169c45953466f929044d8184950f52c8097a2076
[nivanova/samba-autobuild/.git] / source3 / smbd / process.c
1 /* 
2    Unix SMB/CIFS implementation.
3    process incoming packets - main loop
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Volker Lendecke 2005-2007
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "../lib/tsocket/tsocket.h"
23 #include "system/filesys.h"
24 #include "smbd/smbd.h"
25 #include "smbd/globals.h"
26 #include "librpc/gen_ndr/netlogon.h"
27 #include "../lib/async_req/async_sock.h"
28 #include "ctdbd_conn.h"
29 #include "../lib/util/select.h"
30 #include "printing/pcap.h"
31 #include "system/select.h"
32 #include "passdb.h"
33 #include "auth.h"
34 #include "messages.h"
35 #include "smbprofile.h"
36 #include "rpc_server/spoolss/srv_spoolss_nt.h"
37
38 extern bool global_machine_password_needs_changing;
39
40 static void construct_reply_common(struct smb_request *req, const char *inbuf,
41                                    char *outbuf);
42 static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid);
43
44 static bool smbd_lock_socket_internal(struct smbd_server_connection *sconn)
45 {
46         bool ok;
47
48         if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
49                 return true;
50         }
51
52         sconn->smb1.echo_handler.ref_count++;
53
54         if (sconn->smb1.echo_handler.ref_count > 1) {
55                 return true;
56         }
57
58         DEBUG(10,("pid[%d] wait for socket lock\n", (int)sys_getpid()));
59
60         do {
61                 ok = fcntl_lock(
62                         sconn->smb1.echo_handler.socket_lock_fd,
63                         SMB_F_SETLKW, 0, 0, F_WRLCK);
64         } while (!ok && (errno == EINTR));
65
66         if (!ok) {
67                 DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
68                 return false;
69         }
70
71         DEBUG(10,("pid[%d] got for socket lock\n", (int)sys_getpid()));
72
73         return true;
74 }
75
76 void smbd_lock_socket(struct smbd_server_connection *sconn)
77 {
78         if (!smbd_lock_socket_internal(sconn)) {
79                 exit_server_cleanly("failed to lock socket");
80         }
81 }
82
83 static bool smbd_unlock_socket_internal(struct smbd_server_connection *sconn)
84 {
85         bool ok;
86
87         if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
88                 return true;
89         }
90
91         sconn->smb1.echo_handler.ref_count--;
92
93         if (sconn->smb1.echo_handler.ref_count > 0) {
94                 return true;
95         }
96
97         do {
98                 ok = fcntl_lock(
99                         sconn->smb1.echo_handler.socket_lock_fd,
100                         SMB_F_SETLKW, 0, 0, F_UNLCK);
101         } while (!ok && (errno == EINTR));
102
103         if (!ok) {
104                 DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
105                 return false;
106         }
107
108         DEBUG(10,("pid[%d] unlocked socket\n", (int)sys_getpid()));
109
110         return true;
111 }
112
113 void smbd_unlock_socket(struct smbd_server_connection *sconn)
114 {
115         if (!smbd_unlock_socket_internal(sconn)) {
116                 exit_server_cleanly("failed to unlock socket");
117         }
118 }
119
120 /* Accessor function for smb_read_error for smbd functions. */
121
122 /****************************************************************************
123  Send an smb to a fd.
124 ****************************************************************************/
125
126 bool srv_send_smb(struct smbd_server_connection *sconn, char *buffer,
127                   bool do_signing, uint32_t seqnum,
128                   bool do_encrypt,
129                   struct smb_perfcount_data *pcd)
130 {
131         size_t len = 0;
132         size_t nwritten=0;
133         ssize_t ret;
134         char *buf_out = buffer;
135
136         smbd_lock_socket(sconn);
137
138         if (do_signing) {
139                 /* Sign the outgoing packet if required. */
140                 srv_calculate_sign_mac(sconn, buf_out, seqnum);
141         }
142
143         if (do_encrypt) {
144                 NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
145                 if (!NT_STATUS_IS_OK(status)) {
146                         DEBUG(0, ("send_smb: SMB encryption failed "
147                                 "on outgoing packet! Error %s\n",
148                                 nt_errstr(status) ));
149                         goto out;
150                 }
151         }
152
153         len = smb_len(buf_out) + 4;
154
155         ret = write_data(sconn->sock, buf_out+nwritten, len - nwritten);
156         if (ret <= 0) {
157
158                 char addr[INET6_ADDRSTRLEN];
159                 /*
160                  * Try and give an error message saying what
161                  * client failed.
162                  */
163                 DEBUG(1,("pid[%d] Error writing %d bytes to client %s. %d. (%s)\n",
164                          (int)sys_getpid(), (int)len,
165                          get_peer_addr(sconn->sock, addr, sizeof(addr)),
166                          (int)ret, strerror(errno) ));
167
168                 srv_free_enc_buffer(buf_out);
169                 goto out;
170         }
171
172         SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
173         srv_free_enc_buffer(buf_out);
174 out:
175         SMB_PERFCOUNT_END(pcd);
176
177         smbd_unlock_socket(sconn);
178         return true;
179 }
180
181 /*******************************************************************
182  Setup the word count and byte count for a smb message.
183 ********************************************************************/
184
185 int srv_set_message(char *buf,
186                         int num_words,
187                         int num_bytes,
188                         bool zero)
189 {
190         if (zero && (num_words || num_bytes)) {
191                 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
192         }
193         SCVAL(buf,smb_wct,num_words);
194         SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
195         smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
196         return (smb_size + num_words*2 + num_bytes);
197 }
198
199 static bool valid_smb_header(const uint8_t *inbuf)
200 {
201         if (is_encrypted_packet(inbuf)) {
202                 return true;
203         }
204         /*
205          * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
206          * but it just looks weird to call strncmp for this one.
207          */
208         return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
209 }
210
211 /* Socket functions for smbd packet processing. */
212
213 static bool valid_packet_size(size_t len)
214 {
215         /*
216          * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
217          * of header. Don't print the error if this fits.... JRA.
218          */
219
220         if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
221                 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
222                                         (unsigned long)len));
223                 return false;
224         }
225         return true;
226 }
227
228 static NTSTATUS read_packet_remainder(int fd, char *buffer,
229                                       unsigned int timeout, ssize_t len)
230 {
231         NTSTATUS status;
232
233         if (len <= 0) {
234                 return NT_STATUS_OK;
235         }
236
237         status = read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
238         if (!NT_STATUS_IS_OK(status)) {
239                 char addr[INET6_ADDRSTRLEN];
240                 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
241                           "error = %s.\n",
242                           get_peer_addr(fd, addr, sizeof(addr)),
243                           nt_errstr(status)));
244         }
245         return status;
246 }
247
248 /****************************************************************************
249  Attempt a zerocopy writeX read. We know here that len > smb_size-4
250 ****************************************************************************/
251
252 /*
253  * Unfortunately, earlier versions of smbclient/libsmbclient
254  * don't send this "standard" writeX header. I've fixed this
255  * for 3.2 but we'll use the old method with earlier versions.
256  * Windows and CIFSFS at least use this standard size. Not
257  * sure about MacOSX.
258  */
259
260 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
261                                 (2*14) + /* word count (including bcc) */ \
262                                 1 /* pad byte */)
263
264 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
265                                                     const char lenbuf[4],
266                                                     struct smbd_server_connection *sconn,
267                                                     int sock,
268                                                     char **buffer,
269                                                     unsigned int timeout,
270                                                     size_t *p_unread,
271                                                     size_t *len_ret)
272 {
273         /* Size of a WRITEX call (+4 byte len). */
274         char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
275         ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
276         ssize_t toread;
277         NTSTATUS status;
278
279         memcpy(writeX_header, lenbuf, 4);
280
281         status = read_fd_with_timeout(
282                 sock, writeX_header + 4,
283                 STANDARD_WRITE_AND_X_HEADER_SIZE,
284                 STANDARD_WRITE_AND_X_HEADER_SIZE,
285                 timeout, NULL);
286
287         if (!NT_STATUS_IS_OK(status)) {
288                 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
289                           "error = %s.\n", sconn->client_id.addr,
290                           nt_errstr(status)));
291                 return status;
292         }
293
294         /*
295          * Ok - now try and see if this is a possible
296          * valid writeX call.
297          */
298
299         if (is_valid_writeX_buffer(sconn, (uint8_t *)writeX_header)) {
300                 /*
301                  * If the data offset is beyond what
302                  * we've read, drain the extra bytes.
303                  */
304                 uint16_t doff = SVAL(writeX_header,smb_vwv11);
305                 ssize_t newlen;
306
307                 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
308                         size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
309                         if (drain_socket(sock, drain) != drain) {
310                                 smb_panic("receive_smb_raw_talloc_partial_read:"
311                                         " failed to drain pending bytes");
312                         }
313                 } else {
314                         doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
315                 }
316
317                 /* Spoof down the length and null out the bcc. */
318                 set_message_bcc(writeX_header, 0);
319                 newlen = smb_len(writeX_header);
320
321                 /* Copy the header we've written. */
322
323                 *buffer = (char *)TALLOC_MEMDUP(mem_ctx,
324                                 writeX_header,
325                                 sizeof(writeX_header));
326
327                 if (*buffer == NULL) {
328                         DEBUG(0, ("Could not allocate inbuf of length %d\n",
329                                   (int)sizeof(writeX_header)));
330                         return NT_STATUS_NO_MEMORY;
331                 }
332
333                 /* Work out the remaining bytes. */
334                 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
335                 *len_ret = newlen + 4;
336                 return NT_STATUS_OK;
337         }
338
339         if (!valid_packet_size(len)) {
340                 return NT_STATUS_INVALID_PARAMETER;
341         }
342
343         /*
344          * Not a valid writeX call. Just do the standard
345          * talloc and return.
346          */
347
348         *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
349
350         if (*buffer == NULL) {
351                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
352                           (int)len+4));
353                 return NT_STATUS_NO_MEMORY;
354         }
355
356         /* Copy in what we already read. */
357         memcpy(*buffer,
358                 writeX_header,
359                 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
360         toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
361
362         if(toread > 0) {
363                 status = read_packet_remainder(
364                         sock,
365                         (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
366                         timeout, toread);
367
368                 if (!NT_STATUS_IS_OK(status)) {
369                         DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
370                                    nt_errstr(status)));
371                         return status;
372                 }
373         }
374
375         *len_ret = len + 4;
376         return NT_STATUS_OK;
377 }
378
379 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx,
380                                        struct smbd_server_connection *sconn,
381                                        int sock,
382                                        char **buffer, unsigned int timeout,
383                                        size_t *p_unread, size_t *plen)
384 {
385         char lenbuf[4];
386         size_t len;
387         int min_recv_size = lp_min_receive_file_size();
388         NTSTATUS status;
389
390         *p_unread = 0;
391
392         status = read_smb_length_return_keepalive(sock, lenbuf, timeout,
393                                                   &len);
394         if (!NT_STATUS_IS_OK(status)) {
395                 return status;
396         }
397
398         if (CVAL(lenbuf,0) == 0 && min_recv_size &&
399             (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
400                 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
401             !srv_is_signing_active(sconn) &&
402             sconn->smb1.echo_handler.trusted_fde == NULL) {
403
404                 return receive_smb_raw_talloc_partial_read(
405                         mem_ctx, lenbuf, sconn, sock, buffer, timeout,
406                         p_unread, plen);
407         }
408
409         if (!valid_packet_size(len)) {
410                 return NT_STATUS_INVALID_PARAMETER;
411         }
412
413         /*
414          * The +4 here can't wrap, we've checked the length above already.
415          */
416
417         *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
418
419         if (*buffer == NULL) {
420                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
421                           (int)len+4));
422                 return NT_STATUS_NO_MEMORY;
423         }
424
425         memcpy(*buffer, lenbuf, sizeof(lenbuf));
426
427         status = read_packet_remainder(sock, (*buffer)+4, timeout, len);
428         if (!NT_STATUS_IS_OK(status)) {
429                 return status;
430         }
431
432         *plen = len + 4;
433         return NT_STATUS_OK;
434 }
435
436 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx,
437                                    struct smbd_server_connection *sconn,
438                                    int sock,
439                                    char **buffer, unsigned int timeout,
440                                    size_t *p_unread, bool *p_encrypted,
441                                    size_t *p_len,
442                                    uint32_t *seqnum,
443                                    bool trusted_channel)
444 {
445         size_t len = 0;
446         NTSTATUS status;
447
448         *p_encrypted = false;
449
450         status = receive_smb_raw_talloc(mem_ctx, sconn, sock, buffer, timeout,
451                                         p_unread, &len);
452         if (!NT_STATUS_IS_OK(status)) {
453                 DEBUG(1, ("read_smb_length_return_keepalive failed for "
454                           "client %s read error = %s.\n",
455                           sconn->client_id.addr, nt_errstr(status)));
456                 return status;
457         }
458
459         if (is_encrypted_packet((uint8_t *)*buffer)) {
460                 status = srv_decrypt_buffer(*buffer);
461                 if (!NT_STATUS_IS_OK(status)) {
462                         DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
463                                 "incoming packet! Error %s\n",
464                                 nt_errstr(status) ));
465                         return status;
466                 }
467                 *p_encrypted = true;
468         }
469
470         /* Check the incoming SMB signature. */
471         if (!srv_check_sign_mac(sconn, *buffer, seqnum, trusted_channel)) {
472                 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
473                           "incoming packet!\n"));
474                 return NT_STATUS_INVALID_NETWORK_RESPONSE;
475         }
476
477         *p_len = len;
478         return NT_STATUS_OK;
479 }
480
481 /*
482  * Initialize a struct smb_request from an inbuf
483  */
484
485 static bool init_smb_request(struct smb_request *req,
486                              struct smbd_server_connection *sconn,
487                              const uint8 *inbuf,
488                              size_t unread_bytes, bool encrypted,
489                              uint32_t seqnum)
490 {
491         size_t req_size = smb_len(inbuf) + 4;
492         /* Ensure we have at least smb_size bytes. */
493         if (req_size < smb_size) {
494                 DEBUG(0,("init_smb_request: invalid request size %u\n",
495                         (unsigned int)req_size ));
496                 return false;
497         }
498         req->cmd    = CVAL(inbuf, smb_com);
499         req->flags2 = SVAL(inbuf, smb_flg2);
500         req->smbpid = SVAL(inbuf, smb_pid);
501         req->mid    = (uint64_t)SVAL(inbuf, smb_mid);
502         req->seqnum = seqnum;
503         req->vuid   = SVAL(inbuf, smb_uid);
504         req->tid    = SVAL(inbuf, smb_tid);
505         req->wct    = CVAL(inbuf, smb_wct);
506         req->vwv    = (uint16_t *)(inbuf+smb_vwv);
507         req->buflen = smb_buflen(inbuf);
508         req->buf    = (const uint8_t *)smb_buf(inbuf);
509         req->unread_bytes = unread_bytes;
510         req->encrypted = encrypted;
511         req->sconn = sconn;
512         req->conn = conn_find(sconn,req->tid);
513         req->chain_fsp = NULL;
514         req->chain_outbuf = NULL;
515         req->done = false;
516         req->smb2req = NULL;
517         smb_init_perfcount_data(&req->pcd);
518
519         /* Ensure we have at least wct words and 2 bytes of bcc. */
520         if (smb_size + req->wct*2 > req_size) {
521                 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
522                         (unsigned int)req->wct,
523                         (unsigned int)req_size));
524                 return false;
525         }
526         /* Ensure bcc is correct. */
527         if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
528                 DEBUG(0,("init_smb_request: invalid bcc number %u "
529                         "(wct = %u, size %u)\n",
530                         (unsigned int)req->buflen,
531                         (unsigned int)req->wct,
532                         (unsigned int)req_size));
533                 return false;
534         }
535
536         req->outbuf = NULL;
537         return true;
538 }
539
540 static void process_smb(struct smbd_server_connection *conn,
541                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
542                         uint32_t seqnum, bool encrypted,
543                         struct smb_perfcount_data *deferred_pcd);
544
545 static void smbd_deferred_open_timer(struct event_context *ev,
546                                      struct timed_event *te,
547                                      struct timeval _tval,
548                                      void *private_data)
549 {
550         struct pending_message_list *msg = talloc_get_type(private_data,
551                                            struct pending_message_list);
552         TALLOC_CTX *mem_ctx = talloc_tos();
553         uint64_t mid = (uint64_t)SVAL(msg->buf.data,smb_mid);
554         uint8_t *inbuf;
555
556         inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
557                                          msg->buf.length);
558         if (inbuf == NULL) {
559                 exit_server("smbd_deferred_open_timer: talloc failed\n");
560                 return;
561         }
562
563         /* We leave this message on the queue so the open code can
564            know this is a retry. */
565         DEBUG(5,("smbd_deferred_open_timer: trigger mid %llu.\n",
566                 (unsigned long long)mid ));
567
568         /* Mark the message as processed so this is not
569          * re-processed in error. */
570         msg->processed = true;
571
572         process_smb(smbd_server_conn, inbuf,
573                     msg->buf.length, 0,
574                     msg->seqnum, msg->encrypted, &msg->pcd);
575
576         /* If it's still there and was processed, remove it. */
577         msg = get_deferred_open_message_smb(mid);
578         if (msg && msg->processed) {
579                 remove_deferred_open_message_smb(mid);
580         }
581 }
582
583 /****************************************************************************
584  Function to push a message onto the tail of a linked list of smb messages ready
585  for processing.
586 ****************************************************************************/
587
588 static bool push_queued_message(struct smb_request *req,
589                                 struct timeval request_time,
590                                 struct timeval end_time,
591                                 char *private_data, size_t private_len)
592 {
593         int msg_len = smb_len(req->inbuf) + 4;
594         struct pending_message_list *msg;
595
596         msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
597
598         if(msg == NULL) {
599                 DEBUG(0,("push_message: malloc fail (1)\n"));
600                 return False;
601         }
602
603         msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
604         if(msg->buf.data == NULL) {
605                 DEBUG(0,("push_message: malloc fail (2)\n"));
606                 TALLOC_FREE(msg);
607                 return False;
608         }
609
610         msg->request_time = request_time;
611         msg->seqnum = req->seqnum;
612         msg->encrypted = req->encrypted;
613         msg->processed = false;
614         SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
615
616         if (private_data) {
617                 msg->private_data = data_blob_talloc(msg, private_data,
618                                                      private_len);
619                 if (msg->private_data.data == NULL) {
620                         DEBUG(0,("push_message: malloc fail (3)\n"));
621                         TALLOC_FREE(msg);
622                         return False;
623                 }
624         }
625
626         msg->te = event_add_timed(smbd_event_context(),
627                                   msg,
628                                   end_time,
629                                   smbd_deferred_open_timer,
630                                   msg);
631         if (!msg->te) {
632                 DEBUG(0,("push_message: event_add_timed failed\n"));
633                 TALLOC_FREE(msg);
634                 return false;
635         }
636
637         DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
638
639         DEBUG(10,("push_message: pushed message length %u on "
640                   "deferred_open_queue\n", (unsigned int)msg_len));
641
642         return True;
643 }
644
645 /****************************************************************************
646  Function to delete a sharing violation open message by mid.
647 ****************************************************************************/
648
649 void remove_deferred_open_message_smb(uint64_t mid)
650 {
651         struct pending_message_list *pml;
652
653         if (smbd_server_conn->using_smb2) {
654                 remove_deferred_open_message_smb2(smbd_server_conn, mid);
655                 return;
656         }
657
658         for (pml = deferred_open_queue; pml; pml = pml->next) {
659                 if (mid == (uint64_t)SVAL(pml->buf.data,smb_mid)) {
660                         DEBUG(10,("remove_deferred_open_message_smb: "
661                                   "deleting mid %llu len %u\n",
662                                   (unsigned long long)mid,
663                                   (unsigned int)pml->buf.length ));
664                         DLIST_REMOVE(deferred_open_queue, pml);
665                         TALLOC_FREE(pml);
666                         return;
667                 }
668         }
669 }
670
671 /****************************************************************************
672  Move a sharing violation open retry message to the front of the list and
673  schedule it for immediate processing.
674 ****************************************************************************/
675
676 void schedule_deferred_open_message_smb(uint64_t mid)
677 {
678         struct pending_message_list *pml;
679         int i = 0;
680
681         if (smbd_server_conn->using_smb2) {
682                 schedule_deferred_open_message_smb2(smbd_server_conn, mid);
683                 return;
684         }
685
686         for (pml = deferred_open_queue; pml; pml = pml->next) {
687                 uint64_t msg_mid = (uint64_t)SVAL(pml->buf.data,smb_mid);
688
689                 DEBUG(10,("schedule_deferred_open_message_smb: [%d] "
690                         "msg_mid = %llu\n",
691                         i++,
692                         (unsigned long long)msg_mid ));
693
694                 if (mid == msg_mid) {
695                         struct timed_event *te;
696
697                         if (pml->processed) {
698                                 /* A processed message should not be
699                                  * rescheduled. */
700                                 DEBUG(0,("schedule_deferred_open_message_smb: LOGIC ERROR "
701                                         "message mid %llu was already processed\n",
702                                         (unsigned long long)msg_mid ));
703                                 continue;
704                         }
705
706                         DEBUG(10,("schedule_deferred_open_message_smb: "
707                                 "scheduling mid %llu\n",
708                                 (unsigned long long)mid ));
709
710                         te = event_add_timed(smbd_event_context(),
711                                              pml,
712                                              timeval_zero(),
713                                              smbd_deferred_open_timer,
714                                              pml);
715                         if (!te) {
716                                 DEBUG(10,("schedule_deferred_open_message_smb: "
717                                         "event_add_timed() failed, "
718                                         "skipping mid %llu\n",
719                                         (unsigned long long)msg_mid ));
720                         }
721
722                         TALLOC_FREE(pml->te);
723                         pml->te = te;
724                         DLIST_PROMOTE(deferred_open_queue, pml);
725                         return;
726                 }
727         }
728
729         DEBUG(10,("schedule_deferred_open_message_smb: failed to "
730                 "find message mid %llu\n",
731                 (unsigned long long)mid ));
732 }
733
734 /****************************************************************************
735  Return true if this mid is on the deferred queue and was not yet processed.
736 ****************************************************************************/
737
738 bool open_was_deferred(uint64_t mid)
739 {
740         struct pending_message_list *pml;
741
742         if (smbd_server_conn->using_smb2) {
743                 return open_was_deferred_smb2(smbd_server_conn, mid);
744         }
745
746         for (pml = deferred_open_queue; pml; pml = pml->next) {
747                 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid && !pml->processed) {
748                         return True;
749                 }
750         }
751         return False;
752 }
753
754 /****************************************************************************
755  Return the message queued by this mid.
756 ****************************************************************************/
757
758 static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid)
759 {
760         struct pending_message_list *pml;
761
762         for (pml = deferred_open_queue; pml; pml = pml->next) {
763                 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid) {
764                         return pml;
765                 }
766         }
767         return NULL;
768 }
769
770 /****************************************************************************
771  Get the state data queued by this mid.
772 ****************************************************************************/
773
774 bool get_deferred_open_message_state(struct smb_request *smbreq,
775                                 struct timeval *p_request_time,
776                                 void **pp_state)
777 {
778         struct pending_message_list *pml;
779
780         if (smbd_server_conn->using_smb2) {
781                 return get_deferred_open_message_state_smb2(smbreq->smb2req,
782                                         p_request_time,
783                                         pp_state);
784         }
785
786         pml = get_deferred_open_message_smb(smbreq->mid);
787         if (!pml) {
788                 return false;
789         }
790         if (p_request_time) {
791                 *p_request_time = pml->request_time;
792         }
793         if (pp_state) {
794                 *pp_state = (void *)pml->private_data.data;
795         }
796         return true;
797 }
798
799 /****************************************************************************
800  Function to push a deferred open smb message onto a linked list of local smb
801  messages ready for processing.
802 ****************************************************************************/
803
804 bool push_deferred_open_message_smb(struct smb_request *req,
805                                struct timeval request_time,
806                                struct timeval timeout,
807                                struct file_id id,
808                                char *private_data, size_t priv_len)
809 {
810         struct timeval end_time;
811
812         if (req->smb2req) {
813                 return push_deferred_open_message_smb2(req->smb2req,
814                                                 request_time,
815                                                 timeout,
816                                                 id,
817                                                 private_data,
818                                                 priv_len);
819         }
820
821         if (req->unread_bytes) {
822                 DEBUG(0,("push_deferred_open_message_smb: logic error ! "
823                         "unread_bytes = %u\n",
824                         (unsigned int)req->unread_bytes ));
825                 smb_panic("push_deferred_open_message_smb: "
826                         "logic error unread_bytes != 0" );
827         }
828
829         end_time = timeval_sum(&request_time, &timeout);
830
831         DEBUG(10,("push_deferred_open_message_smb: pushing message "
832                 "len %u mid %llu timeout time [%u.%06u]\n",
833                 (unsigned int) smb_len(req->inbuf)+4,
834                 (unsigned long long)req->mid,
835                 (unsigned int)end_time.tv_sec,
836                 (unsigned int)end_time.tv_usec));
837
838         return push_queued_message(req, request_time, end_time,
839                                    private_data, priv_len);
840 }
841
842 struct idle_event {
843         struct timed_event *te;
844         struct timeval interval;
845         char *name;
846         bool (*handler)(const struct timeval *now, void *private_data);
847         void *private_data;
848 };
849
850 static void smbd_idle_event_handler(struct event_context *ctx,
851                                     struct timed_event *te,
852                                     struct timeval now,
853                                     void *private_data)
854 {
855         struct idle_event *event =
856                 talloc_get_type_abort(private_data, struct idle_event);
857
858         TALLOC_FREE(event->te);
859
860         DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
861                   event->name, event->te));
862
863         if (!event->handler(&now, event->private_data)) {
864                 DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
865                           event->name, event->te));
866                 /* Don't repeat, delete ourselves */
867                 TALLOC_FREE(event);
868                 return;
869         }
870
871         DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
872                   event->name, event->te));
873
874         event->te = event_add_timed(ctx, event,
875                                     timeval_sum(&now, &event->interval),
876                                     smbd_idle_event_handler, event);
877
878         /* We can't do much but fail here. */
879         SMB_ASSERT(event->te != NULL);
880 }
881
882 struct idle_event *event_add_idle(struct event_context *event_ctx,
883                                   TALLOC_CTX *mem_ctx,
884                                   struct timeval interval,
885                                   const char *name,
886                                   bool (*handler)(const struct timeval *now,
887                                                   void *private_data),
888                                   void *private_data)
889 {
890         struct idle_event *result;
891         struct timeval now = timeval_current();
892
893         result = TALLOC_P(mem_ctx, struct idle_event);
894         if (result == NULL) {
895                 DEBUG(0, ("talloc failed\n"));
896                 return NULL;
897         }
898
899         result->interval = interval;
900         result->handler = handler;
901         result->private_data = private_data;
902
903         if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
904                 DEBUG(0, ("talloc failed\n"));
905                 TALLOC_FREE(result);
906                 return NULL;
907         }
908
909         result->te = event_add_timed(event_ctx, result,
910                                      timeval_sum(&now, &interval),
911                                      smbd_idle_event_handler, result);
912         if (result->te == NULL) {
913                 DEBUG(0, ("event_add_timed failed\n"));
914                 TALLOC_FREE(result);
915                 return NULL;
916         }
917
918         DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
919         return result;
920 }
921
922 static void smbd_sig_term_handler(struct tevent_context *ev,
923                                   struct tevent_signal *se,
924                                   int signum,
925                                   int count,
926                                   void *siginfo,
927                                   void *private_data)
928 {
929         exit_server_cleanly("termination signal");
930 }
931
932 void smbd_setup_sig_term_handler(void)
933 {
934         struct tevent_signal *se;
935
936         se = tevent_add_signal(smbd_event_context(),
937                                smbd_event_context(),
938                                SIGTERM, 0,
939                                smbd_sig_term_handler,
940                                NULL);
941         if (!se) {
942                 exit_server("failed to setup SIGTERM handler");
943         }
944 }
945
946 static void smbd_sig_hup_handler(struct tevent_context *ev,
947                                   struct tevent_signal *se,
948                                   int signum,
949                                   int count,
950                                   void *siginfo,
951                                   void *private_data)
952 {
953         struct messaging_context *msg_ctx = talloc_get_type_abort(
954                 private_data, struct messaging_context);
955         change_to_root_user();
956         DEBUG(1,("Reloading services after SIGHUP\n"));
957         reload_services(msg_ctx, smbd_server_conn->sock, False);
958         if (am_parent) {
959                 pcap_cache_reload(ev, msg_ctx, &reload_pcap_change_notify);
960         }
961 }
962
963 void smbd_setup_sig_hup_handler(struct tevent_context *ev,
964                                 struct messaging_context *msg_ctx)
965 {
966         struct tevent_signal *se;
967
968         se = tevent_add_signal(ev, ev, SIGHUP, 0, smbd_sig_hup_handler,
969                                msg_ctx);
970         if (!se) {
971                 exit_server("failed to setup SIGHUP handler");
972         }
973 }
974
975 static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
976 {
977         int timeout;
978         int num_pfds = 0;
979         int ret;
980         bool retry;
981
982         timeout = SMBD_SELECT_TIMEOUT * 1000;
983
984         /*
985          * Are there any timed events waiting ? If so, ensure we don't
986          * select for longer than it would take to wait for them.
987          */
988
989         event_add_to_poll_args(smbd_event_context(), conn,
990                                &conn->pfds, &num_pfds, &timeout);
991
992         /* Process a signal and timed events now... */
993         if (run_events_poll(smbd_event_context(), 0, NULL, 0)) {
994                 return NT_STATUS_RETRY;
995         }
996
997         {
998                 int sav;
999                 START_PROFILE(smbd_idle);
1000
1001                 ret = sys_poll(conn->pfds, num_pfds, timeout);
1002                 sav = errno;
1003
1004                 END_PROFILE(smbd_idle);
1005                 errno = sav;
1006         }
1007
1008         if (ret == -1) {
1009                 if (errno == EINTR) {
1010                         return NT_STATUS_RETRY;
1011                 }
1012                 return map_nt_error_from_unix(errno);
1013         }
1014
1015         retry = run_events_poll(smbd_event_context(), ret, conn->pfds,
1016                                 num_pfds);
1017         if (retry) {
1018                 return NT_STATUS_RETRY;
1019         }
1020
1021         /* Did we timeout ? */
1022         if (ret == 0) {
1023                 return NT_STATUS_RETRY;
1024         }
1025
1026         /* should not be reached */
1027         return NT_STATUS_INTERNAL_ERROR;
1028 }
1029
1030 /*
1031  * Only allow 5 outstanding trans requests. We're allocating memory, so
1032  * prevent a DoS.
1033  */
1034
1035 NTSTATUS allow_new_trans(struct trans_state *list, uint64_t mid)
1036 {
1037         int count = 0;
1038         for (; list != NULL; list = list->next) {
1039
1040                 if (list->mid == mid) {
1041                         return NT_STATUS_INVALID_PARAMETER;
1042                 }
1043
1044                 count += 1;
1045         }
1046         if (count > 5) {
1047                 return NT_STATUS_INSUFFICIENT_RESOURCES;
1048         }
1049
1050         return NT_STATUS_OK;
1051 }
1052
1053 /*
1054 These flags determine some of the permissions required to do an operation 
1055
1056 Note that I don't set NEED_WRITE on some write operations because they
1057 are used by some brain-dead clients when printing, and I don't want to
1058 force write permissions on print services.
1059 */
1060 #define AS_USER (1<<0)
1061 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
1062 #define TIME_INIT (1<<2)
1063 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
1064 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
1065 #define DO_CHDIR (1<<6)
1066
1067 /* 
1068    define a list of possible SMB messages and their corresponding
1069    functions. Any message that has a NULL function is unimplemented -
1070    please feel free to contribute implementations!
1071 */
1072 static const struct smb_message_struct {
1073         const char *name;
1074         void (*fn)(struct smb_request *req);
1075         int flags;
1076 } smb_messages[256] = {
1077
1078 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
1079 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
1080 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
1081 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
1082 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
1083 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
1084 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
1085 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
1086 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
1087 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
1088 /* 0x0a */ { "SMBread",reply_read,AS_USER},
1089 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
1090 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
1091 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
1092 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
1093 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
1094 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
1095 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
1096 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
1097 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
1098 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
1099 /* 0x15 */ { NULL, NULL, 0 },
1100 /* 0x16 */ { NULL, NULL, 0 },
1101 /* 0x17 */ { NULL, NULL, 0 },
1102 /* 0x18 */ { NULL, NULL, 0 },
1103 /* 0x19 */ { NULL, NULL, 0 },
1104 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
1105 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
1106 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
1107 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
1108 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
1109 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
1110 /* 0x20 */ { "SMBwritec", NULL,0},
1111 /* 0x21 */ { NULL, NULL, 0 },
1112 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
1113 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
1114 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
1115 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
1116 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
1117 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
1118 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
1119 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
1120 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
1121 /* 0x2b */ { "SMBecho",reply_echo,0},
1122 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
1123 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
1124 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
1125 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
1126 /* 0x30 */ { NULL, NULL, 0 },
1127 /* 0x31 */ { NULL, NULL, 0 },
1128 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
1129 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
1130 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
1131 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
1132 /* 0x36 */ { NULL, NULL, 0 },
1133 /* 0x37 */ { NULL, NULL, 0 },
1134 /* 0x38 */ { NULL, NULL, 0 },
1135 /* 0x39 */ { NULL, NULL, 0 },
1136 /* 0x3a */ { NULL, NULL, 0 },
1137 /* 0x3b */ { NULL, NULL, 0 },
1138 /* 0x3c */ { NULL, NULL, 0 },
1139 /* 0x3d */ { NULL, NULL, 0 },
1140 /* 0x3e */ { NULL, NULL, 0 },
1141 /* 0x3f */ { NULL, NULL, 0 },
1142 /* 0x40 */ { NULL, NULL, 0 },
1143 /* 0x41 */ { NULL, NULL, 0 },
1144 /* 0x42 */ { NULL, NULL, 0 },
1145 /* 0x43 */ { NULL, NULL, 0 },
1146 /* 0x44 */ { NULL, NULL, 0 },
1147 /* 0x45 */ { NULL, NULL, 0 },
1148 /* 0x46 */ { NULL, NULL, 0 },
1149 /* 0x47 */ { NULL, NULL, 0 },
1150 /* 0x48 */ { NULL, NULL, 0 },
1151 /* 0x49 */ { NULL, NULL, 0 },
1152 /* 0x4a */ { NULL, NULL, 0 },
1153 /* 0x4b */ { NULL, NULL, 0 },
1154 /* 0x4c */ { NULL, NULL, 0 },
1155 /* 0x4d */ { NULL, NULL, 0 },
1156 /* 0x4e */ { NULL, NULL, 0 },
1157 /* 0x4f */ { NULL, NULL, 0 },
1158 /* 0x50 */ { NULL, NULL, 0 },
1159 /* 0x51 */ { NULL, NULL, 0 },
1160 /* 0x52 */ { NULL, NULL, 0 },
1161 /* 0x53 */ { NULL, NULL, 0 },
1162 /* 0x54 */ { NULL, NULL, 0 },
1163 /* 0x55 */ { NULL, NULL, 0 },
1164 /* 0x56 */ { NULL, NULL, 0 },
1165 /* 0x57 */ { NULL, NULL, 0 },
1166 /* 0x58 */ { NULL, NULL, 0 },
1167 /* 0x59 */ { NULL, NULL, 0 },
1168 /* 0x5a */ { NULL, NULL, 0 },
1169 /* 0x5b */ { NULL, NULL, 0 },
1170 /* 0x5c */ { NULL, NULL, 0 },
1171 /* 0x5d */ { NULL, NULL, 0 },
1172 /* 0x5e */ { NULL, NULL, 0 },
1173 /* 0x5f */ { NULL, NULL, 0 },
1174 /* 0x60 */ { NULL, NULL, 0 },
1175 /* 0x61 */ { NULL, NULL, 0 },
1176 /* 0x62 */ { NULL, NULL, 0 },
1177 /* 0x63 */ { NULL, NULL, 0 },
1178 /* 0x64 */ { NULL, NULL, 0 },
1179 /* 0x65 */ { NULL, NULL, 0 },
1180 /* 0x66 */ { NULL, NULL, 0 },
1181 /* 0x67 */ { NULL, NULL, 0 },
1182 /* 0x68 */ { NULL, NULL, 0 },
1183 /* 0x69 */ { NULL, NULL, 0 },
1184 /* 0x6a */ { NULL, NULL, 0 },
1185 /* 0x6b */ { NULL, NULL, 0 },
1186 /* 0x6c */ { NULL, NULL, 0 },
1187 /* 0x6d */ { NULL, NULL, 0 },
1188 /* 0x6e */ { NULL, NULL, 0 },
1189 /* 0x6f */ { NULL, NULL, 0 },
1190 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1191 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1192 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1193 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1194 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1195 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1196 /* 0x76 */ { NULL, NULL, 0 },
1197 /* 0x77 */ { NULL, NULL, 0 },
1198 /* 0x78 */ { NULL, NULL, 0 },
1199 /* 0x79 */ { NULL, NULL, 0 },
1200 /* 0x7a */ { NULL, NULL, 0 },
1201 /* 0x7b */ { NULL, NULL, 0 },
1202 /* 0x7c */ { NULL, NULL, 0 },
1203 /* 0x7d */ { NULL, NULL, 0 },
1204 /* 0x7e */ { NULL, NULL, 0 },
1205 /* 0x7f */ { NULL, NULL, 0 },
1206 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1207 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1208 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1209 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1210 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1211 /* 0x85 */ { NULL, NULL, 0 },
1212 /* 0x86 */ { NULL, NULL, 0 },
1213 /* 0x87 */ { NULL, NULL, 0 },
1214 /* 0x88 */ { NULL, NULL, 0 },
1215 /* 0x89 */ { NULL, NULL, 0 },
1216 /* 0x8a */ { NULL, NULL, 0 },
1217 /* 0x8b */ { NULL, NULL, 0 },
1218 /* 0x8c */ { NULL, NULL, 0 },
1219 /* 0x8d */ { NULL, NULL, 0 },
1220 /* 0x8e */ { NULL, NULL, 0 },
1221 /* 0x8f */ { NULL, NULL, 0 },
1222 /* 0x90 */ { NULL, NULL, 0 },
1223 /* 0x91 */ { NULL, NULL, 0 },
1224 /* 0x92 */ { NULL, NULL, 0 },
1225 /* 0x93 */ { NULL, NULL, 0 },
1226 /* 0x94 */ { NULL, NULL, 0 },
1227 /* 0x95 */ { NULL, NULL, 0 },
1228 /* 0x96 */ { NULL, NULL, 0 },
1229 /* 0x97 */ { NULL, NULL, 0 },
1230 /* 0x98 */ { NULL, NULL, 0 },
1231 /* 0x99 */ { NULL, NULL, 0 },
1232 /* 0x9a */ { NULL, NULL, 0 },
1233 /* 0x9b */ { NULL, NULL, 0 },
1234 /* 0x9c */ { NULL, NULL, 0 },
1235 /* 0x9d */ { NULL, NULL, 0 },
1236 /* 0x9e */ { NULL, NULL, 0 },
1237 /* 0x9f */ { NULL, NULL, 0 },
1238 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1239 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1240 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1241 /* 0xa3 */ { NULL, NULL, 0 },
1242 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1243 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1244 /* 0xa6 */ { NULL, NULL, 0 },
1245 /* 0xa7 */ { NULL, NULL, 0 },
1246 /* 0xa8 */ { NULL, NULL, 0 },
1247 /* 0xa9 */ { NULL, NULL, 0 },
1248 /* 0xaa */ { NULL, NULL, 0 },
1249 /* 0xab */ { NULL, NULL, 0 },
1250 /* 0xac */ { NULL, NULL, 0 },
1251 /* 0xad */ { NULL, NULL, 0 },
1252 /* 0xae */ { NULL, NULL, 0 },
1253 /* 0xaf */ { NULL, NULL, 0 },
1254 /* 0xb0 */ { NULL, NULL, 0 },
1255 /* 0xb1 */ { NULL, NULL, 0 },
1256 /* 0xb2 */ { NULL, NULL, 0 },
1257 /* 0xb3 */ { NULL, NULL, 0 },
1258 /* 0xb4 */ { NULL, NULL, 0 },
1259 /* 0xb5 */ { NULL, NULL, 0 },
1260 /* 0xb6 */ { NULL, NULL, 0 },
1261 /* 0xb7 */ { NULL, NULL, 0 },
1262 /* 0xb8 */ { NULL, NULL, 0 },
1263 /* 0xb9 */ { NULL, NULL, 0 },
1264 /* 0xba */ { NULL, NULL, 0 },
1265 /* 0xbb */ { NULL, NULL, 0 },
1266 /* 0xbc */ { NULL, NULL, 0 },
1267 /* 0xbd */ { NULL, NULL, 0 },
1268 /* 0xbe */ { NULL, NULL, 0 },
1269 /* 0xbf */ { NULL, NULL, 0 },
1270 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1271 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1272 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1273 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1274 /* 0xc4 */ { NULL, NULL, 0 },
1275 /* 0xc5 */ { NULL, NULL, 0 },
1276 /* 0xc6 */ { NULL, NULL, 0 },
1277 /* 0xc7 */ { NULL, NULL, 0 },
1278 /* 0xc8 */ { NULL, NULL, 0 },
1279 /* 0xc9 */ { NULL, NULL, 0 },
1280 /* 0xca */ { NULL, NULL, 0 },
1281 /* 0xcb */ { NULL, NULL, 0 },
1282 /* 0xcc */ { NULL, NULL, 0 },
1283 /* 0xcd */ { NULL, NULL, 0 },
1284 /* 0xce */ { NULL, NULL, 0 },
1285 /* 0xcf */ { NULL, NULL, 0 },
1286 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1287 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1288 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1289 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1290 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1291 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1292 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1293 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1294 /* 0xd8 */ { NULL, NULL, 0 },
1295 /* 0xd9 */ { NULL, NULL, 0 },
1296 /* 0xda */ { NULL, NULL, 0 },
1297 /* 0xdb */ { NULL, NULL, 0 },
1298 /* 0xdc */ { NULL, NULL, 0 },
1299 /* 0xdd */ { NULL, NULL, 0 },
1300 /* 0xde */ { NULL, NULL, 0 },
1301 /* 0xdf */ { NULL, NULL, 0 },
1302 /* 0xe0 */ { NULL, NULL, 0 },
1303 /* 0xe1 */ { NULL, NULL, 0 },
1304 /* 0xe2 */ { NULL, NULL, 0 },
1305 /* 0xe3 */ { NULL, NULL, 0 },
1306 /* 0xe4 */ { NULL, NULL, 0 },
1307 /* 0xe5 */ { NULL, NULL, 0 },
1308 /* 0xe6 */ { NULL, NULL, 0 },
1309 /* 0xe7 */ { NULL, NULL, 0 },
1310 /* 0xe8 */ { NULL, NULL, 0 },
1311 /* 0xe9 */ { NULL, NULL, 0 },
1312 /* 0xea */ { NULL, NULL, 0 },
1313 /* 0xeb */ { NULL, NULL, 0 },
1314 /* 0xec */ { NULL, NULL, 0 },
1315 /* 0xed */ { NULL, NULL, 0 },
1316 /* 0xee */ { NULL, NULL, 0 },
1317 /* 0xef */ { NULL, NULL, 0 },
1318 /* 0xf0 */ { NULL, NULL, 0 },
1319 /* 0xf1 */ { NULL, NULL, 0 },
1320 /* 0xf2 */ { NULL, NULL, 0 },
1321 /* 0xf3 */ { NULL, NULL, 0 },
1322 /* 0xf4 */ { NULL, NULL, 0 },
1323 /* 0xf5 */ { NULL, NULL, 0 },
1324 /* 0xf6 */ { NULL, NULL, 0 },
1325 /* 0xf7 */ { NULL, NULL, 0 },
1326 /* 0xf8 */ { NULL, NULL, 0 },
1327 /* 0xf9 */ { NULL, NULL, 0 },
1328 /* 0xfa */ { NULL, NULL, 0 },
1329 /* 0xfb */ { NULL, NULL, 0 },
1330 /* 0xfc */ { NULL, NULL, 0 },
1331 /* 0xfd */ { NULL, NULL, 0 },
1332 /* 0xfe */ { NULL, NULL, 0 },
1333 /* 0xff */ { NULL, NULL, 0 }
1334
1335 };
1336
1337 /*******************************************************************
1338  allocate and initialize a reply packet
1339 ********************************************************************/
1340
1341 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1342                           const char *inbuf, char **outbuf, uint8_t num_words,
1343                           uint32_t num_bytes)
1344 {
1345         /*
1346          * Protect against integer wrap
1347          */
1348         if ((num_bytes > 0xffffff)
1349             || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1350                 char *msg;
1351                 if (asprintf(&msg, "num_bytes too large: %u",
1352                              (unsigned)num_bytes) == -1) {
1353                         msg = CONST_DISCARD(char *, "num_bytes too large");
1354                 }
1355                 smb_panic(msg);
1356         }
1357
1358         *outbuf = TALLOC_ARRAY(mem_ctx, char,
1359                                smb_size + num_words*2 + num_bytes);
1360         if (*outbuf == NULL) {
1361                 return false;
1362         }
1363
1364         construct_reply_common(req, inbuf, *outbuf);
1365         srv_set_message(*outbuf, num_words, num_bytes, false);
1366         /*
1367          * Zero out the word area, the caller has to take care of the bcc area
1368          * himself
1369          */
1370         if (num_words != 0) {
1371                 memset(*outbuf + smb_vwv0, 0, num_words*2);
1372         }
1373
1374         return true;
1375 }
1376
1377 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1378 {
1379         char *outbuf;
1380         if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1381                            num_bytes)) {
1382                 smb_panic("could not allocate output buffer\n");
1383         }
1384         req->outbuf = (uint8_t *)outbuf;
1385 }
1386
1387
1388 /*******************************************************************
1389  Dump a packet to a file.
1390 ********************************************************************/
1391
1392 static void smb_dump(const char *name, int type, const char *data, ssize_t len)
1393 {
1394         int fd, i;
1395         char *fname = NULL;
1396         if (DEBUGLEVEL < 50) {
1397                 return;
1398         }
1399
1400         if (len < 4) len = smb_len(data)+4;
1401         for (i=1;i<100;i++) {
1402                 if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1403                              type ? "req" : "resp") == -1) {
1404                         return;
1405                 }
1406                 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1407                 if (fd != -1 || errno != EEXIST) break;
1408         }
1409         if (fd != -1) {
1410                 ssize_t ret = write(fd, data, len);
1411                 if (ret != len)
1412                         DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1413                 close(fd);
1414                 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1415         }
1416         SAFE_FREE(fname);
1417 }
1418
1419 /****************************************************************************
1420  Prepare everything for calling the actual request function, and potentially
1421  call the request function via the "new" interface.
1422
1423  Return False if the "legacy" function needs to be called, everything is
1424  prepared.
1425
1426  Return True if we're done.
1427
1428  I know this API sucks, but it is the one with the least code change I could
1429  find.
1430 ****************************************************************************/
1431
1432 static connection_struct *switch_message(uint8 type, struct smb_request *req, int size)
1433 {
1434         int flags;
1435         uint16 session_tag;
1436         connection_struct *conn = NULL;
1437         struct smbd_server_connection *sconn = req->sconn;
1438
1439         errno = 0;
1440
1441         /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1442          * so subtract 4 from it. */
1443         if (!valid_smb_header(req->inbuf)
1444             || (size < (smb_size - 4))) {
1445                 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1446                          smb_len(req->inbuf)));
1447                 exit_server_cleanly("Non-SMB packet");
1448         }
1449
1450         if (smb_messages[type].fn == NULL) {
1451                 DEBUG(0,("Unknown message type %d!\n",type));
1452                 smb_dump("Unknown", 1, (char *)req->inbuf, size);
1453                 reply_unknown_new(req, type);
1454                 return NULL;
1455         }
1456
1457         flags = smb_messages[type].flags;
1458
1459         /* In share mode security we must ignore the vuid. */
1460         session_tag = (lp_security() == SEC_SHARE)
1461                 ? UID_FIELD_INVALID : req->vuid;
1462         conn = req->conn;
1463
1464         DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1465                  (int)sys_getpid(), (unsigned long)conn));
1466
1467         smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1468
1469         /* Ensure this value is replaced in the incoming packet. */
1470         SSVAL(req->inbuf,smb_uid,session_tag);
1471
1472         /*
1473          * Ensure the correct username is in current_user_info.  This is a
1474          * really ugly bugfix for problems with multiple session_setup_and_X's
1475          * being done and allowing %U and %G substitutions to work correctly.
1476          * There is a reason this code is done here, don't move it unless you
1477          * know what you're doing... :-).
1478          * JRA.
1479          */
1480
1481         if (session_tag != sconn->smb1.sessions.last_session_tag) {
1482                 user_struct *vuser = NULL;
1483
1484                 sconn->smb1.sessions.last_session_tag = session_tag;
1485                 if(session_tag != UID_FIELD_INVALID) {
1486                         vuser = get_valid_user_struct(sconn, session_tag);
1487                         if (vuser) {
1488                                 set_current_user_info(
1489                                         vuser->session_info->sanitized_username,
1490                                         vuser->session_info->unix_name,
1491                                         vuser->session_info->info3->base.domain.string);
1492                         }
1493                 }
1494         }
1495
1496         /* Does this call need to be run as the connected user? */
1497         if (flags & AS_USER) {
1498
1499                 /* Does this call need a valid tree connection? */
1500                 if (!conn) {
1501                         /*
1502                          * Amazingly, the error code depends on the command
1503                          * (from Samba4).
1504                          */
1505                         if (type == SMBntcreateX) {
1506                                 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1507                         } else {
1508                                 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1509                         }
1510                         return NULL;
1511                 }
1512
1513                 if (!change_to_user(conn,session_tag)) {
1514                         DEBUG(0, ("Error: Could not change to user. Removing "
1515                                 "deferred open, mid=%llu.\n",
1516                                 (unsigned long long)req->mid));
1517                         reply_force_doserror(req, ERRSRV, ERRbaduid);
1518                         return conn;
1519                 }
1520
1521                 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1522
1523                 /* Does it need write permission? */
1524                 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1525                         reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1526                         return conn;
1527                 }
1528
1529                 /* IPC services are limited */
1530                 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1531                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1532                         return conn;
1533                 }
1534         } else {
1535                 /* This call needs to be run as root */
1536                 change_to_root_user();
1537         }
1538
1539         /* load service specific parameters */
1540         if (conn) {
1541                 if (req->encrypted) {
1542                         conn->encrypted_tid = true;
1543                         /* encrypted required from now on. */
1544                         conn->encrypt_level = Required;
1545                 } else if (ENCRYPTION_REQUIRED(conn)) {
1546                         if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1547                                 exit_server_cleanly("encryption required "
1548                                         "on connection");
1549                                 return conn;
1550                         }
1551                 }
1552
1553                 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1554                                          (flags & (AS_USER|DO_CHDIR)
1555                                           ?True:False))) {
1556                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1557                         return conn;
1558                 }
1559                 conn->num_smb_operations++;
1560         }
1561
1562         /* does this protocol need to be run as guest? */
1563         if ((flags & AS_GUEST)
1564             && (!change_to_guest() ||
1565                 !allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
1566                               sconn->client_id.name,
1567                               sconn->client_id.addr))) {
1568                 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1569                 return conn;
1570         }
1571
1572         smb_messages[type].fn(req);
1573         return req->conn;
1574 }
1575
1576 /****************************************************************************
1577  Construct a reply to the incoming packet.
1578 ****************************************************************************/
1579
1580 static void construct_reply(struct smbd_server_connection *sconn,
1581                             char *inbuf, int size, size_t unread_bytes,
1582                             uint32_t seqnum, bool encrypted,
1583                             struct smb_perfcount_data *deferred_pcd)
1584 {
1585         connection_struct *conn;
1586         struct smb_request *req;
1587
1588         if (!(req = talloc(talloc_tos(), struct smb_request))) {
1589                 smb_panic("could not allocate smb_request");
1590         }
1591
1592         if (!init_smb_request(req, sconn, (uint8 *)inbuf, unread_bytes,
1593                               encrypted, seqnum)) {
1594                 exit_server_cleanly("Invalid SMB request");
1595         }
1596
1597         req->inbuf  = (uint8_t *)talloc_move(req, &inbuf);
1598
1599         /* we popped this message off the queue - keep original perf data */
1600         if (deferred_pcd)
1601                 req->pcd = *deferred_pcd;
1602         else {
1603                 SMB_PERFCOUNT_START(&req->pcd);
1604                 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1605                 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1606         }
1607
1608         conn = switch_message(req->cmd, req, size);
1609
1610         if (req->unread_bytes) {
1611                 /* writeX failed. drain socket. */
1612                 if (drain_socket(req->sconn->sock, req->unread_bytes) !=
1613                                 req->unread_bytes) {
1614                         smb_panic("failed to drain pending bytes");
1615                 }
1616                 req->unread_bytes = 0;
1617         }
1618
1619         if (req->done) {
1620                 TALLOC_FREE(req);
1621                 return;
1622         }
1623
1624         if (req->outbuf == NULL) {
1625                 return;
1626         }
1627
1628         if (CVAL(req->outbuf,0) == 0) {
1629                 show_msg((char *)req->outbuf);
1630         }
1631
1632         if (!srv_send_smb(req->sconn,
1633                         (char *)req->outbuf,
1634                         true, req->seqnum+1,
1635                         IS_CONN_ENCRYPTED(conn)||req->encrypted,
1636                         &req->pcd)) {
1637                 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1638         }
1639
1640         TALLOC_FREE(req);
1641
1642         return;
1643 }
1644
1645 /****************************************************************************
1646  Process an smb from the client
1647 ****************************************************************************/
1648 static void process_smb(struct smbd_server_connection *sconn,
1649                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
1650                         uint32_t seqnum, bool encrypted,
1651                         struct smb_perfcount_data *deferred_pcd)
1652 {
1653         int msg_type = CVAL(inbuf,0);
1654
1655         DO_PROFILE_INC(smb_count);
1656
1657         DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1658                     smb_len(inbuf) ) );
1659         DEBUG(3, ("Transaction %d of length %d (%u toread)\n",
1660                   sconn->trans_num, (int)nread, (unsigned int)unread_bytes));
1661
1662         if (msg_type != 0) {
1663                 /*
1664                  * NetBIOS session request, keepalive, etc.
1665                  */
1666                 reply_special(sconn, (char *)inbuf, nread);
1667                 goto done;
1668         }
1669
1670         if (sconn->using_smb2) {
1671                 /* At this point we're not really using smb2,
1672                  * we make the decision here.. */
1673                 if (smbd_is_smb2_header(inbuf, nread)) {
1674                         smbd_smb2_first_negprot(sconn, inbuf, nread);
1675                         return;
1676                 } else if (nread >= smb_size && valid_smb_header(inbuf)
1677                                 && CVAL(inbuf, smb_com) != 0x72) {
1678                         /* This is a non-negprot SMB1 packet.
1679                            Disable SMB2 from now on. */
1680                         sconn->using_smb2 = false;
1681                 }
1682         }
1683
1684         show_msg((char *)inbuf);
1685
1686         construct_reply(sconn, (char *)inbuf, nread, unread_bytes, seqnum,
1687                         encrypted, deferred_pcd);
1688         sconn->trans_num++;
1689
1690 done:
1691         sconn->smb1.num_requests++;
1692
1693         /* The timeout_processing function isn't run nearly
1694            often enough to implement 'max log size' without
1695            overrunning the size of the file by many megabytes.
1696            This is especially true if we are running at debug
1697            level 10.  Checking every 50 SMBs is a nice
1698            tradeoff of performance vs log file size overrun. */
1699
1700         if ((sconn->smb1.num_requests % 50) == 0 &&
1701             need_to_check_log_size()) {
1702                 change_to_root_user();
1703                 check_log_size();
1704         }
1705 }
1706
1707 /****************************************************************************
1708  Return a string containing the function name of a SMB command.
1709 ****************************************************************************/
1710
1711 const char *smb_fn_name(int type)
1712 {
1713         const char *unknown_name = "SMBunknown";
1714
1715         if (smb_messages[type].name == NULL)
1716                 return(unknown_name);
1717
1718         return(smb_messages[type].name);
1719 }
1720
1721 /****************************************************************************
1722  Helper functions for contruct_reply.
1723 ****************************************************************************/
1724
1725 void add_to_common_flags2(uint32 v)
1726 {
1727         common_flags2 |= v;
1728 }
1729
1730 void remove_from_common_flags2(uint32 v)
1731 {
1732         common_flags2 &= ~v;
1733 }
1734
1735 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1736                                    char *outbuf)
1737 {
1738         srv_set_message(outbuf,0,0,false);
1739
1740         SCVAL(outbuf, smb_com, req->cmd);
1741         SIVAL(outbuf,smb_rcls,0);
1742         SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); 
1743         SSVAL(outbuf,smb_flg2,
1744                 (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) |
1745                 common_flags2);
1746         memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1747
1748         SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1749         SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1750         SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1751         SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1752 }
1753
1754 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1755 {
1756         construct_reply_common(req, (char *)req->inbuf, outbuf);
1757 }
1758
1759 /*
1760  * How many bytes have we already accumulated up to the current wct field
1761  * offset?
1762  */
1763
1764 size_t req_wct_ofs(struct smb_request *req)
1765 {
1766         size_t buf_size;
1767
1768         if (req->chain_outbuf == NULL) {
1769                 return smb_wct - 4;
1770         }
1771         buf_size = talloc_get_size(req->chain_outbuf);
1772         if ((buf_size % 4) != 0) {
1773                 buf_size += (4 - (buf_size % 4));
1774         }
1775         return buf_size - 4;
1776 }
1777
1778 /*
1779  * Hack around reply_nterror & friends not being aware of chained requests,
1780  * generating illegal (i.e. wct==0) chain replies.
1781  */
1782
1783 static void fixup_chain_error_packet(struct smb_request *req)
1784 {
1785         uint8_t *outbuf = req->outbuf;
1786         req->outbuf = NULL;
1787         reply_outbuf(req, 2, 0);
1788         memcpy(req->outbuf, outbuf, smb_wct);
1789         TALLOC_FREE(outbuf);
1790         SCVAL(req->outbuf, smb_vwv0, 0xff);
1791 }
1792
1793 /**
1794  * @brief Find the smb_cmd offset of the last command pushed
1795  * @param[in] buf       The buffer we're building up
1796  * @retval              Where can we put our next andx cmd?
1797  *
1798  * While chaining requests, the "next" request we're looking at needs to put
1799  * its SMB_Command before the data the previous request already built up added
1800  * to the chain. Find the offset to the place where we have to put our cmd.
1801  */
1802
1803 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
1804 {
1805         uint8_t cmd;
1806         size_t ofs;
1807
1808         cmd = CVAL(buf, smb_com);
1809
1810         SMB_ASSERT(is_andx_req(cmd));
1811
1812         ofs = smb_vwv0;
1813
1814         while (CVAL(buf, ofs) != 0xff) {
1815
1816                 if (!is_andx_req(CVAL(buf, ofs))) {
1817                         return false;
1818                 }
1819
1820                 /*
1821                  * ofs is from start of smb header, so add the 4 length
1822                  * bytes. The next cmd is right after the wct field.
1823                  */
1824                 ofs = SVAL(buf, ofs+2) + 4 + 1;
1825
1826                 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1827         }
1828
1829         *pofs = ofs;
1830         return true;
1831 }
1832
1833 /**
1834  * @brief Do the smb chaining at a buffer level
1835  * @param[in] poutbuf           Pointer to the talloc'ed buffer to be modified
1836  * @param[in] smb_command       The command that we want to issue
1837  * @param[in] wct               How many words?
1838  * @param[in] vwv               The words, already in network order
1839  * @param[in] bytes_alignment   How shall we align "bytes"?
1840  * @param[in] num_bytes         How many bytes?
1841  * @param[in] bytes             The data the request ships
1842  *
1843  * smb_splice_chain() adds the vwv and bytes to the request already present in
1844  * *poutbuf.
1845  */
1846
1847 static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1848                              uint8_t wct, const uint16_t *vwv,
1849                              size_t bytes_alignment,
1850                              uint32_t num_bytes, const uint8_t *bytes)
1851 {
1852         uint8_t *outbuf;
1853         size_t old_size, new_size;
1854         size_t ofs;
1855         size_t chain_padding = 0;
1856         size_t bytes_padding = 0;
1857         bool first_request;
1858
1859         old_size = talloc_get_size(*poutbuf);
1860
1861         /*
1862          * old_size == smb_wct means we're pushing the first request in for
1863          * libsmb/
1864          */
1865
1866         first_request = (old_size == smb_wct);
1867
1868         if (!first_request && ((old_size % 4) != 0)) {
1869                 /*
1870                  * Align the wct field of subsequent requests to a 4-byte
1871                  * boundary
1872                  */
1873                 chain_padding = 4 - (old_size % 4);
1874         }
1875
1876         /*
1877          * After the old request comes the new wct field (1 byte), the vwv's
1878          * and the num_bytes field. After at we might need to align the bytes
1879          * given to us to "bytes_alignment", increasing the num_bytes value.
1880          */
1881
1882         new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1883
1884         if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1885                 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1886         }
1887
1888         new_size += bytes_padding + num_bytes;
1889
1890         if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1891                 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1892                           (unsigned)new_size));
1893                 return false;
1894         }
1895
1896         outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1897         if (outbuf == NULL) {
1898                 DEBUG(0, ("talloc failed\n"));
1899                 return false;
1900         }
1901         *poutbuf = outbuf;
1902
1903         if (first_request) {
1904                 SCVAL(outbuf, smb_com, smb_command);
1905         } else {
1906                 size_t andx_cmd_ofs;
1907
1908                 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1909                         DEBUG(1, ("invalid command chain\n"));
1910                         *poutbuf = TALLOC_REALLOC_ARRAY(
1911                                 NULL, *poutbuf, uint8_t, old_size);
1912                         return false;
1913                 }
1914
1915                 if (chain_padding != 0) {
1916                         memset(outbuf + old_size, 0, chain_padding);
1917                         old_size += chain_padding;
1918                 }
1919
1920                 SCVAL(outbuf, andx_cmd_ofs, smb_command);
1921                 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1922         }
1923
1924         ofs = old_size;
1925
1926         /*
1927          * Push the chained request:
1928          *
1929          * wct field
1930          */
1931
1932         SCVAL(outbuf, ofs, wct);
1933         ofs += 1;
1934
1935         /*
1936          * vwv array
1937          */
1938
1939         memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1940         ofs += sizeof(uint16_t) * wct;
1941
1942         /*
1943          * bcc (byte count)
1944          */
1945
1946         SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1947         ofs += sizeof(uint16_t);
1948
1949         /*
1950          * padding
1951          */
1952
1953         if (bytes_padding != 0) {
1954                 memset(outbuf + ofs, 0, bytes_padding);
1955                 ofs += bytes_padding;
1956         }
1957
1958         /*
1959          * The bytes field
1960          */
1961
1962         memcpy(outbuf + ofs, bytes, num_bytes);
1963
1964         return true;
1965 }
1966
1967 /****************************************************************************
1968  Construct a chained reply and add it to the already made reply
1969 ****************************************************************************/
1970
1971 void chain_reply(struct smb_request *req)
1972 {
1973         size_t smblen = smb_len(req->inbuf);
1974         size_t already_used, length_needed;
1975         uint8_t chain_cmd;
1976         uint32_t chain_offset;  /* uint32_t to avoid overflow */
1977
1978         uint8_t wct;
1979         uint16_t *vwv;
1980         uint16_t buflen;
1981         uint8_t *buf;
1982
1983         if (IVAL(req->outbuf, smb_rcls) != 0) {
1984                 fixup_chain_error_packet(req);
1985         }
1986
1987         /*
1988          * Any of the AndX requests and replies have at least a wct of
1989          * 2. vwv[0] is the next command, vwv[1] is the offset from the
1990          * beginning of the SMB header to the next wct field.
1991          *
1992          * None of the AndX requests put anything valuable in vwv[0] and [1],
1993          * so we can overwrite it here to form the chain.
1994          */
1995
1996         if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
1997                 if (req->chain_outbuf == NULL) {
1998                         req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1999                                 req, req->outbuf, uint8_t,
2000                                 smb_len(req->outbuf) + 4);
2001                         if (req->chain_outbuf == NULL) {
2002                                 smb_panic("talloc failed");
2003                         }
2004                 }
2005                 req->outbuf = NULL;
2006                 goto error;
2007         }
2008
2009         /*
2010          * Here we assume that this is the end of the chain. For that we need
2011          * to set "next command" to 0xff and the offset to 0. If we later find
2012          * more commands in the chain, this will be overwritten again.
2013          */
2014
2015         SCVAL(req->outbuf, smb_vwv0, 0xff);
2016         SCVAL(req->outbuf, smb_vwv0+1, 0);
2017         SSVAL(req->outbuf, smb_vwv1, 0);
2018
2019         if (req->chain_outbuf == NULL) {
2020                 /*
2021                  * In req->chain_outbuf we collect all the replies. Start the
2022                  * chain by copying in the first reply.
2023                  *
2024                  * We do the realloc because later on we depend on
2025                  * talloc_get_size to determine the length of
2026                  * chain_outbuf. The reply_xxx routines might have
2027                  * over-allocated (reply_pipe_read_and_X used to be such an
2028                  * example).
2029                  */
2030                 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
2031                         req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
2032                 if (req->chain_outbuf == NULL) {
2033                         smb_panic("talloc failed");
2034                 }
2035                 req->outbuf = NULL;
2036         } else {
2037                 /*
2038                  * Update smb headers where subsequent chained commands
2039                  * may have updated them.
2040                  */
2041                 SSVAL(req->chain_outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
2042                 SSVAL(req->chain_outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
2043
2044                 if (!smb_splice_chain(&req->chain_outbuf,
2045                                       CVAL(req->outbuf, smb_com),
2046                                       CVAL(req->outbuf, smb_wct),
2047                                       (uint16_t *)(req->outbuf + smb_vwv),
2048                                       0, smb_buflen(req->outbuf),
2049                                       (uint8_t *)smb_buf(req->outbuf))) {
2050                         goto error;
2051                 }
2052                 TALLOC_FREE(req->outbuf);
2053         }
2054
2055         /*
2056          * We use the old request's vwv field to grab the next chained command
2057          * and offset into the chained fields.
2058          */
2059
2060         chain_cmd = CVAL(req->vwv+0, 0);
2061         chain_offset = SVAL(req->vwv+1, 0);
2062
2063         if (chain_cmd == 0xff) {
2064                 /*
2065                  * End of chain, no more requests from the client. So ship the
2066                  * replies.
2067                  */
2068                 smb_setlen((char *)(req->chain_outbuf),
2069                            talloc_get_size(req->chain_outbuf) - 4);
2070
2071                 if (!srv_send_smb(req->sconn, (char *)req->chain_outbuf,
2072                                   true, req->seqnum+1,
2073                                   IS_CONN_ENCRYPTED(req->conn)
2074                                   ||req->encrypted,
2075                                   &req->pcd)) {
2076                         exit_server_cleanly("chain_reply: srv_send_smb "
2077                                             "failed.");
2078                 }
2079                 TALLOC_FREE(req->chain_outbuf);
2080                 req->done = true;
2081                 return;
2082         }
2083
2084         /* add a new perfcounter for this element of chain */
2085         SMB_PERFCOUNT_ADD(&req->pcd);
2086         SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
2087         SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
2088
2089         /*
2090          * Check if the client tries to fool us. The request so far uses the
2091          * space to the end of the byte buffer in the request just
2092          * processed. The chain_offset can't point into that area. If that was
2093          * the case, we could end up with an endless processing of the chain,
2094          * we would always handle the same request.
2095          */
2096
2097         already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
2098         if (chain_offset < already_used) {
2099                 goto error;
2100         }
2101
2102         /*
2103          * Next check: Make sure the chain offset does not point beyond the
2104          * overall smb request length.
2105          */
2106
2107         length_needed = chain_offset+1; /* wct */
2108         if (length_needed > smblen) {
2109                 goto error;
2110         }
2111
2112         /*
2113          * Now comes the pointer magic. Goal here is to set up req->vwv and
2114          * req->buf correctly again to be able to call the subsequent
2115          * switch_message(). The chain offset (the former vwv[1]) points at
2116          * the new wct field.
2117          */
2118
2119         wct = CVAL(smb_base(req->inbuf), chain_offset);
2120
2121         /*
2122          * Next consistency check: Make the new vwv array fits in the overall
2123          * smb request.
2124          */
2125
2126         length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
2127         if (length_needed > smblen) {
2128                 goto error;
2129         }
2130         vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
2131
2132         /*
2133          * Now grab the new byte buffer....
2134          */
2135
2136         buflen = SVAL(vwv+wct, 0);
2137
2138         /*
2139          * .. and check that it fits.
2140          */
2141
2142         length_needed += buflen;
2143         if (length_needed > smblen) {
2144                 goto error;
2145         }
2146         buf = (uint8_t *)(vwv+wct+1);
2147
2148         req->cmd = chain_cmd;
2149         req->wct = wct;
2150         req->vwv = vwv;
2151         req->buflen = buflen;
2152         req->buf = buf;
2153
2154         switch_message(chain_cmd, req, smblen);
2155
2156         if (req->outbuf == NULL) {
2157                 /*
2158                  * This happens if the chained command has suspended itself or
2159                  * if it has called srv_send_smb() itself.
2160                  */
2161                 return;
2162         }
2163
2164         /*
2165          * We end up here if the chained command was not itself chained or
2166          * suspended, but for example a close() command. We now need to splice
2167          * the chained commands' outbuf into the already built up chain_outbuf
2168          * and ship the result.
2169          */
2170         goto done;
2171
2172  error:
2173         /*
2174          * We end up here if there's any error in the chain syntax. Report a
2175          * DOS error, just like Windows does.
2176          */
2177         reply_force_doserror(req, ERRSRV, ERRerror);
2178         fixup_chain_error_packet(req);
2179
2180  done:
2181         /*
2182          * This scary statement intends to set the
2183          * FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
2184          * to the value req->outbuf carries
2185          */
2186         SSVAL(req->chain_outbuf, smb_flg2,
2187               (SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
2188               | (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
2189
2190         /*
2191          * Transfer the error codes from the subrequest to the main one
2192          */
2193         SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2194         SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2195
2196         if (!smb_splice_chain(&req->chain_outbuf,
2197                               CVAL(req->outbuf, smb_com),
2198                               CVAL(req->outbuf, smb_wct),
2199                               (uint16_t *)(req->outbuf + smb_vwv),
2200                               0, smb_buflen(req->outbuf),
2201                               (uint8_t *)smb_buf(req->outbuf))) {
2202                 exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2203         }
2204         TALLOC_FREE(req->outbuf);
2205
2206         smb_setlen((char *)(req->chain_outbuf),
2207                    talloc_get_size(req->chain_outbuf) - 4);
2208
2209         show_msg((char *)(req->chain_outbuf));
2210
2211         if (!srv_send_smb(req->sconn, (char *)req->chain_outbuf,
2212                           true, req->seqnum+1,
2213                           IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
2214                           &req->pcd)) {
2215                 exit_server_cleanly("chain_reply: srv_send_smb failed.");
2216         }
2217         TALLOC_FREE(req->chain_outbuf);
2218         req->done = true;
2219 }
2220
2221 /****************************************************************************
2222  Check if services need reloading.
2223 ****************************************************************************/
2224
2225 static void check_reload(struct smbd_server_connection *sconn, time_t t)
2226 {
2227
2228         if (last_smb_conf_reload_time == 0) {
2229                 last_smb_conf_reload_time = t;
2230         }
2231
2232         if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2233                 reload_services(sconn->msg_ctx, sconn->sock, True);
2234                 last_smb_conf_reload_time = t;
2235         }
2236 }
2237
2238 static bool fd_is_readable(int fd)
2239 {
2240         int ret, revents;
2241
2242         ret = poll_one_fd(fd, POLLIN|POLLHUP, 0, &revents);
2243
2244         return ((ret > 0) && ((revents & (POLLIN|POLLHUP|POLLERR)) != 0));
2245
2246 }
2247
2248 static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2249 {
2250         /* TODO: make write nonblocking */
2251 }
2252
2253 static void smbd_server_connection_read_handler(
2254         struct smbd_server_connection *conn, int fd)
2255 {
2256         uint8_t *inbuf = NULL;
2257         size_t inbuf_len = 0;
2258         size_t unread_bytes = 0;
2259         bool encrypted = false;
2260         TALLOC_CTX *mem_ctx = talloc_tos();
2261         NTSTATUS status;
2262         uint32_t seqnum;
2263
2264         bool from_client = (conn->sock == fd);
2265
2266         if (from_client) {
2267                 smbd_lock_socket(conn);
2268
2269                 if (lp_async_smb_echo_handler() && !fd_is_readable(fd)) {
2270                         DEBUG(10,("the echo listener was faster\n"));
2271                         smbd_unlock_socket(conn);
2272                         return;
2273                 }
2274
2275                 /* TODO: make this completely nonblocking */
2276                 status = receive_smb_talloc(mem_ctx, conn, fd,
2277                                             (char **)(void *)&inbuf,
2278                                             0, /* timeout */
2279                                             &unread_bytes,
2280                                             &encrypted,
2281                                             &inbuf_len, &seqnum,
2282                                             false /* trusted channel */);
2283                 smbd_unlock_socket(conn);
2284         } else {
2285                 /* TODO: make this completely nonblocking */
2286                 status = receive_smb_talloc(mem_ctx, conn, fd,
2287                                             (char **)(void *)&inbuf,
2288                                             0, /* timeout */
2289                                             &unread_bytes,
2290                                             &encrypted,
2291                                             &inbuf_len, &seqnum,
2292                                             true /* trusted channel */);
2293         }
2294
2295         if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2296                 goto process;
2297         }
2298         if (NT_STATUS_IS_ERR(status)) {
2299                 exit_server_cleanly("failed to receive smb request");
2300         }
2301         if (!NT_STATUS_IS_OK(status)) {
2302                 return;
2303         }
2304
2305 process:
2306         process_smb(conn, inbuf, inbuf_len, unread_bytes,
2307                     seqnum, encrypted, NULL);
2308 }
2309
2310 static void smbd_server_connection_handler(struct event_context *ev,
2311                                            struct fd_event *fde,
2312                                            uint16_t flags,
2313                                            void *private_data)
2314 {
2315         struct smbd_server_connection *conn = talloc_get_type(private_data,
2316                                               struct smbd_server_connection);
2317
2318         if (flags & EVENT_FD_WRITE) {
2319                 smbd_server_connection_write_handler(conn);
2320                 return;
2321         }
2322         if (flags & EVENT_FD_READ) {
2323                 smbd_server_connection_read_handler(conn, conn->sock);
2324                 return;
2325         }
2326 }
2327
2328 static void smbd_server_echo_handler(struct event_context *ev,
2329                                      struct fd_event *fde,
2330                                      uint16_t flags,
2331                                      void *private_data)
2332 {
2333         struct smbd_server_connection *conn = talloc_get_type(private_data,
2334                                               struct smbd_server_connection);
2335
2336         if (flags & EVENT_FD_WRITE) {
2337                 smbd_server_connection_write_handler(conn);
2338                 return;
2339         }
2340         if (flags & EVENT_FD_READ) {
2341                 smbd_server_connection_read_handler(
2342                         conn, conn->smb1.echo_handler.trusted_fd);
2343                 return;
2344         }
2345 }
2346
2347 /****************************************************************************
2348 received when we should release a specific IP
2349 ****************************************************************************/
2350 static void release_ip(const char *ip, void *priv)
2351 {
2352         const char *addr = (const char *)priv;
2353         const char *p = addr;
2354
2355         if (strncmp("::ffff:", addr, 7) == 0) {
2356                 p = addr + 7;
2357         }
2358
2359         if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2360                 /* we can't afford to do a clean exit - that involves
2361                    database writes, which would potentially mean we
2362                    are still running after the failover has finished -
2363                    we have to get rid of this process ID straight
2364                    away */
2365                 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2366                         ip));
2367                 /* note we must exit with non-zero status so the unclean handler gets
2368                    called in the parent, so that the brl database is tickled */
2369                 _exit(1);
2370         }
2371 }
2372
2373 static void msg_release_ip(struct messaging_context *msg_ctx, void *private_data,
2374                            uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2375 {
2376         struct smbd_server_connection *sconn = talloc_get_type_abort(
2377                 private_data, struct smbd_server_connection);
2378
2379         release_ip((char *)data->data, sconn->client_id.addr);
2380 }
2381
2382 #ifdef CLUSTER_SUPPORT
2383 static int client_get_tcp_info(int sock, struct sockaddr_storage *server,
2384                                struct sockaddr_storage *client)
2385 {
2386         socklen_t length;
2387         length = sizeof(*server);
2388         if (getsockname(sock, (struct sockaddr *)server, &length) != 0) {
2389                 return -1;
2390         }
2391         length = sizeof(*client);
2392         if (getpeername(sock, (struct sockaddr *)client, &length) != 0) {
2393                 return -1;
2394         }
2395         return 0;
2396 }
2397 #endif
2398
2399 /*
2400  * Send keepalive packets to our client
2401  */
2402 static bool keepalive_fn(const struct timeval *now, void *private_data)
2403 {
2404         struct smbd_server_connection *sconn = smbd_server_conn;
2405         bool ret;
2406
2407         if (sconn->using_smb2) {
2408                 /* Don't do keepalives on an SMB2 connection. */
2409                 return false;
2410         }
2411
2412         smbd_lock_socket(smbd_server_conn);
2413         ret = send_keepalive(sconn->sock);
2414         smbd_unlock_socket(smbd_server_conn);
2415
2416         if (!ret) {
2417                 char addr[INET6_ADDRSTRLEN];
2418                 /*
2419                  * Try and give an error message saying what
2420                  * client failed.
2421                  */
2422                 DEBUG(0, ("send_keepalive failed for client %s. "
2423                           "Error %s - exiting\n",
2424                           get_peer_addr(sconn->sock, addr, sizeof(addr)),
2425                           strerror(errno)));
2426                 return False;
2427         }
2428         return True;
2429 }
2430
2431 /*
2432  * Do the recurring check if we're idle
2433  */
2434 static bool deadtime_fn(const struct timeval *now, void *private_data)
2435 {
2436         struct smbd_server_connection *sconn =
2437                 (struct smbd_server_connection *)private_data;
2438
2439         if ((conn_num_open(sconn) == 0)
2440             || (conn_idle_all(sconn, now->tv_sec))) {
2441                 DEBUG( 2, ( "Closing idle connection\n" ) );
2442                 messaging_send(sconn->msg_ctx,
2443                                messaging_server_id(sconn->msg_ctx),
2444                                MSG_SHUTDOWN, &data_blob_null);
2445                 return False;
2446         }
2447
2448         return True;
2449 }
2450
2451 /*
2452  * Do the recurring log file and smb.conf reload checks.
2453  */
2454
2455 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2456 {
2457         struct smbd_server_connection *sconn = talloc_get_type_abort(
2458                 private_data, struct smbd_server_connection);
2459
2460         DEBUG(5, ("housekeeping\n"));
2461
2462         change_to_root_user();
2463
2464         /* update printer queue caches if necessary */
2465         update_monitored_printq_cache(sconn->msg_ctx);
2466
2467         /* check if we need to reload services */
2468         check_reload(sconn, time_mono(NULL));
2469
2470         /* Change machine password if neccessary. */
2471         attempt_machine_password_change();
2472
2473         /*
2474          * Force a log file check.
2475          */
2476         force_check_log_size();
2477         check_log_size();
2478         return true;
2479 }
2480
2481 static int create_unlink_tmp(const char *dir)
2482 {
2483         char *fname;
2484         int fd;
2485
2486         fname = talloc_asprintf(talloc_tos(), "%s/listenerlock_XXXXXX", dir);
2487         if (fname == NULL) {
2488                 errno = ENOMEM;
2489                 return -1;
2490         }
2491         fd = mkstemp(fname);
2492         if (fd == -1) {
2493                 TALLOC_FREE(fname);
2494                 return -1;
2495         }
2496         if (unlink(fname) == -1) {
2497                 int sys_errno = errno;
2498                 close(fd);
2499                 TALLOC_FREE(fname);
2500                 errno = sys_errno;
2501                 return -1;
2502         }
2503         TALLOC_FREE(fname);
2504         return fd;
2505 }
2506
2507 struct smbd_echo_state {
2508         struct tevent_context *ev;
2509         struct iovec *pending;
2510         struct smbd_server_connection *sconn;
2511         int parent_pipe;
2512
2513         struct tevent_fd *parent_fde;
2514
2515         struct tevent_fd *read_fde;
2516         struct tevent_req *write_req;
2517 };
2518
2519 static void smbd_echo_writer_done(struct tevent_req *req);
2520
2521 static void smbd_echo_activate_writer(struct smbd_echo_state *state)
2522 {
2523         int num_pending;
2524
2525         if (state->write_req != NULL) {
2526                 return;
2527         }
2528
2529         num_pending = talloc_array_length(state->pending);
2530         if (num_pending == 0) {
2531                 return;
2532         }
2533
2534         state->write_req = writev_send(state, state->ev, NULL,
2535                                        state->parent_pipe, false,
2536                                        state->pending, num_pending);
2537         if (state->write_req == NULL) {
2538                 DEBUG(1, ("writev_send failed\n"));
2539                 exit(1);
2540         }
2541
2542         talloc_steal(state->write_req, state->pending);
2543         state->pending = NULL;
2544
2545         tevent_req_set_callback(state->write_req, smbd_echo_writer_done,
2546                                 state);
2547 }
2548
2549 static void smbd_echo_writer_done(struct tevent_req *req)
2550 {
2551         struct smbd_echo_state *state = tevent_req_callback_data(
2552                 req, struct smbd_echo_state);
2553         ssize_t written;
2554         int err;
2555
2556         written = writev_recv(req, &err);
2557         TALLOC_FREE(req);
2558         state->write_req = NULL;
2559         if (written == -1) {
2560                 DEBUG(1, ("writev to parent failed: %s\n", strerror(err)));
2561                 exit(1);
2562         }
2563         DEBUG(10,("echo_handler[%d]: forwarded pdu to main\n", (int)sys_getpid()));
2564         smbd_echo_activate_writer(state);
2565 }
2566
2567 static bool smbd_echo_reply(uint8_t *inbuf, size_t inbuf_len,
2568                             uint32_t seqnum)
2569 {
2570         struct smb_request req;
2571         uint16_t num_replies;
2572         size_t out_len;
2573         char *outbuf;
2574         bool ok;
2575
2576         if ((inbuf_len == 4) && (CVAL(inbuf, 0) == SMBkeepalive)) {
2577                 DEBUG(10, ("Got netbios keepalive\n"));
2578                 /*
2579                  * Just swallow it
2580                  */
2581                 return true;
2582         }
2583
2584         if (inbuf_len < smb_size) {
2585                 DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
2586                 return false;
2587         }
2588         if (!valid_smb_header(inbuf)) {
2589                 DEBUG(10, ("Got invalid SMB header\n"));
2590                 return false;
2591         }
2592
2593         if (!init_smb_request(&req, smbd_server_conn, inbuf, 0, false,
2594                               seqnum)) {
2595                 return false;
2596         }
2597         req.inbuf = inbuf;
2598
2599         DEBUG(10, ("smbecho handler got cmd %d (%s)\n", (int)req.cmd,
2600                    smb_messages[req.cmd].name
2601                    ? smb_messages[req.cmd].name : "unknown"));
2602
2603         if (req.cmd != SMBecho) {
2604                 return false;
2605         }
2606         if (req.wct < 1) {
2607                 return false;
2608         }
2609
2610         num_replies = SVAL(req.vwv+0, 0);
2611         if (num_replies != 1) {
2612                 /* Not a Windows "Hey, you're still there?" request */
2613                 return false;
2614         }
2615
2616         if (!create_outbuf(talloc_tos(), &req, (char *)req.inbuf, &outbuf,
2617                            1, req.buflen)) {
2618                 DEBUG(10, ("create_outbuf failed\n"));
2619                 return false;
2620         }
2621         req.outbuf = (uint8_t *)outbuf;
2622
2623         SSVAL(req.outbuf, smb_vwv0, num_replies);
2624
2625         if (req.buflen > 0) {
2626                 memcpy(smb_buf(req.outbuf), req.buf, req.buflen);
2627         }
2628
2629         out_len = smb_len(req.outbuf) + 4;
2630
2631         ok = srv_send_smb(req.sconn,
2632                           (char *)outbuf,
2633                           true, seqnum+1,
2634                           false, &req.pcd);
2635         TALLOC_FREE(outbuf);
2636         if (!ok) {
2637                 exit(1);
2638         }
2639
2640         return true;
2641 }
2642
2643 static void smbd_echo_exit(struct tevent_context *ev,
2644                            struct tevent_fd *fde, uint16_t flags,
2645                            void *private_data)
2646 {
2647         DEBUG(2, ("smbd_echo_exit: lost connection to parent\n"));
2648         exit(0);
2649 }
2650
2651 static void smbd_echo_reader(struct tevent_context *ev,
2652                              struct tevent_fd *fde, uint16_t flags,
2653                              void *private_data)
2654 {
2655         struct smbd_echo_state *state = talloc_get_type_abort(
2656                 private_data, struct smbd_echo_state);
2657         struct smbd_server_connection *sconn = state->sconn;
2658         size_t unread, num_pending;
2659         NTSTATUS status;
2660         struct iovec *tmp;
2661         size_t iov_len;
2662         uint32_t seqnum = 0;
2663         bool reply;
2664         bool ok;
2665         bool encrypted = false;
2666
2667         smb_msleep(1000);
2668
2669         ok = smbd_lock_socket_internal(sconn);
2670         if (!ok) {
2671                 DEBUG(0, ("%s: failed to lock socket\n",
2672                         __location__));
2673                 exit(1);
2674         }
2675
2676         if (!fd_is_readable(sconn->sock)) {
2677                 DEBUG(10,("echo_handler[%d] the parent smbd was faster\n",
2678                           (int)sys_getpid()));
2679                 ok = smbd_unlock_socket_internal(sconn);
2680                 if (!ok) {
2681                         DEBUG(1, ("%s: failed to unlock socket in\n",
2682                                 __location__));
2683                         exit(1);
2684                 }
2685                 return;
2686         }
2687
2688         num_pending = talloc_array_length(state->pending);
2689         tmp = talloc_realloc(state, state->pending, struct iovec,
2690                              num_pending+1);
2691         if (tmp == NULL) {
2692                 DEBUG(1, ("talloc_realloc failed\n"));
2693                 exit(1);
2694         }
2695         state->pending = tmp;
2696
2697         DEBUG(10,("echo_handler[%d]: reading pdu\n", (int)sys_getpid()));
2698
2699         status = receive_smb_talloc(state->pending, sconn, sconn->sock,
2700                                     (char **)(void *)&state->pending[num_pending].iov_base,
2701                                     0 /* timeout */,
2702                                     &unread,
2703                                     &encrypted,
2704                                     &iov_len,
2705                                     &seqnum,
2706                                     false /* trusted_channel*/);
2707         if (!NT_STATUS_IS_OK(status)) {
2708                 DEBUG(1, ("echo_handler[%d]: receive_smb_raw_talloc failed: %s\n",
2709                           (int)sys_getpid(), nt_errstr(status)));
2710                 exit(1);
2711         }
2712         state->pending[num_pending].iov_len = iov_len;
2713
2714         ok = smbd_unlock_socket_internal(sconn);
2715         if (!ok) {
2716                 DEBUG(1, ("%s: failed to unlock socket in\n",
2717                         __location__));
2718                 exit(1);
2719         }
2720
2721         reply = smbd_echo_reply((uint8_t *)state->pending[num_pending].iov_base,
2722                                 state->pending[num_pending].iov_len,
2723                                 seqnum);
2724         if (reply) {
2725                 DEBUG(10,("echo_handler[%d]: replied to client\n", (int)sys_getpid()));
2726                 /* no check, shrinking by some bytes does not fail */
2727                 state->pending = talloc_realloc(state, state->pending,
2728                                                 struct iovec,
2729                                                 num_pending);
2730                 return;
2731         }
2732
2733         if (state->pending[num_pending].iov_len >= smb_size) {
2734                 /*
2735                  * place the seqnum in the packet so that the main process
2736                  * can reply with signing
2737                  */
2738                 SIVAL((uint8_t *)state->pending[num_pending].iov_base,
2739                       smb_ss_field, seqnum);
2740                 SIVAL((uint8_t *)state->pending[num_pending].iov_base,
2741                       smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
2742         }
2743
2744         DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
2745         smbd_echo_activate_writer(state);
2746 }
2747
2748 static void smbd_echo_loop(struct smbd_server_connection *sconn,
2749                            int parent_pipe)
2750 {
2751         struct smbd_echo_state *state;
2752
2753         state = talloc_zero(sconn, struct smbd_echo_state);
2754         if (state == NULL) {
2755                 DEBUG(1, ("talloc failed\n"));
2756                 return;
2757         }
2758         state->sconn = sconn;
2759         state->parent_pipe = parent_pipe;
2760         state->ev = s3_tevent_context_init(state);
2761         if (state->ev == NULL) {
2762                 DEBUG(1, ("tevent_context_init failed\n"));
2763                 TALLOC_FREE(state);
2764                 return;
2765         }
2766         state->parent_fde = tevent_add_fd(state->ev, state, parent_pipe,
2767                                         TEVENT_FD_READ, smbd_echo_exit,
2768                                         state);
2769         if (state->parent_fde == NULL) {
2770                 DEBUG(1, ("tevent_add_fd failed\n"));
2771                 TALLOC_FREE(state);
2772                 return;
2773         }
2774         state->read_fde = tevent_add_fd(state->ev, state, sconn->sock,
2775                                         TEVENT_FD_READ, smbd_echo_reader,
2776                                         state);
2777         if (state->read_fde == NULL) {
2778                 DEBUG(1, ("tevent_add_fd failed\n"));
2779                 TALLOC_FREE(state);
2780                 return;
2781         }
2782
2783         while (true) {
2784                 if (tevent_loop_once(state->ev) == -1) {
2785                         DEBUG(1, ("tevent_loop_once failed: %s\n",
2786                                   strerror(errno)));
2787                         break;
2788                 }
2789         }
2790         TALLOC_FREE(state);
2791 }
2792
2793 /*
2794  * Handle SMBecho requests in a forked child process
2795  */
2796 static bool fork_echo_handler(struct smbd_server_connection *sconn)
2797 {
2798         int listener_pipe[2];
2799         int res;
2800         pid_t child;
2801
2802         res = pipe(listener_pipe);
2803         if (res == -1) {
2804                 DEBUG(1, ("pipe() failed: %s\n", strerror(errno)));
2805                 return false;
2806         }
2807         sconn->smb1.echo_handler.socket_lock_fd = create_unlink_tmp(lp_lockdir());
2808         if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
2809                 DEBUG(1, ("Could not create lock fd: %s\n", strerror(errno)));
2810                 goto fail;
2811         }
2812
2813         child = sys_fork();
2814         if (child == 0) {
2815                 NTSTATUS status;
2816
2817                 close(listener_pipe[0]);
2818                 set_blocking(listener_pipe[1], false);
2819
2820                 status = reinit_after_fork(sconn->msg_ctx,
2821                                            smbd_event_context(),
2822                                            procid_self(), false);
2823                 if (!NT_STATUS_IS_OK(status)) {
2824                         DEBUG(1, ("reinit_after_fork failed: %s\n",
2825                                   nt_errstr(status)));
2826                         exit(1);
2827                 }
2828                 smbd_echo_loop(sconn, listener_pipe[1]);
2829                 exit(0);
2830         }
2831         close(listener_pipe[1]);
2832         listener_pipe[1] = -1;
2833         sconn->smb1.echo_handler.trusted_fd = listener_pipe[0];
2834
2835         DEBUG(10,("fork_echo_handler: main[%d] echo_child[%d]\n", (int)sys_getpid(), child));
2836
2837         /*
2838          * Without smb signing this is the same as the normal smbd
2839          * listener. This needs to change once signing comes in.
2840          */
2841         sconn->smb1.echo_handler.trusted_fde = event_add_fd(smbd_event_context(),
2842                                         sconn,
2843                                         sconn->smb1.echo_handler.trusted_fd,
2844                                         EVENT_FD_READ,
2845                                         smbd_server_echo_handler,
2846                                         sconn);
2847         if (sconn->smb1.echo_handler.trusted_fde == NULL) {
2848                 DEBUG(1, ("event_add_fd failed\n"));
2849                 goto fail;
2850         }
2851
2852         return true;
2853
2854 fail:
2855         if (listener_pipe[0] != -1) {
2856                 close(listener_pipe[0]);
2857         }
2858         if (listener_pipe[1] != -1) {
2859                 close(listener_pipe[1]);
2860         }
2861         sconn->smb1.echo_handler.trusted_fd = -1;
2862         if (sconn->smb1.echo_handler.socket_lock_fd != -1) {
2863                 close(sconn->smb1.echo_handler.socket_lock_fd);
2864         }
2865         sconn->smb1.echo_handler.trusted_fd = -1;
2866         sconn->smb1.echo_handler.socket_lock_fd = -1;
2867         return false;
2868 }
2869
2870 #if CLUSTER_SUPPORT
2871
2872 static NTSTATUS smbd_register_ips(struct smbd_server_connection *sconn,
2873                                   struct sockaddr_storage *srv,
2874                                   struct sockaddr_storage *clnt)
2875 {
2876         struct ctdbd_connection *cconn;
2877         char tmp_addr[INET6_ADDRSTRLEN];
2878         char *addr;
2879
2880         cconn = messaging_ctdbd_connection();
2881         if (cconn == NULL) {
2882                 return NT_STATUS_NO_MEMORY;
2883         }
2884
2885         client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr));
2886         addr = talloc_strdup(cconn, tmp_addr);
2887         if (addr == NULL) {
2888                 return NT_STATUS_NO_MEMORY;
2889         }
2890         return ctdbd_register_ips(cconn, srv, clnt, release_ip, addr);
2891 }
2892
2893 #endif
2894
2895 /****************************************************************************
2896  Process commands from the client
2897 ****************************************************************************/
2898
2899 void smbd_process(struct smbd_server_connection *sconn)
2900 {
2901         TALLOC_CTX *frame = talloc_stackframe();
2902         struct sockaddr_storage ss;
2903         struct sockaddr *sa = NULL;
2904         socklen_t sa_socklen;
2905         struct tsocket_address *local_address = NULL;
2906         struct tsocket_address *remote_address = NULL;
2907         const char *remaddr = NULL;
2908         int ret;
2909
2910         if (lp_maxprotocol() == PROTOCOL_SMB2 &&
2911             !lp_async_smb_echo_handler()) {
2912                 /*
2913                  * We're not making the decision here,
2914                  * we're just allowing the client
2915                  * to decide between SMB1 and SMB2
2916                  * with the first negprot
2917                  * packet.
2918                  */
2919                 sconn->using_smb2 = true;
2920         }
2921
2922         /* Ensure child is set to blocking mode */
2923         set_blocking(sconn->sock,True);
2924
2925         set_socket_options(sconn->sock, "SO_KEEPALIVE");
2926         set_socket_options(sconn->sock, lp_socket_options());
2927
2928         sa = (struct sockaddr *)(void *)&ss;
2929         sa_socklen = sizeof(ss);
2930         ret = getpeername(sconn->sock, sa, &sa_socklen);
2931         if (ret != 0) {
2932                 int level = (errno == ENOTCONN)?2:0;
2933                 DEBUG(level,("getpeername() failed - %s\n", strerror(errno)));
2934                 exit_server_cleanly("getpeername() failed.\n");
2935         }
2936         ret = tsocket_address_bsd_from_sockaddr(sconn,
2937                                                 sa, sa_socklen,
2938                                                 &remote_address);
2939         if (ret != 0) {
2940                 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2941                         __location__, strerror(errno)));
2942                 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
2943         }
2944
2945         sa = (struct sockaddr *)(void *)&ss;
2946         sa_socklen = sizeof(ss);
2947         ret = getsockname(sconn->sock, sa, &sa_socklen);
2948         if (ret != 0) {
2949                 int level = (errno == ENOTCONN)?2:0;
2950                 DEBUG(level,("getsockname() failed - %s\n", strerror(errno)));
2951                 exit_server_cleanly("getsockname() failed.\n");
2952         }
2953         ret = tsocket_address_bsd_from_sockaddr(sconn,
2954                                                 sa, sa_socklen,
2955                                                 &local_address);
2956         if (ret != 0) {
2957                 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2958                         __location__, strerror(errno)));
2959                 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
2960         }
2961
2962         sconn->local_address = local_address;
2963         sconn->remote_address = remote_address;
2964
2965         if (tsocket_address_is_inet(remote_address, "ip")) {
2966                 remaddr = tsocket_address_inet_addr_string(
2967                                 sconn->remote_address,
2968                                 talloc_tos());
2969                 if (remaddr == NULL) {
2970
2971                 }
2972         } else {
2973                 remaddr = "0.0.0.0";
2974         }
2975
2976         /* this is needed so that we get decent entries
2977            in smbstatus for port 445 connects */
2978         set_remote_machine_name(remaddr, false);
2979         reload_services(sconn->msg_ctx, sconn->sock, true);
2980
2981         /*
2982          * Before the first packet, check the global hosts allow/ hosts deny
2983          * parameters before doing any parsing of packets passed to us by the
2984          * client. This prevents attacks on our parsing code from hosts not in
2985          * the hosts allow list.
2986          */
2987
2988         if (!allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
2989                           sconn->client_id.name,
2990                           sconn->client_id.addr)) {
2991                 /*
2992                  * send a negative session response "not listening on calling
2993                  * name"
2994                  */
2995                 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2996                 DEBUG( 1, ("Connection denied from %s to %s\n",
2997                            tsocket_address_string(remote_address, talloc_tos()),
2998                            tsocket_address_string(local_address, talloc_tos())));
2999                 (void)srv_send_smb(sconn,(char *)buf, false,
3000                                    0, false, NULL);
3001                 exit_server_cleanly("connection denied");
3002         }
3003
3004         DEBUG(10, ("Connection allowed from %s to %s\n",
3005                    tsocket_address_string(remote_address, talloc_tos()),
3006                    tsocket_address_string(local_address, talloc_tos())));
3007
3008         init_modules();
3009
3010         smb_perfcount_init();
3011
3012         if (!init_account_policy()) {
3013                 exit_server("Could not open account policy tdb.\n");
3014         }
3015
3016         if (*lp_rootdir()) {
3017                 if (chroot(lp_rootdir()) != 0) {
3018                         DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
3019                         exit_server("Failed to chroot()");
3020                 }
3021                 if (chdir("/") == -1) {
3022                         DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
3023                         exit_server("Failed to chroot()");
3024                 }
3025                 DEBUG(0,("Changed root to %s\n", lp_rootdir()));
3026         }
3027
3028         if (!srv_init_signing(sconn)) {
3029                 exit_server("Failed to init smb_signing");
3030         }
3031
3032         if (lp_async_smb_echo_handler() && !fork_echo_handler(sconn)) {
3033                 exit_server("Failed to fork echo handler");
3034         }
3035
3036         /* Setup oplocks */
3037         if (!init_oplocks(sconn->msg_ctx))
3038                 exit_server("Failed to init oplocks");
3039
3040         /* register our message handlers */
3041         messaging_register(sconn->msg_ctx, NULL,
3042                            MSG_SMB_FORCE_TDIS, msg_force_tdis);
3043         messaging_register(sconn->msg_ctx, sconn,
3044                            MSG_SMB_RELEASE_IP, msg_release_ip);
3045         messaging_register(sconn->msg_ctx, NULL,
3046                            MSG_SMB_CLOSE_FILE, msg_close_file);
3047
3048         /*
3049          * Use the default MSG_DEBUG handler to avoid rebroadcasting
3050          * MSGs to all child processes
3051          */
3052         messaging_deregister(sconn->msg_ctx,
3053                              MSG_DEBUG, NULL);
3054         messaging_register(sconn->msg_ctx, NULL,
3055                            MSG_DEBUG, debug_message);
3056
3057         if ((lp_keepalive() != 0)
3058             && !(event_add_idle(smbd_event_context(), NULL,
3059                                 timeval_set(lp_keepalive(), 0),
3060                                 "keepalive", keepalive_fn,
3061                                 NULL))) {
3062                 DEBUG(0, ("Could not add keepalive event\n"));
3063                 exit(1);
3064         }
3065
3066         if (!(event_add_idle(smbd_event_context(), NULL,
3067                              timeval_set(IDLE_CLOSED_TIMEOUT, 0),
3068                              "deadtime", deadtime_fn, sconn))) {
3069                 DEBUG(0, ("Could not add deadtime event\n"));
3070                 exit(1);
3071         }
3072
3073         if (!(event_add_idle(smbd_event_context(), NULL,
3074                              timeval_set(SMBD_HOUSEKEEPING_INTERVAL, 0),
3075                              "housekeeping", housekeeping_fn, sconn))) {
3076                 DEBUG(0, ("Could not add housekeeping event\n"));
3077                 exit(1);
3078         }
3079
3080 #ifdef CLUSTER_SUPPORT
3081
3082         if (lp_clustering()) {
3083                 /*
3084                  * We need to tell ctdb about our client's TCP
3085                  * connection, so that for failover ctdbd can send
3086                  * tickle acks, triggering a reconnection by the
3087                  * client.
3088                  */
3089
3090                 struct sockaddr_storage srv, clnt;
3091
3092                 if (client_get_tcp_info(sconn->sock, &srv, &clnt) == 0) {
3093                         NTSTATUS status;
3094                         status = smbd_register_ips(sconn, &srv, &clnt);
3095                         if (!NT_STATUS_IS_OK(status)) {
3096                                 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
3097                                           nt_errstr(status)));
3098                         }
3099                 } else
3100                 {
3101                         DEBUG(0,("Unable to get tcp info for "
3102                                  "CTDB_CONTROL_TCP_CLIENT: %s\n",
3103                                  strerror(errno)));
3104                 }
3105         }
3106
3107 #endif
3108
3109         sconn->nbt.got_session = false;
3110
3111         sconn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
3112
3113         sconn->smb1.sessions.done_sesssetup = false;
3114         sconn->smb1.sessions.max_send = BUFFER_SIZE;
3115         sconn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
3116         /* users from session setup */
3117         sconn->smb1.sessions.session_userlist = NULL;
3118         /* workgroup from session setup. */
3119         sconn->smb1.sessions.session_workgroup = NULL;
3120         /* this holds info on user ids that are already validated for this VC */
3121         sconn->smb1.sessions.validated_users = NULL;
3122         sconn->smb1.sessions.next_vuid = VUID_OFFSET;
3123         sconn->smb1.sessions.num_validated_vuids = 0;
3124
3125         conn_init(sconn);
3126         if (!init_dptrs(sconn)) {
3127                 exit_server("init_dptrs() failed");
3128         }
3129
3130         sconn->smb1.fde = event_add_fd(smbd_event_context(),
3131                                                   sconn,
3132                                                   sconn->sock,
3133                                                   EVENT_FD_READ,
3134                                                   smbd_server_connection_handler,
3135                                                   sconn);
3136         if (!sconn->smb1.fde) {
3137                 exit_server("failed to create smbd_server_connection fde");
3138         }
3139
3140         TALLOC_FREE(frame);
3141
3142         while (True) {
3143                 NTSTATUS status;
3144
3145                 frame = talloc_stackframe_pool(8192);
3146
3147                 errno = 0;
3148
3149                 status = smbd_server_connection_loop_once(sconn);
3150                 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
3151                     !NT_STATUS_IS_OK(status)) {
3152                         DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
3153                                   " exiting\n", nt_errstr(status)));
3154                         break;
3155                 }
3156
3157                 TALLOC_FREE(frame);
3158         }
3159
3160         exit_server_cleanly(NULL);
3161 }
3162
3163 bool req_is_in_chain(struct smb_request *req)
3164 {
3165         if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
3166                 /*
3167                  * We're right now handling a subsequent request, so we must
3168                  * be in a chain
3169                  */
3170                 return true;
3171         }
3172
3173         if (!is_andx_req(req->cmd)) {
3174                 return false;
3175         }
3176
3177         if (req->wct < 2) {
3178                 /*
3179                  * Okay, an illegal request, but definitely not chained :-)
3180                  */
3181                 return false;
3182         }
3183
3184         return (CVAL(req->vwv+0, 0) != 0xFF);
3185 }