes_struct *p)
75 {
76         RPC_HDR_RESP hdr_resp;
77         BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
78         BOOL auth_seal   = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
79         uint32 data_len;
80         uint32 data_space_available;
81         uint32 data_len_left;
82         prs_struct outgoing_pdu;
83         char *data;
84         char *data_from;
85         uint32 data_pos;
86
87         /*
88          * If we're in the fault state, keep returning fault PDU's until
89          * the pipe gets closed. JRA.
90          */
91
92         if(p->fault_state) {
93                 setup_fault_pdu(p, NT_STATUS(0x1c010002));
94                 return True;
95         }
96
97         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
98
99         /* Change the incoming request header to a response. */
100         p->hdr.pkt_type = RPC_RESPONSE;
101
102         /* Set up rpc header flags. */
103         if (p->out_data.data_sent_length == 0)
104                 p->hdr.flags = RPC_FLG_FIRST;
105         else
106                 p->hdr.flags = 0;
107
108         /*
109          * Work out how much we can fit in a single PDU.
110          */
111
112         data_space_available = sizeof(p->out_data.current_pdu) - RPC_HEADER_LEN - RPC_HDR_RESP_LEN;
113         if(p->ntlmssp_auth_validated)
114                 data_space_available -= (RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN);
115
116         /*
117          * The amount we send is the minimum of the available
118          * space and the amount left to send.
119          */
120
121         data_len_left = prs_offset(&p->out_data.rdata) - p->out_data.data_sent_length;
122
123         /*
124          * Ensure there really is data left to send.
125          */
126
127         if(!data_len_left) {
128                 DEBUG(0,("create_next_pdu: no data left to send !\n"));
129                 return False;
130         }
131
132         data_len = MIN(data_len_left, data_space_available);
133
134         /*
135          * Set up the alloc hint. This should be the data left to
136          * send.
137          */
138
139         hdr_resp.alloc_hint = data_len_left;
140
141         /*
142          * Set up the header lengths.
143          */
144
145         if (p->ntlmssp_auth_validated) {
146                 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len +
147                                         RPC_HDR_AUTH_LEN + RPC_AUTH_NTLMSSP_CHK_LEN;
148                 p->hdr.auth_len = RPC_AUTH_NTLMSSP_CHK_LEN;
149         } else {
150                 p->hdr.frag_len = RPC_HEADER_LEN + RPC_HDR_RESP_LEN + data_len;
151                 p->hdr.auth_len = 0;
152         }
153
154         /*
155          * Work out if this PDU will be the last.
156          */
157
158         if(p->out_data.data_sent_length + data_len >= prs_offset(&p->out_data.rdata))
159                 p->hdr.flags |= RPC_FLG_LAST;
160
161         /*
162          * Init the parse struct to point at the outgoing
163          * data.
164          */
165
166         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
167         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
168
169         /* Store the header in the data stream. */
170         if(!smb_io_rpc_hdr("hdr", &p->hdr, &outgoing_pdu, 0)) {
171                 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR.\n"));
172                 prs_mem_free(&outgoing_pdu);
173                 return False;
174         }
175
176         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
177                 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_RESP.\n"));
178                 prs_mem_free(&outgoing_pdu);
179                 return False;
180         }
181
182         /* Store the current offset. */
183         data_pos = prs_offset(&outgoing_pdu);
184
185         /* Copy the data into the PDU. */
186         data_from = prs_data_p(&p->out_data.rdata) + p->out_data.data_sent_length;
187
188         if(!prs_append_data(&outgoing_pdu, data_from, data_len)) {
189                 DEBUG(0,("create_next_pdu: failed to copy %u bytes of data.\n", (unsigned int)data_len));
190                 prs_mem_free(&outgoing_pdu);
191                 return False;
192         }
193
194         /*
195          * Set data to point to where we copied the data into.
196          */
197
198         data = prs_data_p(&outgoing_pdu) + data_pos;
199
200         if (p->hdr.auth_len > 0) {
201                 uint32 crc32 = 0;
202
203                 DEBUG(5,("create_next_pdu: sign: %s seal: %s data %d auth %d\n",
204                          BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, p->hdr.auth_len));
205
206                 if (auth_seal) {
207                         crc32 = crc32_calc_buffer(data, data_len);
208                         NTLMSSPcalc_p(p, (uchar*)data, data_len);
209                 }
210
211                 if (auth_seal || auth_verify) {
212                         RPC_HDR_AUTH auth_info;
213
214                         init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, 
215                                         (auth_verify ? RPC_HDR_AUTH_LEN : 0), (auth_verify ? 1 : 0));
216                         if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, &outgoing_pdu, 0)) {
217                                 DEBUG(0,("create_next_pdu: failed to marshall RPC_HDR_AUTH.\n"));
218                                 prs_mem_free(&outgoing_pdu);
219                                 return False;
220                         }
221                 }
222
223                 if (auth_verify) {
224                         RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
225                         char *auth_data = prs_data_p(&outgoing_pdu);
226
227                         p->ntlmssp_seq_num++;
228                         init_rpc_auth_ntlmssp_chk(&ntlmssp_chk, NTLMSSP_SIGN_VERSION,
229                                         crc32, p->ntlmssp_seq_num++);
230                         auth_data = prs_data_p(&outgoing_pdu) + prs_offset(&outgoing_pdu) + 4;
231                         if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, &outgoing_pdu, 0)) {
232                                 DEBUG(0,("create_next_pdu: failed to marshall RPC_AUTH_NTLMSSP_CHK.\n"));
233                                 prs_mem_free(&outgoing_pdu);
234                                 return False;
235                         }
236                         NTLMSSPcalc_p(p, (uchar*)auth_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
237                 }
238         }
239
240         /*
241          * Setup the counts for this PDU.
242          */
243
244         p->out_data.data_sent_length += data_len;
245         p->out_data.current_pdu_len = p->hdr.frag_len;
246         p->out_data.current_pdu_sent = 0;
247
248         prs_mem_free(&outgoing_pdu);
249         return True;
250 }
251
252 /*******************************************************************
253  Process an NTLMSSP authentication response.
254  If this function succeeds, the user has been authenticated
255  and their domain, name and calling workstation stored in
256  the pipe struct.
257  The initial challenge is stored in p->challenge.
258  *******************************************************************/
259
260 static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp)
261 {
262         uchar lm_owf[24];
263         uchar nt_owf[128];
264         int nt_pw_len;
265         int lm_pw_len;
266         fstring user_name;
267         fstring domain;
268         fstring wks;
269
270         NTSTATUS nt_status;
271
272         struct auth_context *auth_context = NULL;
273         auth_usersupplied_info *user_info = NULL;
274         auth_serversupplied_info *server_info = NULL;
275
276         uid_t uid;
277         uid_t gid;
278
279         DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n"));
280
281         memset(p->user_name, '\0', sizeof(p->user_name));
282         memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name));
283         memset(p->domain, '\0', sizeof(p->domain));
284         memset(p->wks, '\0', sizeof(p->wks));
285
286         /* Set up for non-authenticated user. */
287         delete_nt_token(&p->pipe_user.nt_user_token);
288         p->pipe_user.ngroups = 0;
289         SAFE_FREE( p->pipe_user.groups);
290
291         /* 
292          * Setup an empty password for a guest user.
293          */
294
295         /*
296          * We always negotiate UNICODE.
297          */
298
299         if (p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_UNICODE) {
300                 rpcstr_pull(user_name, ntlmssp_resp->user, sizeof(fstring), ntlmssp_resp->hdr_usr.str_str_len*2, 0 );
301                 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
302                 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
303         } else {
304                 pull_ascii_fstring(user_name, ntlmssp_resp->user);
305                 pull_ascii_fstring(domain, ntlmssp_resp->domain);
306                 pull_ascii_fstring(wks, ntlmssp_resp->wks);
307         }
308
309         DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks));
310
311         nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len);
312         lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len);
313
314         memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf));
315         memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len);
316
317 #ifdef DEBUG_PASSWORD
318         DEBUG(100,("lm, nt owfs, chal\n"));
319         dump_data(100, (char *)lm_owf, sizeof(lm_owf));
320         dump_data(100, (char *)nt_owf, nt_pw_len);
321         dump_data(100, (char *)p->challenge, 8);
322 #endif
323
324         /*
325          * Allow guest access. Patch from Shirish Kalele <kalele@veritas.com>.
326          */
327
328         if (*user_name) {
329
330                 /* 
331                  * Do the length checking only if user is not NULL.
332                  */
333
334                 if (ntlmssp_resp->hdr_lm_resp.str_str_len == 0)
335                         return False;
336                 if (ntlmssp_resp->hdr_nt_resp.str_str_len == 0)
337                         return False;
338                 if (ntlmssp_resp->hdr_usr.str_str_len == 0)
339                         return False;
340                 if (ntlmssp_resp->hdr_domain.str_str_len == 0)
341                         return False;
342                 if (ntlmssp_resp->hdr_wks.str_str_len == 0)
343                         return False;
344
345         }
346         
347         make_auth_context_fixed(&auth_context, (uchar*)p->challenge);
348
349         if (!make_user_info_netlogon_network(&user_info, 
350                                              user_name, domain, wks,
351                                              lm_owf, lm_pw_len, 
352                                              nt_owf, nt_pw_len)) {
353                 DEBUG(0,("make_user_info_netlogon_network failed!  Failing authenticaion.\n"));
354                 return False;
355         }
356         
357         nt_status = auth_context->check_ntlm_password(auth_context, user_info, &server_info); 
358         
359         (auth_context->free)(&auth_context);
360         free_user_info(&user_info);
361         
362         p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
363         
364         if (!p->ntlmssp_auth_validated) {
365                 DEBUG(1,("api_pipe_ntlmssp_verify: User [%s]\\[%s] from machine %s \
366 failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
367                 free_server_info(&server_info);
368                 return False;
369         }
370
371         /*
372          * Set up the sign/seal data.
373          */
374
375         {
376                 uchar p24[24];
377                 NTLMSSPOWFencrypt(server_info->first_8_lm_hash, lm_owf, p24);
378                 {
379                         unsigned char j = 0;
380                         int ind;
381
382                         unsigned char k2[8];
383
384                         memcpy(k2, p24, 5);
385                         k2[5] = 0xe5;
386                         k2[6] = 0x38;
387                         k2[7] = 0xb0;
388
389                         for (ind = 0; ind < 256; ind++)
390                                 p->ntlmssp_hash[ind] = (unsigned char)ind;
391
392                         for( ind = 0; ind < 256; ind++) {
393                                 unsigned char tc;
394
395                                 j += (p->ntlmssp_hash[ind] + k2[ind%8]);
396
397                                 tc = p->ntlmssp_hash[ind];
398                                 p->ntlmssp_hash[ind] = p->ntlmssp_hash[j];
399                                 p->ntlmssp_hash[j] = tc;
400                         }
401
402                         p->ntlmssp_hash[256] = 0;
403                         p->ntlmssp_hash[257] = 0;
404                 }
405 /*              NTLMSSPhash(p->ntlmssp_hash, p24); */
406                 p->ntlmssp_seq_num = 0;
407
408         }
409
410         fstrcpy(p->user_name, user_name);
411         fstrcpy(p->pipe_user_name, pdb_get_username(server_info->sam_account));
412         fstrcpy(p->domain, domain);
413         fstrcpy(p->wks, wks);
414
415         /*
416          * Store the UNIX credential data (uid/gid pair) in the pipe structure.
417          */
418
419         if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
420                 DEBUG(0,("Attempted authenticated pipe with invalid user.  No uid/gid in SAM_ACCOUNT\n"));
421                 free_server_info(&server_info);
422                 return False;
423         }
424         
425         memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
426
427         uid = pdb_get_uid(server_info->sam_account);
428         gid = pdb_get_gid(server_info->sam_account);
429
430         p->pipe_user.uid = uid;
431         p->pipe_user.gid = gid;
432
433         /* Set up pipe user group membership. */
434         initialise_groups(p->pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
435         get_current_groups( &p->pipe_user.ngroups, &p->pipe_user.groups);
436
437         if (server_info->ptok)
438                 add_supplementary_nt_login_groups(&p->pipe_user.ngroups, &p->pipe_user.groups, &server_info->ptok);
439
440         /* Create an NT_USER_TOKEN struct for this user. */
441         p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
442                                                      p->pipe_user.ngroups, p->pipe_user.groups,
443                                                      server_info->guest, server_info->ptok);
444
445         p->ntlmssp_auth_validated = True;
446
447         pdb_free_sam(&server_info->sam_account);
448         return True;
449 }
450
451 /*******************************************************************
452  The switch table for the pipe names and the functions to handle them.
453  *******************************************************************/
454
455 struct api_cmd
456 {
457   char * pipe_clnt_name;
458   char * pipe_srv_name;
459   BOOL (*fn) (pipes_struct *);
460 };
461
462 static struct api_cmd api_fd_commands[] =
463 {
464     { "lsarpc",   "lsass",   api_ntlsa_rpc },
465     { "samr",     "lsass",   api_samr_rpc },
466     { "srvsvc",   "ntsvcs",  api_srvsvc_rpc },
467     { "wkssvc",   "ntsvcs",  api_wkssvc_rpc },
468     { "NETLOGON", "lsass",   api_netlog_rpc },
469     { "winreg",   "winreg",  api_reg_rpc },
470     { "spoolss",  "spoolss", api_spoolss_rpc },
471     { "netdfs",   "netdfs" , api_netdfs_rpc },
472     { NULL,       NULL,      NULL }
473 };
474
475 /*******************************************************************
476  This is the client reply to our challenge for an authenticated 
477  bind request. The challenge we sent is in p->challenge.
478 *******************************************************************/
479
480 BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *rpc_in_p)
481 {
482         RPC_HDR_AUTHA autha_info;
483         RPC_AUTH_VERIFIER auth_verifier;
484         RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
485
486         DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
487
488         if (p->hdr.auth_len == 0) {
489                 DEBUG(0,("api_pipe_bind_auth_resp: No auth field sent !\n"));
490                 return False;
491         }
492
493         /*
494          * Decode the authentication verifier response.
495          */
496
497         if(!smb_io_rpc_hdr_autha("", &autha_info, rpc_in_p, 0)) {
498                 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_HDR_AUTHA failed.\n"));
499                 return False;
500         }
501
502         if (autha_info.auth_type != NTLMSSP_AUTH_TYPE || autha_info.auth_level != NTLMSSP_AUTH_LEVEL) {
503                 DEBUG(0,("api_pipe_bind_auth_resp: incorrect auth type (%d) or level (%d).\n",
504                         (int)autha_info.auth_type, (int)autha_info.auth_level ));
505                 return False;
506         }
507
508         if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
509                 DEBUG(0,("api_pipe_bind_auth_resp: unmarshall of RPC_AUTH_VERIFIER failed.\n"));
510                 return False;
511         }
512
513         /*
514          * Ensure this is a NTLMSSP_AUTH packet type.
515          */
516
517         if (!rpc_auth_verifier_chk(&auth_verifier, "NTLMSSP", NTLMSSP_AUTH)) {
518                 DEBUG(0,("api_pipe_bind_auth_resp: rpc_auth_verifier_chk failed.\n"));
519                 return False;
520         }
521
522         if(!smb_io_rpc_auth_ntlmssp_resp("", &ntlmssp_resp, rpc_in_p, 0)) {
523                 DEBUG(0,("api_pipe_bind_auth_resp: Failed to unmarshall RPC_AUTH_NTLMSSP_RESP.\n"));
524                 return False;
525         }
526
527         /*
528          * The following call actually checks the challenge/response data.
529          * for correctness against the given DOMAIN\user name.
530          */
531         
532         if (!api_pipe_ntlmssp_verify(p, &ntlmssp_resp))
533                 return False;
534
535         p->pipe_bound = True
536 ;
537         return True;
538 }
539
540 /*******************************************************************
541  Marshall a bind_nak pdu.
542 *******************************************************************/
543
544 static BOOL setup_bind_nak(pipes_struct *p)
545 {
546         prs_struct outgoing_rpc;
547         RPC_HDR nak_hdr;
548         uint16 zero = 0;
549
550         /* Free any memory in the current return data buffer. */
551         prs_mem_free(&p->out_data.rdata);
552
553         /*
554          * Marshall directly into the outgoing PDU space. We
555          * must do this as we need to set to the bind response
556          * header and are never sending more than one PDU here.
557          */
558
559         prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
560         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
561
562
563         /*
564          * Initialize a bind_nak header.
565          */
566
567         init_rpc_hdr(&nak_hdr, RPC_BINDNACK, RPC_FLG_FIRST | RPC_FLG_LAST,
568             p->hdr.call_id, RPC_HEADER_LEN + sizeof(uint16), 0);
569
570         /*
571          * Marshall the header into the outgoing PDU.
572          */
573
574         if(!smb_io_rpc_hdr("", &nak_hdr, &outgoing_rpc, 0)) {
575                 DEBUG(0,("setup_bind_nak: marshalling of RPC_HDR failed.\n"));
576                 prs_mem_free(&outgoing_rpc);
577                 return False;
578         }
579
580         /*
581          * Now add the reject reason.
582          */
583
584         if(!prs_uint16("reject code", &outgoing_rpc, 0, &zero)) {
585                 prs_mem_free(&outgoing_rpc);
586         return False;
587         }
588
589         p->out_data.data_sent_length = 0;
590         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
591         p->out_data.current_pdu_sent = 0;
592
593         p->pipe_bound = False;
594
595         return True;
596 }
597
598 /*******************************************************************
599  Marshall a fault pdu.
600 *******************************************************************/
601
602 BOOL setup_fault_pdu(pipes_struct *p, NTSTATUS status)
603 {
604         prs_struct outgoing_pdu;
605         RPC_HDR fault_hdr;
606         RPC_HDR_RESP hdr_resp;
607         RPC_HDR_FAULT fault_resp;
608
609         /* Free any memory in the current return data buffer. */
610         prs_mem_free(&p->out_data.rdata);
611
612         /*
613          * Marshall directly into the outgoing PDU space. We
614          * must do this as we need to set to the bind response
615          * header and are never sending more than one PDU here.
616          */
617
618         prs_init( &outgoing_pdu, 0, p->mem_ctx, MARSHALL);
619         prs_give_memory( &outgoing_pdu, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
620
621         /*
622          * Initialize a fault header.
623          */
624
625         init_rpc_hdr(&fault_hdr, RPC_FAULT, RPC_FLG_FIRST | RPC_FLG_LAST | RPC_FLG_NOCALL,
626             p->hdr.call_id, RPC_HEADER_LEN + RPC_HDR_RESP_LEN + RPC_HDR_FAULT_LEN, 0);
627
628         /*
629          * Initialize the HDR_RESP and FAULT parts of the PDU.
630          */
631
632         memset((char *)&hdr_resp, '\0', sizeof(hdr_resp));
633
634         fault_resp.status = status;
635         fault_resp.reserved = 0;
636
637         /*
638          * Marshall the header into the outgoing PDU.
639          */
640
641         if(!smb_io_rpc_hdr("", &fault_hdr, &outgoing_pdu, 0)) {
642                 DEBUG(0,("setup_fault_pdu: marshalling of RPC_HDR failed.\n"));
643                 prs_mem_free(&outgoing_pdu);
644                 return False;
645         }
646
647         if(!smb_io_rpc_hdr_resp("resp", &hdr_resp, &outgoing_pdu, 0)) {
648                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_RESP.\n"));
649                 prs_mem_free(&outgoing_pdu);
650                 return False;
651         }
652
653         if(!smb_io_rpc_hdr_fault("fault", &fault_resp, &outgoing_pdu, 0)) {
654                 DEBUG(0,("setup_fault_pdu: failed to marshall RPC_HDR_FAULT.\n"));
655                 prs_mem_free(&outgoing_pdu);
656                 return False;
657         }
658
659         p->out_data.data_sent_length = 0;
660         p->out_data.current_pdu_len = prs_offset(&outgoing_pdu);
661         p->out_data.current_pdu_sent = 0;
662
663         prs_mem_free(&outgoing_pdu);
664         return True;
665 }
666
667 /*******************************************************************
668  Ensure a bind request has the correct abstract & transfer interface.
669  Used to reject unknown binds from Win2k.
670 *******************************************************************/
671
672 BOOL check_bind_req(char* pipe_name, RPC_IFACE* abstract,
673                                         RPC_IFACE* transfer)
674 {
675         extern struct pipe_id_info pipe_names[];
676         int i=0;
677         fstring pname;
678         fstrcpy(pname,"\\PIPE\\");
679         fstrcat(pname,pipe_name);
680
681         for(i=0;pipe_names[i].client_pipe; i++) {
682                 if(strequal(pipe_names[i].client_pipe, pname))
683                         break;
684         }
685
686         if(pipe_names[i].client_pipe == NULL)
687                 return False;
688
689         /* check the abstract interface */
690         if((abstract->version != pipe_names[i].abstr_syntax.version) ||
691                 (memcmp(&abstract->uuid, &pipe_names[i].abstr_syntax.uuid,
692                         sizeof(RPC_UUID)) != 0))
693                 return False;
694
695         /* check the transfer interface */
696         if((transfer->version != pipe_names[i].trans_syntax.version) ||
697                 (memcmp(&transfer->uuid, &pipe_names[i].trans_syntax.uuid,
698                         sizeof(RPC_UUID)) != 0))
699                 return False;
700
701         return True;
702 }
703
704 /*******************************************************************
705  Respond to a pipe bind request.
706 *******************************************************************/
707
708 BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
709 {
710         RPC_HDR_BA hdr_ba;
711         RPC_HDR_RB hdr_rb;
712         RPC_HDR_AUTH auth_info;
713         uint16 assoc_gid;
714         fstring ack_pipe_name;
715         prs_struct out_hdr_ba;
716         prs_struct out_auth;
717         prs_struct outgoing_rpc;
718         int i = 0;
719         int auth_len = 0;
720         enum RPC_PKT_TYPE reply_pkt_type;
721
722         p->ntlmssp_auth_requested = False;
723
724         DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
725
726         /*
727          * Try and find the correct pipe name to ensure
728          * that this is a pipe name we support.
729          */
730
731         for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
732                 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
733                     api_fd_commands[i].fn != NULL) {
734                         DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
735                                    api_fd_commands[i].pipe_clnt_name,
736                                    api_fd_commands[i].pipe_srv_name));
737                         fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
738                         break;
739                 }
740         }
741
742         if (api_fd_commands[i].fn == NULL) {
743                 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
744                         p->name ));
745                 if(!setup_bind_nak(p))
746                         return False;
747                 return True;
748         }
749
750         /* decode the bind request */
751         if(!smb_io_rpc_hdr_rb("", &hdr_rb, rpc_in_p, 0))  {
752                 DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_RB struct.\n"));
753                 return False;
754         }
755
756         /*
757          * Check if this is an authenticated request.
758          */
759
760         if (p->hdr.auth_len != 0) {
761                 RPC_AUTH_VERIFIER auth_verifier;
762                 RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
763
764                 /* 
765                  * Decode the authentication verifier.
766                  */
767
768                 if(!smb_io_rpc_hdr_auth("", &auth_info, rpc_in_p, 0)) {
769                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
770                         return False;
771                 }
772
773                 /*
774                  * We only support NTLMSSP_AUTH_TYPE requests.
775                  */
776
777                 if(auth_info.auth_type != NTLMSSP_AUTH_TYPE) {
778                         DEBUG(0,("api_pipe_bind_req: unknown auth type %x requested.\n",
779                                 auth_info.auth_type ));
780                         return False;
781                 }
782
783                 if(!smb_io_rpc_auth_verifier("", &auth_verifier, rpc_in_p, 0)) {
784                         DEBUG(0,("api_pipe_bind_req: unable to unmarshall RPC_HDR_AUTH struct.\n"));
785                         return False;
786                 }
787
788                 if(!strequal(auth_verifier.signature, "NTLMSSP")) {
789                         DEBUG(0,("api_pipe_bind_req: auth_verifier.signature != NTLMSSP\n"));
790                         return False;
791                 }
792
793                 if(auth_verifier.msg_type != NTLMSSP_NEGOTIATE) {
794                         DEBUG(0,("api_pipe_bind_req: auth_verifier.msg_type (%d) != NTLMSSP_NEGOTIATE\n",
795                                 auth_verifier.msg_type));
796                         return False;
797                 }
798
799                 if(!smb_io_rpc_auth_ntlmssp_neg("", &ntlmssp_neg, rpc_in_p, 0)) {
800                         DEBUG(0,("api_pipe_bind_req: Failed to unmarshall RPC_AUTH_NTLMSSP_NEG.\n"));
801                         return False;
802                 }
803
804                 p->ntlmssp_chal_flags = SMBD_NTLMSSP_NEG_FLAGS;
805                 p->ntlmssp_auth_requested = True;
806         }
807
808         switch(p->hdr.pkt_type) {
809                 case RPC_BIND:
810                         /* name has to be \PIPE\xxxxx */
811                         fstrcpy(ack_pipe_name, "\\PIPE\\");
812                         fstrcat(ack_pipe_name, p->pipe_srv_name);
813                         reply_pkt_type = RPC_BINDACK;
814                         break;
815                 case RPC_ALTCONT:
816                         /* secondary address CAN be NULL
817                          * as the specs say it's ignored.
818                          * It MUST NULL to have the spoolss working.
819                          */
820                         fstrcpy(ack_pipe_name,"");
821                         reply_pkt_type = RPC_ALTCONTRESP;
822                         break;
823                 default:
824                         return False;
825         }
826
827         DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
828
829         /* 
830          * Marshall directly into the outgoing PDU space. We
831          * must do this as we need to set to the bind response
832          * header and are never sending more than one PDU here.
833          */
834
835         prs_init( &outgoing_rpc, 0, p->mem_ctx, MARSHALL);
836         prs_give_memory( &outgoing_rpc, (char *)p->out_data.current_pdu, sizeof(p->out_data.current_pdu), False);
837
838         /*
839          * Setup the memory to marshall the ba header, and the
840          * auth footers.
841          */
842
843         if(!prs_init(&out_hdr_ba, 1024, p->mem_ctx, MARSHALL)) {
844                 DEBUG(0,("api_pipe_bind_req: malloc out_hdr_ba failed.\n"));
845                 prs_mem_free(&outgoing_rpc);
846                 return False;
847         }
848
849         if(!prs_init(&out_auth, 1024, p->mem_ctx, MARSHALL)) {
850                 DEBUG(0,("pi_pipe_bind_req: malloc out_auth failed.\n"));
851                 prs_mem_free(&outgoing_rpc);
852                 prs_mem_free(&out_hdr_ba);
853                 return False;
854         }
855
856         if (p->ntlmssp_auth_requested)
857                 assoc_gid = 0x7a77;
858         else
859                 assoc_gid = hdr_rb.bba.assoc_gid ? hdr_rb.bba.assoc_gid : 0x53f0;
860
861         /*
862          * Create the bind response struct.
863          */
864
865         /* If the requested abstract synt uuid doesn't match our client pipe,
866                 reject the bind_ack & set the transfer interface synt to all 0's,
867                 ver 0 (observed when NT5 attempts to bind to abstract interfaces
868                 unknown to NT4)
869                 Needed when adding entries to a DACL from NT5 - SK */
870
871         if(check_bind_req(p->name, &hdr_rb.abstract, &hdr_rb.transfer)) {
872                 init_rpc_hdr_ba(&hdr_ba,
873                         MAX_PDU_FRAG_LEN,
874                         MAX_PDU_FRAG_LEN,
875                         assoc_gid,
876                         ack_pipe_name,
877                         0x1, 0x0, 0x0,
878                         &hdr_rb.transfer);
879         } else {
880                 RPC_IFACE null_interface;
881                 ZERO_STRUCT(null_interface);
882                 /* Rejection reason: abstract syntax not supported */
883                 init_rpc_hdr_ba(&hdr_ba, MAX_PDU_FRAG_LEN,
884                                         MAX_PDU_FRAG_LEN, assoc_gid,
885                                         ack_pipe_name, 0x1, 0x2, 0x1,
886                                         &null_interface);
887         }
888
889         /*
890          * and marshall it.
891          */
892
893         if(!smb_io_rpc_hdr_ba("", &hdr_ba, &out_hdr_ba, 0)) {
894                 DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_BA failed.\n"));
895                 goto err_exit;
896         }
897
898         /*
899          * Now the authentication.
900          */
901
902         if (p->ntlmssp_auth_requested) {
903                 RPC_AUTH_VERIFIER auth_verifier;
904                 RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
905
906                 generate_random_buffer(p->challenge, 8, False);
907
908                 /*** Authentication info ***/
909
910                 init_rpc_hdr_auth(&auth_info, NTLMSSP_AUTH_TYPE, NTLMSSP_AUTH_LEVEL, RPC_HDR_AUTH_LEN, 1);
911                 if(!smb_io_rpc_hdr_auth("", &auth_info, &out_auth, 0)) {
912                         DEBUG(0,("api_pipe_bind_req: marshalling of RPC_HDR_AUTH failed.\n"));
913                         goto err_exit;
914                 }
915
916                 /*** NTLMSSP verifier ***/
917
918                 init_rpc_auth_verifier(&auth_verifier, "NTLMSSP", NTLMSSP_CHALLENGE);
919                 if(!smb_io_rpc_auth_verifier("", &auth_verifier, &out_auth, 0)) {
920                         DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_VERIFIER failed.\n"));
921                         goto err_exit;
922                 }
923
924                 /* NTLMSSP challenge ***/
925
926                 init_rpc_auth_ntlmssp_chal(&ntlmssp_chal, p->ntlmssp_chal_flags, p->challenge);
927                 if(!smb_io_rpc_auth_ntlmssp_chal("", &ntlmssp_chal, &out_auth, 0)) {
928                         DEBUG(0,("api_pipe_bind_req: marshalling of RPC_AUTH_NTLMSSP_CHAL failed.\n"));
929                         goto err_exit;
930                 }
931
932                 /* Auth len in the rpc header doesn't include auth_header. */
933                 auth_len = prs_offset(&out_auth) - RPC_HDR_AUTH_LEN;
934         }
935
936         /*
937          * Create the header, now we know the length.
938          */
939
940         init_rpc_hdr(&p->hdr, reply_pkt_type, RPC_FLG_FIRST | RPC_FLG_LAST,
941                         p->hdr.call_id,
942                         RPC_HEADER_LEN + prs_offset(&out_hdr_ba) + prs_offset(&out_auth),
943                         auth_len);
944
945         /*
946          * Marshall the header into the outgoing PDU.
947          */
948
949         if(!smb_io_rpc_hdr("", &p->hdr, &outgoing_rpc, 0)) {
950                 DEBUG(0,("pi_pipe_bind_req: marshalling of RPC_HDR failed.\n"));
951                 goto err_exit;
952         }
953
954         /*
955          * Now add the RPC_HDR_BA and any auth needed.
956          */
957
958         if(!prs_append_prs_data( &outgoing_rpc, &out_hdr_ba)) {
959                 DEBUG(0,("api_pipe_bind_req: append of RPC_HDR_BA failed.\n"));
960                 goto err_exit;
961         }
962
963         if(p->ntlmssp_auth_requested && !prs_append_prs_data( &outgoing_rpc, &out_auth)) {
964                 DEBUG(0,("api_pipe_bind_req: append of auth info failed.\n"));
965                 goto err_exit;
966         }
967
968         if(!p->ntlmssp_auth_requested)
969                 p->pipe_bound = True;
970
971         /*
972          * Setup the lengths for the initial reply.
973          */
974
975         p->out_data.data_sent_length = 0;
976         p->out_data.current_pdu_len = prs_offset(&outgoing_rpc);
977         p->out_data.current_pdu_sent = 0;
978
979         prs_mem_free(&out_hdr_ba);
980         prs_mem_free(&out_auth);
981
982         return True;
983
984   err_exit:
985
986         prs_mem_free(&outgoing_rpc);
987         prs_mem_free(&out_hdr_ba);
988         prs_mem_free(&out_auth);
989         return False;
990 }
991
992 /****************************************************************************
993  Deal with sign & seal processing on an RPC request.
994 ****************************************************************************/
995
996 BOOL api_pipe_auth_process(pipes_struct *p, prs_struct *rpc_in)
997 {
998         /*
999          * We always negotiate the following two bits....
1000          */
1001         BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
1002         BOOL auth_seal   = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SEAL) != 0);
1003         int data_len;
1004         int auth_len;
1005         uint32 old_offset;
1006         uint32 crc32 = 0;
1007
1008         auth_len = p->hdr.auth_len;
1009
1010         if ((auth_len != RPC_AUTH_NTLMSSP_CHK_LEN) && auth_verify) {
1011                 DEBUG(0,("api_pipe_auth_process: Incorrect auth_len %d.\n", auth_len ));
1012                 return False;
1013         }
1014
1015         /*
1016          * The following is that length of the data we must verify or unseal.
1017          * This doesn't include the RPC headers or the auth_len or the RPC_HDR_AUTH_LEN
1018          * preceeding the auth_data.
1019          */
1020
1021         data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - 
1022                         (auth_verify ? RPC_HDR_AUTH_LEN : 0) - auth_len;
1023         
1024         DEBUG(5,("api_pipe_auth_process: sign: %s seal: %s data %d auth %d\n",
1025                  BOOLSTR(auth_verify), BOOLSTR(auth_seal), data_len, auth_len));
1026
1027         if (auth_seal) {
1028                 /*
1029                  * The data in rpc_in doesn't contain the RPC_HEADER as this
1030                  * has already been consumed.
1031                  */
1032                 char *data = prs_data_p(rpc_in) + RPC_HDR_REQ_LEN;
1033                 NTLMSSPcalc_p(p, (uchar*)data, data_len);
1034                 crc32 = crc32_calc_buffer(data, data_len);
1035         }
1036
1037         old_offset = prs_offset(rpc_in);
1038
1039         if (auth_seal || auth_verify) {
1040                 RPC_HDR_AUTH auth_info;
1041
1042                 if(!prs_set_offset(rpc_in, old_offset + data_len)) {
1043                         DEBUG(0,("api_pipe_auth_process: cannot move offset to %u.\n",
1044                                 (unsigned int)old_offset + data_len ));
1045                         return False;
1046                 }
1047
1048                 if(!smb_io_rpc_hdr_auth("hdr_auth", &auth_info, rpc_in, 0)) {
1049                         DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_HDR_AUTH.\n"));
1050                         return False;
1051                 }
1052         }
1053
1054         if (auth_verify) {
1055                 RPC_AUTH_NTLMSSP_CHK ntlmssp_chk;
1056                 char *req_data = prs_data_p(rpc_in) + prs_offset(rpc_in) + 4;
1057
1058                 DEBUG(5,("api_pipe_auth_process: auth %d\n", prs_offset(rpc_in) + 4));
1059
1060                 /*
1061                  * Ensure we have RPC_AUTH_NTLMSSP_CHK_LEN - 4 more bytes in the
1062                  * incoming buffer.
1063                  */
1064                 if(prs_mem_get(rpc_in, RPC_AUTH_NTLMSSP_CHK_LEN - 4) == NULL) {
1065                         DEBUG(0,("api_pipe_auth_process: missing %d bytes in buffer.\n",
1066                                 RPC_AUTH_NTLMSSP_CHK_LEN - 4 ));
1067                         return False;
1068                 }
1069
1070                 NTLMSSPcalc_p(p, (uchar*)req_data, RPC_AUTH_NTLMSSP_CHK_LEN - 4);
1071                 if(!smb_io_rpc_auth_ntlmssp_chk("auth_sign", &ntlmssp_chk, rpc_in, 0)) {
1072                         DEBUG(0,("api_pipe_auth_process: failed to unmarshall RPC_AUTH_NTLMSSP_CHK.\n"));
1073                         return False;
1074                 }
1075
1076                 if (!rpc_auth_ntlmssp_chk(&ntlmssp_chk, crc32, p->ntlmssp_seq_num)) {
1077                         DEBUG(0,("api_pipe_auth_process: NTLMSSP check failed.\n"));
1078                         return False;
1079                 }
1080         }
1081
1082         /*
1083          * Return the current pointer to the data offset.
1084          */
1085
1086         if(!prs_set_offset(rpc_in, old_offset)) {
1087                 DEBUG(0,("api_pipe_auth_process: failed to set offset back to %u\n",
1088                         (unsigned int)old_offset ));
1089                 return False;
1090         }
1091
1092         return True;
1093 }
1094
1095 /****************************************************************************
1096  Return a user struct for a pipe user.
1097 ****************************************************************************/
1098
1099 struct current_user *get_current_user(struct current_user *user, pipes_struct *p)
1100 {
1101         if (p->ntlmssp_auth_validated) {
1102                 memcpy(user, &p->pipe_user, sizeof(struct current_user));
1103         } else {
1104                 extern struct current_user current_user;
1105                 memcpy(user, &current_user, sizeof(struct current_user));
1106         }
1107
1108         return user;
1109 }
1110
1111 /****************************************************************************
1112  Find the correct RPC function to call for this request.
1113  If the pipe is authenticated then become the correct UNIX user
1114  before doing the call.
1115 ****************************************************************************/
1116
1117 BOOL api_pipe_request(pipes_struct *p)
1118 {
1119         int i = 0;
1120         BOOL ret = False;
1121
1122         if (p->ntlmssp_auth_validated) {
1123
1124                 if(!become_authenticated_pipe_user(p)) {
1125                         prs_mem_free(&p->out_data.rdata);
1126                         return False;
1127                 }
1128         }
1129
1130         for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) {
1131                 if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
1132                     api_fd_commands[i].fn != NULL) {
1133                         DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
1134                         set_current_rpc_talloc(p->mem_ctx);
1135                         ret = api_fd_commands[i].fn(p);
1136                         set_current_rpc_talloc(NULL);
1137                 }
1138         }
1139
1140         if(p->ntlmssp_auth_validated)
1141                 unbecome_authenticated_pipe_user();
1142
1143         return ret;
1144 }
1145
1146 /*******************************************************************
1147  Calls the underlying RPC function for a named pipe.
1148  ********************************************************************/
1149
1150 BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, 
1151                 struct api_struct *api_rpc_cmds)
1152 {
1153         int fn_num;
1154         fstring name;
1155         uint32 offset1, offset2;
1156  
1157         /* interpret the command */
1158         DEBUG(4,("api_rpcTNP: %s op 0x%x - ", rpc_name, p->hdr_req.opnum));
1159
1160         slprintf(name, sizeof(name)-1, "in_%s", rpc_name);
1161         prs_dump(name, p->hdr_req.opnum, &p->in_data.data);
1162
1163         for (fn_num = 0; api_rpc_cmds[fn_num].name; fn_num++) {
1164                 if (api_rpc_cmds[fn_num].opnum == p->hdr_req.opnum && api_rpc_cmds[fn_num].fn != NULL) {
1165                         DEBUG(3,("api_rpcTNP: rpc command: %s\n", api_rpc_cmds[fn_num].name));
1166                         break;
1167                 }
1168         }
1169
1170         if (api_rpc_cmds[fn_num].name == NULL) {
1171                 /*
1172                  * For an unknown RPC just return a fault PDU but
1173                  * return True to allow RPC's on the pipe to continue
1174                  * and not put the pipe into fault state. JRA.
1175                  */
1176                 DEBUG(4, ("unknown\n"));
1177                 setup_fault_pdu(p, NT_STATUS(0x1c010002));
1178                 return True;
1179         }
1180
1181         offset1 = prs_offset(&p->out_data.rdata);
1182
1183         /* do the actual command */
1184         if(!api_rpc_cmds[fn_num].fn(p)) {
1185                 DEBUG(0,("api_rpcTNP: %s: %s failed.\n", rpc_name, api_rpc_cmds[fn_num].name));
1186                 prs_mem_free(&p->out_data.rdata);
1187                 return False;
1188         }
1189
1190         if (p->bad_handle_fault_state) {
1191                 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1192                 p->bad_handle_fault_state = False;
1193                 setup_fault_pdu(p, NT_STATUS(0x1C00001A));
1194                 return True;
1195         }
1196
1197         slprintf(name, sizeof(name)-1, "out_%s", rpc_name);
1198         offset2 = prs_offset(&p->out_data.rdata);
1199         prs_set_offset(&p->out_data.rdata, offset1);
1200         prs_dump(name, p->hdr_req.opnum, &p->out_data.rdata);
1201         prs_set_offset(&p->out_data.rdata, offset2);
1202
1203         DEBUG(5,("api_rpcTNP: called %s successfully\n", rpc_name));
1204
1205         /* Check for buffer underflow in rpc parsing */
1206
1207         if ((DEBUGLEVEL >= 10) && 
1208             (p->in_data.data.data_offset != p->in_data.data.buffer_size)) {
1209                 int data_len = p->in_data.data.buffer_size - 
1210                         p->in_data.data.data_offset;
1211                 char *data;
1212
1213                 data = malloc(data_len);
1214
1215                 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1216                 if (data) {
1217                         prs_uint8s(False, "", &p->in_data.data, 0, (unsigned char *)data,
1218                                    data_len);
1219                         SAFE_FREE(data);
1220                 }
1221
1222         }
1223
1224         return True;
1225 }