2 Unix SMB/CIFS implementation.
5 Copyright (C) Stefan Metzmacher 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "smbd/globals.h"
23 #include "../source4/libcli/smb2/smb2_constants.h"
24 #include "../lib/tsocket/tsocket.h"
26 bool smbd_is_smb2_header(const uint8_t *inbuf, size_t size)
28 if (size < (4 + SMB2_HDR_BODY)) {
32 if (IVAL(inbuf, 4) != SMB2_MAGIC) {
39 static NTSTATUS smbd_initialize_smb2(struct smbd_server_connection *conn)
44 TALLOC_FREE(conn->smb1.fde);
46 conn->smb2.event_ctx = smbd_event_context();
48 conn->smb2.recv_queue = tevent_queue_create(conn, "smb2 recv queue");
49 if (conn->smb2.recv_queue == NULL) {
50 return NT_STATUS_NO_MEMORY;
53 conn->smb2.send_queue = tevent_queue_create(conn, "smb2 send queue");
54 if (conn->smb2.send_queue == NULL) {
55 return NT_STATUS_NO_MEMORY;
58 conn->smb2.sessions.idtree = idr_init(conn);
59 if (conn->smb2.sessions.idtree == NULL) {
60 return NT_STATUS_NO_MEMORY;
62 conn->smb2.sessions.limit = 0x0000FFFE;
63 conn->smb2.sessions.list = NULL;
65 ret = tstream_bsd_existing_socket(conn, smbd_server_fd(),
68 status = map_nt_error_from_unix(errno);
72 /* Ensure child is set to non-blocking mode */
73 set_blocking(smbd_server_fd(),false);
77 #define smb2_len(buf) (PVAL(buf,3)|(PVAL(buf,2)<<8)|(PVAL(buf,1)<<16))
78 #define _smb2_setlen(_buf,len) do { \
79 uint8_t *buf = (uint8_t *)_buf; \
81 buf[1] = ((len)&0xFF0000)>>16; \
82 buf[2] = ((len)&0xFF00)>>8; \
83 buf[3] = (len)&0xFF; \
86 static void smb2_setup_nbt_length(struct iovec *vector, int count)
91 for (i=1; i < count; i++) {
92 len += vector[i].iov_len;
95 _smb2_setlen(vector[0].iov_base, len);
98 static NTSTATUS smbd_smb2_request_create(struct smbd_server_connection *conn,
99 const uint8_t *inbuf, size_t size,
100 struct smbd_smb2_request **_req)
102 TALLOC_CTX *mem_pool;
103 struct smbd_smb2_request *req;
104 uint32_t protocol_version;
105 const uint8_t *inhdr = NULL;
108 uint32_t next_command_ofs;
110 if (size < (4 + SMB2_HDR_BODY + 2)) {
111 DEBUG(0,("Invalid SMB2 packet length count %ld\n", (long)size));
112 return NT_STATUS_INVALID_PARAMETER;
117 protocol_version = IVAL(inhdr, SMB2_HDR_PROTOCOL_ID);
118 if (protocol_version != SMB2_MAGIC) {
119 DEBUG(0,("Invalid SMB packet: protocol prefix: 0x%08X\n",
121 return NT_STATUS_INVALID_PARAMETER;
124 cmd = SVAL(inhdr, SMB2_HDR_OPCODE);
125 if (cmd != SMB2_OP_NEGPROT) {
126 DEBUG(0,("Invalid SMB packet: first request: 0x%04X\n",
128 return NT_STATUS_INVALID_PARAMETER;
131 next_command_ofs = IVAL(inhdr, SMB2_HDR_NEXT_COMMAND);
132 if (next_command_ofs != 0) {
133 DEBUG(0,("Invalid SMB packet: next_command: 0x%08X\n",
135 return NT_STATUS_INVALID_PARAMETER;
138 mem_pool = talloc_pool(conn, 8192);
139 if (mem_pool == NULL) {
140 return NT_STATUS_NO_MEMORY;
143 req = talloc_zero(mem_pool, struct smbd_smb2_request);
145 talloc_free(mem_pool);
146 return NT_STATUS_NO_MEMORY;
148 req->mem_pool = mem_pool;
151 talloc_steal(req, inbuf);
153 req->in.vector = talloc_array(req, struct iovec, 4);
154 if (req->in.vector == NULL) {
155 talloc_free(mem_pool);
156 return NT_STATUS_NO_MEMORY;
158 req->in.vector_count = 4;
160 memcpy(req->in.nbt_hdr, inbuf, 4);
163 req->in.vector[0].iov_base = (void *)req->in.nbt_hdr;
164 req->in.vector[0].iov_len = 4;
165 ofs += req->in.vector[0].iov_len;
167 req->in.vector[1].iov_base = (void *)(inbuf + ofs);
168 req->in.vector[1].iov_len = SMB2_HDR_BODY;
169 ofs += req->in.vector[1].iov_len;
171 req->in.vector[2].iov_base = (void *)(inbuf + ofs);
172 req->in.vector[2].iov_len = SVAL(inbuf, ofs) & 0xFFFE;
173 ofs += req->in.vector[2].iov_len;
176 return NT_STATUS_INVALID_PARAMETER;
179 req->in.vector[3].iov_base = (void *)(inbuf + ofs);
180 req->in.vector[3].iov_len = size - ofs;
181 ofs += req->in.vector[3].iov_len;
183 req->current_idx = 1;
189 static NTSTATUS smbd_smb2_request_validate(struct smbd_smb2_request *req)
193 bool compound_related = false;
195 count = req->in.vector_count;
198 /* It's not a SMB2 request */
199 return NT_STATUS_INVALID_PARAMETER;
202 for (idx=1; idx < count; idx += 3) {
203 const uint8_t *inhdr = NULL;
206 if (req->in.vector[idx].iov_len != SMB2_HDR_BODY) {
207 return NT_STATUS_INVALID_PARAMETER;
210 if (req->in.vector[idx+1].iov_len < 2) {
211 return NT_STATUS_INVALID_PARAMETER;
214 inhdr = (const uint8_t *)req->in.vector[idx].iov_base;
216 /* setup the SMB2 header */
217 if (IVAL(inhdr, SMB2_HDR_PROTOCOL_ID) != SMB2_MAGIC) {
218 return NT_STATUS_INVALID_PARAMETER;
221 flags = IVAL(inhdr, SMB2_HDR_FLAGS);
224 * the 1st request should never have the
225 * SMB2_HDR_FLAG_CHAINED flag set
227 if (flags & SMB2_HDR_FLAG_CHAINED) {
228 req->next_status = NT_STATUS_INVALID_PARAMETER;
231 } else if (idx == 4) {
233 * the 2nd request triggers related vs. unrelated
234 * compounded requests
236 if (flags & SMB2_HDR_FLAG_CHAINED) {
237 compound_related = true;
239 } else if (idx > 4) {
242 * It seems the this tests are wrong
243 * see the SMB2-COMPOUND test
247 * all other requests should match the 2nd one
249 if (flags & SMB2_HDR_FLAG_CHAINED) {
250 if (!compound_related) {
252 NT_STATUS_INVALID_PARAMETER;
256 if (compound_related) {
258 NT_STATUS_INVALID_PARAMETER;
269 static NTSTATUS smbd_smb2_request_setup_out(struct smbd_smb2_request *req)
271 struct iovec *vector;
275 count = req->in.vector_count;
276 vector = talloc_array(req, struct iovec, count);
277 if (vector == NULL) {
278 return NT_STATUS_NO_MEMORY;
281 vector[0].iov_base = req->out.nbt_hdr;
282 vector[0].iov_len = 4;
283 SIVAL(req->out.nbt_hdr, 0, 0);
285 for (idx=1; idx < count; idx += 3) {
286 const uint8_t *inhdr = NULL;
288 uint8_t *outhdr = NULL;
289 uint8_t *outbody = NULL;
290 uint32_t next_command_ofs = 0;
291 struct iovec *current = &vector[idx];
293 if ((idx + 3) < count) {
294 /* we have a next command */
295 next_command_ofs = SMB2_HDR_BODY + 8;
298 inhdr = (const uint8_t *)req->in.vector[idx].iov_base;
299 in_flags = IVAL(inhdr, SMB2_HDR_FLAGS);
301 outhdr = talloc_array(vector, uint8_t,
303 if (outhdr == NULL) {
304 return NT_STATUS_NO_MEMORY;
307 outbody = outhdr + SMB2_HDR_BODY;
309 current[0].iov_base = (void *)outhdr;
310 current[0].iov_len = SMB2_HDR_BODY;
312 current[1].iov_base = (void *)outbody;
313 current[1].iov_len = 8;
315 current[2].iov_base = NULL;
316 current[2].iov_len = 0;
318 /* setup the SMB2 header */
319 SIVAL(outhdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
320 SSVAL(outhdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
321 SSVAL(outhdr, SMB2_HDR_EPOCH, 0);
322 SIVAL(outhdr, SMB2_HDR_STATUS,
323 NT_STATUS_V(NT_STATUS_INTERNAL_ERROR));
324 SSVAL(outhdr, SMB2_HDR_OPCODE,
325 SVAL(inhdr, SMB2_HDR_OPCODE));
326 /* Make up a number for now... JRA. FIXME ! FIXME !*/
327 SSVAL(outhdr, SMB2_HDR_CREDIT, 20);
328 SIVAL(outhdr, SMB2_HDR_FLAGS,
329 IVAL(inhdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_REDIRECT);
330 SIVAL(outhdr, SMB2_HDR_NEXT_COMMAND, next_command_ofs);
331 SBVAL(outhdr, SMB2_HDR_MESSAGE_ID,
332 BVAL(inhdr, SMB2_HDR_MESSAGE_ID));
333 SIVAL(outhdr, SMB2_HDR_PID,
334 IVAL(inhdr, SMB2_HDR_PID));
335 SIVAL(outhdr, SMB2_HDR_TID,
336 IVAL(inhdr, SMB2_HDR_TID));
337 SBVAL(outhdr, SMB2_HDR_SESSION_ID,
338 BVAL(inhdr, SMB2_HDR_SESSION_ID));
339 memset(outhdr + SMB2_HDR_SIGNATURE, 0, 16);
341 /* setup error body header */
342 SSVAL(outbody, 0x00, 0x08 + 1);
343 SSVAL(outbody, 0x02, 0);
344 SIVAL(outbody, 0x04, 0);
347 req->out.vector = vector;
348 req->out.vector_count = count;
350 /* setup the length of the NBT packet */
351 smb2_setup_nbt_length(req->out.vector, req->out.vector_count);
356 void smbd_server_connection_terminate_ex(struct smbd_server_connection *sconn,
358 const char *location)
360 DEBUG(10,("smbd_server_connection_terminate_ex: reason[%s] at %s\n",
362 exit_server_cleanly(reason);
365 static NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
367 const uint8_t *inhdr;
368 int i = req->current_idx;
372 NTSTATUS session_status;
374 inhdr = (const uint8_t *)req->in.vector[i].iov_base;
376 /* TODO: verify more things */
378 flags = IVAL(inhdr, SMB2_HDR_FLAGS);
379 opcode = IVAL(inhdr, SMB2_HDR_OPCODE);
380 DEBUG(10,("smbd_smb2_request_dispatch: opcode[%u]\n", opcode));
382 #define TMP_SMB2_ALLOWED_FLAGS ( \
383 SMB2_HDR_FLAG_CHAINED | \
384 SMB2_HDR_FLAG_SIGNED | \
386 if ((flags & ~TMP_SMB2_ALLOWED_FLAGS) != 0) {
387 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
389 #undef TMP_SMB2_ALLOWED_FLAGS
391 session_status = smbd_smb2_request_check_session(req);
393 req->do_signing = false;
394 if (flags & SMB2_HDR_FLAG_SIGNED) {
395 if (!NT_STATUS_IS_OK(session_status)) {
396 return smbd_smb2_request_error(req, session_status);
399 req->do_signing = true;
400 status = smb2_signing_check_pdu(req->session->session_key,
401 &req->in.vector[i], 3);
402 if (!NT_STATUS_IS_OK(status)) {
403 return smbd_smb2_request_error(req, status);
405 } else if (req->session && req->session->do_signing) {
406 return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED);
409 if (flags & SMB2_HDR_FLAG_CHAINED) {
411 * This check is mostly for giving the correct error code
412 * for compounded requests.
414 * TODO: we may need to move this after the session
417 if (!NT_STATUS_IS_OK(req->next_status)) {
418 return smbd_smb2_request_error(req, req->next_status);
421 req->compat_chain_fsp = NULL;
425 case SMB2_OP_NEGPROT:
426 return smbd_smb2_request_process_negprot(req);
428 case SMB2_OP_SESSSETUP:
429 return smbd_smb2_request_process_sesssetup(req);
432 if (!NT_STATUS_IS_OK(session_status)) {
433 return smbd_smb2_request_error(req, session_status);
435 return smbd_smb2_request_process_logoff(req);
438 if (!NT_STATUS_IS_OK(session_status)) {
439 return smbd_smb2_request_error(req, session_status);
441 status = smbd_smb2_request_check_session(req);
442 if (!NT_STATUS_IS_OK(status)) {
443 return smbd_smb2_request_error(req, status);
445 return smbd_smb2_request_process_tcon(req);
448 if (!NT_STATUS_IS_OK(session_status)) {
449 return smbd_smb2_request_error(req, session_status);
451 status = smbd_smb2_request_check_tcon(req);
452 if (!NT_STATUS_IS_OK(status)) {
453 return smbd_smb2_request_error(req, status);
455 return smbd_smb2_request_process_tdis(req);
458 if (!NT_STATUS_IS_OK(session_status)) {
459 return smbd_smb2_request_error(req, session_status);
461 status = smbd_smb2_request_check_tcon(req);
462 if (!NT_STATUS_IS_OK(status)) {
463 return smbd_smb2_request_error(req, status);
465 return smbd_smb2_request_process_create(req);
468 if (!NT_STATUS_IS_OK(session_status)) {
469 return smbd_smb2_request_error(req, session_status);
471 status = smbd_smb2_request_check_tcon(req);
472 if (!NT_STATUS_IS_OK(status)) {
473 return smbd_smb2_request_error(req, status);
475 return smbd_smb2_request_process_close(req);
478 if (!NT_STATUS_IS_OK(session_status)) {
479 return smbd_smb2_request_error(req, session_status);
481 status = smbd_smb2_request_check_tcon(req);
482 if (!NT_STATUS_IS_OK(status)) {
483 return smbd_smb2_request_error(req, status);
485 return smbd_smb2_request_process_flush(req);
488 if (!NT_STATUS_IS_OK(session_status)) {
489 return smbd_smb2_request_error(req, session_status);
491 status = smbd_smb2_request_check_tcon(req);
492 if (!NT_STATUS_IS_OK(status)) {
493 return smbd_smb2_request_error(req, status);
495 return smbd_smb2_request_process_read(req);
498 if (!NT_STATUS_IS_OK(session_status)) {
499 return smbd_smb2_request_error(req, session_status);
501 status = smbd_smb2_request_check_tcon(req);
502 if (!NT_STATUS_IS_OK(status)) {
503 return smbd_smb2_request_error(req, status);
505 return smbd_smb2_request_process_write(req);
508 if (!NT_STATUS_IS_OK(session_status)) {
509 return smbd_smb2_request_error(req, session_status);
511 status = smbd_smb2_request_check_tcon(req);
512 if (!NT_STATUS_IS_OK(status)) {
513 return smbd_smb2_request_error(req, status);
515 return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
518 if (!NT_STATUS_IS_OK(session_status)) {
519 return smbd_smb2_request_error(req, session_status);
521 status = smbd_smb2_request_check_tcon(req);
522 if (!NT_STATUS_IS_OK(status)) {
523 return smbd_smb2_request_error(req, status);
525 return smbd_smb2_request_process_ioctl(req);
528 return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
530 case SMB2_OP_KEEPALIVE:
531 return smbd_smb2_request_process_keepalive(req);
534 if (!NT_STATUS_IS_OK(session_status)) {
535 return smbd_smb2_request_error(req, session_status);
537 status = smbd_smb2_request_check_tcon(req);
538 if (!NT_STATUS_IS_OK(status)) {
539 return smbd_smb2_request_error(req, status);
541 return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
544 if (!NT_STATUS_IS_OK(session_status)) {
545 return smbd_smb2_request_error(req, session_status);
547 status = smbd_smb2_request_check_tcon(req);
548 if (!NT_STATUS_IS_OK(status)) {
549 return smbd_smb2_request_error(req, status);
551 return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
553 case SMB2_OP_GETINFO:
554 if (!NT_STATUS_IS_OK(session_status)) {
555 return smbd_smb2_request_error(req, session_status);
557 status = smbd_smb2_request_check_tcon(req);
558 if (!NT_STATUS_IS_OK(status)) {
559 return smbd_smb2_request_error(req, status);
561 return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
563 case SMB2_OP_SETINFO:
564 if (!NT_STATUS_IS_OK(session_status)) {
565 return smbd_smb2_request_error(req, session_status);
567 status = smbd_smb2_request_check_tcon(req);
568 if (!NT_STATUS_IS_OK(status)) {
569 return smbd_smb2_request_error(req, status);
571 return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
574 if (!NT_STATUS_IS_OK(session_status)) {
575 return smbd_smb2_request_error(req, session_status);
577 status = smbd_smb2_request_check_tcon(req);
578 if (!NT_STATUS_IS_OK(status)) {
579 return smbd_smb2_request_error(req, status);
581 return smbd_smb2_request_error(req, NT_STATUS_NOT_IMPLEMENTED);
584 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
587 static void smbd_smb2_request_dispatch_compound(struct tevent_req *subreq);
588 static void smbd_smb2_request_writev_done(struct tevent_req *subreq);
590 static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req)
592 struct tevent_req *subreq;
594 smb2_setup_nbt_length(req->out.vector, req->out.vector_count);
596 if (req->do_signing) {
597 int i = req->current_idx;
599 status = smb2_signing_sign_pdu(req->session->session_key,
600 &req->out.vector[i], 3);
601 if (!NT_STATUS_IS_OK(status)) {
606 req->current_idx += 3;
608 if (req->current_idx < req->out.vector_count) {
609 struct timeval zero = timeval_zero();
610 subreq = tevent_wakeup_send(req,
611 req->conn->smb2.event_ctx,
613 if (subreq == NULL) {
614 return NT_STATUS_NO_MEMORY;
616 tevent_req_set_callback(subreq,
617 smbd_smb2_request_dispatch_compound,
623 subreq = tstream_writev_queue_send(req,
624 req->conn->smb2.event_ctx,
625 req->conn->smb2.stream,
626 req->conn->smb2.send_queue,
628 req->out.vector_count);
629 if (subreq == NULL) {
630 return NT_STATUS_NO_MEMORY;
632 tevent_req_set_callback(subreq, smbd_smb2_request_writev_done, req);
637 static void smbd_smb2_request_dispatch_compound(struct tevent_req *subreq)
639 struct smbd_smb2_request *req = tevent_req_callback_data(subreq,
640 struct smbd_smb2_request);
641 struct smbd_server_connection *conn = req->conn;
644 tevent_wakeup_recv(subreq);
647 DEBUG(10,("smbd_smb2_request_dispatch_compound: idx[%d] of %d vectors\n",
648 req->current_idx, req->in.vector_count));
650 status = smbd_smb2_request_dispatch(req);
651 if (!NT_STATUS_IS_OK(status)) {
652 smbd_server_connection_terminate(conn, nt_errstr(status));
657 static void smbd_smb2_request_writev_done(struct tevent_req *subreq)
659 struct smbd_smb2_request *req = tevent_req_callback_data(subreq,
660 struct smbd_smb2_request);
661 struct smbd_server_connection *conn = req->conn;
664 TALLOC_CTX *mem_pool;
666 ret = tstream_writev_queue_recv(subreq, &sys_errno);
669 NTSTATUS status = map_nt_error_from_unix(sys_errno);
670 smbd_server_connection_terminate(conn, nt_errstr(status));
674 mem_pool = req->mem_pool;
676 talloc_free(mem_pool);
679 NTSTATUS smbd_smb2_request_error_ex(struct smbd_smb2_request *req,
682 const char *location)
686 int i = req->current_idx;
688 DEBUG(10,("smbd_smb2_request_error_ex: idx[%d] status[%s] |%s| at %s\n",
689 i, nt_errstr(status), info ? " +info" : "",
692 outhdr = (uint8_t *)req->out.vector[i].iov_base;
694 SIVAL(outhdr, SMB2_HDR_STATUS, NT_STATUS_V(status));
696 outbody = outhdr + SMB2_HDR_BODY;
698 req->out.vector[i+1].iov_base = (void *)outbody;
699 req->out.vector[i+1].iov_len = 8;
702 SIVAL(outbody, 0x04, info->length);
703 req->out.vector[i+2].iov_base = (void *)info->data;
704 req->out.vector[i+2].iov_len = info->length;
706 req->out.vector[i+2].iov_base = NULL;
707 req->out.vector[i+2].iov_len = 0;
711 * if a request fails, all other remaining
712 * compounded requests should fail too
714 req->next_status = NT_STATUS_INVALID_PARAMETER;
716 return smbd_smb2_request_reply(req);
719 NTSTATUS smbd_smb2_request_done_ex(struct smbd_smb2_request *req,
721 DATA_BLOB body, DATA_BLOB *dyn,
722 const char *location)
726 int i = req->current_idx;
727 uint32_t next_command_ofs;
729 DEBUG(10,("smbd_smb2_request_done_ex: "
730 "idx[%d] status[%s] body[%u] dyn[%s:%u] at %s\n",
731 i, nt_errstr(status), (unsigned int)body.length,
733 (unsigned int)(dyn ? dyn->length : 0),
736 if (body.length < 2) {
737 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
740 if ((body.length % 2) != 0) {
741 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
744 outhdr = (uint8_t *)req->out.vector[i].iov_base;
745 /* the fallback dynamic buffer */
746 outdyn = outhdr + SMB2_HDR_BODY + 8;
748 next_command_ofs = IVAL(outhdr, SMB2_HDR_NEXT_COMMAND);
749 SIVAL(outhdr, SMB2_HDR_STATUS, NT_STATUS_V(status));
751 req->out.vector[i+1].iov_base = (void *)body.data;
752 req->out.vector[i+1].iov_len = body.length;
755 req->out.vector[i+2].iov_base = (void *)dyn->data;
756 req->out.vector[i+2].iov_len = dyn->length;
758 req->out.vector[i+2].iov_base = NULL;
759 req->out.vector[i+2].iov_len = 0;
762 /* see if we need to recalculate the offset to the next response */
763 if (next_command_ofs > 0) {
764 next_command_ofs = SMB2_HDR_BODY;
765 next_command_ofs += req->out.vector[i+1].iov_len;
766 next_command_ofs += req->out.vector[i+2].iov_len;
769 if ((next_command_ofs % 8) != 0) {
770 size_t pad_size = 8 - (next_command_ofs % 8);
771 if (req->out.vector[i+2].iov_len == 0) {
773 * if the dyn buffer is empty
774 * we can use it to add padding
778 pad = talloc_zero_array(req->out.vector,
781 return smbd_smb2_request_error(req,
782 NT_STATUS_NO_MEMORY);
785 req->out.vector[i+2].iov_base = (void *)pad;
786 req->out.vector[i+2].iov_len = pad_size;
789 * For now we copy the dynamic buffer
790 * and add the padding to the new buffer
797 old_size = req->out.vector[i+2].iov_len;
798 old_dyn = (uint8_t *)req->out.vector[i+2].iov_base;
800 new_size = old_size + pad_size;
801 new_dyn = talloc_array(req->out.vector,
803 if (new_dyn == NULL) {
804 return smbd_smb2_request_error(req,
805 NT_STATUS_NO_MEMORY);
808 memcpy(new_dyn, old_dyn, old_size);
809 memset(new_dyn + old_size, 0, pad_size);
811 req->out.vector[i+2].iov_base = (void *)new_dyn;
812 req->out.vector[i+2].iov_len = new_size;
814 TALLOC_FREE(old_dyn);
816 next_command_ofs += pad_size;
819 SIVAL(outhdr, SMB2_HDR_NEXT_COMMAND, next_command_ofs);
821 return smbd_smb2_request_reply(req);
824 struct smbd_smb2_request_read_state {
826 bool asked_for_header;
827 struct smbd_smb2_request *smb2_req;
830 static int smbd_smb2_request_next_vector(struct tstream_context *stream,
833 struct iovec **_vector,
835 static void smbd_smb2_request_read_done(struct tevent_req *subreq);
837 static struct tevent_req *smbd_smb2_request_read_send(TALLOC_CTX *mem_ctx,
838 struct tevent_context *ev,
839 struct smbd_server_connection *conn)
841 struct tevent_req *req;
842 struct smbd_smb2_request_read_state *state;
843 struct tevent_req *subreq;
844 TALLOC_CTX *mem_pool;
846 req = tevent_req_create(mem_ctx, &state,
847 struct smbd_smb2_request_read_state);
852 state->asked_for_header = false;
854 mem_pool = talloc_pool(state, 8192);
855 if (tevent_req_nomem(mem_pool, req)) {
856 return tevent_req_post(req, ev);
859 state->smb2_req = talloc_zero(mem_pool, struct smbd_smb2_request);
860 if (tevent_req_nomem(state->smb2_req, req)) {
861 return tevent_req_post(req, ev);
864 state->smb2_req->mem_pool = mem_pool;
865 state->smb2_req->conn = conn;
867 subreq = tstream_readv_pdu_queue_send(state, ev, conn->smb2.stream,
868 conn->smb2.recv_queue,
869 smbd_smb2_request_next_vector,
871 if (tevent_req_nomem(subreq, req)) {
872 return tevent_req_post(req, ev);
874 tevent_req_set_callback(subreq, smbd_smb2_request_read_done, req);
879 static int smbd_smb2_request_next_vector(struct tstream_context *stream,
882 struct iovec **_vector,
885 struct smbd_smb2_request_read_state *state =
886 talloc_get_type_abort(private_data,
887 struct smbd_smb2_request_read_state);
888 struct smbd_smb2_request *req = state->smb2_req;
889 struct iovec *vector;
890 int idx = req->in.vector_count;
894 if (req->in.vector_count == 0) {
896 * first we need to get the NBT header
898 req->in.vector = talloc_array(req, struct iovec,
899 req->in.vector_count + 1);
900 if (req->in.vector == NULL) {
903 req->in.vector_count += 1;
905 req->in.vector[idx].iov_base = (void *)req->in.nbt_hdr;
906 req->in.vector[idx].iov_len = 4;
908 vector = talloc_array(mem_ctx, struct iovec, 1);
909 if (vector == NULL) {
913 vector[0] = req->in.vector[idx];
920 if (req->in.vector_count == 1) {
922 * Now we analyze the NBT header
924 state->missing = smb2_len(req->in.vector[0].iov_base);
926 if (state->missing == 0) {
927 /* if there're no remaining bytes, we're done */
933 req->in.vector = talloc_realloc(req, req->in.vector,
935 req->in.vector_count + 1);
936 if (req->in.vector == NULL) {
939 req->in.vector_count += 1;
941 if (CVAL(req->in.vector[0].iov_base, 0) != 0) {
943 * it's a special NBT message,
944 * so get all remaining bytes
946 len = state->missing;
947 } else if (state->missing < (SMB2_HDR_BODY + 2)) {
949 * it's an invalid message, just read what we can get
950 * and let the caller handle the error
952 len = state->missing;
955 * We assume it's a SMB2 request,
956 * and we first get the header and the
957 * first 2 bytes (the struct size) of the body
959 len = SMB2_HDR_BODY + 2;
961 state->asked_for_header = true;
964 state->missing -= len;
966 buf = talloc_array(req->in.vector, uint8_t, len);
971 req->in.vector[idx].iov_base = (void *)buf;
972 req->in.vector[idx].iov_len = len;
974 vector = talloc_array(mem_ctx, struct iovec, 1);
975 if (vector == NULL) {
979 vector[0] = req->in.vector[idx];
986 if (state->missing == 0) {
987 /* if there're no remaining bytes, we're done */
993 if (state->asked_for_header) {
996 size_t next_command_ofs;
1001 bool invalid = false;
1003 state->asked_for_header = false;
1006 * We got the SMB2 header and the first 2 bytes
1007 * of the body. We fix the size to just the header
1008 * and manually copy the 2 first bytes to the body section
1010 req->in.vector[idx-1].iov_len = SMB2_HDR_BODY;
1011 hdr = (const uint8_t *)req->in.vector[idx-1].iov_base;
1013 /* allocate vectors for body and dynamic areas */
1014 req->in.vector = talloc_realloc(req, req->in.vector,
1016 req->in.vector_count + 2);
1017 if (req->in.vector == NULL) {
1020 req->in.vector_count += 2;
1022 full_size = state->missing + SMB2_HDR_BODY + 2;
1023 next_command_ofs = IVAL(hdr, SMB2_HDR_NEXT_COMMAND);
1024 body_size = SVAL(hdr, SMB2_HDR_BODY);
1026 if (next_command_ofs != 0) {
1027 if (next_command_ofs < (SMB2_HDR_BODY + 2)) {
1029 * this is invalid, just return a zero
1030 * body and let the caller deal with the error
1033 } else if (next_command_ofs > full_size) {
1035 * this is invalid, just return a zero
1036 * body and let the caller deal with the error
1040 full_size = next_command_ofs;
1045 if (body_size < 2) {
1047 * this is invalid, just return a zero
1048 * body and let the caller deal with the error
1051 } else if (body_size > (full_size - SMB2_HDR_BODY)) {
1053 * this is invalid, just return a zero
1054 * body and let the caller deal with the error
1061 /* the caller should check this */
1065 if ((body_size % 2) != 0) {
1069 dyn_size = full_size - (SMB2_HDR_BODY + body_size);
1071 state->missing -= (body_size - 2) + dyn_size;
1073 body = talloc_array(req->in.vector, uint8_t, body_size);
1078 dyn = talloc_array(req->in.vector, uint8_t, dyn_size);
1083 req->in.vector[idx].iov_base = (void *)body;
1084 req->in.vector[idx].iov_len = body_size;
1085 req->in.vector[idx+1].iov_base = (void *)dyn;
1086 req->in.vector[idx+1].iov_len = dyn_size;
1088 vector = talloc_array(mem_ctx, struct iovec, 2);
1089 if (vector == NULL) {
1094 * the first 2 bytes of the body were already fetched
1095 * together with the header
1097 memcpy(body, hdr + SMB2_HDR_BODY, 2);
1098 vector[0].iov_base = body + 2;
1099 vector[0].iov_len = req->in.vector[idx].iov_len - 2;
1101 vector[1] = req->in.vector[idx+1];
1109 * when we endup here, we're looking for a new SMB2 request
1110 * next. And we ask for its header and the first 2 bytes of
1111 * the body (like we did for the first SMB2 request).
1114 req->in.vector = talloc_realloc(req, req->in.vector,
1116 req->in.vector_count + 1);
1117 if (req->in.vector == NULL) {
1120 req->in.vector_count += 1;
1123 * We assume it's a SMB2 request,
1124 * and we first get the header and the
1125 * first 2 bytes (the struct size) of the body
1127 len = SMB2_HDR_BODY + 2;
1129 if (len > state->missing) {
1130 /* let the caller handle the error */
1131 len = state->missing;
1134 state->missing -= len;
1135 state->asked_for_header = true;
1137 buf = talloc_array(req->in.vector, uint8_t, len);
1142 req->in.vector[idx].iov_base = (void *)buf;
1143 req->in.vector[idx].iov_len = len;
1145 vector = talloc_array(mem_ctx, struct iovec, 1);
1146 if (vector == NULL) {
1150 vector[0] = req->in.vector[idx];
1157 static void smbd_smb2_request_read_done(struct tevent_req *subreq)
1159 struct tevent_req *req =
1160 tevent_req_callback_data(subreq,
1166 ret = tstream_readv_pdu_queue_recv(subreq, &sys_errno);
1168 status = map_nt_error_from_unix(sys_errno);
1169 tevent_req_nterror(req, status);
1173 tevent_req_done(req);
1176 static NTSTATUS smbd_smb2_request_read_recv(struct tevent_req *req,
1177 TALLOC_CTX *mem_ctx,
1178 struct smbd_smb2_request **_smb2_req)
1180 struct smbd_smb2_request_read_state *state =
1181 tevent_req_data(req,
1182 struct smbd_smb2_request_read_state);
1185 if (tevent_req_is_nterror(req, &status)) {
1186 tevent_req_received(req);
1190 talloc_steal(mem_ctx, state->smb2_req->mem_pool);
1191 *_smb2_req = state->smb2_req;
1192 tevent_req_received(req);
1193 return NT_STATUS_OK;
1196 static void smbd_smb2_request_incoming(struct tevent_req *subreq);
1198 void smbd_smb2_first_negprot(struct smbd_server_connection *conn,
1199 const uint8_t *inbuf, size_t size)
1202 struct smbd_smb2_request *req;
1203 struct tevent_req *subreq;
1205 DEBUG(10,("smbd_smb2_first_negprot: packet length %u\n",
1206 (unsigned int)size));
1208 status = smbd_initialize_smb2(conn);
1209 if (!NT_STATUS_IS_OK(status)) {
1210 smbd_server_connection_terminate(conn, nt_errstr(status));
1214 status = smbd_smb2_request_create(conn, inbuf, size, &req);
1215 if (!NT_STATUS_IS_OK(status)) {
1216 smbd_server_connection_terminate(conn, nt_errstr(status));
1220 status = smbd_smb2_request_setup_out(req);
1221 if (!NT_STATUS_IS_OK(status)) {
1222 smbd_server_connection_terminate(conn, nt_errstr(status));
1226 status = smbd_smb2_request_dispatch(req);
1227 if (!NT_STATUS_IS_OK(status)) {
1228 smbd_server_connection_terminate(conn, nt_errstr(status));
1232 /* ask for the next request */
1233 subreq = smbd_smb2_request_read_send(conn,conn->smb2.event_ctx, conn);
1234 if (subreq == NULL) {
1235 smbd_server_connection_terminate(conn, "no memory for reading");
1238 tevent_req_set_callback(subreq, smbd_smb2_request_incoming, conn);
1241 static void smbd_smb2_request_incoming(struct tevent_req *subreq)
1243 struct smbd_server_connection *conn = tevent_req_callback_data(subreq,
1244 struct smbd_server_connection);
1246 struct smbd_smb2_request *req;
1248 status = smbd_smb2_request_read_recv(subreq, conn, &req);
1249 TALLOC_FREE(subreq);
1250 if (!NT_STATUS_IS_OK(status)) {
1251 smbd_server_connection_terminate(conn, nt_errstr(status));
1255 if (req->in.nbt_hdr[0] != 0x00) {
1256 DEBUG(1,("smbd_smb2_request_incoming: ignore NBT[0x%02X] msg\n",
1257 req->in.nbt_hdr[0]));
1258 talloc_free(req->mem_pool);
1263 req->current_idx = 1;
1265 DEBUG(10,("smbd_smb2_request_incoming: idx[%d] of %d vectors\n",
1266 req->current_idx, req->in.vector_count));
1268 status = smbd_smb2_request_validate(req);
1269 if (!NT_STATUS_IS_OK(status)) {
1270 smbd_server_connection_terminate(conn, nt_errstr(status));
1274 status = smbd_smb2_request_setup_out(req);
1275 if (!NT_STATUS_IS_OK(status)) {
1276 smbd_server_connection_terminate(conn, nt_errstr(status));
1280 status = smbd_smb2_request_dispatch(req);
1281 if (!NT_STATUS_IS_OK(status)) {
1282 smbd_server_connection_terminate(conn, nt_errstr(status));
1287 /* ask for the next request (this constructs the main loop) */
1288 subreq = smbd_smb2_request_read_send(conn,conn->smb2.event_ctx, conn);
1289 if (subreq == NULL) {
1290 smbd_server_connection_terminate(conn, "no memory for reading");
1293 tevent_req_set_callback(subreq, smbd_smb2_request_incoming, conn);