2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998,
5 * Largely re-written : 2005
6 * Copyright (C) Jeremy Allison 1998 - 2005
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 #include "librpc/gen_ndr/ndr_named_pipe_auth.h"
26 #define DBGC_CLASS DBGC_RPC_SRV
28 static int pipes_open;
30 static pipes_struct *InternalPipes;
33 * the following prototypes are declared here to avoid
34 * code being moved about too much for a patch to be
35 * disrupted / less obvious.
37 * these functions, and associated functions that they
38 * call, should be moved behind a .so module-loading
39 * system _anyway_. so that's the next step...
42 static int close_internal_rpc_pipe_hnd(struct pipes_struct *p);
44 /****************************************************************************
45 Internal Pipe iterator functions.
46 ****************************************************************************/
48 pipes_struct *get_first_internal_pipe(void)
53 pipes_struct *get_next_internal_pipe(pipes_struct *p)
58 /****************************************************************************
59 Initialise an outgoing packet.
60 ****************************************************************************/
62 static bool pipe_init_outgoing_data(pipes_struct *p)
64 output_data *o_data = &p->out_data;
66 /* Reset the offset counters. */
67 o_data->data_sent_length = 0;
68 o_data->current_pdu_len = 0;
69 o_data->current_pdu_sent = 0;
71 memset(o_data->current_pdu, '\0', sizeof(o_data->current_pdu));
73 /* Free any memory in the current return data buffer. */
74 prs_mem_free(&o_data->rdata);
77 * Initialize the outgoing RPC data buffer.
78 * we will use this as the raw data area for replying to rpc requests.
80 if(!prs_init(&o_data->rdata, RPC_MAX_PDU_FRAG_LEN, p->mem_ctx, MARSHALL)) {
81 DEBUG(0,("pipe_init_outgoing_data: malloc fail.\n"));
88 /****************************************************************************
89 Make an internal namedpipes structure
90 ****************************************************************************/
92 static struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
93 const char *pipe_name,
94 const char *client_address,
95 struct auth_serversupplied_info *server_info)
99 DEBUG(4,("Create pipe requested %s\n", pipe_name));
101 p = TALLOC_ZERO_P(mem_ctx, struct pipes_struct);
104 DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
108 if ((p->mem_ctx = talloc_init("pipe %s %p", pipe_name, p)) == NULL) {
109 DEBUG(0,("open_rpc_pipe_p: talloc_init failed.\n"));
114 if (!init_pipe_handle_list(p, pipe_name)) {
115 DEBUG(0,("open_rpc_pipe_p: init_pipe_handles failed.\n"));
116 talloc_destroy(p->mem_ctx);
122 * Initialize the incoming RPC data buffer with one PDU worth of memory.
123 * We cheat here and say we're marshalling, as we intend to add incoming
124 * data directly into the prs_struct and we want it to auto grow. We will
125 * change the type to UNMARSALLING before processing the stream.
128 if(!prs_init(&p->in_data.data, RPC_MAX_PDU_FRAG_LEN, p->mem_ctx, MARSHALL)) {
129 DEBUG(0,("open_rpc_pipe_p: malloc fail for in_data struct.\n"));
130 talloc_destroy(p->mem_ctx);
131 close_policy_by_pipe(p);
136 p->server_info = copy_serverinfo(p, server_info);
137 if (p->server_info == NULL) {
138 DEBUG(0, ("open_rpc_pipe_p: copy_serverinfo failed\n"));
139 talloc_destroy(p->mem_ctx);
140 close_policy_by_pipe(p);
145 DLIST_ADD(InternalPipes, p);
147 memcpy(p->client_address, client_address, sizeof(p->client_address));
149 p->endian = RPC_LITTLE_ENDIAN;
152 * Initialize the outgoing RPC data buffer with no memory.
154 prs_init_empty(&p->out_data.rdata, p->mem_ctx, MARSHALL);
156 fstrcpy(p->name, pipe_name);
158 DEBUG(4,("Created internal pipe %s (pipes_open=%d)\n",
159 pipe_name, pipes_open));
161 talloc_set_destructor(p, close_internal_rpc_pipe_hnd);
166 /****************************************************************************
167 Sets the fault state on incoming packets.
168 ****************************************************************************/
170 static void set_incoming_fault(pipes_struct *p)
172 prs_mem_free(&p->in_data.data);
173 p->in_data.pdu_needed_len = 0;
174 p->in_data.pdu_received_len = 0;
175 p->fault_state = True;
176 DEBUG(10, ("set_incoming_fault: Setting fault state on pipe %s\n",
180 /****************************************************************************
181 Ensures we have at least RPC_HEADER_LEN amount of data in the incoming buffer.
182 ****************************************************************************/
184 static ssize_t fill_rpc_header(pipes_struct *p, char *data, size_t data_to_copy)
186 size_t len_needed_to_complete_hdr = MIN(data_to_copy, RPC_HEADER_LEN - p->in_data.pdu_received_len);
188 DEBUG(10,("fill_rpc_header: data_to_copy = %u, len_needed_to_complete_hdr = %u, receive_len = %u\n",
189 (unsigned int)data_to_copy, (unsigned int)len_needed_to_complete_hdr,
190 (unsigned int)p->in_data.pdu_received_len ));
192 memcpy((char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, len_needed_to_complete_hdr);
193 p->in_data.pdu_received_len += len_needed_to_complete_hdr;
195 return (ssize_t)len_needed_to_complete_hdr;
198 /****************************************************************************
199 Unmarshalls a new PDU header. Assumes the raw header data is in current_in_pdu.
200 ****************************************************************************/
202 static ssize_t unmarshall_rpc_header(pipes_struct *p)
205 * Unmarshall the header to determine the needed length.
210 if(p->in_data.pdu_received_len != RPC_HEADER_LEN) {
211 DEBUG(0,("unmarshall_rpc_header: assert on rpc header length failed.\n"));
212 set_incoming_fault(p);
216 prs_init_empty( &rpc_in, p->mem_ctx, UNMARSHALL);
217 prs_set_endian_data( &rpc_in, p->endian);
219 prs_give_memory( &rpc_in, (char *)&p->in_data.current_in_pdu[0],
220 p->in_data.pdu_received_len, False);
223 * Unmarshall the header as this will tell us how much
224 * data we need to read to get the complete pdu.
225 * This also sets the endian flag in rpc_in.
228 if(!smb_io_rpc_hdr("", &p->hdr, &rpc_in, 0)) {
229 DEBUG(0,("unmarshall_rpc_header: failed to unmarshall RPC_HDR.\n"));
230 set_incoming_fault(p);
231 prs_mem_free(&rpc_in);
236 * Validate the RPC header.
239 if(p->hdr.major != 5 && p->hdr.minor != 0) {
240 DEBUG(0,("unmarshall_rpc_header: invalid major/minor numbers in RPC_HDR.\n"));
241 set_incoming_fault(p);
242 prs_mem_free(&rpc_in);
247 * If there's not data in the incoming buffer this should be the start of a new RPC.
250 if(prs_offset(&p->in_data.data) == 0) {
253 * AS/U doesn't set FIRST flag in a BIND packet it seems.
256 if ((p->hdr.pkt_type == RPC_REQUEST) && !(p->hdr.flags & RPC_FLG_FIRST)) {
258 * Ensure that the FIRST flag is set. If not then we have
259 * a stream missmatch.
262 DEBUG(0,("unmarshall_rpc_header: FIRST flag not set in first PDU !\n"));
263 set_incoming_fault(p);
264 prs_mem_free(&rpc_in);
269 * If this is the first PDU then set the endianness
270 * flag in the pipe. We will need this when parsing all
274 p->endian = rpc_in.bigendian_data;
276 DEBUG(5,("unmarshall_rpc_header: using %sendian RPC\n",
277 p->endian == RPC_LITTLE_ENDIAN ? "little-" : "big-" ));
282 * If this is *NOT* the first PDU then check the endianness
283 * flag in the pipe is the same as that in the PDU.
286 if (p->endian != rpc_in.bigendian_data) {
287 DEBUG(0,("unmarshall_rpc_header: FIRST endianness flag (%d) different in next PDU !\n", (int)p->endian));
288 set_incoming_fault(p);
289 prs_mem_free(&rpc_in);
295 * Ensure that the pdu length is sane.
298 if((p->hdr.frag_len < RPC_HEADER_LEN) || (p->hdr.frag_len > RPC_MAX_PDU_FRAG_LEN)) {
299 DEBUG(0,("unmarshall_rpc_header: assert on frag length failed.\n"));
300 set_incoming_fault(p);
301 prs_mem_free(&rpc_in);
305 DEBUG(10,("unmarshall_rpc_header: type = %u, flags = %u\n", (unsigned int)p->hdr.pkt_type,
306 (unsigned int)p->hdr.flags ));
308 p->in_data.pdu_needed_len = (uint32)p->hdr.frag_len - RPC_HEADER_LEN;
310 prs_mem_free(&rpc_in);
312 return 0; /* No extra data processed. */
315 /****************************************************************************
316 Call this to free any talloc'ed memory. Do this before and after processing
318 ****************************************************************************/
320 static void free_pipe_context(pipes_struct *p)
323 DEBUG(3,("free_pipe_context: destroying talloc pool of size "
324 "%lu\n", (unsigned long)talloc_total_size(p->mem_ctx) ));
325 talloc_free_children(p->mem_ctx);
327 p->mem_ctx = talloc_init("pipe %s %p", p->name, p);
328 if (p->mem_ctx == NULL) {
329 p->fault_state = True;
334 /****************************************************************************
335 Processes a request pdu. This will do auth processing if needed, and
336 appends the data into the complete stream if the LAST flag is not set.
337 ****************************************************************************/
339 static bool process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
341 uint32 ss_padding_len = 0;
342 size_t data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
343 (p->hdr.auth_len ? RPC_HDR_AUTH_LEN : 0) - p->hdr.auth_len;
346 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
347 set_incoming_fault(p);
352 * Check if we need to do authentication processing.
353 * This is only done on requests, not binds.
357 * Read the RPC request header.
360 if(!smb_io_rpc_hdr_req("req", &p->hdr_req, rpc_in_p, 0)) {
361 DEBUG(0,("process_request_pdu: failed to unmarshall RPC_HDR_REQ.\n"));
362 set_incoming_fault(p);
366 switch(p->auth.auth_type) {
367 case PIPE_AUTH_TYPE_NONE:
370 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
371 case PIPE_AUTH_TYPE_NTLMSSP:
374 if(!api_pipe_ntlmssp_auth_process(p, rpc_in_p, &ss_padding_len, &status)) {
375 DEBUG(0,("process_request_pdu: failed to do auth processing.\n"));
376 DEBUG(0,("process_request_pdu: error was %s.\n", nt_errstr(status) ));
377 set_incoming_fault(p);
383 case PIPE_AUTH_TYPE_SCHANNEL:
384 if (!api_pipe_schannel_process(p, rpc_in_p, &ss_padding_len)) {
385 DEBUG(3,("process_request_pdu: failed to do schannel processing.\n"));
386 set_incoming_fault(p);
392 DEBUG(0,("process_request_pdu: unknown auth type %u set.\n", (unsigned int)p->auth.auth_type ));
393 set_incoming_fault(p);
397 /* Now we've done the sign/seal we can remove any padding data. */
398 if (data_len > ss_padding_len) {
399 data_len -= ss_padding_len;
403 * Check the data length doesn't go over the 15Mb limit.
404 * increased after observing a bug in the Windows NT 4.0 SP6a
405 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
406 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
409 if(prs_offset(&p->in_data.data) + data_len > 15*1024*1024) {
410 DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
411 (unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len ));
412 set_incoming_fault(p);
417 * Append the data portion into the buffer and return.
420 if(!prs_append_some_prs_data(&p->in_data.data, rpc_in_p, prs_offset(rpc_in_p), data_len)) {
421 DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n",
422 (unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) ));
423 set_incoming_fault(p);
427 if(p->hdr.flags & RPC_FLG_LAST) {
430 * Ok - we finally have a complete RPC stream.
431 * Call the rpc command to process it.
435 * Ensure the internal prs buffer size is *exactly* the same
436 * size as the current offset.
439 if(!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data))) {
440 DEBUG(0,("process_request_pdu: Call to prs_set_buffer_size failed!\n"));
441 set_incoming_fault(p);
446 * Set the parse offset to the start of the data and set the
447 * prs_struct to UNMARSHALL.
450 prs_set_offset(&p->in_data.data, 0);
451 prs_switch_type(&p->in_data.data, UNMARSHALL);
454 * Process the complete data stream here.
457 free_pipe_context(p);
459 if(pipe_init_outgoing_data(p)) {
460 ret = api_pipe_request(p);
463 free_pipe_context(p);
466 * We have consumed the whole data stream. Set back to
467 * marshalling and set the offset back to the start of
468 * the buffer to re-use it (we could also do a prs_mem_free()
469 * and then re_init on the next start of PDU. Not sure which
470 * is best here.... JRA.
473 prs_switch_type(&p->in_data.data, MARSHALL);
474 prs_set_offset(&p->in_data.data, 0);
481 /****************************************************************************
482 Processes a finished PDU stored in current_in_pdu. The RPC_HEADER has
483 already been parsed and stored in p->hdr.
484 ****************************************************************************/
486 static void process_complete_pdu(pipes_struct *p)
489 size_t data_len = p->in_data.pdu_received_len - RPC_HEADER_LEN;
490 char *data_p = (char *)&p->in_data.current_in_pdu[RPC_HEADER_LEN];
494 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
496 set_incoming_fault(p);
497 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
501 prs_init_empty( &rpc_in, p->mem_ctx, UNMARSHALL);
504 * Ensure we're using the corrent endianness for both the
505 * RPC header flags and the raw data we will be reading from.
508 prs_set_endian_data( &rpc_in, p->endian);
509 prs_set_endian_data( &p->in_data.data, p->endian);
511 prs_give_memory( &rpc_in, data_p, (uint32)data_len, False);
513 DEBUG(10,("process_complete_pdu: processing packet type %u\n",
514 (unsigned int)p->hdr.pkt_type ));
516 switch (p->hdr.pkt_type) {
518 reply = process_request_pdu(p, &rpc_in);
521 case RPC_PING: /* CL request - ignore... */
522 DEBUG(0,("process_complete_pdu: Error. Connectionless packet type %u received on pipe %s.\n",
523 (unsigned int)p->hdr.pkt_type, p->name));
526 case RPC_RESPONSE: /* No responses here. */
527 DEBUG(0,("process_complete_pdu: Error. RPC_RESPONSE received from client on pipe %s.\n",
532 case RPC_WORKING: /* CL request - reply to a ping when a call in process. */
533 case RPC_NOCALL: /* CL - server reply to a ping call. */
539 DEBUG(0,("process_complete_pdu: Error. Connectionless packet type %u received on pipe %s.\n",
540 (unsigned int)p->hdr.pkt_type, p->name));
545 * We assume that a pipe bind is only in one pdu.
547 if(pipe_init_outgoing_data(p)) {
548 reply = api_pipe_bind_req(p, &rpc_in);
554 DEBUG(0,("process_complete_pdu: Error. RPC_BINDACK/RPC_BINDNACK packet type %u received on pipe %s.\n",
555 (unsigned int)p->hdr.pkt_type, p->name));
561 * We assume that a pipe bind is only in one pdu.
563 if(pipe_init_outgoing_data(p)) {
564 reply = api_pipe_alter_context(p, &rpc_in);
568 case RPC_ALTCONTRESP:
569 DEBUG(0,("process_complete_pdu: Error. RPC_ALTCONTRESP on pipe %s: Should only be server -> client.\n",
575 * The third packet in an NTLMSSP auth exchange.
577 if(pipe_init_outgoing_data(p)) {
578 reply = api_pipe_bind_auth3(p, &rpc_in);
583 DEBUG(0,("process_complete_pdu: Error. RPC_SHUTDOWN on pipe %s: Should only be server -> client.\n",
588 /* For now just free all client data and continue processing. */
589 DEBUG(3,("process_complete_pdu: RPC_ORPHANED. Abandoning rpc call.\n"));
590 /* As we never do asynchronous RPC serving, we can never cancel a
591 call (as far as I know). If we ever did we'd have to send a cancel_ack
592 reply. For now, just free all client data and continue processing. */
596 /* Enable this if we're doing async rpc. */
597 /* We must check the call-id matches the outstanding callid. */
598 if(pipe_init_outgoing_data(p)) {
599 /* Send a cancel_ack PDU reply. */
600 /* We should probably check the auth-verifier here. */
601 reply = setup_cancel_ack_reply(p, &rpc_in);
607 /* We should probably check the auth-verifier here.
608 For now just free all client data and continue processing. */
609 DEBUG(3,("process_complete_pdu: RPC_ORPHANED. Abandoning rpc call.\n"));
614 DEBUG(0,("process_complete_pdu: Unknown rpc type = %u received.\n", (unsigned int)p->hdr.pkt_type ));
618 /* Reset to little endian. Probably don't need this but it won't hurt. */
619 prs_set_endian_data( &p->in_data.data, RPC_LITTLE_ENDIAN);
622 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on pipe %s\n", p->pipe_srv_name));
623 set_incoming_fault(p);
624 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
625 prs_mem_free(&rpc_in);
628 * Reset the lengths. We're ready for a new pdu.
630 p->in_data.pdu_needed_len = 0;
631 p->in_data.pdu_received_len = 0;
634 prs_mem_free(&rpc_in);
637 /****************************************************************************
638 Accepts incoming data on an rpc pipe. Processes the data in pdu sized units.
639 ****************************************************************************/
641 static ssize_t process_incoming_data(pipes_struct *p, char *data, size_t n)
643 size_t data_to_copy = MIN(n, RPC_MAX_PDU_FRAG_LEN - p->in_data.pdu_received_len);
645 DEBUG(10,("process_incoming_data: Start: pdu_received_len = %u, pdu_needed_len = %u, incoming data = %u\n",
646 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len,
649 if(data_to_copy == 0) {
651 * This is an error - data is being received and there is no
652 * space in the PDU. Free the received data and go into the fault state.
654 DEBUG(0,("process_incoming_data: No space in incoming pdu buffer. Current size = %u \
655 incoming data size = %u\n", (unsigned int)p->in_data.pdu_received_len, (unsigned int)n ));
656 set_incoming_fault(p);
661 * If we have no data already, wait until we get at least a RPC_HEADER_LEN
662 * number of bytes before we can do anything.
665 if((p->in_data.pdu_needed_len == 0) && (p->in_data.pdu_received_len < RPC_HEADER_LEN)) {
667 * Always return here. If we have more data then the RPC_HEADER
668 * will be processed the next time around the loop.
670 return fill_rpc_header(p, data, data_to_copy);
674 * At this point we know we have at least an RPC_HEADER_LEN amount of data
675 * stored in current_in_pdu.
679 * If pdu_needed_len is zero this is a new pdu.
680 * Unmarshall the header so we know how much more
681 * data we need, then loop again.
684 if(p->in_data.pdu_needed_len == 0) {
685 ssize_t rret = unmarshall_rpc_header(p);
686 if (rret == -1 || p->in_data.pdu_needed_len > 0) {
689 /* If rret == 0 and pdu_needed_len == 0 here we have a PDU that consists
690 of an RPC_HEADER only. This is a RPC_SHUTDOWN, RPC_CO_CANCEL or RPC_ORPHANED
691 pdu type. Deal with this in process_complete_pdu(). */
695 * Ok - at this point we have a valid RPC_HEADER in p->hdr.
696 * Keep reading until we have a full pdu.
699 data_to_copy = MIN(data_to_copy, p->in_data.pdu_needed_len);
702 * Copy as much of the data as we need into the current_in_pdu buffer.
703 * pdu_needed_len becomes zero when we have a complete pdu.
706 memcpy( (char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, data_to_copy);
707 p->in_data.pdu_received_len += data_to_copy;
708 p->in_data.pdu_needed_len -= data_to_copy;
711 * Do we have a complete PDU ?
712 * (return the number of bytes handled in the call)
715 if(p->in_data.pdu_needed_len == 0) {
716 process_complete_pdu(p);
720 DEBUG(10,("process_incoming_data: not a complete PDU yet. pdu_received_len = %u, pdu_needed_len = %u\n",
721 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len ));
723 return (ssize_t)data_to_copy;
726 /****************************************************************************
727 Accepts incoming data on an internal rpc pipe.
728 ****************************************************************************/
730 static ssize_t write_to_internal_pipe(struct pipes_struct *p, char *data, size_t n)
732 size_t data_left = n;
737 DEBUG(10,("write_to_pipe: data_left = %u\n", (unsigned int)data_left ));
739 data_used = process_incoming_data(p, data, data_left);
741 DEBUG(10,("write_to_pipe: data_used = %d\n", (int)data_used ));
747 data_left -= data_used;
754 /****************************************************************************
755 Replies to a request to read data from a pipe.
757 Headers are interspersed with the data at PDU intervals. By the time
758 this function is called, the start of the data could possibly have been
759 read by an SMBtrans (file_offset != 0).
761 Calling create_rpc_reply() here is a hack. The data should already
762 have been prepared into arrays of headers + data stream sections.
763 ****************************************************************************/
765 static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data, size_t n,
766 bool *is_data_outstanding)
768 uint32 pdu_remaining = 0;
769 ssize_t data_returned = 0;
772 DEBUG(0,("read_from_pipe: pipe not open\n"));
776 DEBUG(6,(" name: %s len: %u\n", p->name, (unsigned int)n));
779 * We cannot return more than one PDU length per
784 * This condition should result in the connection being closed.
785 * Netapp filers seem to set it to 0xffff which results in domain
786 * authentications failing. Just ignore it so things work.
789 if(n > RPC_MAX_PDU_FRAG_LEN) {
790 DEBUG(5,("read_from_pipe: too large read (%u) requested on \
791 pipe %s. We can only service %d sized reads.\n", (unsigned int)n, p->name, RPC_MAX_PDU_FRAG_LEN ));
792 n = RPC_MAX_PDU_FRAG_LEN;
796 * Determine if there is still data to send in the
797 * pipe PDU buffer. Always send this first. Never
798 * send more than is left in the current PDU. The
799 * client should send a new read request for a new
803 if((pdu_remaining = p->out_data.current_pdu_len - p->out_data.current_pdu_sent) > 0) {
804 data_returned = (ssize_t)MIN(n, pdu_remaining);
806 DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, current_pdu_sent = %u \
807 returning %d bytes.\n", p->name, (unsigned int)p->out_data.current_pdu_len,
808 (unsigned int)p->out_data.current_pdu_sent, (int)data_returned));
810 memcpy( data, &p->out_data.current_pdu[p->out_data.current_pdu_sent], (size_t)data_returned);
811 p->out_data.current_pdu_sent += (uint32)data_returned;
816 * At this point p->current_pdu_len == p->current_pdu_sent (which
817 * may of course be zero if this is the first return fragment.
820 DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length \
821 = %u, prs_offset(&p->out_data.rdata) = %u.\n",
822 p->name, (int)p->fault_state, (unsigned int)p->out_data.data_sent_length, (unsigned int)prs_offset(&p->out_data.rdata) ));
824 if(p->out_data.data_sent_length >= prs_offset(&p->out_data.rdata)) {
826 * We have sent all possible data, return 0.
833 * We need to create a new PDU from the data left in p->rdata.
834 * Create the header/data/footers. This also sets up the fields
835 * p->current_pdu_len, p->current_pdu_sent, p->data_sent_length
836 * and stores the outgoing PDU in p->current_pdu.
839 if(!create_next_pdu(p)) {
840 DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n", p->name));
844 data_returned = MIN(n, p->out_data.current_pdu_len);
846 memcpy( data, p->out_data.current_pdu, (size_t)data_returned);
847 p->out_data.current_pdu_sent += (uint32)data_returned;
851 (*is_data_outstanding) = p->out_data.current_pdu_len > n;
852 return data_returned;
855 /****************************************************************************
857 ****************************************************************************/
859 static int close_internal_rpc_pipe_hnd(struct pipes_struct *p)
862 DEBUG(0,("Invalid pipe in close_internal_rpc_pipe_hnd\n"));
866 prs_mem_free(&p->out_data.rdata);
867 prs_mem_free(&p->in_data.data);
869 if (p->auth.auth_data_free_func) {
870 (*p->auth.auth_data_free_func)(&p->auth);
873 TALLOC_FREE(p->mem_ctx);
875 free_pipe_rpc_context( p->contexts );
877 /* Free the handles database. */
878 close_policy_by_pipe(p);
880 DLIST_REMOVE(InternalPipes, p);
889 bool fsp_is_np(struct files_struct *fsp)
891 enum FAKE_FILE_TYPE type;
893 if ((fsp == NULL) || (fsp->fake_file_handle == NULL)) {
897 type = fsp->fake_file_handle->type;
899 return ((type == FAKE_FILE_TYPE_NAMED_PIPE)
900 || (type == FAKE_FILE_TYPE_NAMED_PIPE_PROXY));
903 struct np_proxy_state {
907 static int np_proxy_state_destructor(struct np_proxy_state *state)
909 if (state->fd != -1) {
915 static struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
916 const char *pipe_name,
917 struct auth_serversupplied_info *server_info)
919 struct np_proxy_state *result;
920 struct sockaddr_un addr;
922 const char *socket_dir;
925 struct netr_SamInfo3 *info3;
926 struct named_pipe_auth_req req;
929 struct named_pipe_auth_rep rep;
930 enum ndr_err_code ndr_err;
934 result = talloc(mem_ctx, struct np_proxy_state);
935 if (result == NULL) {
936 DEBUG(0, ("talloc failed\n"));
940 result->fd = socket(AF_UNIX, SOCK_STREAM, 0);
941 if (result->fd == -1) {
942 DEBUG(10, ("socket(2) failed: %s\n", strerror(errno)));
945 talloc_set_destructor(result, np_proxy_state_destructor);
948 addr.sun_family = AF_UNIX;
950 socket_dir = lp_parm_const_string(
951 GLOBAL_SECTION_SNUM, "external_rpc_pipe", "socket_dir",
952 get_dyn_NCALRPCDIR());
953 if (socket_dir == NULL) {
954 DEBUG(0, ("externan_rpc_pipe:socket_dir not set\n"));
958 socket_path = talloc_asprintf(talloc_tos(), "%s/np/%s",
959 socket_dir, pipe_name);
960 if (socket_path == NULL) {
961 DEBUG(0, ("talloc_asprintf failed\n"));
964 strncpy(addr.sun_path, socket_path, sizeof(addr.sun_path));
965 TALLOC_FREE(socket_path);
968 if (sys_connect(result->fd, (struct sockaddr *)&addr) == -1) {
970 DEBUG(0, ("connect(%s) failed: %s\n", addr.sun_path,
976 info3 = talloc(talloc_tos(), struct netr_SamInfo3);
978 DEBUG(0, ("talloc failed\n"));
982 status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3);
983 if (!NT_STATUS_IS_OK(status)) {
985 DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
991 req.info.info1 = *info3;
993 ndr_err = ndr_push_struct_blob(
994 &req_blob, talloc_tos(), NULL, &req,
995 (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req);
997 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
998 DEBUG(10, ("ndr_push_named_pipe_auth_req failed: %s\n",
999 ndr_errstr(ndr_err)));
1003 DEBUG(10, ("named_pipe_auth_req(client)[%u]\n", (uint32_t)req_blob.length));
1004 dump_data(10, req_blob.data, req_blob.length);
1006 written = write_data(result->fd, (char *)req_blob.data,
1008 if (written == -1) {
1009 DEBUG(3, ("Could not write auth req data to RPC server\n"));
1013 status = read_data(result->fd, (char *)rep_buf, sizeof(rep_buf));
1014 if (!NT_STATUS_IS_OK(status)) {
1015 DEBUG(3, ("Could not read auth result\n"));
1019 rep_blob = data_blob_const(rep_buf, sizeof(rep_buf));
1021 DEBUG(10,("name_pipe_auth_rep(client)[%u]\n", (uint32_t)rep_blob.length));
1022 dump_data(10, rep_blob.data, rep_blob.length);
1024 ndr_err = ndr_pull_struct_blob(
1025 &rep_blob, talloc_tos(), NULL, &rep,
1026 (ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_rep);
1028 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1029 DEBUG(0, ("ndr_pull_named_pipe_auth_rep failed: %s\n",
1030 ndr_errstr(ndr_err)));
1034 if (rep.length != 16) {
1035 DEBUG(0, ("req invalid length: %u != 16\n",
1040 if (strcmp(NAMED_PIPE_AUTH_MAGIC, rep.magic) != 0) {
1041 DEBUG(0, ("req invalid magic: %s != %s\n",
1042 rep.magic, NAMED_PIPE_AUTH_MAGIC));
1046 if (!NT_STATUS_IS_OK(rep.status)) {
1047 DEBUG(0, ("req failed: %s\n",
1048 nt_errstr(rep.status)));
1052 if (rep.level != 1) {
1053 DEBUG(0, ("req invalid level: %u != 1\n",
1061 TALLOC_FREE(result);
1065 NTSTATUS np_open(TALLOC_CTX *mem_ctx, const char *name,
1066 const char *client_address,
1067 struct auth_serversupplied_info *server_info,
1068 struct fake_file_handle **phandle)
1070 const char **proxy_list;
1071 struct fake_file_handle *handle;
1073 proxy_list = lp_parm_string_list(-1, "np", "proxy", NULL);
1075 handle = talloc(mem_ctx, struct fake_file_handle);
1076 if (handle == NULL) {
1077 return NT_STATUS_NO_MEMORY;
1080 if ((proxy_list != NULL) && str_list_check_ci(proxy_list, name)) {
1081 struct np_proxy_state *p;
1083 p = make_external_rpc_pipe_p(handle, name, server_info);
1085 handle->type = FAKE_FILE_TYPE_NAMED_PIPE_PROXY;
1086 handle->private_data = p;
1088 struct pipes_struct *p;
1090 if (!is_known_pipename(name)) {
1091 TALLOC_FREE(handle);
1092 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1095 p = make_internal_rpc_pipe_p(handle, name, client_address,
1098 handle->type = FAKE_FILE_TYPE_NAMED_PIPE;
1099 handle->private_data = p;
1102 if (handle->private_data == NULL) {
1103 TALLOC_FREE(handle);
1104 return NT_STATUS_PIPE_NOT_AVAILABLE;
1109 return NT_STATUS_OK;
1112 struct np_write_state {
1116 static void np_write_done(struct async_req *subreq);
1118 struct async_req *np_write_send(TALLOC_CTX *mem_ctx, struct event_context *ev,
1119 struct fake_file_handle *handle,
1120 const uint8_t *data, size_t len)
1122 struct async_req *result, *subreq;
1123 struct np_write_state *state;
1126 DEBUG(6, ("np_write_send: len: %d\n", (int)len));
1127 dump_data(50, data, len);
1129 if (!async_req_setup(mem_ctx, &result, &state,
1130 struct np_write_state)) {
1135 state->nwritten = 0;
1136 status = NT_STATUS_OK;
1140 if (handle->type == FAKE_FILE_TYPE_NAMED_PIPE) {
1141 struct pipes_struct *p = talloc_get_type_abort(
1142 handle->private_data, struct pipes_struct);
1144 state->nwritten = write_to_internal_pipe(p, (char *)data, len);
1146 status = (state->nwritten >= 0)
1147 ? NT_STATUS_OK : NT_STATUS_UNEXPECTED_IO_ERROR;
1151 if (handle->type == FAKE_FILE_TYPE_NAMED_PIPE_PROXY) {
1152 struct np_proxy_state *p = talloc_get_type_abort(
1153 handle->private_data, struct np_proxy_state);
1155 state->nwritten = len;
1157 subreq = sendall_send(state, ev, p->fd, data, len, 0);
1158 if (subreq == NULL) {
1161 subreq->async.fn = np_write_done;
1162 subreq->async.priv = result;
1166 status = NT_STATUS_INVALID_HANDLE;
1168 if (async_post_status(result, ev, status)) {
1172 TALLOC_FREE(result);
1176 static void np_write_done(struct async_req *subreq)
1178 struct async_req *req = talloc_get_type_abort(
1179 subreq->async.priv, struct async_req);
1182 status = sendall_recv(subreq);
1183 if (!NT_STATUS_IS_OK(status)) {
1184 async_req_error(req, status);
1187 return async_req_done(req);
1190 NTSTATUS np_write_recv(struct async_req *req, ssize_t *pnwritten)
1192 struct np_write_state *state = talloc_get_type_abort(
1193 req->private_data, struct np_write_state);
1196 if (async_req_is_error(req, &status)) {
1199 *pnwritten = state->nwritten;
1200 return NT_STATUS_OK;
1203 NTSTATUS np_write(struct fake_file_handle *handle, const uint8_t *data,
1204 size_t len, ssize_t *nwritten)
1206 TALLOC_CTX *frame = talloc_stackframe();
1207 struct event_context *ev;
1208 struct async_req *req;
1211 ev = event_context_init(frame);
1213 status = NT_STATUS_NO_MEMORY;
1217 req = np_write_send(frame, ev, handle, data, len);
1219 status = NT_STATUS_NO_MEMORY;
1223 while (req->state < ASYNC_REQ_DONE) {
1224 event_loop_once(ev);
1227 status = np_write_recv(req, nwritten);
1233 struct np_read_state {
1235 bool is_data_outstanding;
1238 static void np_read_done(struct async_req *subreq);
1240 struct async_req *np_read_send(TALLOC_CTX *mem_ctx, struct event_context *ev,
1241 struct fake_file_handle *handle,
1242 uint8_t *data, size_t len)
1244 struct async_req *result, *subreq;
1245 struct np_read_state *state;
1248 if (!async_req_setup(mem_ctx, &result, &state,
1249 struct np_read_state)) {
1253 if (handle->type == FAKE_FILE_TYPE_NAMED_PIPE) {
1254 struct pipes_struct *p = talloc_get_type_abort(
1255 handle->private_data, struct pipes_struct);
1257 state->nread = read_from_internal_pipe(
1258 p, (char *)data, len, &state->is_data_outstanding);
1260 status = (state->nread >= 0)
1261 ? NT_STATUS_OK : NT_STATUS_UNEXPECTED_IO_ERROR;
1265 if (handle->type == FAKE_FILE_TYPE_NAMED_PIPE_PROXY) {
1266 struct np_proxy_state *p = talloc_get_type_abort(
1267 handle->private_data, struct np_proxy_state);
1271 subreq = recvall_send(state, ev, p->fd, data, len, 0);
1272 if (subreq == NULL) {
1275 subreq->async.fn = np_read_done;
1276 subreq->async.priv = result;
1280 status = NT_STATUS_INVALID_HANDLE;
1282 if (async_post_status(result, ev, status)) {
1286 TALLOC_FREE(result);
1290 static void np_read_done(struct async_req *subreq)
1292 struct async_req *req = talloc_get_type_abort(
1293 subreq->async.priv, struct async_req);
1296 status = recvall_recv(subreq);
1297 if (!NT_STATUS_IS_OK(status)) {
1298 async_req_error(req, status);
1301 async_req_done(req);
1304 NTSTATUS np_read_recv(struct async_req *req, ssize_t *nread,
1305 bool *is_data_outstanding)
1307 struct np_read_state *state = talloc_get_type_abort(
1308 req->private_data, struct np_read_state);
1311 if (async_req_is_error(req, &status)) {
1314 *nread = state->nread;
1315 *is_data_outstanding = state->is_data_outstanding;
1316 return NT_STATUS_OK;
1319 NTSTATUS np_read(struct fake_file_handle *handle, uint8_t *data, size_t len,
1320 ssize_t *nread, bool *is_data_outstanding)
1322 TALLOC_CTX *frame = talloc_stackframe();
1323 struct event_context *ev;
1324 struct async_req *req;
1327 ev = event_context_init(frame);
1329 status = NT_STATUS_NO_MEMORY;
1333 req = np_read_send(frame, ev, handle, data, len);
1335 status = NT_STATUS_NO_MEMORY;
1339 while (req->state < ASYNC_REQ_DONE) {
1340 event_loop_once(ev);
1343 status = np_read_recv(req, nread, is_data_outstanding);