import HEAD into svn+ssh://svn.samba.org/home/svn/samba/trunk
[metze/old/v3-2-winbind-ndr.git] / source / rpc_server / srv_pipe_hnd.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  RPC Pipe client / server routines
4  *  Copyright (C) Andrew Tridgell              1992-1998,
5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
6  *  Copyright (C) Jeremy Allison                                    1999.
7  *  
8  *  This program is free software; you can redistribute it and/or modify
9  *  it under the terms of the GNU General Public License as published by
10  *  the Free Software Foundation; either version 2 of the License, or
11  *  (at your option) any later version.
12  *  
13  *  This program is distributed in the hope that it will be useful,
14  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
15  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16  *  GNU General Public License for more details.
17  *  
18  *  You should have received a copy of the GNU General Public License
19  *  along with this program; if not, write to the Free Software
20  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21  */
22
23 #include "includes.h"
24
25 #undef DBGC_CLASS
26 #define DBGC_CLASS DBGC_RPC_SRV
27
28 #define PIPE            "\\PIPE\\"
29 #define PIPELEN         strlen(PIPE)
30
31 static smb_np_struct *chain_p;
32 static int pipes_open;
33
34 /*
35  * Sometimes I can't decide if I hate Windows printer driver
36  * writers more than I hate the Windows spooler service driver
37  * writers. This gets around a combination of bugs in the spooler
38  * and the HP 8500 PCL driver that causes a spooler spin. JRA.
39  *
40  * bumped up from 20 -> 64 after viewing traffic from WordPerfect
41  * 2002 running on NT 4.- SP6
42  * bumped up from 64 -> 256 after viewing traffic from con2prt
43  * for lots of printers on a WinNT 4.x SP6 box.
44  */
45  
46 #ifndef MAX_OPEN_SPOOLSS_PIPES
47 #define MAX_OPEN_SPOOLSS_PIPES 256
48 #endif
49 static int current_spoolss_pipes_open;
50
51 static smb_np_struct *Pipes;
52 static pipes_struct *InternalPipes;
53 static struct bitmap *bmap;
54
55 /* TODO
56  * the following prototypes are declared here to avoid
57  * code being moved about too much for a patch to be
58  * disrupted / less obvious.
59  *
60  * these functions, and associated functions that they
61  * call, should be moved behind a .so module-loading
62  * system _anyway_.  so that's the next step...
63  */
64
65 static ssize_t read_from_internal_pipe(void *np_conn, char *data, size_t n,
66                 BOOL *is_data_outstanding);
67 static ssize_t write_to_internal_pipe(void *np_conn, char *data, size_t n);
68 static BOOL close_internal_rpc_pipe_hnd(void *np_conn);
69 static void *make_internal_rpc_pipe_p(char *pipe_name, 
70                               connection_struct *conn, uint16 vuid);
71
72 /****************************************************************************
73  Pipe iterator functions.
74 ****************************************************************************/
75
76 smb_np_struct *get_first_pipe(void)
77 {
78         return Pipes;
79 }
80
81 smb_np_struct *get_next_pipe(smb_np_struct *p)
82 {
83         return p->next;
84 }
85
86 /****************************************************************************
87  Internal Pipe iterator functions.
88 ****************************************************************************/
89
90 pipes_struct *get_first_internal_pipe(void)
91 {
92         return InternalPipes;
93 }
94
95 pipes_struct *get_next_internal_pipe(pipes_struct *p)
96 {
97         return p->next;
98 }
99
100 /* this must be larger than the sum of the open files and directories */
101 static int pipe_handle_offset;
102
103 /****************************************************************************
104  Set the pipe_handle_offset. Called from smbd/files.c
105 ****************************************************************************/
106
107 void set_pipe_handle_offset(int max_open_files)
108 {
109   if(max_open_files < 0x7000)
110     pipe_handle_offset = 0x7000;
111   else
112     pipe_handle_offset = max_open_files + 10; /* For safety. :-) */
113 }
114
115 /****************************************************************************
116  Reset pipe chain handle number.
117 ****************************************************************************/
118
119 void reset_chain_p(void)
120 {
121         chain_p = NULL;
122 }
123
124 /****************************************************************************
125  Initialise pipe handle states.
126 ****************************************************************************/
127
128 void init_rpc_pipe_hnd(void)
129 {
130         bmap = bitmap_allocate(MAX_OPEN_PIPES);
131         if (!bmap)
132                 exit_server("out of memory in init_rpc_pipe_hnd");
133 }
134
135 /****************************************************************************
136  Initialise an outgoing packet.
137 ****************************************************************************/
138
139 static BOOL pipe_init_outgoing_data(pipes_struct *p)
140 {
141         output_data *o_data = &p->out_data;
142
143         /* Reset the offset counters. */
144         o_data->data_sent_length = 0;
145         o_data->current_pdu_len = 0;
146         o_data->current_pdu_sent = 0;
147
148         memset(o_data->current_pdu, '\0', sizeof(o_data->current_pdu));
149
150         /* Free any memory in the current return data buffer. */
151         prs_mem_free(&o_data->rdata);
152
153         /*
154          * Initialize the outgoing RPC data buffer.
155          * we will use this as the raw data area for replying to rpc requests.
156          */     
157         if(!prs_init(&o_data->rdata, MAX_PDU_FRAG_LEN, p->mem_ctx, MARSHALL)) {
158                 DEBUG(0,("pipe_init_outgoing_data: malloc fail.\n"));
159                 return False;
160         }
161
162         return True;
163 }
164
165 /****************************************************************************
166  Find first available pipe slot.
167 ****************************************************************************/
168
169 smb_np_struct *open_rpc_pipe_p(char *pipe_name, 
170                               connection_struct *conn, uint16 vuid)
171 {
172         int i;
173         smb_np_struct *p, *p_it;
174         static int next_pipe;
175         BOOL is_spoolss_pipe = False;
176
177         DEBUG(4,("Open pipe requested %s (pipes_open=%d)\n",
178                  pipe_name, pipes_open));
179
180         if (strstr(pipe_name, "spoolss"))
181                 is_spoolss_pipe = True;
182  
183         if (is_spoolss_pipe && current_spoolss_pipes_open >= MAX_OPEN_SPOOLSS_PIPES) {
184                 DEBUG(10,("open_rpc_pipe_p: spooler bug workaround. Denying open on pipe %s\n",
185                         pipe_name ));
186                 return NULL;
187         }
188
189         /* not repeating pipe numbers makes it easier to track things in 
190            log files and prevents client bugs where pipe numbers are reused
191            over connection restarts */
192         if (next_pipe == 0)
193                 next_pipe = (sys_getpid() ^ time(NULL)) % MAX_OPEN_PIPES;
194
195         i = bitmap_find(bmap, next_pipe);
196
197         if (i == -1) {
198                 DEBUG(0,("ERROR! Out of pipe structures\n"));
199                 return NULL;
200         }
201
202         next_pipe = (i+1) % MAX_OPEN_PIPES;
203
204         for (p = Pipes; p; p = p->next)
205                 DEBUG(5,("open_rpc_pipe_p: name %s pnum=%x\n", p->name, p->pnum));  
206
207         p = (smb_np_struct *)malloc(sizeof(*p));
208
209         if (!p) {
210                 DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
211                 return NULL;
212         }
213
214         ZERO_STRUCTP(p);
215
216         /* add a dso mechanism instead of this, here */
217
218         p->namedpipe_create = make_internal_rpc_pipe_p;
219         p->namedpipe_read = read_from_internal_pipe;
220         p->namedpipe_write = write_to_internal_pipe;
221         p->namedpipe_close = close_internal_rpc_pipe_hnd;
222
223         p->np_state = p->namedpipe_create(pipe_name, conn, vuid);
224
225         if (p->np_state == NULL) {
226                 DEBUG(0,("open_rpc_pipe_p: make_internal_rpc_pipe_p failed.\n"));
227                 SAFE_FREE(p);
228                 return NULL;
229         }
230
231         DLIST_ADD(Pipes, p);
232
233         /*
234          * Initialize the incoming RPC data buffer with one PDU worth of memory.
235          * We cheat here and say we're marshalling, as we intend to add incoming
236          * data directly into the prs_struct and we want it to auto grow. We will
237          * change the type to UNMARSALLING before processing the stream.
238          */
239
240         bitmap_set(bmap, i);
241         i += pipe_handle_offset;
242
243         pipes_open++;
244
245         p->pnum = i;
246
247         p->open = True;
248         p->device_state = 0;
249         p->priority = 0;
250         p->conn = conn;
251         p->vuid  = vuid;
252
253         p->max_trans_reply = 0;
254         
255         fstrcpy(p->name, pipe_name);
256         
257         DEBUG(4,("Opened pipe %s with handle %x (pipes_open=%d)\n",
258                  pipe_name, i, pipes_open));
259         
260         chain_p = p;
261         
262         /* Iterate over p_it as a temp variable, to display all open pipes */ 
263         for (p_it = Pipes; p_it; p_it = p_it->next)
264                 DEBUG(5,("open pipes: name %s pnum=%x\n", p_it->name, p_it->pnum));  
265
266         return chain_p;
267 }
268
269 /****************************************************************************
270  Make an internal namedpipes structure
271 ****************************************************************************/
272
273 static void *make_internal_rpc_pipe_p(char *pipe_name, 
274                               connection_struct *conn, uint16 vuid)
275 {
276         pipes_struct *p;
277         user_struct *vuser = get_valid_user_struct(vuid);
278
279         DEBUG(4,("Create pipe requested %s\n", pipe_name));
280
281         if (!vuser && vuid != UID_FIELD_INVALID) {
282                 DEBUG(0,("ERROR! vuid %d did not map to a valid vuser struct!\n", vuid));
283                 return NULL;
284         }
285
286         p = (pipes_struct *)malloc(sizeof(*p));
287
288         if (!p)
289         {
290                 DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
291                 return NULL;
292         }
293
294         ZERO_STRUCTP(p);
295
296         if ((p->mem_ctx = talloc_init("pipe %s %p", pipe_name, p)) == NULL) {
297                 DEBUG(0,("open_rpc_pipe_p: talloc_init failed.\n"));
298                 SAFE_FREE(p);
299                 return NULL;
300         }
301
302         if (!init_pipe_handle_list(p, pipe_name)) {
303                 DEBUG(0,("open_rpc_pipe_p: init_pipe_handles failed.\n"));
304                 talloc_destroy(p->mem_ctx);
305                 SAFE_FREE(p);
306                 return NULL;
307         }
308
309         /*
310          * Initialize the incoming RPC data buffer with one PDU worth of memory.
311          * We cheat here and say we're marshalling, as we intend to add incoming
312          * data directly into the prs_struct and we want it to auto grow. We will
313          * change the type to UNMARSALLING before processing the stream.
314          */
315
316         if(!prs_init(&p->in_data.data, MAX_PDU_FRAG_LEN, p->mem_ctx, MARSHALL)) {
317                 DEBUG(0,("open_rpc_pipe_p: malloc fail for in_data struct.\n"));
318                 return NULL;
319         }
320
321         DLIST_ADD(InternalPipes, p);
322
323         p->conn = conn;
324
325         /* Ensure the connection isn't idled whilst this pipe is open. */
326         p->conn->num_files_open++;
327
328         p->vuid  = vuid;
329
330         p->ntlmssp_chal_flags = 0;
331         p->ntlmssp_auth_validated = False;
332         p->ntlmssp_auth_requested = False;
333
334         p->pipe_bound = False;
335         p->fault_state = False;
336         p->endian = RPC_LITTLE_ENDIAN;
337
338         ZERO_STRUCT(p->pipe_user);
339
340         p->pipe_user.uid = (uid_t)-1;
341         p->pipe_user.gid = (gid_t)-1;
342         
343         /* Store the session key and NT_TOKEN */
344         if (vuser) {
345                 p->session_key = data_blob(vuser->session_key.data, vuser->session_key.length);
346                 p->pipe_user.nt_user_token = dup_nt_token(vuser->nt_user_token);
347                 init_privilege(&p->pipe_user.privs);
348                 dup_priv_set(p->pipe_user.privs, vuser->privs);
349         }
350
351         /*
352          * Initialize the incoming RPC struct.
353          */
354
355         p->in_data.pdu_needed_len = 0;
356         p->in_data.pdu_received_len = 0;
357
358         /*
359          * Initialize the outgoing RPC struct.
360          */
361
362         p->out_data.current_pdu_len = 0;
363         p->out_data.current_pdu_sent = 0;
364         p->out_data.data_sent_length = 0;
365
366         /*
367          * Initialize the outgoing RPC data buffer with no memory.
368          */     
369         prs_init(&p->out_data.rdata, 0, p->mem_ctx, MARSHALL);
370         
371         fstrcpy(p->name, pipe_name);
372         
373         DEBUG(4,("Created internal pipe %s (pipes_open=%d)\n",
374                  pipe_name, pipes_open));
375
376         return (void*)p;
377 }
378
379 /****************************************************************************
380  Sets the fault state on incoming packets.
381 ****************************************************************************/
382
383 static void set_incoming_fault(pipes_struct *p)
384 {
385         prs_mem_free(&p->in_data.data);
386         p->in_data.pdu_needed_len = 0;
387         p->in_data.pdu_received_len = 0;
388         p->fault_state = True;
389         DEBUG(10,("set_incoming_fault: Setting fault state on pipe %s : vuid = 0x%x\n",
390                 p->name, p->vuid ));
391 }
392
393 /****************************************************************************
394  Ensures we have at least RPC_HEADER_LEN amount of data in the incoming buffer.
395 ****************************************************************************/
396
397 static ssize_t fill_rpc_header(pipes_struct *p, char *data, size_t data_to_copy)
398 {
399         size_t len_needed_to_complete_hdr = MIN(data_to_copy, RPC_HEADER_LEN - p->in_data.pdu_received_len);
400
401         DEBUG(10,("fill_rpc_header: data_to_copy = %u, len_needed_to_complete_hdr = %u, receive_len = %u\n",
402                         (unsigned int)data_to_copy, (unsigned int)len_needed_to_complete_hdr,
403                         (unsigned int)p->in_data.pdu_received_len ));
404
405         memcpy((char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, len_needed_to_complete_hdr);
406         p->in_data.pdu_received_len += len_needed_to_complete_hdr;
407
408         return (ssize_t)len_needed_to_complete_hdr;
409 }
410
411 /****************************************************************************
412  Unmarshalls a new PDU header. Assumes the raw header data is in current_in_pdu.
413 ****************************************************************************/
414
415 static ssize_t unmarshall_rpc_header(pipes_struct *p)
416 {
417         /*
418          * Unmarshall the header to determine the needed length.
419          */
420
421         prs_struct rpc_in;
422
423         if(p->in_data.pdu_received_len != RPC_HEADER_LEN) {
424                 DEBUG(0,("unmarshall_rpc_header: assert on rpc header length failed.\n"));
425                 set_incoming_fault(p);
426                 return -1;
427         }
428
429         prs_init( &rpc_in, 0, p->mem_ctx, UNMARSHALL);
430         prs_set_endian_data( &rpc_in, p->endian);
431
432         prs_give_memory( &rpc_in, (char *)&p->in_data.current_in_pdu[0],
433                                         p->in_data.pdu_received_len, False);
434
435         /*
436          * Unmarshall the header as this will tell us how much
437          * data we need to read to get the complete pdu.
438          * This also sets the endian flag in rpc_in.
439          */
440
441         if(!smb_io_rpc_hdr("", &p->hdr, &rpc_in, 0)) {
442                 DEBUG(0,("unmarshall_rpc_header: failed to unmarshall RPC_HDR.\n"));
443                 set_incoming_fault(p);
444                 prs_mem_free(&rpc_in);
445                 return -1;
446         }
447
448         /*
449          * Validate the RPC header.
450          */
451
452         if(p->hdr.major != 5 && p->hdr.minor != 0) {
453                 DEBUG(0,("unmarshall_rpc_header: invalid major/minor numbers in RPC_HDR.\n"));
454                 set_incoming_fault(p);
455                 prs_mem_free(&rpc_in);
456                 return -1;
457         }
458
459         /*
460          * If there's not data in the incoming buffer this should be the start of a new RPC.
461          */
462
463         if(prs_offset(&p->in_data.data) == 0) {
464
465                 /*
466                  * AS/U doesn't set FIRST flag in a BIND packet it seems.
467                  */
468
469                 if ((p->hdr.pkt_type == RPC_REQUEST) && !(p->hdr.flags & RPC_FLG_FIRST)) {
470                         /*
471                          * Ensure that the FIRST flag is set. If not then we have
472                          * a stream missmatch.
473                          */
474
475                         DEBUG(0,("unmarshall_rpc_header: FIRST flag not set in first PDU !\n"));
476                         set_incoming_fault(p);
477                         prs_mem_free(&rpc_in);
478                         return -1;
479                 }
480
481                 /*
482                  * If this is the first PDU then set the endianness
483                  * flag in the pipe. We will need this when parsing all
484                  * data in this RPC.
485                  */
486
487                 p->endian = rpc_in.bigendian_data;
488
489                 DEBUG(5,("unmarshall_rpc_header: using %sendian RPC\n",
490                                 p->endian == RPC_LITTLE_ENDIAN ? "little-" : "big-" ));
491
492         } else {
493
494                 /*
495                  * If this is *NOT* the first PDU then check the endianness
496                  * flag in the pipe is the same as that in the PDU.
497                  */
498
499                 if (p->endian != rpc_in.bigendian_data) {
500                         DEBUG(0,("unmarshall_rpc_header: FIRST endianness flag (%d) different in next PDU !\n", (int)p->endian));
501                         set_incoming_fault(p);
502                         prs_mem_free(&rpc_in);
503                         return -1;
504                 }
505         }
506
507         /*
508          * Ensure that the pdu length is sane.
509          */
510
511         if((p->hdr.frag_len < RPC_HEADER_LEN) || (p->hdr.frag_len > MAX_PDU_FRAG_LEN)) {
512                 DEBUG(0,("unmarshall_rpc_header: assert on frag length failed.\n"));
513                 set_incoming_fault(p);
514                 prs_mem_free(&rpc_in);
515                 return -1;
516         }
517
518         DEBUG(10,("unmarshall_rpc_header: type = %u, flags = %u\n", (unsigned int)p->hdr.pkt_type,
519                         (unsigned int)p->hdr.flags ));
520
521         /*
522          * Adjust for the header we just ate.
523          */
524         p->in_data.pdu_received_len = 0;
525         p->in_data.pdu_needed_len = (uint32)p->hdr.frag_len - RPC_HEADER_LEN;
526
527         /*
528          * Null the data we just ate.
529          */
530
531         memset((char *)&p->in_data.current_in_pdu[0], '\0', RPC_HEADER_LEN);
532
533         prs_mem_free(&rpc_in);
534
535         return 0; /* No extra data processed. */
536 }
537
538 /****************************************************************************
539  Call this to free any talloc'ed memory. Do this before and after processing
540  a complete PDU.
541 ****************************************************************************/
542
543 void free_pipe_context(pipes_struct *p)
544 {
545         if (p->mem_ctx) {
546                 DEBUG(3,("free_pipe_context: destroying talloc pool of size %lu\n", (unsigned long)talloc_pool_size(p->mem_ctx) ));
547                 talloc_destroy_pool(p->mem_ctx);
548         } else {
549                 p->mem_ctx = talloc_init("pipe %s %p", p->name, p);
550                 if (p->mem_ctx == NULL)
551                         p->fault_state = True;
552         }
553 }
554
555 /****************************************************************************
556  Processes a request pdu. This will do auth processing if needed, and
557  appends the data into the complete stream if the LAST flag is not set.
558 ****************************************************************************/
559
560 static BOOL process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
561 {
562         BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
563         size_t data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
564                                 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - p->hdr.auth_len;
565
566         if(!p->pipe_bound) {
567                 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
568                 set_incoming_fault(p);
569                 return False;
570         }
571
572         /*
573          * Check if we need to do authentication processing.
574          * This is only done on requests, not binds.
575          */
576
577         /*
578          * Read the RPC request header.
579          */
580
581         if(!smb_io_rpc_hdr_req("req", &p->hdr_req, rpc_in_p, 0)) {
582                 DEBUG(0,("process_request_pdu: failed to unmarshall RPC_HDR_REQ.\n"));
583                 set_incoming_fault(p);
584                 return False;
585         }
586
587         if(p->ntlmssp_auth_validated && !api_pipe_auth_process(p, rpc_in_p)) {
588                 DEBUG(0,("process_request_pdu: failed to do auth processing.\n"));
589                 set_incoming_fault(p);
590                 return False;
591         }
592
593         if (p->ntlmssp_auth_requested && !p->ntlmssp_auth_validated) {
594
595                 /*
596                  * Authentication _was_ requested and it already failed.
597                  */
598
599                 DEBUG(0,("process_request_pdu: RPC request received on pipe %s "
600                          "where authentication failed. Denying the request.\n",
601                          p->name));
602                 set_incoming_fault(p);
603                 return False;
604         }
605
606         if (p->netsec_auth_validated && !api_pipe_netsec_process(p, rpc_in_p)) {
607                 DEBUG(0,("process_request_pdu: failed to do schannel processing.\n"));
608                 set_incoming_fault(p);
609                 return False;
610         }
611
612         /*
613          * Check the data length doesn't go over the 15Mb limit.
614          * increased after observing a bug in the Windows NT 4.0 SP6a
615          * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
616          * will not fit in the initial buffer of size 0x1068   --jerry 22/01/2002
617          */
618         
619         if(prs_offset(&p->in_data.data) + data_len > 15*1024*1024) {
620                 DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
621                                 (unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len ));
622                 set_incoming_fault(p);
623                 return False;
624         }
625
626         /*
627          * Append the data portion into the buffer and return.
628          */
629
630         if(!prs_append_some_prs_data(&p->in_data.data, rpc_in_p, prs_offset(rpc_in_p), data_len)) {
631                 DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n",
632                                 (unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) ));
633                 set_incoming_fault(p);
634                 return False;
635         }
636
637         if(p->hdr.flags & RPC_FLG_LAST) {
638                 BOOL ret = False;
639                 /*
640                  * Ok - we finally have a complete RPC stream.
641                  * Call the rpc command to process it.
642                  */
643
644                 /*
645                  * Ensure the internal prs buffer size is *exactly* the same
646                  * size as the current offset.
647                  */
648
649                 if(!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data)))
650                 {
651                         DEBUG(0,("process_request_pdu: Call to prs_set_buffer_size failed!\n"));
652                         set_incoming_fault(p);
653                         return False;
654                 }
655
656                 /*
657                  * Set the parse offset to the start of the data and set the
658                  * prs_struct to UNMARSHALL.
659                  */
660
661                 prs_set_offset(&p->in_data.data, 0);
662                 prs_switch_type(&p->in_data.data, UNMARSHALL);
663
664                 /*
665                  * Process the complete data stream here.
666                  */
667
668                 free_pipe_context(p);
669
670                 if(pipe_init_outgoing_data(p))
671                         ret = api_pipe_request(p);
672
673                 free_pipe_context(p);
674
675                 /*
676                  * We have consumed the whole data stream. Set back to
677                  * marshalling and set the offset back to the start of
678                  * the buffer to re-use it (we could also do a prs_mem_free()
679                  * and then re_init on the next start of PDU. Not sure which
680                  * is best here.... JRA.
681                  */
682
683                 prs_switch_type(&p->in_data.data, MARSHALL);
684                 prs_set_offset(&p->in_data.data, 0);
685                 return ret;
686         }
687
688         return True;
689 }
690
691 /****************************************************************************
692  Processes a finished PDU stored in current_in_pdu. The RPC_HEADER has
693  already been parsed and stored in p->hdr.
694 ****************************************************************************/
695
696 static ssize_t process_complete_pdu(pipes_struct *p)
697 {
698         prs_struct rpc_in;
699         size_t data_len = p->in_data.pdu_received_len;
700         char *data_p = (char *)&p->in_data.current_in_pdu[0];
701         BOOL reply = False;
702
703         if(p->fault_state) {
704                 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
705                         p->name ));
706                 set_incoming_fault(p);
707                 setup_fault_pdu(p, NT_STATUS(0x1c010002));
708                 return (ssize_t)data_len;
709         }
710
711         prs_init( &rpc_in, 0, p->mem_ctx, UNMARSHALL);
712
713         /*
714          * Ensure we're using the corrent endianness for both the 
715          * RPC header flags and the raw data we will be reading from.
716          */
717
718         prs_set_endian_data( &rpc_in, p->endian);
719         prs_set_endian_data( &p->in_data.data, p->endian);
720
721         prs_give_memory( &rpc_in, data_p, (uint32)data_len, False);
722
723         DEBUG(10,("process_complete_pdu: processing packet type %u\n",
724                         (unsigned int)p->hdr.pkt_type ));
725
726         switch (p->hdr.pkt_type) {
727                 case RPC_BIND:
728                 case RPC_ALTCONT:
729                         /*
730                          * We assume that a pipe bind is only in one pdu.
731                          */
732                         if(pipe_init_outgoing_data(p))
733                                 reply = api_pipe_bind_req(p, &rpc_in);
734                         break;
735                 case RPC_BINDRESP:
736                         /*
737                          * We assume that a pipe bind_resp is only in one pdu.
738                          */
739                         if(pipe_init_outgoing_data(p))
740                                 reply = api_pipe_bind_auth_resp(p, &rpc_in);
741                         break;
742                 case RPC_REQUEST:
743                         reply = process_request_pdu(p, &rpc_in);
744                         break;
745                 default:
746                         DEBUG(0,("process_complete_pdu: Unknown rpc type = %u received.\n", (unsigned int)p->hdr.pkt_type ));
747                         break;
748         }
749
750         /* Reset to little endian. Probably don't need this but it won't hurt. */
751         prs_set_endian_data( &p->in_data.data, RPC_LITTLE_ENDIAN);
752
753         if (!reply) {
754                 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on pipe %s\n", p->pipe_srv_name));
755                 set_incoming_fault(p);
756                 setup_fault_pdu(p, NT_STATUS(0x1c010002));
757                 prs_mem_free(&rpc_in);
758         } else {
759                 /*
760                  * Reset the lengths. We're ready for a new pdu.
761                  */
762                 p->in_data.pdu_needed_len = 0;
763                 p->in_data.pdu_received_len = 0;
764         }
765
766         prs_mem_free(&rpc_in);
767         return (ssize_t)data_len;
768 }
769
770 /****************************************************************************
771  Accepts incoming data on an rpc pipe. Processes the data in pdu sized units.
772 ****************************************************************************/
773
774 static ssize_t process_incoming_data(pipes_struct *p, char *data, size_t n)
775 {
776         size_t data_to_copy = MIN(n, MAX_PDU_FRAG_LEN - p->in_data.pdu_received_len);
777         size_t old_pdu_received_len = p->in_data.pdu_received_len;
778
779         DEBUG(10,("process_incoming_data: Start: pdu_received_len = %u, pdu_needed_len = %u, incoming data = %u\n",
780                 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len,
781                 (unsigned int)n ));
782
783         if(data_to_copy == 0) {
784                 /*
785                  * This is an error - data is being received and there is no
786                  * space in the PDU. Free the received data and go into the fault state.
787                  */
788                 DEBUG(0,("process_incoming_data: No space in incoming pdu buffer. Current size = %u \
789 incoming data size = %u\n", (unsigned int)p->in_data.pdu_received_len, (unsigned int)n ));
790                 set_incoming_fault(p);
791                 return -1;
792         }
793
794         /*
795          * If we have no data already, wait until we get at least a RPC_HEADER_LEN
796          * number of bytes before we can do anything.
797          */
798
799         if((p->in_data.pdu_needed_len == 0) && (p->in_data.pdu_received_len < RPC_HEADER_LEN)) {
800                 /*
801                  * Always return here. If we have more data then the RPC_HEADER
802                  * will be processed the next time around the loop.
803                  */
804                 return fill_rpc_header(p, data, data_to_copy);
805         }
806
807         /*
808          * At this point we know we have at least an RPC_HEADER_LEN amount of data
809          * stored in current_in_pdu.
810          */
811
812         /*
813          * If pdu_needed_len is zero this is a new pdu. 
814          * Unmarshall the header so we know how much more
815          * data we need, then loop again.
816          */
817
818         if(p->in_data.pdu_needed_len == 0)
819                 return unmarshall_rpc_header(p);
820
821         /*
822          * Ok - at this point we have a valid RPC_HEADER in p->hdr.
823          * Keep reading until we have a full pdu.
824          */
825
826         data_to_copy = MIN(data_to_copy, p->in_data.pdu_needed_len);
827
828         /*
829          * Copy as much of the data as we need into the current_in_pdu buffer.
830          */
831
832         memcpy( (char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, data_to_copy);
833         p->in_data.pdu_received_len += data_to_copy;
834
835         /*
836          * Do we have a complete PDU ?
837          * (return the nym of bytes handled in the call)
838          */
839
840         if(p->in_data.pdu_received_len == p->in_data.pdu_needed_len)
841                 return process_complete_pdu(p) - old_pdu_received_len;
842
843         DEBUG(10,("process_incoming_data: not a complete PDU yet. pdu_received_len = %u, pdu_needed_len = %u\n",
844                 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len ));
845
846         return (ssize_t)data_to_copy;
847
848 }
849
850 /****************************************************************************
851  Accepts incoming data on an rpc pipe.
852 ****************************************************************************/
853
854 ssize_t write_to_pipe(smb_np_struct *p, char *data, size_t n)
855 {
856         DEBUG(6,("write_to_pipe: %x", p->pnum));
857
858         DEBUG(6,(" name: %s open: %s len: %d\n",
859                  p->name, BOOLSTR(p->open), (int)n));
860
861         dump_data(50, data, n);
862
863         return p->namedpipe_write(p->np_state, data, n);
864 }
865
866 /****************************************************************************
867  Accepts incoming data on an internal rpc pipe.
868 ****************************************************************************/
869
870 static ssize_t write_to_internal_pipe(void *np_conn, char *data, size_t n)
871 {
872         pipes_struct *p = (pipes_struct*)np_conn;
873         size_t data_left = n;
874
875         while(data_left) {
876                 ssize_t data_used;
877
878                 DEBUG(10,("write_to_pipe: data_left = %u\n", (unsigned int)data_left ));
879
880                 data_used = process_incoming_data(p, data, data_left);
881
882                 DEBUG(10,("write_to_pipe: data_used = %d\n", (int)data_used ));
883
884                 if(data_used < 0)
885                         return -1;
886
887                 data_left -= data_used;
888                 data += data_used;
889         }       
890
891         return n;
892 }
893
894 /****************************************************************************
895  Replies to a request to read data from a pipe.
896
897  Headers are interspersed with the data at PDU intervals. By the time
898  this function is called, the start of the data could possibly have been
899  read by an SMBtrans (file_offset != 0).
900
901  Calling create_rpc_reply() here is a hack. The data should already
902  have been prepared into arrays of headers + data stream sections.
903 ****************************************************************************/
904
905 ssize_t read_from_pipe(smb_np_struct *p, char *data, size_t n,
906                 BOOL *is_data_outstanding)
907 {
908         if (!p || !p->open) {
909                 DEBUG(0,("read_from_pipe: pipe not open\n"));
910                 return -1;              
911         }
912
913         DEBUG(6,("read_from_pipe: %x", p->pnum));
914
915         return p->namedpipe_read(p->np_state, data, n, is_data_outstanding);
916 }
917
918 /****************************************************************************
919  Replies to a request to read data from a pipe.
920
921  Headers are interspersed with the data at PDU intervals. By the time
922  this function is called, the start of the data could possibly have been
923  read by an SMBtrans (file_offset != 0).
924
925  Calling create_rpc_reply() here is a hack. The data should already
926  have been prepared into arrays of headers + data stream sections.
927 ****************************************************************************/
928
929 static ssize_t read_from_internal_pipe(void *np_conn, char *data, size_t n,
930                 BOOL *is_data_outstanding)
931 {
932         pipes_struct *p = (pipes_struct*)np_conn;
933         uint32 pdu_remaining = 0;
934         ssize_t data_returned = 0;
935
936         if (!p) {
937                 DEBUG(0,("read_from_pipe: pipe not open\n"));
938                 return -1;              
939         }
940
941         DEBUG(6,(" name: %s len: %u\n", p->name, (unsigned int)n));
942
943         /*
944          * We cannot return more than one PDU length per
945          * read request.
946          */
947
948         /*
949          * This condition should result in the connection being closed.  
950          * Netapp filers seem to set it to 0xffff which results in domain
951          * authentications failing.  Just ignore it so things work.
952          */
953
954         if(n > MAX_PDU_FRAG_LEN) {
955                 DEBUG(5,("read_from_pipe: too large read (%u) requested on \
956 pipe %s. We can only service %d sized reads.\n", (unsigned int)n, p->name, MAX_PDU_FRAG_LEN ));
957         }
958
959         /*
960          * Determine if there is still data to send in the
961          * pipe PDU buffer. Always send this first. Never
962          * send more than is left in the current PDU. The
963          * client should send a new read request for a new
964          * PDU.
965          */
966
967         if((pdu_remaining = p->out_data.current_pdu_len - p->out_data.current_pdu_sent) > 0) {
968                 data_returned = (ssize_t)MIN(n, pdu_remaining);
969
970                 DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, current_pdu_sent = %u \
971 returning %d bytes.\n", p->name, (unsigned int)p->out_data.current_pdu_len, 
972                         (unsigned int)p->out_data.current_pdu_sent, (int)data_returned));
973
974                 memcpy( data, &p->out_data.current_pdu[p->out_data.current_pdu_sent], (size_t)data_returned);
975                 p->out_data.current_pdu_sent += (uint32)data_returned;
976                 goto out;
977         }
978
979         /*
980          * At this point p->current_pdu_len == p->current_pdu_sent (which
981          * may of course be zero if this is the first return fragment.
982          */
983
984         DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length \
985 = %u, prs_offset(&p->out_data.rdata) = %u.\n",
986                 p->name, (int)p->fault_state, (unsigned int)p->out_data.data_sent_length, (unsigned int)prs_offset(&p->out_data.rdata) ));
987
988         if(p->out_data.data_sent_length >= prs_offset(&p->out_data.rdata)) {
989                 /*
990                  * We have sent all possible data, return 0.
991                  */
992                 data_returned = 0;
993                 goto out;
994         }
995
996         /*
997          * We need to create a new PDU from the data left in p->rdata.
998          * Create the header/data/footers. This also sets up the fields
999          * p->current_pdu_len, p->current_pdu_sent, p->data_sent_length
1000          * and stores the outgoing PDU in p->current_pdu.
1001          */
1002
1003         if(!create_next_pdu(p)) {
1004                 DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n", p->name));
1005                 return -1;
1006         }
1007
1008         data_returned = MIN(n, p->out_data.current_pdu_len);
1009
1010         memcpy( data, p->out_data.current_pdu, (size_t)data_returned);
1011         p->out_data.current_pdu_sent += (uint32)data_returned;
1012
1013   out:
1014
1015         (*is_data_outstanding) = p->out_data.current_pdu_len > n;
1016         return data_returned;
1017 }
1018
1019 /****************************************************************************
1020  Wait device state on a pipe. Exactly what this is for is unknown...
1021 ****************************************************************************/
1022
1023 BOOL wait_rpc_pipe_hnd_state(smb_np_struct *p, uint16 priority)
1024 {
1025         if (p == NULL)
1026                 return False;
1027
1028         if (p->open) {
1029                 DEBUG(3,("wait_rpc_pipe_hnd_state: Setting pipe wait state priority=%x on pipe (name=%s)\n",
1030                          priority, p->name));
1031
1032                 p->priority = priority;
1033                 
1034                 return True;
1035         } 
1036
1037         DEBUG(3,("wait_rpc_pipe_hnd_state: Error setting pipe wait state priority=%x (name=%s)\n",
1038                  priority, p->name));
1039         return False;
1040 }
1041
1042
1043 /****************************************************************************
1044  Set device state on a pipe. Exactly what this is for is unknown...
1045 ****************************************************************************/
1046
1047 BOOL set_rpc_pipe_hnd_state(smb_np_struct *p, uint16 device_state)
1048 {
1049         if (p == NULL)
1050                 return False;
1051
1052         if (p->open) {
1053                 DEBUG(3,("set_rpc_pipe_hnd_state: Setting pipe device state=%x on pipe (name=%s)\n",
1054                          device_state, p->name));
1055
1056                 p->device_state = device_state;
1057                 
1058                 return True;
1059         } 
1060
1061         DEBUG(3,("set_rpc_pipe_hnd_state: Error setting pipe device state=%x (name=%s)\n",
1062                  device_state, p->name));
1063         return False;
1064 }
1065
1066
1067 /****************************************************************************
1068  Close an rpc pipe.
1069 ****************************************************************************/
1070
1071 BOOL close_rpc_pipe_hnd(smb_np_struct *p)
1072 {
1073         if (!p) {
1074                 DEBUG(0,("Invalid pipe in close_rpc_pipe_hnd\n"));
1075                 return False;
1076         }
1077
1078         p->namedpipe_close(p->np_state);
1079
1080         bitmap_clear(bmap, p->pnum - pipe_handle_offset);
1081
1082         pipes_open--;
1083
1084         DEBUG(4,("closed pipe name %s pnum=%x (pipes_open=%d)\n", 
1085                  p->name, p->pnum, pipes_open));  
1086
1087         DLIST_REMOVE(Pipes, p);
1088
1089         ZERO_STRUCTP(p);
1090
1091         SAFE_FREE(p);
1092
1093         return True;
1094 }
1095
1096 /****************************************************************************
1097  Close an rpc pipe.
1098 ****************************************************************************/
1099
1100 static BOOL close_internal_rpc_pipe_hnd(void *np_conn)
1101 {
1102         pipes_struct *p = (pipes_struct *)np_conn;
1103         if (!p) {
1104                 DEBUG(0,("Invalid pipe in close_internal_rpc_pipe_hnd\n"));
1105                 return False;
1106         }
1107
1108         prs_mem_free(&p->out_data.rdata);
1109         prs_mem_free(&p->in_data.data);
1110
1111         if (p->mem_ctx)
1112                 talloc_destroy(p->mem_ctx);
1113                 
1114         free_pipe_rpc_context( p->contexts );
1115
1116         /* Free the handles database. */
1117         close_policy_by_pipe(p);
1118
1119         delete_nt_token(&p->pipe_user.nt_user_token);
1120         SAFE_FREE(p->pipe_user.groups);
1121
1122         DLIST_REMOVE(InternalPipes, p);
1123
1124         p->conn->num_files_open--;
1125
1126         ZERO_STRUCTP(p);
1127
1128         SAFE_FREE(p);
1129         
1130         return True;
1131 }
1132
1133 /****************************************************************************
1134  Find an rpc pipe given a pipe handle in a buffer and an offset.
1135 ****************************************************************************/
1136
1137 smb_np_struct *get_rpc_pipe_p(char *buf, int where)
1138 {
1139         int pnum = SVAL(buf,where);
1140
1141         if (chain_p)
1142                 return chain_p;
1143
1144         return get_rpc_pipe(pnum);
1145 }
1146
1147 /****************************************************************************
1148  Find an rpc pipe given a pipe handle.
1149 ****************************************************************************/
1150
1151 smb_np_struct *get_rpc_pipe(int pnum)
1152 {
1153         smb_np_struct *p;
1154
1155         DEBUG(4,("search for pipe pnum=%x\n", pnum));
1156
1157         for (p=Pipes;p;p=p->next)
1158                 DEBUG(5,("pipe name %s pnum=%x (pipes_open=%d)\n", 
1159                           p->name, p->pnum, pipes_open));  
1160
1161         for (p=Pipes;p;p=p->next) {
1162                 if (p->pnum == pnum) {
1163                         chain_p = p;
1164                         return p;
1165                 }
1166         }
1167
1168         return NULL;
1169 }