Reformatting
[tprouty/samba.git] / source / smbd / nttrans.c
1 /*
2    Unix SMB/CIFS implementation.
3    SMB NT transaction handling
4    Copyright (C) Jeremy Allison                 1994-2007
5    Copyright (C) Stefan (metze) Metzmacher      2003
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22
23 extern int max_send;
24 extern enum protocol_types Protocol;
25 extern struct current_user current_user;
26
27 static const char *known_nt_pipes[] = {
28         "\\LANMAN",
29         "\\srvsvc",
30         "\\samr",
31         "\\wkssvc",
32         "\\NETLOGON",
33         "\\ntlsa",
34         "\\ntsvcs",
35         "\\lsass",
36         "\\lsarpc",
37         "\\winreg",
38         "\\initshutdown",
39         "\\spoolss",
40         "\\netdfs",
41         "\\rpcecho",
42         "\\svcctl",
43         "\\eventlog",
44         "\\unixinfo",
45         NULL
46 };
47
48 static char *nttrans_realloc(char **ptr, size_t size)
49 {
50         if (ptr==NULL) {
51                 smb_panic("nttrans_realloc() called with NULL ptr");
52         }
53
54         *ptr = (char *)SMB_REALLOC(*ptr, size);
55         if(*ptr == NULL) {
56                 return NULL;
57         }
58         memset(*ptr,'\0',size);
59         return *ptr;
60 }
61
62 /****************************************************************************
63  Send the required number of replies back.
64  We assume all fields other than the data fields are
65  set correctly for the type of call.
66  HACK ! Always assumes smb_setup field is zero.
67 ****************************************************************************/
68
69 void send_nt_replies(struct smb_request *req, NTSTATUS nt_error,
70                      char *params, int paramsize,
71                      char *pdata, int datasize)
72 {
73         int data_to_send = datasize;
74         int params_to_send = paramsize;
75         int useable_space;
76         char *pp = params;
77         char *pd = pdata;
78         int params_sent_thistime, data_sent_thistime, total_sent_thistime;
79         int alignment_offset = 3;
80         int data_alignment_offset = 0;
81
82         /*
83          * If there genuinely are no parameters or data to send just send
84          * the empty packet.
85          */
86
87         if(params_to_send == 0 && data_to_send == 0) {
88                 reply_outbuf(req, 18, 0);
89                 show_msg((char *)req->outbuf);
90                 return;
91         }
92
93         /*
94          * When sending params and data ensure that both are nicely aligned.
95          * Only do this alignment when there is also data to send - else
96          * can cause NT redirector problems.
97          */
98
99         if (((params_to_send % 4) != 0) && (data_to_send != 0)) {
100                 data_alignment_offset = 4 - (params_to_send % 4);
101         }
102
103         /*
104          * Space is bufsize minus Netbios over TCP header minus SMB header.
105          * The alignment_offset is to align the param bytes on a four byte
106          * boundary (2 bytes for data len, one byte pad).
107          * NT needs this to work correctly.
108          */
109
110         useable_space = max_send - (smb_size
111                                     + 2 * 18 /* wct */
112                                     + alignment_offset
113                                     + data_alignment_offset);
114
115         /*
116          * useable_space can never be more than max_send minus the
117          * alignment offset.
118          */
119
120         useable_space = MIN(useable_space,
121                                 max_send - (alignment_offset+data_alignment_offset));
122
123
124         while (params_to_send || data_to_send) {
125
126                 /*
127                  * Calculate whether we will totally or partially fill this packet.
128                  */
129
130                 total_sent_thistime = params_to_send + data_to_send +
131                                         alignment_offset + data_alignment_offset;
132
133                 /*
134                  * We can never send more than useable_space.
135                  */
136
137                 total_sent_thistime = MIN(total_sent_thistime, useable_space);
138
139                 reply_outbuf(req, 18, total_sent_thistime);
140
141                 /*
142                  * Set total params and data to be sent.
143                  */
144
145                 SIVAL(req->outbuf,smb_ntr_TotalParameterCount,paramsize);
146                 SIVAL(req->outbuf,smb_ntr_TotalDataCount,datasize);
147
148                 /*
149                  * Calculate how many parameters and data we can fit into
150                  * this packet. Parameters get precedence.
151                  */
152
153                 params_sent_thistime = MIN(params_to_send,useable_space);
154                 data_sent_thistime = useable_space - params_sent_thistime;
155                 data_sent_thistime = MIN(data_sent_thistime,data_to_send);
156
157                 SIVAL(req->outbuf, smb_ntr_ParameterCount,
158                       params_sent_thistime);
159
160                 if(params_sent_thistime == 0) {
161                         SIVAL(req->outbuf,smb_ntr_ParameterOffset,0);
162                         SIVAL(req->outbuf,smb_ntr_ParameterDisplacement,0);
163                 } else {
164                         /*
165                          * smb_ntr_ParameterOffset is the offset from the start of the SMB header to the
166                          * parameter bytes, however the first 4 bytes of outbuf are
167                          * the Netbios over TCP header. Thus use smb_base() to subtract
168                          * them from the calculation.
169                          */
170
171                         SIVAL(req->outbuf,smb_ntr_ParameterOffset,
172                               ((smb_buf(req->outbuf)+alignment_offset)
173                                - smb_base(req->outbuf)));
174                         /*
175                          * Absolute displacement of param bytes sent in this packet.
176                          */
177
178                         SIVAL(req->outbuf, smb_ntr_ParameterDisplacement,
179                               pp - params);
180                 }
181
182                 /*
183                  * Deal with the data portion.
184                  */
185
186                 SIVAL(req->outbuf, smb_ntr_DataCount, data_sent_thistime);
187
188                 if(data_sent_thistime == 0) {
189                         SIVAL(req->outbuf,smb_ntr_DataOffset,0);
190                         SIVAL(req->outbuf,smb_ntr_DataDisplacement, 0);
191                 } else {
192                         /*
193                          * The offset of the data bytes is the offset of the
194                          * parameter bytes plus the number of parameters being sent this time.
195                          */
196
197                         SIVAL(req->outbuf, smb_ntr_DataOffset,
198                               ((smb_buf(req->outbuf)+alignment_offset) -
199                                smb_base(req->outbuf))
200                               + params_sent_thistime + data_alignment_offset);
201                         SIVAL(req->outbuf,smb_ntr_DataDisplacement, pd - pdata);
202                 }
203
204                 /*
205                  * Copy the param bytes into the packet.
206                  */
207
208                 if(params_sent_thistime) {
209                         if (alignment_offset != 0) {
210                                 memset(smb_buf(req->outbuf), 0,
211                                        alignment_offset);
212                         }
213                         memcpy((smb_buf(req->outbuf)+alignment_offset), pp,
214                                params_sent_thistime);
215                 }
216
217                 /*
218                  * Copy in the data bytes
219                  */
220
221                 if(data_sent_thistime) {
222                         if (data_alignment_offset != 0) {
223                                 memset((smb_buf(req->outbuf)+alignment_offset+
224                                         params_sent_thistime), 0,
225                                        data_alignment_offset);
226                         }
227                         memcpy(smb_buf(req->outbuf)+alignment_offset
228                                +params_sent_thistime+data_alignment_offset,
229                                pd,data_sent_thistime);
230                 }
231
232                 DEBUG(9,("nt_rep: params_sent_thistime = %d, data_sent_thistime = %d, useable_space = %d\n",
233                         params_sent_thistime, data_sent_thistime, useable_space));
234                 DEBUG(9,("nt_rep: params_to_send = %d, data_to_send = %d, paramsize = %d, datasize = %d\n",
235                         params_to_send, data_to_send, paramsize, datasize));
236
237                 if (NT_STATUS_V(nt_error)) {
238                         error_packet_set((char *)req->outbuf,
239                                          0, 0, nt_error,
240                                          __LINE__,__FILE__);
241                 }
242
243                 /* Send the packet */
244                 show_msg((char *)req->outbuf);
245                 if (!send_smb(smbd_server_fd(),(char *)req->outbuf)) {
246                         exit_server_cleanly("send_nt_replies: send_smb failed.");
247                 }
248
249                 TALLOC_FREE(req->outbuf);
250
251                 pp += params_sent_thistime;
252                 pd += data_sent_thistime;
253
254                 params_to_send -= params_sent_thistime;
255                 data_to_send -= data_sent_thistime;
256
257                 /*
258                  * Sanity check
259                  */
260
261                 if(params_to_send < 0 || data_to_send < 0) {
262                         DEBUG(0,("send_nt_replies failed sanity check pts = %d, dts = %d\n!!!",
263                                 params_to_send, data_to_send));
264                         return;
265                 }
266         }
267 }
268
269 /****************************************************************************
270  Is it an NTFS stream name ?
271 ****************************************************************************/
272
273 bool is_ntfs_stream_name(const char *fname)
274 {
275         if (lp_posix_pathnames()) {
276                 return False;
277         }
278         return (strchr_m(fname, ':') != NULL) ? True : False;
279 }
280
281 struct case_semantics_state {
282         connection_struct *conn;
283         bool case_sensitive;
284         bool case_preserve;
285         bool short_case_preserve;
286 };
287
288 /****************************************************************************
289  Restore case semantics.
290 ****************************************************************************/
291 static int restore_case_semantics(struct case_semantics_state *state)
292 {
293         state->conn->case_sensitive = state->case_sensitive;
294         state->conn->case_preserve = state->case_preserve;
295         state->conn->short_case_preserve = state->short_case_preserve;
296         return 0;
297 }
298
299 /****************************************************************************
300  Save case semantics.
301 ****************************************************************************/
302 static struct case_semantics_state *set_posix_case_semantics(TALLOC_CTX *mem_ctx,
303                                                              connection_struct *conn)
304 {
305         struct case_semantics_state *result;
306
307         if (!(result = talloc(mem_ctx, struct case_semantics_state))) {
308                 DEBUG(0, ("talloc failed\n"));
309                 return NULL;
310         }
311
312         result->conn = conn;
313         result->case_sensitive = conn->case_sensitive;
314         result->case_preserve = conn->case_preserve;
315         result->short_case_preserve = conn->short_case_preserve;
316
317         /* Set to POSIX. */
318         conn->case_sensitive = True;
319         conn->case_preserve = True;
320         conn->short_case_preserve = True;
321
322         talloc_set_destructor(result, restore_case_semantics);
323
324         return result;
325 }
326
327 /****************************************************************************
328  Reply to an NT create and X call on a pipe
329 ****************************************************************************/
330
331 static void nt_open_pipe(char *fname, connection_struct *conn,
332                          struct smb_request *req, int *ppnum)
333 {
334         smb_np_struct *p = NULL;
335         int i;
336
337         DEBUG(4,("nt_open_pipe: Opening pipe %s.\n", fname));
338
339         /* See if it is one we want to handle. */
340
341         if (lp_disable_spoolss() && strequal(fname, "\\spoolss")) {
342                 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
343                                 ERRDOS, ERRbadpipe);
344                 return;
345         }
346
347         for( i = 0; known_nt_pipes[i]; i++ ) {
348                 if( strequal(fname,known_nt_pipes[i])) {
349                         break;
350                 }
351         }
352
353         if ( known_nt_pipes[i] == NULL ) {
354                 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
355                                 ERRDOS, ERRbadpipe);
356                 return;
357         }
358
359         /* Strip \\ off the name. */
360         fname++;
361
362         DEBUG(3,("nt_open_pipe: Known pipe %s opening.\n", fname));
363
364         p = open_rpc_pipe_p(fname, conn, req->vuid);
365         if (!p) {
366                 reply_doserror(req, ERRSRV, ERRnofids);
367                 return;
368         }
369
370         /* TODO: Add pipe to db */
371
372         if ( !store_pipe_opendb( p ) ) {
373                 DEBUG(3,("nt_open_pipe: failed to store %s pipe open.\n", fname));
374         }
375
376         *ppnum = p->pnum;
377         return;
378 }
379
380 /****************************************************************************
381  Reply to an NT create and X call for pipes.
382 ****************************************************************************/
383
384 static void do_ntcreate_pipe_open(connection_struct *conn,
385                                   struct smb_request *req)
386 {
387         char *fname = NULL;
388         int pnum = -1;
389         char *p = NULL;
390         uint32 flags = IVAL(req->inbuf,smb_ntcreate_Flags);
391         TALLOC_CTX *ctx = talloc_tos();
392
393         srvstr_pull_buf_talloc(ctx, (char *)req->inbuf, req->flags2, &fname,
394                         smb_buf(req->inbuf), STR_TERMINATE);
395
396         if (!fname) {
397                 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
398                                 ERRDOS, ERRbadpipe);
399                 return;
400         }
401         nt_open_pipe(fname, conn, req, &pnum);
402
403         if (req->outbuf) {
404                 /* error reply */
405                 return;
406         }
407
408         /*
409          * Deal with pipe return.
410          */
411
412         if (flags & EXTENDED_RESPONSE_REQUIRED) {
413                 /* This is very strange. We
414                  * return 50 words, but only set
415                  * the wcnt to 42 ? It's definately
416                  * what happens on the wire....
417                  */
418                 reply_outbuf(req, 50, 0);
419                 SCVAL(req->outbuf,smb_wct,42);
420         } else {
421                 reply_outbuf(req, 34, 0);
422         }
423
424         p = (char *)req->outbuf + smb_vwv2;
425         p++;
426         SSVAL(p,0,pnum);
427         p += 2;
428         SIVAL(p,0,FILE_WAS_OPENED);
429         p += 4;
430         p += 32;
431         SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
432         p += 20;
433         /* File type. */
434         SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
435         /* Device state. */
436         SSVAL(p,2, 0x5FF); /* ? */
437         p += 4;
438
439         if (flags & EXTENDED_RESPONSE_REQUIRED) {
440                 p += 25;
441                 SIVAL(p,0,FILE_GENERIC_ALL);
442                 /*
443                  * For pipes W2K3 seems to return
444                  * 0x12019B next.
445                  * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
446                  */
447                 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
448         }
449
450         DEBUG(5,("do_ntcreate_pipe_open: open pipe = %s\n", fname));
451
452         chain_reply(req);
453 }
454
455 /****************************************************************************
456  Reply to an NT create and X call for a quota file.
457 ****************************************************************************/
458
459 static void reply_ntcreate_and_X_quota(connection_struct *conn,
460                                        struct smb_request *req,
461                                        enum FAKE_FILE_TYPE fake_file_type,
462                                        const char *fname)
463 {
464         char *p;
465         uint32 desired_access = IVAL(req->inbuf,smb_ntcreate_DesiredAccess);
466         files_struct *fsp;
467         NTSTATUS status;
468
469         status = open_fake_file(conn, fake_file_type, fname, desired_access,
470                                 &fsp);
471
472         if (!NT_STATUS_IS_OK(status)) {
473                 reply_nterror(req, status);
474                 return;
475         }
476
477         reply_outbuf(req, 34, 0);
478
479         p = (char *)req->outbuf + smb_vwv2;
480
481         /* SCVAL(p,0,NO_OPLOCK_RETURN); */
482         p++;
483         SSVAL(p,0,fsp->fnum);
484
485         DEBUG(5,("reply_ntcreate_and_X_quota: fnum = %d, open name = %s\n", fsp->fnum, fsp->fsp_name));
486
487         chain_reply(req);
488 }
489
490 /****************************************************************************
491  Reply to an NT create and X call.
492 ****************************************************************************/
493
494 void reply_ntcreate_and_X(connection_struct *conn,
495                           struct smb_request *req)
496 {
497         char *fname = NULL;
498         uint32 flags;
499         uint32 access_mask;
500         uint32 file_attributes;
501         uint32 share_access;
502         uint32 create_disposition;
503         uint32 create_options;
504         uint16 root_dir_fid;
505         SMB_BIG_UINT allocation_size;
506         /* Breakout the oplock request bits so we can set the
507            reply bits separately. */
508         int oplock_request = 0;
509         uint32 fattr=0;
510         SMB_OFF_T file_len = 0;
511         SMB_STRUCT_STAT sbuf;
512         int info = 0;
513         files_struct *fsp = NULL;
514         char *p = NULL;
515         struct timespec c_timespec;
516         struct timespec a_timespec;
517         struct timespec m_timespec;
518         bool extended_oplock_granted = False;
519         NTSTATUS status;
520         struct case_semantics_state *case_state = NULL;
521         TALLOC_CTX *ctx = talloc_tos();
522
523         START_PROFILE(SMBntcreateX);
524
525         if (req->wct < 24) {
526                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
527                 return;
528         }
529
530         flags = IVAL(req->inbuf,smb_ntcreate_Flags);
531         access_mask = IVAL(req->inbuf,smb_ntcreate_DesiredAccess);
532         file_attributes = IVAL(req->inbuf,smb_ntcreate_FileAttributes);
533         share_access = IVAL(req->inbuf,smb_ntcreate_ShareAccess);
534         create_disposition = IVAL(req->inbuf,smb_ntcreate_CreateDisposition);
535         create_options = IVAL(req->inbuf,smb_ntcreate_CreateOptions);
536         root_dir_fid = (uint16)IVAL(req->inbuf,smb_ntcreate_RootDirectoryFid);
537
538         allocation_size = (SMB_BIG_UINT)IVAL(req->inbuf,smb_ntcreate_AllocationSize);
539 #ifdef LARGE_SMB_OFF_T
540         allocation_size |= (((SMB_BIG_UINT)IVAL(req->inbuf,smb_ntcreate_AllocationSize + 4)) << 32);
541 #endif
542
543         srvstr_get_path(ctx, (char *)req->inbuf, req->flags2, &fname,
544                         smb_buf(req->inbuf), 0, STR_TERMINATE, &status);
545
546         if (!NT_STATUS_IS_OK(status)) {
547                 reply_nterror(req, status);
548                 END_PROFILE(SMBntcreateX);
549                 return;
550         }
551
552         DEBUG(10,("reply_ntcreate_and_X: flags = 0x%x, access_mask = 0x%x "
553                   "file_attributes = 0x%x, share_access = 0x%x, "
554                   "create_disposition = 0x%x create_options = 0x%x "
555                   "root_dir_fid = 0x%x, fname = %s\n",
556                         (unsigned int)flags,
557                         (unsigned int)access_mask,
558                         (unsigned int)file_attributes,
559                         (unsigned int)share_access,
560                         (unsigned int)create_disposition,
561                         (unsigned int)create_options,
562                         (unsigned int)root_dir_fid,
563                         fname));
564
565         /*
566          * If it's an IPC, use the pipe handler.
567          */
568
569         if (IS_IPC(conn)) {
570                 if (lp_nt_pipe_support()) {
571                         do_ntcreate_pipe_open(conn, req);
572                         END_PROFILE(SMBntcreateX);
573                         return;
574                 } else {
575                         reply_doserror(req, ERRDOS, ERRnoaccess);
576                         END_PROFILE(SMBntcreateX);
577                         return;
578                 }
579         }
580
581         if (create_options & FILE_OPEN_BY_FILE_ID) {
582                 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
583                 END_PROFILE(SMBntcreateX);
584                 return;
585         }
586
587         /*
588          * Get the file name.
589          */
590
591         if (root_dir_fid != 0) {
592                 /*
593                  * This filename is relative to a directory fid.
594                  */
595                 char *parent_fname = NULL;
596                 char *tmp;
597                 files_struct *dir_fsp = file_fsp(root_dir_fid);
598
599                 if(!dir_fsp) {
600                         reply_doserror(req, ERRDOS, ERRbadfid);
601                         END_PROFILE(SMBntcreateX);
602                         return;
603                 }
604
605                 if(!dir_fsp->is_directory) {
606
607                         /*
608                          * Check to see if this is a mac fork of some kind.
609                          */
610
611                         if( is_ntfs_stream_name(fname)) {
612                                 reply_nterror(
613                                         req, NT_STATUS_OBJECT_PATH_NOT_FOUND);
614                                 END_PROFILE(SMBntcreateX);
615                                 return;
616                         }
617
618                         /*
619                           we need to handle the case when we get a
620                           relative open relative to a file and the
621                           pathname is blank - this is a reopen!
622                           (hint from demyn plantenberg)
623                         */
624
625                         reply_doserror(req, ERRDOS, ERRbadfid);
626                         END_PROFILE(SMBntcreateX);
627                         return;
628                 }
629
630                 if (ISDOT(dir_fsp->fsp_name)) {
631                         /*
632                          * We're at the toplevel dir, the final file name
633                          * must not contain ./, as this is filtered out
634                          * normally by srvstr_get_path and unix_convert
635                          * explicitly rejects paths containing ./.
636                          */
637                         parent_fname = talloc_strdup(ctx,"");
638                         if (!parent_fname) {
639                                 reply_nterror(req, NT_STATUS_NO_MEMORY);
640                                 END_PROFILE(SMBntcreateX);
641                                 return;
642                         }
643                 } else {
644                         size_t dir_name_len = strlen(dir_fsp->fsp_name);
645
646                         /*
647                          * Copy in the base directory name.
648                          */
649
650                         parent_fname = TALLOC_ARRAY(ctx, char, dir_name_len+2);
651                         if (!parent_fname) {
652                                 reply_nterror(req, NT_STATUS_NO_MEMORY);
653                                 END_PROFILE(SMBntcreateX);
654                                 return;
655                         }
656                         memcpy(parent_fname, dir_fsp->fsp_name,
657                                dir_name_len+1);
658
659                         /*
660                          * Ensure it ends in a '/'.
661                          * We used TALLOC_SIZE +2 to add space for the '/'.
662                          */
663
664                         if(dir_name_len
665                            && (parent_fname[dir_name_len-1] != '\\')
666                            && (parent_fname[dir_name_len-1] != '/')) {
667                                 parent_fname[dir_name_len] = '/';
668                                 parent_fname[dir_name_len+1] = '\0';
669                         }
670                 }
671
672                 tmp = talloc_asprintf(ctx, "%s%s", parent_fname, fname);
673                 if (tmp == NULL) {
674                         reply_nterror(req, NT_STATUS_NO_MEMORY);
675                         END_PROFILE(SMBntcreateX);
676                         return;
677                 }
678                 TALLOC_FREE(fname);
679                 fname = tmp;
680         } else {
681                 /*
682                  * Check to see if this is a mac fork of some kind.
683                  */
684
685                 if( is_ntfs_stream_name(fname)) {
686                         enum FAKE_FILE_TYPE fake_file_type = is_fake_file(fname);
687                         if (fake_file_type!=FAKE_FILE_TYPE_NONE) {
688                                 /*
689                                  * Here we go! support for changing the disk quotas --metze
690                                  *
691                                  * We need to fake up to open this MAGIC QUOTA file 
692                                  * and return a valid FID.
693                                  *
694                                  * w2k close this file directly after openening
695                                  * xp also tries a QUERY_FILE_INFO on the file and then close it
696                                  */
697                                 reply_ntcreate_and_X_quota(conn, req,
698                                                           fake_file_type, fname);
699                         } else {
700                                 reply_nterror(req, NT_STATUS_OBJECT_PATH_NOT_FOUND);
701                         }
702                         END_PROFILE(SMBntcreateX);
703                         return;
704                 }
705         }
706
707         oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
708         if (oplock_request) {
709                 oplock_request |= (flags & REQUEST_BATCH_OPLOCK)
710                         ? BATCH_OPLOCK : 0;
711         }
712
713         /*
714          * Now contruct the smb_open_mode value from the filename,
715          * desired access and the share access.
716          */
717         status = resolve_dfspath(ctx, conn,
718                                 req->flags2 & FLAGS2_DFS_PATHNAMES,
719                                 fname,
720                                 &fname);
721         if (!NT_STATUS_IS_OK(status)) {
722                 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
723                         reply_botherror(req, NT_STATUS_PATH_NOT_COVERED,
724                                         ERRSRV, ERRbadpath);
725                         END_PROFILE(SMBntcreateX);
726                         return;
727                 }
728                 reply_nterror(req, status);
729                 END_PROFILE(SMBntcreateX);
730                 return;
731         }
732
733         /*
734          * Ordinary file or directory.
735          */
736
737         /*
738          * Check if POSIX semantics are wanted.
739          */
740
741         if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
742                 case_state = set_posix_case_semantics(NULL, conn);
743                 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
744         }
745
746         status = unix_convert(ctx, conn, fname, False, &fname, NULL, &sbuf);
747         if (!NT_STATUS_IS_OK(status)) {
748                 TALLOC_FREE(case_state);
749                 reply_nterror(req, status);
750                 END_PROFILE(SMBntcreateX);
751                 return;
752         }
753         /* All file access must go through check_name() */
754         status = check_name(conn, fname);
755         if (!NT_STATUS_IS_OK(status)) {
756                 TALLOC_FREE(case_state);
757                 reply_nterror(req, status);
758                 END_PROFILE(SMBntcreateX);
759                 return;
760         }
761
762         /* This is the correct thing to do (check every time) but can_delete
763          * is expensive (it may have to read the parent directory
764          * permissions). So for now we're not doing it unless we have a strong
765          * hint the client is really going to delete this file. If the client
766          * is forcing FILE_CREATE let the filesystem take care of the
767          * permissions. */
768
769         /* Setting FILE_SHARE_DELETE is the hint. */
770
771         if (lp_acl_check_permissions(SNUM(conn))
772             && (create_disposition != FILE_CREATE)
773             && (share_access & FILE_SHARE_DELETE)
774             && (access_mask & DELETE_ACCESS)) {
775                 if (((dos_mode(conn, fname, &sbuf) & FILE_ATTRIBUTE_READONLY)
776                                 && !lp_delete_readonly(SNUM(conn))) ||
777                                 !can_delete_file_in_directory(conn, fname)) {
778                         TALLOC_FREE(case_state);
779                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
780                         END_PROFILE(SMBntcreateX);
781                         return;
782                 }
783         }
784
785 #if 0
786         /* We need to support SeSecurityPrivilege for this. */
787         if ((access_mask & SEC_RIGHT_SYSTEM_SECURITY) &&
788                         !user_has_privileges(current_user.nt_user_token,
789                                 &se_security)) {
790                 TALLOC_FREE(case_state);
791                 END_PROFILE(SMBntcreateX);
792                 return ERROR_NT(NT_STATUS_PRIVILEGE_NOT_HELD);
793         }
794 #endif
795
796         /*
797          * If it's a request for a directory open, deal with it separately.
798          */
799
800         if(create_options & FILE_DIRECTORY_FILE) {
801
802                 /* Can't open a temp directory. IFS kit test. */
803                 if (file_attributes & FILE_ATTRIBUTE_TEMPORARY) {
804                         TALLOC_FREE(case_state);
805                         reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
806                         END_PROFILE(SMBntcreateX);
807                         return;
808                 }
809
810                 oplock_request = 0;
811                 status = open_directory(conn, req, fname, &sbuf,
812                                         access_mask,
813                                         share_access,
814                                         create_disposition,
815                                         create_options,
816                                         file_attributes,
817                                         &info, &fsp);
818
819         } else {
820
821                 /*
822                  * Ordinary file case.
823                  */
824
825                 /* NB. We have a potential bug here. If we
826                  * cause an oplock break to ourselves, then we
827                  * could end up processing filename related
828                  * SMB requests whilst we await the oplock
829                  * break response. As we may have changed the
830                  * filename case semantics to be POSIX-like,
831                  * this could mean a filename request could
832                  * fail when it should succeed. This is a rare
833                  * condition, but eventually we must arrange
834                  * to restore the correct case semantics
835                  * before issuing an oplock break request to
836                  * our client. JRA.  */
837
838                 status = open_file_ntcreate(conn, req, fname, &sbuf,
839                                         access_mask,
840                                         share_access,
841                                         create_disposition,
842                                         create_options,
843                                         file_attributes,
844                                         oplock_request,
845                                         &info, &fsp);
846
847                 /* We cheat here. There are two cases we
848                  * care about. One is a directory rename,
849                  * where the NT client will attempt to
850                  * open the source directory for
851                  * DELETE access. Note that when the
852                  * NT client does this it does *not*
853                  * set the directory bit in the
854                  * request packet. This is translated
855                  * into a read/write open
856                  * request. POSIX states that any open
857                  * for write request on a directory
858                  * will generate an EISDIR error, so
859                  * we can catch this here and open a
860                  * pseudo handle that is flagged as a
861                  * directory. The second is an open
862                  * for a permissions read only, which
863                  * we handle in the open_file_stat case. JRA.
864                  */
865
866                 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_IS_A_DIRECTORY)) {
867
868                         /*
869                          * Fail the open if it was explicitly a non-directory
870                          * file.
871                          */
872
873                         if (create_options & FILE_NON_DIRECTORY_FILE) {
874                                 TALLOC_FREE(case_state);
875                                 reply_force_nterror(
876                                         req,
877                                         NT_STATUS_FILE_IS_A_DIRECTORY);
878                                 END_PROFILE(SMBntcreateX);
879                                 return;
880                         }
881
882                         oplock_request = 0;
883                         status = open_directory(conn, req, fname,
884                                                 &sbuf,
885                                                 access_mask,
886                                                 share_access,
887                                                 create_disposition,
888                                                 create_options,
889                                                 file_attributes,
890                                                 &info, &fsp);
891                 }
892         }
893
894         TALLOC_FREE(case_state);
895
896         if (!NT_STATUS_IS_OK(status)) {
897                 if (open_was_deferred(req->mid)) {
898                         /* We have re-scheduled this call. */
899                         END_PROFILE(SMBntcreateX);
900                         return;
901                 }
902                 reply_openerror(req, status);
903                 END_PROFILE(SMBntcreateX);
904                 return;
905         }
906
907         file_len = sbuf.st_size;
908         fattr = dos_mode(conn,fname,&sbuf);
909         if(fattr == 0) {
910                 fattr = FILE_ATTRIBUTE_NORMAL;
911         }
912         if (!fsp->is_directory && (fattr & aDIR)) {
913                 close_file(fsp,ERROR_CLOSE);
914                 reply_doserror(req, ERRDOS, ERRnoaccess);
915                 END_PROFILE(SMBntcreateX);
916                 return;
917         }
918
919         /* Save the requested allocation size. */
920         if ((info == FILE_WAS_CREATED) || (info == FILE_WAS_OVERWRITTEN)) {
921                 if (allocation_size && (allocation_size > (SMB_BIG_UINT)file_len)) {
922                         fsp->initial_allocation_size = smb_roundup(fsp->conn, allocation_size);
923                         if (fsp->is_directory) {
924                                 close_file(fsp,ERROR_CLOSE);
925                                 /* Can't set allocation size on a directory. */
926                                 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
927                                 END_PROFILE(SMBntcreateX);
928                                 return;
929                         }
930                         if (vfs_allocate_file_space(fsp, fsp->initial_allocation_size) == -1) {
931                                 close_file(fsp,ERROR_CLOSE);
932                                 reply_nterror(req, NT_STATUS_DISK_FULL);
933                                 END_PROFILE(SMBntcreateX);
934                                 return;
935                         }
936                 } else {
937                         fsp->initial_allocation_size = smb_roundup(fsp->conn,(SMB_BIG_UINT)file_len);
938                 }
939         }
940
941         /*
942          * If the caller set the extended oplock request bit
943          * and we granted one (by whatever means) - set the
944          * correct bit for extended oplock reply.
945          */
946
947         if (oplock_request && lp_fake_oplocks(SNUM(conn))) {
948                 extended_oplock_granted = True;
949         }
950
951         if(oplock_request && EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) {
952                 extended_oplock_granted = True;
953         }
954
955         if (flags & EXTENDED_RESPONSE_REQUIRED) {
956                 /* This is very strange. We
957                  * return 50 words, but only set
958                  * the wcnt to 42 ? It's definately
959                  * what happens on the wire....
960                  */
961                 reply_outbuf(req, 50, 0);
962                 SCVAL(req->outbuf,smb_wct,42);
963         } else {
964                 reply_outbuf(req, 34, 0);
965         }
966
967         p = (char *)req->outbuf + smb_vwv2;
968
969         /*
970          * Currently as we don't support level II oplocks we just report
971          * exclusive & batch here.
972          */
973
974         if (extended_oplock_granted) {
975                 if (flags & REQUEST_BATCH_OPLOCK) {
976                         SCVAL(p,0, BATCH_OPLOCK_RETURN);
977                 } else {
978                         SCVAL(p,0, EXCLUSIVE_OPLOCK_RETURN);
979                 }
980         } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
981                 SCVAL(p,0, LEVEL_II_OPLOCK_RETURN);
982         } else {
983                 SCVAL(p,0,NO_OPLOCK_RETURN);
984         }
985
986         p++;
987         SSVAL(p,0,fsp->fnum);
988         p += 2;
989         if ((create_disposition == FILE_SUPERSEDE) && (info == FILE_WAS_OVERWRITTEN)) {
990                 SIVAL(p,0,FILE_WAS_SUPERSEDED);
991         } else {
992                 SIVAL(p,0,info);
993         }
994         p += 4;
995
996         /* Create time. */
997         c_timespec = get_create_timespec(&sbuf,lp_fake_dir_create_times(SNUM(conn)));
998         a_timespec = get_atimespec(&sbuf);
999         m_timespec = get_mtimespec(&sbuf);
1000
1001         if (lp_dos_filetime_resolution(SNUM(conn))) {
1002                 dos_filetime_timespec(&c_timespec);
1003                 dos_filetime_timespec(&a_timespec);
1004                 dos_filetime_timespec(&m_timespec);
1005         }
1006
1007         put_long_date_timespec(p, c_timespec); /* create time. */
1008         p += 8;
1009         put_long_date_timespec(p, a_timespec); /* access time */
1010         p += 8;
1011         put_long_date_timespec(p, m_timespec); /* write time */
1012         p += 8;
1013         put_long_date_timespec(p, m_timespec); /* change time */
1014         p += 8;
1015         SIVAL(p,0,fattr); /* File Attributes. */
1016         p += 4;
1017         SOFF_T(p, 0, get_allocation_size(conn,fsp,&sbuf));
1018         p += 8;
1019         SOFF_T(p,0,file_len);
1020         p += 8;
1021         if (flags & EXTENDED_RESPONSE_REQUIRED) {
1022                 SSVAL(p,2,0x7);
1023         }
1024         p += 4;
1025         SCVAL(p,0,fsp->is_directory ? 1 : 0);
1026
1027         if (flags & EXTENDED_RESPONSE_REQUIRED) {
1028                 uint32 perms = 0;
1029                 p += 25;
1030                 if (fsp->is_directory || can_write_to_file(conn, fname, &sbuf)) {
1031                         perms = FILE_GENERIC_ALL;
1032                 } else {
1033                         perms = FILE_GENERIC_READ|FILE_EXECUTE;
1034                 }
1035                 SIVAL(p,0,perms);
1036         }
1037
1038         DEBUG(5,("reply_ntcreate_and_X: fnum = %d, open name = %s\n", fsp->fnum, fsp->fsp_name));
1039
1040         chain_reply(req);
1041         END_PROFILE(SMBntcreateX);
1042         return;
1043 }
1044
1045 /****************************************************************************
1046  Reply to a NT_TRANSACT_CREATE call to open a pipe.
1047 ****************************************************************************/
1048
1049 static void do_nt_transact_create_pipe(connection_struct *conn,
1050                                        struct smb_request *req,
1051                                        uint16 **ppsetup, uint32 setup_count,
1052                                        char **ppparams, uint32 parameter_count,
1053                                        char **ppdata, uint32 data_count)
1054 {
1055         char *fname = NULL;
1056         char *params = *ppparams;
1057         int pnum = -1;
1058         char *p = NULL;
1059         NTSTATUS status;
1060         size_t param_len;
1061         uint32 flags;
1062         TALLOC_CTX *ctx = talloc_tos();
1063
1064         /*
1065          * Ensure minimum number of parameters sent.
1066          */
1067
1068         if(parameter_count < 54) {
1069                 DEBUG(0,("do_nt_transact_create_pipe - insufficient parameters (%u)\n", (unsigned int)parameter_count));
1070                 reply_doserror(req, ERRDOS, ERRnoaccess);
1071                 return;
1072         }
1073
1074         flags = IVAL(params,0);
1075
1076         srvstr_get_path(ctx, params, req->flags2, &fname, params+53,
1077                         parameter_count-53, STR_TERMINATE,
1078                         &status);
1079         if (!NT_STATUS_IS_OK(status)) {
1080                 reply_nterror(req, status);
1081                 return;
1082         }
1083
1084         nt_open_pipe(fname, conn, req, &pnum);
1085
1086         if (req->outbuf) {
1087                 /* Error return */
1088                 return;
1089         }
1090
1091         /* Realloc the size of parameters and data we will return */
1092         if (flags & EXTENDED_RESPONSE_REQUIRED) {
1093                 /* Extended response is 32 more byyes. */
1094                 param_len = 101;
1095         } else {
1096                 param_len = 69;
1097         }
1098         params = nttrans_realloc(ppparams, param_len);
1099         if(params == NULL) {
1100                 reply_doserror(req, ERRDOS, ERRnomem);
1101                 return;
1102         }
1103
1104         p = params;
1105         SCVAL(p,0,NO_OPLOCK_RETURN);
1106
1107         p += 2;
1108         SSVAL(p,0,pnum);
1109         p += 2;
1110         SIVAL(p,0,FILE_WAS_OPENED);
1111         p += 8;
1112
1113         p += 32;
1114         SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
1115         p += 20;
1116         /* File type. */
1117         SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
1118         /* Device state. */
1119         SSVAL(p,2, 0x5FF); /* ? */
1120         p += 4;
1121
1122         if (flags & EXTENDED_RESPONSE_REQUIRED) {
1123                 p += 25;
1124                 SIVAL(p,0,FILE_GENERIC_ALL);
1125                 /*
1126                  * For pipes W2K3 seems to return
1127                  * 0x12019B next.
1128                  * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
1129                  */
1130                 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
1131         }
1132
1133         DEBUG(5,("do_nt_transact_create_pipe: open name = %s\n", fname));
1134
1135         /* Send the required number of replies */
1136         send_nt_replies(req, NT_STATUS_OK, params, param_len, *ppdata, 0);
1137
1138         return;
1139 }
1140
1141 /****************************************************************************
1142  Internal fn to set security descriptors.
1143 ****************************************************************************/
1144
1145 static NTSTATUS set_sd(files_struct *fsp, char *data, uint32 sd_len, uint32 security_info_sent)
1146 {
1147         prs_struct pd;
1148         SEC_DESC *psd = NULL;
1149         TALLOC_CTX *mem_ctx;
1150         NTSTATUS status;
1151
1152         if (sd_len == 0 || !lp_nt_acl_support(SNUM(fsp->conn))) {
1153                 return NT_STATUS_OK;
1154         }
1155
1156         /*
1157          * Init the parse struct we will unmarshall from.
1158          */
1159
1160         if ((mem_ctx = talloc_init("set_sd")) == NULL) {
1161                 DEBUG(0,("set_sd: talloc_init failed.\n"));
1162                 return NT_STATUS_NO_MEMORY;
1163         }
1164
1165         prs_init(&pd, 0, mem_ctx, UNMARSHALL);
1166
1167         /*
1168          * Setup the prs_struct to point at the memory we just
1169          * allocated.
1170          */
1171
1172         prs_give_memory( &pd, data, sd_len, False);
1173
1174         /*
1175          * Finally, unmarshall from the data buffer.
1176          */
1177
1178         if(!sec_io_desc( "sd data", &psd, &pd, 1)) {
1179                 DEBUG(0,("set_sd: Error in unmarshalling security descriptor.\n"));
1180                 /*
1181                  * Return access denied for want of a better error message..
1182                  */
1183                 talloc_destroy(mem_ctx);
1184                 return NT_STATUS_NO_MEMORY;
1185         }
1186
1187         if (psd->owner_sid==0) {
1188                 security_info_sent &= ~OWNER_SECURITY_INFORMATION;
1189         }
1190         if (psd->group_sid==0) {
1191                 security_info_sent &= ~GROUP_SECURITY_INFORMATION;
1192         }
1193         if (psd->sacl==0) {
1194                 security_info_sent &= ~SACL_SECURITY_INFORMATION;
1195         }
1196         if (psd->dacl==0) {
1197                 security_info_sent &= ~DACL_SECURITY_INFORMATION;
1198         }
1199
1200         status = SMB_VFS_FSET_NT_ACL( fsp, fsp->fh->fd, security_info_sent, psd);
1201
1202         talloc_destroy(mem_ctx);
1203         return status;
1204 }
1205
1206 /****************************************************************************
1207  Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.
1208 ****************************************************************************/
1209
1210 static struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)
1211 {
1212         struct ea_list *ea_list_head = NULL;
1213         size_t offset = 0;
1214
1215         if (data_size < 4) {
1216                 return NULL;
1217         }
1218
1219         while (offset + 4 <= data_size) {
1220                 size_t next_offset = IVAL(pdata,offset);
1221                 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);
1222
1223                 if (!eal) {
1224                         return NULL;
1225                 }
1226
1227                 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);
1228                 if (next_offset == 0) {
1229                         break;
1230                 }
1231                 offset += next_offset;
1232         }
1233
1234         return ea_list_head;
1235 }
1236
1237 /****************************************************************************
1238  Reply to a NT_TRANSACT_CREATE call (needs to process SD's).
1239 ****************************************************************************/
1240
1241 static void call_nt_transact_create(connection_struct *conn,
1242                                     struct smb_request *req,
1243                                     uint16 **ppsetup, uint32 setup_count,
1244                                     char **ppparams, uint32 parameter_count,
1245                                     char **ppdata, uint32 data_count,
1246                                     uint32 max_data_count)
1247 {
1248         char *fname = NULL;
1249         char *params = *ppparams;
1250         char *data = *ppdata;
1251         /* Breakout the oplock request bits so we can set the reply bits separately. */
1252         int oplock_request = 0;
1253         uint32 fattr=0;
1254         SMB_OFF_T file_len = 0;
1255         SMB_STRUCT_STAT sbuf;
1256         int info = 0;
1257         files_struct *fsp = NULL;
1258         char *p = NULL;
1259         bool extended_oplock_granted = False;
1260         uint32 flags;
1261         uint32 access_mask;
1262         uint32 file_attributes;
1263         uint32 share_access;
1264         uint32 create_disposition;
1265         uint32 create_options;
1266         uint32 sd_len;
1267         uint32 ea_len;
1268         uint16 root_dir_fid;
1269         struct timespec c_timespec;
1270         struct timespec a_timespec;
1271         struct timespec m_timespec;
1272         struct ea_list *ea_list = NULL;
1273         NTSTATUS status;
1274         size_t param_len;
1275         struct case_semantics_state *case_state = NULL;
1276         SMB_BIG_UINT allocation_size;
1277         TALLOC_CTX *ctx = talloc_tos();
1278
1279         DEBUG(5,("call_nt_transact_create\n"));
1280
1281         /*
1282          * If it's an IPC, use the pipe handler.
1283          */
1284
1285         if (IS_IPC(conn)) {
1286                 if (lp_nt_pipe_support()) {
1287                         do_nt_transact_create_pipe(
1288                                 conn, req,
1289                                 ppsetup, setup_count,
1290                                 ppparams, parameter_count,
1291                                 ppdata, data_count);
1292                         return;
1293                 } else {
1294                         reply_doserror(req, ERRDOS, ERRnoaccess);
1295                         return;
1296                 }
1297         }
1298
1299         /*
1300          * Ensure minimum number of parameters sent.
1301          */
1302
1303         if(parameter_count < 54) {
1304                 DEBUG(0,("call_nt_transact_create - insufficient parameters (%u)\n", (unsigned int)parameter_count));
1305                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1306                 return;
1307         }
1308
1309         flags = IVAL(params,0);
1310         access_mask = IVAL(params,8);
1311         file_attributes = IVAL(params,20);
1312         share_access = IVAL(params,24);
1313         create_disposition = IVAL(params,28);
1314         create_options = IVAL(params,32);
1315         sd_len = IVAL(params,36);
1316         ea_len = IVAL(params,40);
1317         root_dir_fid = (uint16)IVAL(params,4);
1318         allocation_size = (SMB_BIG_UINT)IVAL(params,12);
1319 #ifdef LARGE_SMB_OFF_T
1320         allocation_size |= (((SMB_BIG_UINT)IVAL(params,16)) << 32);
1321 #endif
1322
1323         /* Ensure the data_len is correct for the sd and ea values given. */
1324         if ((ea_len + sd_len > data_count)
1325             || (ea_len > data_count) || (sd_len > data_count)
1326             || (ea_len + sd_len < ea_len) || (ea_len + sd_len < sd_len)) {
1327                 DEBUG(10, ("call_nt_transact_create - ea_len = %u, sd_len = "
1328                            "%u, data_count = %u\n", (unsigned int)ea_len,
1329                            (unsigned int)sd_len, (unsigned int)data_count));
1330                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1331                 return;
1332         }
1333
1334         if (ea_len) {
1335                 if (!lp_ea_support(SNUM(conn))) {
1336                         DEBUG(10, ("call_nt_transact_create - ea_len = %u but "
1337                                    "EA's not supported.\n",
1338                                    (unsigned int)ea_len));
1339                         reply_nterror(req, NT_STATUS_EAS_NOT_SUPPORTED);
1340                         return;
1341                 }
1342
1343                 if (ea_len < 10) {
1344                         DEBUG(10,("call_nt_transact_create - ea_len = %u - "
1345                                   "too small (should be more than 10)\n",
1346                                   (unsigned int)ea_len ));
1347                         reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1348                         return;
1349                 }
1350
1351                 /* We have already checked that ea_len <= data_count here. */
1352                 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,
1353                                                ea_len);
1354                 if (ea_list == NULL) {
1355                         reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1356                         return;
1357                 }
1358         }
1359
1360         srvstr_get_path(ctx, params, req->flags2, &fname,
1361                         params+53, parameter_count-53,
1362                         STR_TERMINATE, &status);
1363         if (!NT_STATUS_IS_OK(status)) {
1364                 reply_nterror(req, status);
1365                 return;
1366         }
1367
1368         if (create_options & FILE_OPEN_BY_FILE_ID) {
1369                 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
1370                 return;
1371         }
1372
1373         /*
1374          * Get the file name.
1375          */
1376
1377         if(root_dir_fid != 0) {
1378                 /*
1379                  * This filename is relative to a directory fid.
1380                  */
1381                 char *parent_fname = NULL;
1382                 char *tmp;
1383                 files_struct *dir_fsp = file_fsp(root_dir_fid);
1384
1385                 if(!dir_fsp) {
1386                         reply_doserror(req, ERRDOS, ERRbadfid);
1387                         return;
1388                 }
1389
1390                 if(!dir_fsp->is_directory) {
1391
1392                         /*
1393                          * Check to see if this is a mac fork of some kind.
1394                          */
1395
1396                         if( is_ntfs_stream_name(fname)) {
1397                                 reply_nterror(req,
1398                                               NT_STATUS_OBJECT_PATH_NOT_FOUND);
1399                                 return;
1400                         }
1401
1402                         /*
1403                           we need to handle the case when we get a
1404                           relative open relative to a file and the
1405                           pathname is blank - this is a reopen!
1406                           (hint from demyn plantenberg)
1407                         */
1408
1409                         reply_doserror(req, ERRDOS, ERRbadfid);
1410                         return;
1411                 }
1412
1413                 if (ISDOT(dir_fsp->fsp_name)) {
1414                         /*
1415                          * We're at the toplevel dir, the final file name
1416                          * must not contain ./, as this is filtered out
1417                          * normally by srvstr_get_path and unix_convert
1418                          * explicitly rejects paths containing ./.
1419                          */
1420                         parent_fname = talloc_strdup(ctx,"");
1421                         if (!parent_fname) {
1422                                 reply_nterror(req, NT_STATUS_NO_MEMORY);
1423                                 return;
1424                         }
1425                 } else {
1426                         size_t dir_name_len = strlen(dir_fsp->fsp_name);
1427
1428                         /*
1429                          * Copy in the base directory name.
1430                          */
1431
1432                         parent_fname = TALLOC_ARRAY(ctx, char, dir_name_len+2);
1433                         if (!fname) {
1434                                 reply_nterror(req, NT_STATUS_NO_MEMORY);
1435                                 return;
1436                         }
1437                         memcpy(parent_fname, dir_fsp->fsp_name,
1438                                dir_name_len+1);
1439
1440                         /*
1441                          * Ensure it ends in a '/'.
1442                          * We used TALLOC_SIZE +2 to add space for the '/'.
1443                          */
1444
1445                         if(dir_name_len
1446                            && (parent_fname[dir_name_len-1] != '\\')
1447                            && (parent_fname[dir_name_len-1] != '/')) {
1448                                 parent_fname[dir_name_len] = '/';
1449                                 parent_fname[dir_name_len+1] = '\0';
1450                         }
1451                 }
1452
1453                 tmp = talloc_asprintf(ctx, "%s%s", parent_fname, fname);
1454                 if (tmp == NULL) {
1455                         reply_nterror(req, NT_STATUS_NO_MEMORY);
1456                         END_PROFILE(SMBntcreateX);
1457                         return;
1458                 }
1459                 TALLOC_FREE(fname);
1460                 fname = tmp;
1461         } else {
1462                 /*
1463                  * Check to see if this is a mac fork of some kind.
1464                  */
1465
1466                 if( is_ntfs_stream_name(fname)) {
1467                         reply_nterror(req, NT_STATUS_OBJECT_PATH_NOT_FOUND);
1468                         return;
1469                 }
1470         }
1471
1472         oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
1473         if (oplock_request) {
1474                 oplock_request |= (flags & REQUEST_BATCH_OPLOCK)
1475                         ? BATCH_OPLOCK : 0;
1476         }
1477
1478         /*
1479          * Ordinary file or directory.
1480          */
1481
1482         status = resolve_dfspath(ctx, conn,
1483                                 req->flags2 & FLAGS2_DFS_PATHNAMES,
1484                                 fname,
1485                                 &fname);
1486         if (!NT_STATUS_IS_OK(status)) {
1487                 TALLOC_FREE(case_state);
1488                 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
1489                         reply_botherror(req, NT_STATUS_PATH_NOT_COVERED,
1490                                         ERRSRV, ERRbadpath);
1491                         return;
1492                 }
1493                 reply_nterror(req, status);
1494                 return;
1495         }
1496
1497         /*
1498          * Check if POSIX semantics are wanted.
1499          */
1500
1501         if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
1502                 case_state = set_posix_case_semantics(NULL, conn);
1503                 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
1504         }
1505
1506         status = unix_convert(ctx, conn, fname, False, &fname, NULL, &sbuf);
1507         if (!NT_STATUS_IS_OK(status)) {
1508                 TALLOC_FREE(case_state);
1509                 reply_nterror(req, status);
1510                 return;
1511         }
1512         /* All file access must go through check_name() */
1513         status = check_name(conn, fname);
1514         if (!NT_STATUS_IS_OK(status)) {
1515                 TALLOC_FREE(case_state);
1516                 reply_nterror(req, status);
1517                 return;
1518         }
1519
1520         /* This is the correct thing to do (check every time) but can_delete
1521          * is expensive (it may have to read the parent directory
1522          * permissions). So for now we're not doing it unless we have a strong
1523          * hint the client is really going to delete this file. If the client
1524          * is forcing FILE_CREATE let the filesystem take care of the
1525          * permissions. */
1526
1527         /* Setting FILE_SHARE_DELETE is the hint. */
1528
1529         if (lp_acl_check_permissions(SNUM(conn))
1530             && (create_disposition != FILE_CREATE)
1531             && (share_access & FILE_SHARE_DELETE)
1532             && (access_mask & DELETE_ACCESS)) {
1533                 if (((dos_mode(conn, fname, &sbuf) & FILE_ATTRIBUTE_READONLY)
1534                                 && !lp_delete_readonly(SNUM(conn))) ||
1535                                 !can_delete_file_in_directory(conn, fname)) {
1536                         TALLOC_FREE(case_state);
1537                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1538                         return;
1539                 }
1540         }
1541
1542 #if 0
1543         /* We need to support SeSecurityPrivilege for this. */
1544         if ((access_mask & SEC_RIGHT_SYSTEM_SECURITY) &&
1545                         !user_has_privileges(current_user.nt_user_token,
1546                                 &se_security)) {
1547                 TALLOC_FREE(case_state);
1548                 reply_nterror(req, NT_STATUS_PRIVILEGE_NOT_HELD);
1549                 return;
1550         }
1551 #endif
1552
1553         /*
1554          * If it's a request for a directory open, deal with it separately.
1555          */
1556
1557         if(create_options & FILE_DIRECTORY_FILE) {
1558
1559                 /* Can't open a temp directory. IFS kit test. */
1560                 if (file_attributes & FILE_ATTRIBUTE_TEMPORARY) {
1561                         TALLOC_FREE(case_state);
1562                         reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1563                         return;
1564                 }
1565
1566                 /*
1567                  * We will get a create directory here if the Win32
1568                  * app specified a security descriptor in the 
1569                  * CreateDirectory() call.
1570                  */
1571
1572                 oplock_request = 0;
1573                 status = open_directory(conn, req, fname, &sbuf,
1574                                         access_mask,
1575                                         share_access,
1576                                         create_disposition,
1577                                         create_options,
1578                                         file_attributes,
1579                                         &info, &fsp);
1580         } else {
1581
1582                 /*
1583                  * Ordinary file case.
1584                  */
1585
1586                 status = open_file_ntcreate(conn,req,fname,&sbuf,
1587                                         access_mask,
1588                                         share_access,
1589                                         create_disposition,
1590                                         create_options,
1591                                         file_attributes,
1592                                         oplock_request,
1593                                         &info, &fsp);
1594
1595                 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_IS_A_DIRECTORY)) {
1596
1597                         /*
1598                          * Fail the open if it was explicitly a non-directory
1599                          * file.
1600                          */
1601
1602                         if (create_options & FILE_NON_DIRECTORY_FILE) {
1603                                 TALLOC_FREE(case_state);
1604                                 reply_force_nterror(
1605                                         req,
1606                                         NT_STATUS_FILE_IS_A_DIRECTORY);
1607                                 return;
1608                         }
1609
1610                         oplock_request = 0;
1611                         status = open_directory(conn, req, fname,
1612                                                 &sbuf,
1613                                                 access_mask,
1614                                                 share_access,
1615                                                 create_disposition,
1616                                                 create_options,
1617                                                 file_attributes,
1618                                                 &info, &fsp);
1619                 }
1620         }
1621
1622         TALLOC_FREE(case_state);
1623
1624         if(!NT_STATUS_IS_OK(status)) {
1625                 if (open_was_deferred(req->mid)) {
1626                         /* We have re-scheduled this call. */
1627                         return;
1628                 }
1629                 reply_openerror(req, status);
1630                 return;
1631         }
1632
1633         /*
1634          * According to the MS documentation, the only time the security
1635          * descriptor is applied to the opened file is iff we *created* the
1636          * file; an existing file stays the same.
1637          *
1638          * Also, it seems (from observation) that you can open the file with
1639          * any access mask but you can still write the sd. We need to override
1640          * the granted access before we call set_sd
1641          * Patch for bug #2242 from Tom Lackemann <cessnatomny@yahoo.com>.
1642          */
1643
1644         if (lp_nt_acl_support(SNUM(conn)) && sd_len && info == FILE_WAS_CREATED) {
1645                 uint32 saved_access_mask = fsp->access_mask;
1646
1647                 /* We have already checked that sd_len <= data_count here. */
1648
1649                 fsp->access_mask = FILE_GENERIC_ALL;
1650
1651                 status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION);
1652                 if (!NT_STATUS_IS_OK(status)) {
1653                         close_file(fsp,ERROR_CLOSE);
1654                         TALLOC_FREE(case_state);
1655                         reply_nterror(req, status);
1656                         return;
1657                 }
1658                 fsp->access_mask = saved_access_mask;
1659         }
1660
1661         if (ea_len && (info == FILE_WAS_CREATED)) {
1662                 status = set_ea(conn, fsp, fname, ea_list);
1663                 if (!NT_STATUS_IS_OK(status)) {
1664                         close_file(fsp,ERROR_CLOSE);
1665                         TALLOC_FREE(case_state);
1666                         reply_nterror(req, status);
1667                         return;
1668                 }
1669         }
1670
1671         file_len = sbuf.st_size;
1672         fattr = dos_mode(conn,fname,&sbuf);
1673         if(fattr == 0) {
1674                 fattr = FILE_ATTRIBUTE_NORMAL;
1675         }
1676         if (!fsp->is_directory && (fattr & aDIR)) {
1677                 close_file(fsp,ERROR_CLOSE);
1678                 reply_doserror(req, ERRDOS, ERRnoaccess);
1679                 return;
1680         }
1681
1682         /* Save the requested allocation size. */
1683         if ((info == FILE_WAS_CREATED) || (info == FILE_WAS_OVERWRITTEN)) {
1684                 if (allocation_size && (allocation_size > file_len)) {
1685                         fsp->initial_allocation_size = smb_roundup(fsp->conn, allocation_size);
1686                         if (fsp->is_directory) {
1687                                 close_file(fsp,ERROR_CLOSE);
1688                                 /* Can't set allocation size on a directory. */
1689                                 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1690                                 return;
1691                         }
1692                         if (vfs_allocate_file_space(fsp, fsp->initial_allocation_size) == -1) {
1693                                 close_file(fsp,ERROR_CLOSE);
1694                                 reply_nterror(req, NT_STATUS_DISK_FULL);
1695                                 return;
1696                         }
1697                 } else {
1698                         fsp->initial_allocation_size = smb_roundup(fsp->conn, (SMB_BIG_UINT)file_len);
1699                 }
1700         }
1701
1702         /*
1703          * If the caller set the extended oplock request bit
1704          * and we granted one (by whatever means) - set the
1705          * correct bit for extended oplock reply.
1706          */
1707
1708         if (oplock_request && lp_fake_oplocks(SNUM(conn))) {
1709                 extended_oplock_granted = True;
1710         }
1711
1712         if(oplock_request && EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) {
1713                 extended_oplock_granted = True;
1714         }
1715
1716         /* Realloc the size of parameters and data we will return */
1717         if (flags & EXTENDED_RESPONSE_REQUIRED) {
1718                 /* Extended response is 32 more byyes. */
1719                 param_len = 101;
1720         } else {
1721                 param_len = 69;
1722         }
1723         params = nttrans_realloc(ppparams, param_len);
1724         if(params == NULL) {
1725                 reply_doserror(req, ERRDOS, ERRnomem);
1726                 return;
1727         }
1728
1729         p = params;
1730         if (extended_oplock_granted) {
1731                 if (flags & REQUEST_BATCH_OPLOCK) {
1732                         SCVAL(p,0, BATCH_OPLOCK_RETURN);
1733                 } else {
1734                         SCVAL(p,0, EXCLUSIVE_OPLOCK_RETURN);
1735                 }
1736         } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
1737                 SCVAL(p,0, LEVEL_II_OPLOCK_RETURN);
1738         } else {
1739                 SCVAL(p,0,NO_OPLOCK_RETURN);
1740         }
1741
1742         p += 2;
1743         SSVAL(p,0,fsp->fnum);
1744         p += 2;
1745         if ((create_disposition == FILE_SUPERSEDE) && (info == FILE_WAS_OVERWRITTEN)) {
1746                 SIVAL(p,0,FILE_WAS_SUPERSEDED);
1747         } else {
1748                 SIVAL(p,0,info);
1749         }
1750         p += 8;
1751
1752         /* Create time. */
1753         c_timespec = get_create_timespec(&sbuf,lp_fake_dir_create_times(SNUM(conn)));
1754         a_timespec = get_atimespec(&sbuf);
1755         m_timespec = get_mtimespec(&sbuf);
1756
1757         if (lp_dos_filetime_resolution(SNUM(conn))) {
1758                 dos_filetime_timespec(&c_timespec);
1759                 dos_filetime_timespec(&a_timespec);
1760                 dos_filetime_timespec(&m_timespec);
1761         }
1762
1763         put_long_date_timespec(p, c_timespec); /* create time. */
1764         p += 8;
1765         put_long_date_timespec(p, a_timespec); /* access time */
1766         p += 8;
1767         put_long_date_timespec(p, m_timespec); /* write time */
1768         p += 8;
1769         put_long_date_timespec(p, m_timespec); /* change time */
1770         p += 8;
1771         SIVAL(p,0,fattr); /* File Attributes. */
1772         p += 4;
1773         SOFF_T(p, 0, get_allocation_size(conn,fsp,&sbuf));
1774         p += 8;
1775         SOFF_T(p,0,file_len);
1776         p += 8;
1777         if (flags & EXTENDED_RESPONSE_REQUIRED) {
1778                 SSVAL(p,2,0x7);
1779         }
1780         p += 4;
1781         SCVAL(p,0,fsp->is_directory ? 1 : 0);
1782
1783         if (flags & EXTENDED_RESPONSE_REQUIRED) {
1784                 uint32 perms = 0;
1785                 p += 25;
1786                 if (fsp->is_directory || can_write_to_file(conn, fname, &sbuf)) {
1787                         perms = FILE_GENERIC_ALL;
1788                 } else {
1789                         perms = FILE_GENERIC_READ|FILE_EXECUTE;
1790                 }
1791                 SIVAL(p,0,perms);
1792         }
1793
1794         DEBUG(5,("call_nt_transact_create: open name = %s\n", fname));
1795
1796         /* Send the required number of replies */
1797         send_nt_replies(req, NT_STATUS_OK, params, param_len, *ppdata, 0);
1798
1799         return;
1800 }
1801
1802 /****************************************************************************
1803  Reply to a NT CANCEL request.
1804  conn POINTER CAN BE NULL HERE !
1805 ****************************************************************************/
1806
1807 void reply_ntcancel(connection_struct *conn, struct smb_request *req)
1808 {
1809         /*
1810          * Go through and cancel any pending change notifies.
1811          */
1812
1813         START_PROFILE(SMBntcancel);
1814         remove_pending_change_notify_requests_by_mid(req->mid);
1815         remove_pending_lock_requests_by_mid(req->mid);
1816         srv_cancel_sign_response(req->mid);
1817
1818         DEBUG(3,("reply_ntcancel: cancel called on mid = %d.\n", req->mid));
1819
1820         END_PROFILE(SMBntcancel);
1821         return;
1822 }
1823
1824 /****************************************************************************
1825  Copy a file.
1826 ****************************************************************************/
1827
1828 static NTSTATUS copy_internals(TALLOC_CTX *ctx,
1829                                 connection_struct *conn,
1830                                 struct smb_request *req,
1831                                 const char *oldname_in,
1832                                 const char *newname_in,
1833                                 uint32 attrs)
1834 {
1835         SMB_STRUCT_STAT sbuf1, sbuf2;
1836         char *oldname = NULL;
1837         char *newname = NULL;
1838         char *last_component_oldname = NULL;
1839         char *last_component_newname = NULL;
1840         files_struct *fsp1,*fsp2;
1841         uint32 fattr;
1842         int info;
1843         SMB_OFF_T ret=-1;
1844         NTSTATUS status = NT_STATUS_OK;
1845
1846         ZERO_STRUCT(sbuf1);
1847         ZERO_STRUCT(sbuf2);
1848
1849         if (!CAN_WRITE(conn)) {
1850                 return NT_STATUS_MEDIA_WRITE_PROTECTED;
1851         }
1852
1853         status = unix_convert(ctx, conn, oldname_in, False, &oldname,
1854                         &last_component_oldname, &sbuf1);
1855         if (!NT_STATUS_IS_OK(status)) {
1856                 return status;
1857         }
1858
1859         status = check_name(conn, oldname);
1860         if (!NT_STATUS_IS_OK(status)) {
1861                 return status;
1862         }
1863
1864         /* Source must already exist. */
1865         if (!VALID_STAT(sbuf1)) {
1866                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1867         }
1868         /* Ensure attributes match. */
1869         fattr = dos_mode(conn,oldname,&sbuf1);
1870         if ((fattr & ~attrs) & (aHIDDEN | aSYSTEM)) {
1871                 return NT_STATUS_NO_SUCH_FILE;
1872         }
1873
1874         status = unix_convert(ctx, conn, newname_in, False, &newname,
1875                         &last_component_newname, &sbuf2);
1876         if (!NT_STATUS_IS_OK(status)) {
1877                 return status;
1878         }
1879
1880         status = check_name(conn, newname);
1881         if (!NT_STATUS_IS_OK(status)) {
1882                 return status;
1883         }
1884
1885         /* Disallow if newname already exists. */
1886         if (VALID_STAT(sbuf2)) {
1887                 return NT_STATUS_OBJECT_NAME_COLLISION;
1888         }
1889
1890         /* No links from a directory. */
1891         if (S_ISDIR(sbuf1.st_mode)) {
1892                 return NT_STATUS_FILE_IS_A_DIRECTORY;
1893         }
1894
1895         /* Ensure this is within the share. */
1896         status = check_reduced_name(conn, oldname);
1897         if (!NT_STATUS_IS_OK(status)) {
1898                 return status;
1899         }
1900
1901         DEBUG(10,("copy_internals: doing file copy %s to %s\n",
1902                                 oldname, newname));
1903
1904         status = open_file_ntcreate(conn, req, oldname, &sbuf1,
1905                         FILE_READ_DATA, /* Read-only. */
1906                         FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
1907                         FILE_OPEN,
1908                         0, /* No create options. */
1909                         FILE_ATTRIBUTE_NORMAL,
1910                         NO_OPLOCK,
1911                         &info, &fsp1);
1912
1913         if (!NT_STATUS_IS_OK(status)) {
1914                 return status;
1915         }
1916
1917         status = open_file_ntcreate(conn, req, newname, &sbuf2,
1918                         FILE_WRITE_DATA, /* Read-only. */
1919                         FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
1920                         FILE_CREATE,
1921                         0, /* No create options. */
1922                         fattr,
1923                         NO_OPLOCK,
1924                         &info, &fsp2);
1925
1926         if (!NT_STATUS_IS_OK(status)) {
1927                 close_file(fsp1,ERROR_CLOSE);
1928                 return status;
1929         }
1930
1931         if (sbuf1.st_size) {
1932                 ret = vfs_transfer_file(fsp1, fsp2, sbuf1.st_size);
1933         }
1934
1935         /*
1936          * As we are opening fsp1 read-only we only expect
1937          * an error on close on fsp2 if we are out of space.
1938          * Thus we don't look at the error return from the
1939          * close of fsp1.
1940          */
1941         close_file(fsp1,NORMAL_CLOSE);
1942
1943         /* Ensure the modtime is set correctly on the destination file. */
1944         fsp_set_pending_modtime(fsp2, get_mtimespec(&sbuf1));
1945
1946         status = close_file(fsp2,NORMAL_CLOSE);
1947
1948         /* Grrr. We have to do this as open_file_ntcreate adds aARCH when it
1949            creates the file. This isn't the correct thing to do in the copy
1950            case. JRA */
1951         file_set_dosmode(conn, newname, fattr, &sbuf2,
1952                          parent_dirname(newname),false);
1953
1954         if (ret < (SMB_OFF_T)sbuf1.st_size) {
1955                 return NT_STATUS_DISK_FULL;
1956         }
1957
1958         if (!NT_STATUS_IS_OK(status)) {
1959                 DEBUG(3,("copy_internals: Error %s copy file %s to %s\n",
1960                         nt_errstr(status), oldname, newname));
1961         }
1962         return status;
1963 }
1964
1965 /****************************************************************************
1966  Reply to a NT rename request.
1967 ****************************************************************************/
1968
1969 void reply_ntrename(connection_struct *conn, struct smb_request *req)
1970 {
1971         char *oldname = NULL;
1972         char *newname = NULL;
1973         char *p;
1974         NTSTATUS status;
1975         bool src_has_wcard = False;
1976         bool dest_has_wcard = False;
1977         uint32 attrs;
1978         uint16 rename_type;
1979         TALLOC_CTX *ctx = talloc_tos();
1980
1981         START_PROFILE(SMBntrename);
1982
1983         if (req->wct < 4) {
1984                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1985                 END_PROFILE(SMBntrename);
1986                 return;
1987         }
1988
1989         attrs = SVAL(req->inbuf,smb_vwv0);
1990         rename_type = SVAL(req->inbuf,smb_vwv1);
1991
1992         p = smb_buf(req->inbuf) + 1;
1993         p += srvstr_get_path_wcard(ctx, (char *)req->inbuf, req->flags2, &oldname, p,
1994                                    0, STR_TERMINATE, &status,
1995                                    &src_has_wcard);
1996         if (!NT_STATUS_IS_OK(status)) {
1997                 reply_nterror(req, status);
1998                 END_PROFILE(SMBntrename);
1999                 return;
2000         }
2001
2002         if( is_ntfs_stream_name(oldname)) {
2003                 /* Can't rename a stream. */
2004                 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2005                 END_PROFILE(SMBntrename);
2006                 return;
2007         }
2008
2009         if (ms_has_wild(oldname)) {
2010                 reply_nterror(req, NT_STATUS_OBJECT_PATH_SYNTAX_BAD);
2011                 END_PROFILE(SMBntrename);
2012                 return;
2013         }
2014
2015         p++;
2016         p += srvstr_get_path_wcard(ctx, (char *)req->inbuf, req->flags2, &newname, p,
2017                                    0, STR_TERMINATE, &status,
2018                                    &dest_has_wcard);
2019         if (!NT_STATUS_IS_OK(status)) {
2020                 reply_nterror(req, status);
2021                 END_PROFILE(SMBntrename);
2022                 return;
2023         }
2024
2025         status = resolve_dfspath(ctx, conn,
2026                                 req->flags2 & FLAGS2_DFS_PATHNAMES,
2027                                 oldname,
2028                                 &oldname);
2029         if (!NT_STATUS_IS_OK(status)) {
2030                 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
2031                         reply_botherror(req, NT_STATUS_PATH_NOT_COVERED,
2032                                         ERRSRV, ERRbadpath);
2033                         END_PROFILE(SMBntrename);
2034                         return;
2035                 }
2036                 reply_nterror(req, status);
2037                 END_PROFILE(SMBntrename);
2038                 return;
2039         }
2040
2041         status = resolve_dfspath(ctx, conn,
2042                                 req->flags2 & FLAGS2_DFS_PATHNAMES,
2043                                 newname,
2044                                 &newname);
2045         if (!NT_STATUS_IS_OK(status)) {
2046                 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
2047                         reply_botherror(req, NT_STATUS_PATH_NOT_COVERED,
2048                                         ERRSRV, ERRbadpath);
2049                         END_PROFILE(SMBntrename);
2050                         return;
2051                 }
2052                 reply_nterror(req, status);
2053                 END_PROFILE(SMBntrename);
2054                 return;
2055         }
2056
2057         DEBUG(3,("reply_ntrename : %s -> %s\n",oldname,newname));
2058
2059         switch(rename_type) {
2060                 case RENAME_FLAG_RENAME:
2061                         status = rename_internals(ctx, conn, req, oldname,
2062                                         newname, attrs, False, src_has_wcard,
2063                                         dest_has_wcard);
2064                         break;
2065                 case RENAME_FLAG_HARD_LINK:
2066                         if (src_has_wcard || dest_has_wcard) {
2067                                 /* No wildcards. */
2068                                 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
2069                         } else {
2070                                 status = hardlink_internals(ctx,
2071                                                 conn,
2072                                                 oldname,
2073                                                 newname);
2074                         }
2075                         break;
2076                 case RENAME_FLAG_COPY:
2077                         if (src_has_wcard || dest_has_wcard) {
2078                                 /* No wildcards. */
2079                                 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
2080                         } else {
2081                                 status = copy_internals(ctx, conn, req, oldname,
2082                                                         newname, attrs);
2083                         }
2084                         break;
2085                 case RENAME_FLAG_MOVE_CLUSTER_INFORMATION:
2086                         status = NT_STATUS_INVALID_PARAMETER;
2087                         break;
2088                 default:
2089                         status = NT_STATUS_ACCESS_DENIED; /* Default error. */
2090                         break;
2091         }
2092
2093         if (!NT_STATUS_IS_OK(status)) {
2094                 if (open_was_deferred(req->mid)) {
2095                         /* We have re-scheduled this call. */
2096                         END_PROFILE(SMBntrename);
2097                         return;
2098                 }
2099
2100                 reply_nterror(req, status);
2101                 END_PROFILE(SMBntrename);
2102                 return;
2103         }
2104
2105         reply_outbuf(req, 0, 0);
2106
2107         END_PROFILE(SMBntrename);
2108         return;
2109 }
2110
2111 /****************************************************************************
2112  Reply to a notify change - queue the request and
2113  don't allow a directory to be opened.
2114 ****************************************************************************/
2115
2116 static void call_nt_transact_notify_change(connection_struct *conn,
2117                                            struct smb_request *req,
2118                                            uint16 **ppsetup,
2119                                            uint32 setup_count,
2120                                            char **ppparams,
2121                                            uint32 parameter_count,
2122                                            char **ppdata, uint32 data_count,
2123                                            uint32 max_data_count,
2124                                            uint32 max_param_count)
2125 {
2126         uint16 *setup = *ppsetup;
2127         files_struct *fsp;
2128         uint32 filter;
2129         NTSTATUS status;
2130         bool recursive;
2131
2132         if(setup_count < 6) {
2133                 reply_doserror(req, ERRDOS, ERRbadfunc);
2134                 return;
2135         }
2136
2137         fsp = file_fsp(SVAL(setup,4));
2138         filter = IVAL(setup, 0);
2139         recursive = (SVAL(setup, 6) != 0) ? True : False;
2140
2141         DEBUG(3,("call_nt_transact_notify_change\n"));
2142
2143         if(!fsp) {
2144                 reply_doserror(req, ERRDOS, ERRbadfid);
2145                 return;
2146         }
2147
2148         {
2149                 char *filter_string;
2150
2151                 if (!(filter_string = notify_filter_string(NULL, filter))) {
2152                         reply_nterror(req,NT_STATUS_NO_MEMORY);
2153                         return;
2154                 }
2155
2156                 DEBUG(3,("call_nt_transact_notify_change: notify change "
2157                          "called on %s, filter = %s, recursive = %d\n",
2158                          fsp->fsp_name, filter_string, recursive));
2159
2160                 TALLOC_FREE(filter_string);
2161         }
2162
2163         if((!fsp->is_directory) || (conn != fsp->conn)) {
2164                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2165                 return;
2166         }
2167
2168         if (fsp->notify == NULL) {
2169
2170                 status = change_notify_create(fsp, filter, recursive);
2171
2172                 if (!NT_STATUS_IS_OK(status)) {
2173                         DEBUG(10, ("change_notify_create returned %s\n",
2174                                    nt_errstr(status)));
2175                         reply_nterror(req, status);
2176                         return;
2177                 }
2178         }
2179
2180         if (fsp->notify->num_changes != 0) {
2181
2182                 /*
2183                  * We've got changes pending, respond immediately
2184                  */
2185
2186                 /*
2187                  * TODO: write a torture test to check the filtering behaviour
2188                  * here.
2189                  */
2190
2191                 change_notify_reply(req->inbuf, max_param_count, fsp->notify);
2192
2193                 /*
2194                  * change_notify_reply() above has independently sent its
2195                  * results
2196                  */
2197                 return;
2198         }
2199
2200         /*
2201          * No changes pending, queue the request
2202          */
2203
2204         status = change_notify_add_request(req->inbuf, max_param_count, filter,
2205                         recursive, fsp);
2206         if (!NT_STATUS_IS_OK(status)) {
2207                 reply_nterror(req, status);
2208         }
2209         return;
2210 }
2211
2212 /****************************************************************************
2213  Reply to an NT transact rename command.
2214 ****************************************************************************/
2215
2216 static void call_nt_transact_rename(connection_struct *conn,
2217                                     struct smb_request *req,
2218                                     uint16 **ppsetup, uint32 setup_count,
2219                                     char **ppparams, uint32 parameter_count,
2220                                     char **ppdata, uint32 data_count,
2221                                     uint32 max_data_count)
2222 {
2223         char *params = *ppparams;
2224         char *new_name = NULL;
2225         files_struct *fsp = NULL;
2226         bool replace_if_exists = False;
2227         bool dest_has_wcard = False;
2228         NTSTATUS status;
2229         TALLOC_CTX *ctx = talloc_tos();
2230
2231         if(parameter_count < 5) {
2232                 reply_doserror(req, ERRDOS, ERRbadfunc);
2233                 return;
2234         }
2235
2236         fsp = file_fsp(SVAL(params, 0));
2237         replace_if_exists = (SVAL(params,2) & RENAME_REPLACE_IF_EXISTS) ? True : False;
2238         if (!check_fsp(conn, req, fsp, &current_user)) {
2239                 return;
2240         }
2241         srvstr_get_path_wcard(ctx, params, req->flags2, &new_name, params+4,
2242                               parameter_count - 4,
2243                               STR_TERMINATE, &status, &dest_has_wcard);
2244         if (!NT_STATUS_IS_OK(status)) {
2245                 reply_nterror(req, status);
2246                 return;
2247         }
2248
2249         status = rename_internals(ctx,
2250                         conn,
2251                         req,
2252                         fsp->fsp_name,
2253                         new_name,
2254                         0,
2255                         replace_if_exists,
2256                         False,
2257                         dest_has_wcard);
2258
2259         if (!NT_STATUS_IS_OK(status)) {
2260                 if (open_was_deferred(req->mid)) {
2261                         /* We have re-scheduled this call. */
2262                         return;
2263                 }
2264                 reply_nterror(req, status);
2265                 return;
2266         }
2267
2268         /*
2269          * Rename was successful.
2270          */
2271         send_nt_replies(req, NT_STATUS_OK, NULL, 0, NULL, 0);
2272
2273         DEBUG(3,("nt transact rename from = %s, to = %s succeeded.\n",
2274                  fsp->fsp_name, new_name));
2275
2276         return;
2277 }
2278
2279 /******************************************************************************
2280  Fake up a completely empty SD.
2281 *******************************************************************************/
2282
2283 static NTSTATUS get_null_nt_acl(TALLOC_CTX *mem_ctx, SEC_DESC **ppsd)
2284 {
2285         size_t sd_size;
2286
2287         *ppsd = make_standard_sec_desc( mem_ctx, &global_sid_World, &global_sid_World, NULL, &sd_size);
2288         if(!*ppsd) {
2289                 DEBUG(0,("get_null_nt_acl: Unable to malloc space for security descriptor.\n"));
2290                 return NT_STATUS_NO_MEMORY;
2291         }
2292
2293         return NT_STATUS_OK;
2294 }
2295
2296 /****************************************************************************
2297  Reply to query a security descriptor.
2298 ****************************************************************************/
2299
2300 static void call_nt_transact_query_security_desc(connection_struct *conn,
2301                                                  struct smb_request *req,
2302                                                  uint16 **ppsetup,
2303                                                  uint32 setup_count,
2304                                                  char **ppparams,
2305                                                  uint32 parameter_count,
2306                                                  char **ppdata,
2307                                                  uint32 data_count,
2308                                                  uint32 max_data_count)
2309 {
2310         char *params = *ppparams;
2311         char *data = *ppdata;
2312         prs_struct pd;
2313         SEC_DESC *psd = NULL;
2314         size_t sd_size;
2315         uint32 security_info_wanted;
2316         TALLOC_CTX *mem_ctx;
2317         files_struct *fsp = NULL;
2318         NTSTATUS status;
2319
2320         if(parameter_count < 8) {
2321                 reply_doserror(req, ERRDOS, ERRbadfunc);
2322                 return;
2323         }
2324
2325         fsp = file_fsp(SVAL(params,0));
2326         if(!fsp) {
2327                 reply_doserror(req, ERRDOS, ERRbadfid);
2328                 return;
2329         }
2330
2331         security_info_wanted = IVAL(params,4);
2332
2333         DEBUG(3,("call_nt_transact_query_security_desc: file = %s, info_wanted = 0x%x\n", fsp->fsp_name,
2334                         (unsigned int)security_info_wanted ));
2335
2336         params = nttrans_realloc(ppparams, 4);
2337         if(params == NULL) {
2338                 reply_doserror(req, ERRDOS, ERRnomem);
2339                 return;
2340         }
2341
2342         if ((mem_ctx = talloc_init("call_nt_transact_query_security_desc")) == NULL) {
2343                 DEBUG(0,("call_nt_transact_query_security_desc: talloc_init failed.\n"));
2344                 reply_doserror(req, ERRDOS, ERRnomem);
2345                 return;
2346         }
2347
2348         /*
2349          * Get the permissions to return.
2350          */
2351
2352         if (!lp_nt_acl_support(SNUM(conn))) {
2353                 status = get_null_nt_acl(mem_ctx, &psd);
2354         } else {
2355                 status = SMB_VFS_FGET_NT_ACL(fsp, fsp->fh->fd,
2356                                              security_info_wanted, &psd);
2357         }
2358
2359         if (!NT_STATUS_IS_OK(status)) {
2360                 talloc_destroy(mem_ctx);
2361                 reply_nterror(req, status);
2362                 return;
2363         }
2364
2365         sd_size = sec_desc_size(psd);
2366
2367         DEBUG(3,("call_nt_transact_query_security_desc: sd_size = %lu.\n",(unsigned long)sd_size));
2368
2369         SIVAL(params,0,(uint32)sd_size);
2370
2371         if(max_data_count < sd_size) {
2372
2373                 send_nt_replies(req, NT_STATUS_BUFFER_TOO_SMALL,
2374                                 params, 4, *ppdata, 0);
2375                 talloc_destroy(mem_ctx);
2376                 return;
2377         }
2378
2379         /*
2380          * Allocate the data we will point this at.
2381          */
2382
2383         data = nttrans_realloc(ppdata, sd_size);
2384         if(data == NULL) {
2385                 talloc_destroy(mem_ctx);
2386                 reply_doserror(req, ERRDOS, ERRnomem);
2387                 return;
2388         }
2389
2390         /*
2391          * Init the parse struct we will marshall into.
2392          */
2393
2394         prs_init(&pd, 0, mem_ctx, MARSHALL);
2395
2396         /*
2397          * Setup the prs_struct to point at the memory we just
2398          * allocated.
2399          */
2400
2401         prs_give_memory( &pd, data, (uint32)sd_size, False);
2402
2403         /*
2404          * Finally, linearize into the outgoing buffer.
2405          */
2406
2407         if(!sec_io_desc( "sd data", &psd, &pd, 1)) {
2408                 DEBUG(0,("call_nt_transact_query_security_desc: Error in marshalling \
2409 security descriptor.\n"));
2410                 /*
2411                  * Return access denied for want of a better error message..
2412                  */
2413                 talloc_destroy(mem_ctx);
2414                 reply_unixerror(req, ERRDOS, ERRnoaccess);
2415                 return;
2416         }
2417
2418         /*
2419          * Now we can delete the security descriptor.
2420          */
2421
2422         talloc_destroy(mem_ctx);
2423
2424         send_nt_replies(req, NT_STATUS_OK, params, 4, data, (int)sd_size);
2425         return;
2426 }
2427
2428 /****************************************************************************
2429  Reply to set a security descriptor. Map to UNIX perms or POSIX ACLs.
2430 ****************************************************************************/
2431
2432 static void call_nt_transact_set_security_desc(connection_struct *conn,
2433                                                struct smb_request *req,
2434                                                uint16 **ppsetup,
2435                                                uint32 setup_count,
2436                                                char **ppparams,
2437                                                uint32 parameter_count,
2438                                                char **ppdata,
2439                                                uint32 data_count,
2440                                                uint32 max_data_count)
2441 {
2442         char *params= *ppparams;
2443         char *data = *ppdata;
2444         files_struct *fsp = NULL;
2445         uint32 security_info_sent = 0;
2446         NTSTATUS nt_status;
2447
2448         if(parameter_count < 8) {
2449                 reply_doserror(req, ERRDOS, ERRbadfunc);
2450                 return;
2451         }
2452
2453         if((fsp = file_fsp(SVAL(params,0))) == NULL) {
2454                 reply_doserror(req, ERRDOS, ERRbadfid);
2455                 return;
2456         }
2457
2458         if(!lp_nt_acl_support(SNUM(conn))) {
2459                 goto done;
2460         }
2461
2462         security_info_sent = IVAL(params,4);
2463
2464         DEBUG(3,("call_nt_transact_set_security_desc: file = %s, sent 0x%x\n", fsp->fsp_name,
2465                 (unsigned int)security_info_sent ));
2466
2467         if (data_count == 0) {
2468                 reply_doserror(req, ERRDOS, ERRnoaccess);
2469                 return;
2470         }
2471
2472         if (!NT_STATUS_IS_OK(nt_status = set_sd( fsp, data, data_count, security_info_sent))) {
2473                 reply_nterror(req, nt_status);
2474                 return;
2475         }
2476
2477   done:
2478
2479         send_nt_replies(req, NT_STATUS_OK, NULL, 0, NULL, 0);
2480         return;
2481 }
2482
2483 /****************************************************************************
2484  Reply to NT IOCTL
2485 ****************************************************************************/
2486
2487 static void call_nt_transact_ioctl(connection_struct *conn,
2488                                    struct smb_request *req,
2489                                    uint16 **ppsetup, uint32 setup_count,
2490                                    char **ppparams, uint32 parameter_count,
2491                                    char **ppdata, uint32 data_count,
2492                                    uint32 max_data_count)
2493 {
2494         uint32 function;
2495         uint16 fidnum;
2496         files_struct *fsp;
2497         uint8 isFSctl;
2498         uint8 compfilter;
2499         static bool logged_message;
2500         char *pdata = *ppdata;
2501
2502         if (setup_count != 8) {
2503                 DEBUG(3,("call_nt_transact_ioctl: invalid setup count %d\n", setup_count));
2504                 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2505                 return;
2506         }
2507
2508         function = IVAL(*ppsetup, 0);
2509         fidnum = SVAL(*ppsetup, 4);
2510         isFSctl = CVAL(*ppsetup, 6);
2511         compfilter = CVAL(*ppsetup, 7);
2512
2513         DEBUG(10,("call_nt_transact_ioctl: function[0x%08X] FID[0x%04X] isFSctl[0x%02X] compfilter[0x%02X]\n", 
2514                  function, fidnum, isFSctl, compfilter));
2515
2516         fsp=file_fsp(fidnum);
2517         /* this check is done in each implemented function case for now
2518            because I don't want to break anything... --metze
2519         FSP_BELONGS_CONN(fsp,conn);*/
2520
2521         switch (function) {
2522         case FSCTL_SET_SPARSE:
2523                 /* pretend this succeeded - tho strictly we should
2524                    mark the file sparse (if the local fs supports it)
2525                    so we can know if we need to pre-allocate or not */
2526
2527                 DEBUG(10,("FSCTL_SET_SPARSE: called on FID[0x%04X](but not implemented)\n", fidnum));
2528                 send_nt_replies(req, NT_STATUS_OK, NULL, 0, NULL, 0);
2529                 return;
2530
2531         case FSCTL_CREATE_OR_GET_OBJECT_ID:
2532         {
2533                 unsigned char objid[16];
2534
2535                 /* This should return the object-id on this file.
2536                  * I think I'll make this be the inode+dev. JRA.
2537                  */
2538
2539                 DEBUG(10,("FSCTL_CREATE_OR_GET_OBJECT_ID: called on FID[0x%04X]\n",fidnum));
2540
2541                 if (!fsp_belongs_conn(conn, req, fsp, &current_user)) {
2542                         return;
2543                 }
2544
2545                 data_count = 64;
2546                 pdata = nttrans_realloc(ppdata, data_count);
2547                 if (pdata == NULL) {
2548                         reply_nterror(req, NT_STATUS_NO_MEMORY);
2549                         return;
2550                 }
2551                 push_file_id_16(pdata, &fsp->file_id);
2552                 memcpy(pdata+16,create_volume_objectid(conn,objid),16);
2553                 push_file_id_16(pdata+32, &fsp->file_id);
2554                 send_nt_replies(req, NT_STATUS_OK, NULL, 0,
2555                                 pdata, data_count);
2556                 return;
2557         }
2558
2559         case FSCTL_GET_REPARSE_POINT:
2560                 /* pretend this fail - my winXP does it like this
2561                  * --metze
2562                  */
2563
2564                 DEBUG(10,("FSCTL_GET_REPARSE_POINT: called on FID[0x%04X](but not implemented)\n",fidnum));
2565                 reply_nterror(req, NT_STATUS_NOT_A_REPARSE_POINT);
2566                 return;
2567
2568         case FSCTL_SET_REPARSE_POINT:
2569                 /* pretend this fail - I'm assuming this because of the FSCTL_GET_REPARSE_POINT case.
2570                  * --metze
2571                  */
2572
2573                 DEBUG(10,("FSCTL_SET_REPARSE_POINT: called on FID[0x%04X](but not implemented)\n",fidnum));
2574                 reply_nterror(req, NT_STATUS_NOT_A_REPARSE_POINT);
2575                 return;
2576
2577         case FSCTL_GET_SHADOW_COPY_DATA: /* don't know if this name is right...*/
2578         {
2579                 /*
2580                  * This is called to retrieve the number of Shadow Copies (a.k.a. snapshots)
2581                  * and return their volume names.  If max_data_count is 16, then it is just
2582                  * asking for the number of volumes and length of the combined names.
2583                  *
2584                  * pdata is the data allocated by our caller, but that uses
2585                  * total_data_count (which is 0 in our case) rather than max_data_count.
2586                  * Allocate the correct amount and return the pointer to let
2587                  * it be deallocated when we return.
2588                  */
2589                 SHADOW_COPY_DATA *shadow_data = NULL;
2590                 TALLOC_CTX *shadow_mem_ctx = NULL;
2591                 bool labels = False;
2592                 uint32 labels_data_count = 0;
2593                 uint32 i;
2594                 char *cur_pdata;
2595
2596                 if (!fsp_belongs_conn(conn, req, fsp, &current_user)) {
2597                         return;
2598                 }
2599
2600                 if (max_data_count < 16) {
2601                         DEBUG(0,("FSCTL_GET_SHADOW_COPY_DATA: max_data_count(%u) < 16 is invalid!\n",
2602                                 max_data_count));
2603                         reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2604                         return;
2605                 }
2606
2607                 if (max_data_count > 16) {
2608                         labels = True;
2609                 }
2610
2611                 shadow_mem_ctx = talloc_init("SHADOW_COPY_DATA");
2612                 if (shadow_mem_ctx == NULL) {
2613                         DEBUG(0,("talloc_init(SHADOW_COPY_DATA) failed!\n"));
2614                         reply_nterror(req, NT_STATUS_NO_MEMORY);
2615                         return;
2616                 }
2617
2618                 shadow_data = TALLOC_ZERO_P(shadow_mem_ctx,SHADOW_COPY_DATA);
2619                 if (shadow_data == NULL) {
2620                         DEBUG(0,("TALLOC_ZERO() failed!\n"));
2621                         talloc_destroy(shadow_mem_ctx);
2622                         reply_nterror(req, NT_STATUS_NO_MEMORY);
2623                         return;
2624                 }
2625
2626                 shadow_data->mem_ctx = shadow_mem_ctx;
2627
2628                 /*
2629                  * Call the VFS routine to actually do the work.
2630                  */
2631                 if (SMB_VFS_GET_SHADOW_COPY_DATA(fsp, shadow_data, labels)!=0) {
2632                         talloc_destroy(shadow_data->mem_ctx);
2633                         if (errno == ENOSYS) {
2634                                 DEBUG(5,("FSCTL_GET_SHADOW_COPY_DATA: connectpath %s, not supported.\n", 
2635                                         conn->connectpath));
2636                                 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2637                                 return;
2638                         } else {
2639                                 DEBUG(0,("FSCTL_GET_SHADOW_COPY_DATA: connectpath %s, failed.\n", 
2640                                         conn->connectpath));
2641                                 reply_nterror(req, NT_STATUS_UNSUCCESSFUL);
2642                                 return;
2643                         }
2644                 }
2645
2646                 labels_data_count = (shadow_data->num_volumes*2*sizeof(SHADOW_COPY_LABEL))+2;
2647
2648                 if (!labels) {
2649                         data_count = 16;
2650                 } else {
2651                         data_count = 12+labels_data_count+4;
2652                 }
2653
2654                 if (max_data_count<data_count) {
2655                         DEBUG(0,("FSCTL_GET_SHADOW_COPY_DATA: max_data_count(%u) too small (%u) bytes needed!\n",
2656                                 max_data_count,data_count));
2657                         talloc_destroy(shadow_data->mem_ctx);
2658                         reply_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
2659                         return;
2660                 }
2661
2662                 pdata = nttrans_realloc(ppdata, data_count);
2663                 if (pdata == NULL) {
2664                         talloc_destroy(shadow_data->mem_ctx);
2665                         reply_nterror(req, NT_STATUS_NO_MEMORY);
2666                         return;
2667                 }
2668
2669                 cur_pdata = pdata;
2670
2671                 /* num_volumes 4 bytes */
2672                 SIVAL(pdata,0,shadow_data->num_volumes);
2673
2674                 if (labels) {
2675                         /* num_labels 4 bytes */
2676                         SIVAL(pdata,4,shadow_data->num_volumes);
2677                 }
2678
2679                 /* needed_data_count 4 bytes */
2680                 SIVAL(pdata,8,labels_data_count);
2681
2682                 cur_pdata+=12;
2683
2684                 DEBUG(10,("FSCTL_GET_SHADOW_COPY_DATA: %u volumes for path[%s].\n",
2685                         shadow_data->num_volumes,fsp->fsp_name));
2686                 if (labels && shadow_data->labels) {
2687                         for (i=0;i<shadow_data->num_volumes;i++) {
2688                                 srvstr_push(pdata, req->flags2,
2689                                             cur_pdata, shadow_data->labels[i],
2690                                             2*sizeof(SHADOW_COPY_LABEL),
2691                                             STR_UNICODE|STR_TERMINATE);
2692                                 cur_pdata+=2*sizeof(SHADOW_COPY_LABEL);
2693                                 DEBUGADD(10,("Label[%u]: '%s'\n",i,shadow_data->labels[i]));
2694                         }
2695                 }
2696
2697                 talloc_destroy(shadow_data->mem_ctx);
2698
2699                 send_nt_replies(req, NT_STATUS_OK, NULL, 0,
2700                                 pdata, data_count);
2701
2702                 return;
2703         }
2704
2705         case FSCTL_FIND_FILES_BY_SID: /* I hope this name is right */
2706         {
2707                 /* pretend this succeeded -
2708                  *
2709                  * we have to send back a list with all files owned by this SID
2710                  *
2711                  * but I have to check that --metze
2712                  */
2713                 DOM_SID sid;
2714                 uid_t uid;
2715                 size_t sid_len = MIN(data_count-4,SID_MAX_SIZE);
2716
2717                 DEBUG(10,("FSCTL_FIND_FILES_BY_SID: called on FID[0x%04X]\n",fidnum));
2718
2719                 if (!fsp_belongs_conn(conn, req, fsp, &current_user)) {
2720                         return;
2721                 }
2722
2723                 /* unknown 4 bytes: this is not the length of the sid :-(  */
2724                 /*unknown = IVAL(pdata,0);*/
2725
2726                 sid_parse(pdata+4,sid_len,&sid);
2727                 DEBUGADD(10,("for SID: %s\n",sid_string_static(&sid)));
2728
2729                 if (!sid_to_uid(&sid, &uid)) {
2730                         DEBUG(0,("sid_to_uid: failed, sid[%s] sid_len[%lu]\n",
2731                                 sid_string_static(&sid),(unsigned long)sid_len));
2732                         uid = (-1);
2733                 }
2734
2735                 /* we can take a look at the find source :-)
2736                  *
2737                  * find ./ -uid $uid  -name '*'   is what we need here
2738                  *
2739                  *
2740                  * and send 4bytes len and then NULL terminated unicode strings
2741                  * for each file
2742                  *
2743                  * but I don't know how to deal with the paged results
2744                  * (maybe we can hang the result anywhere in the fsp struct)
2745                  *
2746                  * we don't send all files at once
2747                  * and at the next we should *not* start from the beginning,
2748                  * so we have to cache the result
2749                  *
2750                  * --metze
2751                  */
2752
2753                 /* this works for now... */
2754                 send_nt_replies(req, NT_STATUS_OK, NULL, 0, NULL, 0);
2755                 return;
2756         }
2757         default:
2758                 if (!logged_message) {
2759                         logged_message = True; /* Only print this once... */
2760                         DEBUG(0,("call_nt_transact_ioctl(0x%x): Currently not implemented.\n",
2761                                  function));
2762                 }
2763         }
2764
2765         reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2766 }
2767
2768
2769 #ifdef HAVE_SYS_QUOTAS
2770 /****************************************************************************
2771  Reply to get user quota
2772 ****************************************************************************/
2773
2774 static void call_nt_transact_get_user_quota(connection_struct *conn,
2775                                             struct smb_request *req,
2776                                             uint16 **ppsetup,
2777                                             uint32 setup_count,
2778                                             char **ppparams,
2779                                             uint32 parameter_count,
2780                                             char **ppdata,
2781                                             uint32 data_count,
2782                                             uint32 max_data_count)
2783 {
2784         NTSTATUS nt_status = NT_STATUS_OK;
2785         char *params = *ppparams;
2786         char *pdata = *ppdata;
2787         char *entry;
2788         int data_len=0,param_len=0;
2789         int qt_len=0;
2790         int entry_len = 0;
2791         files_struct *fsp = NULL;
2792         uint16 level = 0;
2793         size_t sid_len;
2794         DOM_SID sid;
2795         bool start_enum = True;
2796         SMB_NTQUOTA_STRUCT qt;
2797         SMB_NTQUOTA_LIST *tmp_list;
2798         SMB_NTQUOTA_HANDLE *qt_handle = NULL;
2799
2800         ZERO_STRUCT(qt);
2801
2802         /* access check */
2803         if (current_user.ut.uid != 0) {
2804                 DEBUG(1,("get_user_quota: access_denied service [%s] user [%s]\n",
2805                         lp_servicename(SNUM(conn)),conn->user));
2806                 reply_doserror(req, ERRDOS, ERRnoaccess);
2807                 return;
2808         }
2809
2810         /*
2811          * Ensure minimum number of parameters sent.
2812          */
2813
2814         if (parameter_count < 4) {
2815                 DEBUG(0,("TRANSACT_GET_USER_QUOTA: requires %d >= 4 bytes parameters\n",parameter_count));
2816                 reply_doserror(req, ERRDOS, ERRinvalidparam);
2817                 return;
2818         }
2819
2820         /* maybe we can check the quota_fnum */
2821         fsp = file_fsp(SVAL(params,0));
2822         if (!CHECK_NTQUOTA_HANDLE_OK(fsp,conn)) {
2823                 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2824                 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2825                 return;
2826         }
2827
2828         /* the NULL pointer checking for fsp->fake_file_handle->pd
2829          * is done by CHECK_NTQUOTA_HANDLE_OK()
2830          */
2831         qt_handle = (SMB_NTQUOTA_HANDLE *)fsp->fake_file_handle->pd;
2832
2833         level = SVAL(params,2);
2834
2835         /* unknown 12 bytes leading in params */
2836
2837         switch (level) {
2838                 case TRANSACT_GET_USER_QUOTA_LIST_CONTINUE:
2839                         /* seems that we should continue with the enum here --metze */
2840
2841                         if (qt_handle->quota_list!=NULL &&
2842                             qt_handle->tmp_list==NULL) {
2843
2844                                 /* free the list */
2845                                 free_ntquota_list(&(qt_handle->quota_list));
2846
2847                                 /* Realloc the size of parameters and data we will return */
2848                                 param_len = 4;
2849                                 params = nttrans_realloc(ppparams, param_len);
2850                                 if(params == NULL) {
2851                                         reply_doserror(req, ERRDOS, ERRnomem);
2852                                         return;
2853                                 }
2854
2855                                 data_len = 0;
2856                                 SIVAL(params,0,data_len);
2857
2858                                 break;
2859                         }
2860
2861                         start_enum = False;
2862
2863                 case TRANSACT_GET_USER_QUOTA_LIST_START:
2864
2865                         if (qt_handle->quota_list==NULL &&
2866                                 qt_handle->tmp_list==NULL) {
2867                                 start_enum = True;
2868                         }
2869
2870                         if (start_enum && vfs_get_user_ntquota_list(fsp,&(qt_handle->quota_list))!=0) {
2871                                 reply_doserror(req, ERRSRV, ERRerror);
2872                                 return;
2873                         }
2874
2875                         /* Realloc the size of parameters and data we will return */
2876                         param_len = 4;
2877                         params = nttrans_realloc(ppparams, param_len);
2878                         if(params == NULL) {
2879                                 reply_doserror(req, ERRDOS, ERRnomem);
2880                                 return;
2881                         }
2882
2883                         /* we should not trust the value in max_data_count*/
2884                         max_data_count = MIN(max_data_count,2048);
2885
2886                         pdata = nttrans_realloc(ppdata, max_data_count);/* should be max data count from client*/
2887                         if(pdata == NULL) {
2888                                 reply_doserror(req, ERRDOS, ERRnomem);
2889                                 return;
2890                         }
2891
2892                         entry = pdata;
2893
2894                         /* set params Size of returned Quota Data 4 bytes*/
2895                         /* but set it later when we know it */
2896
2897                         /* for each entry push the data */
2898
2899                         if (start_enum) {
2900                                 qt_handle->tmp_list = qt_handle->quota_list;
2901                         }
2902
2903                         tmp_list = qt_handle->tmp_list;
2904
2905                         for (;((tmp_list!=NULL)&&((qt_len +40+SID_MAX_SIZE)<max_data_count));
2906                                 tmp_list=tmp_list->next,entry+=entry_len,qt_len+=entry_len) {
2907
2908                                 sid_len = sid_size(&tmp_list->quotas->sid);
2909                                 entry_len = 40 + sid_len;
2910
2911                                 /* nextoffset entry 4 bytes */
2912                                 SIVAL(entry,0,entry_len);
2913
2914                                 /* then the len of the SID 4 bytes */
2915                                 SIVAL(entry,4,sid_len);
2916
2917                                 /* unknown data 8 bytes SMB_BIG_UINT */
2918                                 SBIG_UINT(entry,8,(SMB_BIG_UINT)0); /* this is not 0 in windows...-metze*/
2919
2920                                 /* the used disk space 8 bytes SMB_BIG_UINT */
2921                                 SBIG_UINT(entry,16,tmp_list->quotas->usedspace);
2922
2923                                 /* the soft quotas 8 bytes SMB_BIG_UINT */
2924                                 SBIG_UINT(entry,24,tmp_list->quotas->softlim);
2925
2926                                 /* the hard quotas 8 bytes SMB_BIG_UINT */
2927                                 SBIG_UINT(entry,32,tmp_list->quotas->hardlim);
2928
2929                                 /* and now the SID */
2930                                 sid_linearize(entry+40, sid_len, &tmp_list->quotas->sid);
2931                         }
2932
2933                         qt_handle->tmp_list = tmp_list;
2934
2935                         /* overwrite the offset of the last entry */
2936                         SIVAL(entry-entry_len,0,0);
2937
2938                         data_len = 4+qt_len;
2939                         /* overwrite the params quota_data_len */
2940                         SIVAL(params,0,data_len);
2941
2942                         break;
2943
2944                 case TRANSACT_GET_USER_QUOTA_FOR_SID:
2945
2946                         /* unknown 4 bytes IVAL(pdata,0) */
2947
2948                         if (data_count < 8) {
2949                                 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %d bytes data\n",data_count,8));
2950                                 reply_doserror(req, ERRDOS, ERRunknownlevel);
2951                                 return;
2952                         }
2953
2954                         sid_len = IVAL(pdata,4);
2955                         /* Ensure this is less than 1mb. */
2956                         if (sid_len > (1024*1024)) {
2957                                 reply_doserror(req, ERRDOS, ERRnomem);
2958                                 return;
2959                         }
2960
2961                         if (data_count < 8+sid_len) {
2962                                 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %lu bytes data\n",data_count,(unsigned long)(8+sid_len)));
2963                                 reply_doserror(req, ERRDOS, ERRunknownlevel);
2964                                 return;
2965                         }
2966
2967                         data_len = 4+40+sid_len;
2968
2969                         if (max_data_count < data_len) {
2970                                 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: max_data_count(%d) < data_len(%d)\n",
2971                                         max_data_count, data_len));
2972                                 param_len = 4;
2973                                 SIVAL(params,0,data_len);
2974                                 data_len = 0;
2975                                 nt_status = NT_STATUS_BUFFER_TOO_SMALL;
2976                                 break;
2977                         }
2978
2979                         sid_parse(pdata+8,sid_len,&sid);
2980
2981                         if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
2982                                 ZERO_STRUCT(qt);
2983                                 /*
2984                                  * we have to return zero's in all fields
2985                                  * instead of returning an error here
2986                                  * --metze
2987                                  */
2988                         }
2989
2990                         /* Realloc the size of parameters and data we will return */
2991                         param_len = 4;
2992                         params = nttrans_realloc(ppparams, param_len);
2993                         if(params == NULL) {
2994                                 reply_doserror(req, ERRDOS, ERRnomem);
2995                                 return;
2996                         }
2997
2998                         pdata = nttrans_realloc(ppdata, data_len);
2999                         if(pdata == NULL) {
3000                                 reply_doserror(req, ERRDOS, ERRnomem);
3001                                 return;
3002                         }
3003
3004                         entry = pdata;
3005
3006                         /* set params Size of returned Quota Data 4 bytes*/
3007                         SIVAL(params,0,data_len);
3008
3009                         /* nextoffset entry 4 bytes */
3010                         SIVAL(entry,0,0);
3011
3012                         /* then the len of the SID 4 bytes */
3013                         SIVAL(entry,4,sid_len);
3014
3015                         /* unknown data 8 bytes SMB_BIG_UINT */
3016                         SBIG_UINT(entry,8,(SMB_BIG_UINT)0); /* this is not 0 in windows...-mezte*/
3017
3018                         /* the used disk space 8 bytes SMB_BIG_UINT */
3019                         SBIG_UINT(entry,16,qt.usedspace);
3020
3021                         /* the soft quotas 8 bytes SMB_BIG_UINT */
3022                         SBIG_UINT(entry,24,qt.softlim);
3023
3024                         /* the hard quotas 8 bytes SMB_BIG_UINT */
3025                         SBIG_UINT(entry,32,qt.hardlim);
3026
3027                         /* and now the SID */
3028                         sid_linearize(entry+40, sid_len, &sid);
3029
3030                         break;
3031
3032                 default:
3033                         DEBUG(0,("do_nt_transact_get_user_quota: fnum %d unknown level 0x%04hX\n",fsp->fnum,level));
3034                         reply_doserror(req, ERRSRV, ERRerror);
3035                         return;
3036                         break;
3037         }
3038
3039         send_nt_replies(req, nt_status, params, param_len,
3040                         pdata, data_len);
3041 }
3042
3043 /****************************************************************************
3044  Reply to set user quota
3045 ****************************************************************************/
3046
3047 static void call_nt_transact_set_user_quota(connection_struct *conn,
3048                                             struct smb_request *req,
3049                                             uint16 **ppsetup,
3050                                             uint32 setup_count,
3051                                             char **ppparams,
3052                                             uint32 parameter_count,
3053                                             char **ppdata,
3054                                             uint32 data_count,
3055                                             uint32 max_data_count)
3056 {
3057         char *params = *ppparams;
3058         char *pdata = *ppdata;
3059         int data_len=0,param_len=0;
3060         SMB_NTQUOTA_STRUCT qt;
3061         size_t sid_len;
3062         DOM_SID sid;
3063         files_struct *fsp = NULL;
3064
3065         ZERO_STRUCT(qt);
3066
3067         /* access check */
3068         if (current_user.ut.uid != 0) {
3069                 DEBUG(1,("set_user_quota: access_denied service [%s] user [%s]\n",
3070                         lp_servicename(SNUM(conn)),conn->user));
3071                 reply_doserror(req, ERRDOS, ERRnoaccess);
3072                 return;
3073         }
3074
3075         /*
3076          * Ensure minimum number of parameters sent.
3077          */
3078
3079         if (parameter_count < 2) {
3080                 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= 2 bytes parameters\n",parameter_count));
3081                 reply_doserror(req, ERRDOS, ERRinvalidparam);
3082                 return;
3083         }
3084
3085         /* maybe we can check the quota_fnum */
3086         fsp = file_fsp(SVAL(params,0));
3087         if (!CHECK_NTQUOTA_HANDLE_OK(fsp,conn)) {
3088                 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
3089                 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
3090                 return;
3091         }
3092
3093         if (data_count < 40) {
3094                 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %d bytes data\n",data_count,40));
3095                 reply_doserror(req, ERRDOS, ERRunknownlevel);
3096                 return;
3097         }
3098
3099         /* offset to next quota record.
3100          * 4 bytes IVAL(pdata,0)
3101          * unused here...
3102          */
3103
3104         /* sid len */
3105         sid_len = IVAL(pdata,4);
3106
3107         if (data_count < 40+sid_len) {
3108                 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %lu bytes data\n",data_count,(unsigned long)40+sid_len));
3109                 reply_doserror(req, ERRDOS, ERRunknownlevel);
3110                 return;
3111         }
3112
3113         /* unknown 8 bytes in pdata
3114          * maybe its the change time in NTTIME
3115          */
3116
3117         /* the used space 8 bytes (SMB_BIG_UINT)*/
3118         qt.usedspace = (SMB_BIG_UINT)IVAL(pdata,16);
3119 #ifdef LARGE_SMB_OFF_T
3120         qt.usedspace |= (((SMB_BIG_UINT)IVAL(pdata,20)) << 32);
3121 #else /* LARGE_SMB_OFF_T */
3122         if ((IVAL(pdata,20) != 0)&&
3123                 ((qt.usedspace != 0xFFFFFFFF)||
3124                 (IVAL(pdata,20)!=0xFFFFFFFF))) {
3125                 /* more than 32 bits? */
3126                 reply_doserror(req, ERRDOS, ERRunknownlevel);
3127                 return;
3128         }
3129 #endif /* LARGE_SMB_OFF_T */
3130
3131         /* the soft quotas 8 bytes (SMB_BIG_UINT)*/
3132         qt.softlim = (SMB_BIG_UINT)IVAL(pdata,24);
3133 #ifdef LARGE_SMB_OFF_T
3134         qt.softlim |= (((SMB_BIG_UINT)IVAL(pdata,28)) << 32);
3135 #else /* LARGE_SMB_OFF_T */
3136         if ((IVAL(pdata,28) != 0)&&
3137                 ((qt.softlim != 0xFFFFFFFF)||
3138                 (IVAL(pdata,28)!=0xFFFFFFFF))) {
3139                 /* more than 32 bits? */
3140                 reply_doserror(req, ERRDOS, ERRunknownlevel);
3141                 return;
3142         }
3143 #endif /* LARGE_SMB_OFF_T */
3144
3145         /* the hard quotas 8 bytes (SMB_BIG_UINT)*/
3146         qt.hardlim = (SMB_BIG_UINT)IVAL(pdata,32);
3147 #ifdef LARGE_SMB_OFF_T
3148         qt.hardlim |= (((SMB_BIG_UINT)IVAL(pdata,36)) << 32);
3149 #else /* LARGE_SMB_OFF_T */
3150         if ((IVAL(pdata,36) != 0)&&
3151                 ((qt.hardlim != 0xFFFFFFFF)||
3152                 (IVAL(pdata,36)!=0xFFFFFFFF))) {
3153                 /* more than 32 bits? */
3154                 reply_doserror(req, ERRDOS, ERRunknownlevel);
3155                 return;
3156         }
3157 #endif /* LARGE_SMB_OFF_T */
3158
3159         sid_parse(pdata+40,sid_len,&sid);
3160         DEBUGADD(8,("SID: %s\n",sid_string_static(&sid)));
3161
3162         /* 44 unknown bytes left... */
3163
3164         if (vfs_set_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
3165                 reply_doserror(req, ERRSRV, ERRerror);
3166                 return;
3167         }
3168
3169         send_nt_replies(req, NT_STATUS_OK, params, param_len,
3170                         pdata, data_len);
3171 }
3172 #endif /* HAVE_SYS_QUOTAS */
3173
3174 static void handle_nttrans(connection_struct *conn,
3175                            struct trans_state *state,
3176                            struct smb_request *req)
3177 {
3178         if (Protocol >= PROTOCOL_NT1) {
3179                 req->flags2 |= 0x40; /* IS_LONG_NAME */
3180                 SSVAL(req->inbuf,smb_flg2,req->flags2);
3181         }
3182
3183         /* Now we must call the relevant NT_TRANS function */
3184         switch(state->call) {
3185                 case NT_TRANSACT_CREATE:
3186                 {
3187                         START_PROFILE(NT_transact_create);
3188                         call_nt_transact_create(
3189                                 conn, req,
3190                                 &state->setup, state->setup_count,
3191                                 &state->param, state->total_param,
3192                                 &state->data, state->total_data,
3193                                 state->max_data_return);
3194                         END_PROFILE(NT_transact_create);
3195                         break;
3196                 }
3197
3198                 case NT_TRANSACT_IOCTL:
3199                 {
3200                         START_PROFILE(NT_transact_ioctl);
3201                         call_nt_transact_ioctl(
3202                                 conn, req,
3203                                 &state->setup, state->setup_count,
3204                                 &state->param, state->total_param,
3205                                 &state->data, state->total_data,
3206                                 state->max_data_return);
3207                         END_PROFILE(NT_transact_ioctl);
3208                         break;
3209                 }
3210
3211                 case NT_TRANSACT_SET_SECURITY_DESC:
3212                 {
3213                         START_PROFILE(NT_transact_set_security_desc);
3214                         call_nt_transact_set_security_desc(
3215                                 conn, req,
3216                                 &state->setup, state->setup_count,
3217                                 &state->param, state->total_param,
3218                                 &state->data, state->total_data,
3219                                 state->max_data_return);
3220                         END_PROFILE(NT_transact_set_security_desc);
3221                         break;
3222                 }
3223
3224                 case NT_TRANSACT_NOTIFY_CHANGE:
3225                 {
3226                         START_PROFILE(NT_transact_notify_change);
3227                         call_nt_transact_notify_change(
3228                                 conn, req,
3229                                 &state->setup, state->setup_count,
3230                                 &state->param, state->total_param,
3231                                 &state->data, state->total_data,
3232                                 state->max_data_return,
3233                                 state->max_param_return);
3234                         END_PROFILE(NT_transact_notify_change);
3235                         break;
3236                 }
3237
3238                 case NT_TRANSACT_RENAME:
3239                 {
3240                         START_PROFILE(NT_transact_rename);
3241                         call_nt_transact_rename(
3242                                 conn, req,
3243                                 &state->setup, state->setup_count,
3244                                 &state->param, state->total_param,
3245                                 &state->data, state->total_data,
3246                                 state->max_data_return);
3247                         END_PROFILE(NT_transact_rename);
3248                         break;
3249                 }
3250
3251                 case NT_TRANSACT_QUERY_SECURITY_DESC:
3252                 {
3253                         START_PROFILE(NT_transact_query_security_desc);
3254                         call_nt_transact_query_security_desc(
3255                                 conn, req,
3256                                 &state->setup, state->setup_count,
3257                                 &state->param, state->total_param,
3258                                 &state->data, state->total_data,
3259                                 state->max_data_return);
3260                         END_PROFILE(NT_transact_query_security_desc);
3261                         break;
3262                 }
3263
3264 #ifdef HAVE_SYS_QUOTAS
3265                 case NT_TRANSACT_GET_USER_QUOTA:
3266                 {
3267                         START_PROFILE(NT_transact_get_user_quota);
3268                         call_nt_transact_get_user_quota(
3269                                 conn, req,
3270                                 &state->setup, state->setup_count,
3271                                 &state->param, state->total_param,
3272                                 &state->data, state->total_data,
3273                                 state->max_data_return);
3274                         END_PROFILE(NT_transact_get_user_quota);
3275                         break;
3276                 }
3277
3278                 case NT_TRANSACT_SET_USER_QUOTA:
3279                 {
3280                         START_PROFILE(NT_transact_set_user_quota);
3281                         call_nt_transact_set_user_quota(
3282                                 conn, req,
3283                                 &state->setup, state->setup_count,
3284                                 &state->param, state->total_param,
3285                                 &state->data, state->total_data,
3286                                 state->max_data_return);
3287                         END_PROFILE(NT_transact_set_user_quota);
3288                         break;
3289                 }
3290 #endif /* HAVE_SYS_QUOTAS */
3291
3292                 default:
3293                         /* Error in request */
3294                         DEBUG(0,("handle_nttrans: Unknown request %d in "
3295                                  "nttrans call\n", state->call));
3296                         reply_doserror(req, ERRSRV, ERRerror);
3297                         return;
3298         }
3299         return;
3300 }
3301
3302 /****************************************************************************
3303  Reply to a SMBNTtrans.
3304 ****************************************************************************/
3305
3306 void reply_nttrans(connection_struct *conn, struct smb_request *req)
3307 {
3308         uint32 pscnt;
3309         uint32 psoff;
3310         uint32 dscnt;
3311         uint32 dsoff;
3312         uint16 function_code;
3313         NTSTATUS result;
3314         struct trans_state *state;
3315         int size;
3316
3317         START_PROFILE(SMBnttrans);
3318
3319         if (req->wct < 19) {
3320                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3321                 END_PROFILE(SMBnttrans);
3322                 return;
3323         }
3324
3325         size = smb_len(req->inbuf) + 4;
3326         pscnt = IVAL(req->inbuf,smb_nt_ParameterCount);
3327         psoff = IVAL(req->inbuf,smb_nt_ParameterOffset);
3328         dscnt = IVAL(req->inbuf,smb_nt_DataCount);
3329         dsoff = IVAL(req->inbuf,smb_nt_DataOffset);
3330         function_code = SVAL(req->inbuf, smb_nt_Function);
3331
3332         if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) {
3333                 reply_doserror(req, ERRSRV, ERRaccess);
3334                 END_PROFILE(SMBnttrans);
3335                 return;
3336         }
3337
3338         result = allow_new_trans(conn->pending_trans, req->mid);
3339         if (!NT_STATUS_IS_OK(result)) {
3340                 DEBUG(2, ("Got invalid nttrans request: %s\n", nt_errstr(result)));
3341                 reply_nterror(req, result);
3342                 END_PROFILE(SMBnttrans);
3343                 return;
3344         }
3345
3346         if ((state = TALLOC_P(conn->mem_ctx, struct trans_state)) == NULL) {
3347                 reply_doserror(req, ERRSRV, ERRaccess);
3348                 END_PROFILE(SMBnttrans);
3349                 return;
3350         }
3351
3352         state->cmd = SMBnttrans;
3353
3354         state->mid = req->mid;
3355         state->vuid = req->vuid;
3356         state->total_data = IVAL(req->inbuf, smb_nt_TotalDataCount);
3357         state->data = NULL;
3358         state->total_param = IVAL(req->inbuf, smb_nt_TotalParameterCount);
3359         state->param = NULL;
3360         state->max_data_return = IVAL(req->inbuf,smb_nt_MaxDataCount);
3361         state->max_param_return = IVAL(req->inbuf,smb_nt_MaxParameterCount);
3362
3363         /* setup count is in *words* */
3364         state->setup_count = 2*CVAL(req->inbuf,smb_nt_SetupCount);
3365         state->setup = NULL;
3366         state->call = function_code;
3367
3368         /*
3369          * All nttrans messages we handle have smb_wct == 19 +
3370          * state->setup_count.  Ensure this is so as a sanity check.
3371          */
3372
3373         if(req->wct != 19 + (state->setup_count/2)) {
3374                 DEBUG(2,("Invalid smb_wct %d in nttrans call (should be %d)\n",
3375                          req->wct, 19 + (state->setup_count/2)));
3376                 goto bad_param;
3377         }
3378
3379         /* Don't allow more than 128mb for each value. */
3380         if ((state->total_data > (1024*1024*128)) ||
3381             (state->total_param > (1024*1024*128))) {
3382                 reply_doserror(req, ERRDOS, ERRnomem);
3383                 END_PROFILE(SMBnttrans);
3384                 return;
3385         }
3386
3387         if ((dscnt > state->total_data) || (pscnt > state->total_param))
3388                 goto bad_param;
3389
3390         if (state->total_data)  {
3391                 /* Can't use talloc here, the core routines do realloc on the
3392                  * params and data. */
3393                 if ((state->data = (char *)SMB_MALLOC(state->total_data)) == NULL) {
3394                         DEBUG(0,("reply_nttrans: data malloc fail for %u "
3395                                  "bytes !\n", (unsigned int)state->total_data));
3396                         TALLOC_FREE(state);
3397                         reply_doserror(req, ERRDOS, ERRnomem);
3398                         END_PROFILE(SMBnttrans);
3399                         return;
3400                 }
3401                 if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
3402                         goto bad_param;
3403                 if ((smb_base(req->inbuf)+dsoff+dscnt
3404                      > (char *)req->inbuf + size) ||
3405                     (smb_base(req->inbuf)+dsoff+dscnt < smb_base(req->inbuf)))
3406                         goto bad_param;
3407
3408                 memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
3409         }
3410
3411         if (state->total_param) {
3412                 /* Can't use talloc here, the core routines do realloc on the
3413                  * params and data. */
3414                 if ((state->param = (char *)SMB_MALLOC(state->total_param)) == NULL) {
3415                         DEBUG(0,("reply_nttrans: param malloc fail for %u "
3416                                  "bytes !\n", (unsigned int)state->total_param));
3417                         SAFE_FREE(state->data);
3418                         TALLOC_FREE(state);
3419                         reply_doserror(req, ERRDOS, ERRnomem);
3420                         END_PROFILE(SMBnttrans);
3421                         return;
3422                 }
3423                 if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
3424                         goto bad_param;
3425                 if ((smb_base(req->inbuf)+psoff+pscnt
3426                      > (char *)req->inbuf + size) ||
3427                     (smb_base(req->inbuf)+psoff+pscnt < smb_base(req->inbuf)))
3428                         goto bad_param;
3429
3430                 memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
3431         }
3432
3433         state->received_data  = dscnt;
3434         state->received_param = pscnt;
3435
3436         if(state->setup_count > 0) {
3437                 DEBUG(10,("reply_nttrans: state->setup_count = %d\n",
3438                           state->setup_count));
3439                 state->setup = (uint16 *)TALLOC(state, state->setup_count);
3440                 if (state->setup == NULL) {
3441                         DEBUG(0,("reply_nttrans : Out of memory\n"));
3442                         SAFE_FREE(state->data);
3443                         SAFE_FREE(state->param);
3444                         TALLOC_FREE(state);
3445                         reply_doserror(req, ERRDOS, ERRnomem);
3446                         END_PROFILE(SMBnttrans);
3447                         return;
3448                 }
3449
3450                 if ((smb_nt_SetupStart + state->setup_count < smb_nt_SetupStart) ||
3451                     (smb_nt_SetupStart + state->setup_count < state->setup_count)) {
3452                         goto bad_param;
3453                 }
3454                 if (smb_nt_SetupStart + state->setup_count > size) {
3455                         goto bad_param;
3456                 }
3457
3458                 memcpy( state->setup, &req->inbuf[smb_nt_SetupStart],
3459                         state->setup_count);
3460                 dump_data(10, (uint8 *)state->setup, state->setup_count);
3461         }
3462
3463         if ((state->received_data == state->total_data) &&
3464             (state->received_param == state->total_param)) {
3465                 handle_nttrans(conn, state, req);
3466                 SAFE_FREE(state->param);
3467                 SAFE_FREE(state->data);
3468                 TALLOC_FREE(state);
3469                 END_PROFILE(SMBnttrans);
3470                 return;
3471         }
3472
3473         DLIST_ADD(conn->pending_trans, state);
3474
3475         /* We need to send an interim response then receive the rest
3476            of the parameter/data bytes */
3477         reply_outbuf(req, 0, 0);
3478         show_msg((char *)req->outbuf);
3479         END_PROFILE(SMBnttrans);
3480         return;
3481
3482   bad_param:
3483
3484         DEBUG(0,("reply_nttrans: invalid trans parameters\n"));
3485         SAFE_FREE(state->data);
3486         SAFE_FREE(state->param);
3487         TALLOC_FREE(state);
3488         reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3489         END_PROFILE(SMBnttrans);
3490         return;
3491 }
3492
3493 /****************************************************************************
3494  Reply to a SMBnttranss
3495  ****************************************************************************/
3496
3497 void reply_nttranss(connection_struct *conn, struct smb_request *req)
3498 {
3499         unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
3500         struct trans_state *state;
3501
3502         int size;
3503
3504         START_PROFILE(SMBnttranss);
3505
3506         show_msg((char *)req->inbuf);
3507
3508         if (req->wct < 18) {
3509                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3510                 END_PROFILE(SMBnttranss);
3511                 return;
3512         }
3513
3514         for (state = conn->pending_trans; state != NULL;
3515              state = state->next) {
3516                 if (state->mid == req->mid) {
3517                         break;
3518                 }
3519         }
3520
3521         if ((state == NULL) || (state->cmd != SMBnttrans)) {
3522                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3523                 END_PROFILE(SMBnttranss);
3524                 return;
3525         }
3526
3527         /* Revise state->total_param and state->total_data in case they have
3528            changed downwards */
3529         if (IVAL(req->inbuf, smb_nts_TotalParameterCount)
3530             < state->total_param) {
3531                 state->total_param = IVAL(req->inbuf,
3532                                           smb_nts_TotalParameterCount);
3533         }
3534         if (IVAL(req->inbuf, smb_nts_TotalDataCount) < state->total_data) {
3535                 state->total_data = IVAL(req->inbuf, smb_nts_TotalDataCount);
3536         }
3537