summaryrefslogtreecommitdiffstats
path: root/source3/smbd/smb1_pipes.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /source3/smbd/smb1_pipes.c
parentInitial commit. (diff)
downloadsamba-upstream.tar.xz
samba-upstream.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source3/smbd/smb1_pipes.c')
-rw-r--r--source3/smbd/smb1_pipes.c456
1 files changed, 456 insertions, 0 deletions
diff --git a/source3/smbd/smb1_pipes.c b/source3/smbd/smb1_pipes.c
new file mode 100644
index 0000000..21ec2df
--- /dev/null
+++ b/source3/smbd/smb1_pipes.c
@@ -0,0 +1,456 @@
+/*
+ Unix SMB/CIFS implementation.
+ Pipe SMB reply routines
+ Copyright (C) Andrew Tridgell 1992-1998
+ Copyright (C) Luke Kenneth Casson Leighton 1996-1998
+ Copyright (C) Paul Ashton 1997-1998.
+ Copyright (C) Jeremy Allison 2005.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+/*
+ This file handles reply_ calls on named pipes that the server
+ makes to handle specific protocols
+*/
+
+
+#include "includes.h"
+#include "smbd/smbd.h"
+#include "smbd/globals.h"
+#include "libcli/security/security.h"
+#include "rpc_server/srv_pipe_hnd.h"
+#include "auth/auth_util.h"
+#include "librpc/rpc/dcerpc_helper.h"
+
+/****************************************************************************
+ Reply to an open and X on a named pipe.
+ This code is basically stolen from reply_open_and_X with some
+ wrinkles to handle pipes.
+****************************************************************************/
+
+void reply_open_pipe_and_X(connection_struct *conn, struct smb_request *req)
+{
+ const char *fname = NULL;
+ char *pipe_name = NULL;
+ files_struct *fsp;
+ TALLOC_CTX *ctx = talloc_tos();
+ NTSTATUS status;
+
+ /* XXXX we need to handle passed times, sattr and flags */
+ srvstr_pull_req_talloc(ctx, req, &pipe_name, req->buf, STR_TERMINATE);
+ if (!pipe_name) {
+ reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
+ ERRDOS, ERRbadpipe);
+ return;
+ }
+
+ /* If the name doesn't start \PIPE\ then this is directed */
+ /* at a mailslot or something we really, really don't understand, */
+ /* not just something we really don't understand. */
+
+#define PIPE "PIPE\\"
+#define PIPELEN strlen(PIPE)
+
+ fname = pipe_name;
+ while (fname[0] == '\\') {
+ fname++;
+ }
+ if (!strnequal(fname, PIPE, PIPELEN)) {
+ reply_nterror(req, NT_STATUS_OBJECT_PATH_SYNTAX_BAD);
+ return;
+ }
+ fname += PIPELEN;
+ while (fname[0] == '\\') {
+ fname++;
+ }
+
+ DEBUG(4,("Opening pipe %s => %s.\n", pipe_name, fname));
+
+#if 0
+ /*
+ * Hack for NT printers... JRA.
+ */
+ if(should_fail_next_srvsvc_open(fname)) {
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+#endif
+
+ status = open_np_file(req, fname, &fsp);
+ if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
+ ERRDOS, ERRbadpipe);
+ return;
+ }
+ reply_nterror(req, status);
+ return;
+ }
+
+ /* Prepare the reply */
+ reply_smb1_outbuf(req, 15, 0);
+
+ SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
+ SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
+
+ /* Mark the opened file as an existing named pipe in message mode. */
+ SSVAL(req->outbuf,smb_vwv9,2);
+ SSVAL(req->outbuf,smb_vwv10,0xc700);
+
+ SSVAL(req->outbuf, smb_vwv2, fsp->fnum);
+ SSVAL(req->outbuf, smb_vwv3, 0); /* fmode */
+ srv_put_dos_date3((char *)req->outbuf, smb_vwv4, 0); /* mtime */
+ SIVAL(req->outbuf, smb_vwv6, 0); /* size */
+ SSVAL(req->outbuf, smb_vwv8, 0); /* rmode */
+ SSVAL(req->outbuf, smb_vwv11, 0x0001);
+}
+
+/****************************************************************************
+ Reply to a write and X.
+
+ This code is basically stolen from reply_write_and_X with some
+ wrinkles to handle pipes.
+****************************************************************************/
+
+struct pipe_write_andx_state {
+ bool pipe_start_message_raw;
+ size_t numtowrite;
+};
+
+static void pipe_write_andx_done(struct tevent_req *subreq);
+
+void reply_pipe_write_and_X(struct smb_request *req)
+{
+ files_struct *fsp = file_fsp(req, SVAL(req->vwv+2, 0));
+ int smb_doff = SVAL(req->vwv+11, 0);
+ const uint8_t *data;
+ struct pipe_write_andx_state *state;
+ struct tevent_req *subreq;
+
+ if (!fsp_is_np(fsp)) {
+ reply_nterror(req, NT_STATUS_INVALID_HANDLE);
+ return;
+ }
+
+ if (fsp->vuid != req->vuid) {
+ reply_nterror(req, NT_STATUS_INVALID_HANDLE);
+ return;
+ }
+
+ state = talloc(req, struct pipe_write_andx_state);
+ if (state == NULL) {
+ reply_nterror(req, NT_STATUS_NO_MEMORY);
+ return;
+ }
+ req->async_priv = state;
+
+ state->numtowrite = SVAL(req->vwv+10, 0);
+ state->pipe_start_message_raw =
+ ((SVAL(req->vwv+7, 0) & (PIPE_START_MESSAGE|PIPE_RAW_MODE))
+ == (PIPE_START_MESSAGE|PIPE_RAW_MODE));
+
+ DEBUG(6, ("reply_pipe_write_and_X: %s, name: %s len: %d\n",
+ fsp_fnum_dbg(fsp), fsp_str_dbg(fsp), (int)state->numtowrite));
+
+ data = (const uint8_t *)smb_base(req->inbuf) + smb_doff;
+
+ if (state->pipe_start_message_raw) {
+ /*
+ * For the start of a message in named pipe byte mode,
+ * the first two bytes are a length-of-pdu field. Ignore
+ * them (we don't trust the client). JRA.
+ */
+ if (state->numtowrite < 2) {
+ DEBUG(0,("reply_pipe_write_and_X: start of message "
+ "set and not enough data sent.(%u)\n",
+ (unsigned int)state->numtowrite ));
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
+ data += 2;
+ state->numtowrite -= 2;
+ }
+
+ subreq = np_write_send(state, req->sconn->ev_ctx,
+ fsp->fake_file_handle, data, state->numtowrite);
+ if (subreq == NULL) {
+ TALLOC_FREE(state);
+ reply_nterror(req, NT_STATUS_NO_MEMORY);
+ return;
+ }
+ tevent_req_set_callback(subreq, pipe_write_andx_done,
+ talloc_move(req->conn, &req));
+}
+
+static void pipe_write_andx_done(struct tevent_req *subreq)
+{
+ struct smb_request *req = tevent_req_callback_data(
+ subreq, struct smb_request);
+ struct pipe_write_andx_state *state = talloc_get_type_abort(
+ req->async_priv, struct pipe_write_andx_state);
+ NTSTATUS status;
+ ssize_t nwritten = -1;
+
+ status = np_write_recv(subreq, &nwritten);
+ TALLOC_FREE(subreq);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ reply_nterror(req, status);
+ goto done;
+ }
+
+ /* Looks bogus to me now. Is this error message correct ? JRA. */
+ if (nwritten != state->numtowrite) {
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ goto done;
+ }
+
+ reply_smb1_outbuf(req, 6, 0);
+
+ SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
+ SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
+
+ nwritten = (state->pipe_start_message_raw ? nwritten + 2 : nwritten);
+ SSVAL(req->outbuf,smb_vwv2,nwritten);
+
+ DEBUG(3,("writeX-IPC nwritten=%d\n", (int)nwritten));
+
+ done:
+ /*
+ * We must free here as the ownership of req was
+ * moved to the connection struct in reply_pipe_write_and_X().
+ */
+ smb_request_done(req);
+}
+
+/****************************************************************************
+ Reply to a read and X.
+ This code is basically stolen from reply_read_and_X with some
+ wrinkles to handle pipes.
+****************************************************************************/
+
+struct pipe_read_andx_state {
+ uint8_t *outbuf;
+ int smb_mincnt;
+ int smb_maxcnt;
+};
+
+static void pipe_read_andx_done(struct tevent_req *subreq);
+
+void reply_pipe_read_and_X(struct smb_request *req)
+{
+ files_struct *fsp = file_fsp(req, SVAL(req->vwv+0, 0));
+ uint8_t *data;
+ struct pipe_read_andx_state *state;
+ struct tevent_req *subreq;
+
+ /* we don't use the offset given to use for pipe reads. This
+ is deliberate, instead we always return the next lump of
+ data on the pipe */
+#if 0
+ uint32_t smb_offs = IVAL(req->vwv+3, 0);
+#endif
+
+ if (!fsp_is_np(fsp)) {
+ reply_nterror(req, NT_STATUS_INVALID_HANDLE);
+ return;
+ }
+
+ if (fsp->vuid != req->vuid) {
+ reply_nterror(req, NT_STATUS_INVALID_HANDLE);
+ return;
+ }
+
+ state = talloc(req, struct pipe_read_andx_state);
+ if (state == NULL) {
+ reply_nterror(req, NT_STATUS_NO_MEMORY);
+ return;
+ }
+ req->async_priv = state;
+
+ state->smb_maxcnt = SVAL(req->vwv+5, 0);
+ state->smb_mincnt = SVAL(req->vwv+6, 0);
+
+ reply_smb1_outbuf(req, 12, state->smb_maxcnt + 1 /* padding byte */);
+ SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
+ SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
+ SCVAL(smb_buf(req->outbuf), 0, 0); /* padding byte */
+
+ data = (uint8_t *)smb_buf(req->outbuf) + 1 /* padding byte */;
+
+ /*
+ * We have to tell the upper layers that we're async.
+ */
+ state->outbuf = req->outbuf;
+ req->outbuf = NULL;
+
+ subreq = np_read_send(state, req->sconn->ev_ctx,
+ fsp->fake_file_handle, data,
+ state->smb_maxcnt);
+ if (subreq == NULL) {
+ reply_nterror(req, NT_STATUS_NO_MEMORY);
+ return;
+ }
+ tevent_req_set_callback(subreq, pipe_read_andx_done,
+ talloc_move(req->conn, &req));
+}
+
+static void pipe_read_andx_done(struct tevent_req *subreq)
+{
+ struct smb_request *req = tevent_req_callback_data(
+ subreq, struct smb_request);
+ struct pipe_read_andx_state *state = talloc_get_type_abort(
+ req->async_priv, struct pipe_read_andx_state);
+ NTSTATUS status;
+ ssize_t nread;
+ bool is_data_outstanding;
+
+ status = np_read_recv(subreq, &nread, &is_data_outstanding);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ NTSTATUS old = status;
+ status = nt_status_np_pipe(old);
+ reply_nterror(req, status);
+ goto done;
+ }
+
+ req->outbuf = state->outbuf;
+ state->outbuf = NULL;
+
+ srv_smb1_set_message((char *)req->outbuf, 12, nread + 1 /* padding byte */,
+ false);
+
+#if 0
+ /*
+ * we should return STATUS_BUFFER_OVERFLOW if there's
+ * out standing data.
+ *
+ * But we can't enable it yet, as it has bad interactions
+ * with fixup_chain_error_packet() in chain_reply().
+ */
+ if (is_data_outstanding) {
+ error_packet_set((char *)req->outbuf, ERRDOS, ERRmoredata,
+ STATUS_BUFFER_OVERFLOW, __LINE__, __FILE__);
+ }
+#endif
+
+ SSVAL(req->outbuf,smb_vwv5,nread);
+ SSVAL(req->outbuf,smb_vwv6,
+ (smb_wct - 4) /* offset from smb header to wct */
+ + 1 /* the wct field */
+ + 12 * sizeof(uint16_t) /* vwv */
+ + 2 /* the buflen field */
+ + 1); /* padding byte */
+
+ DEBUG(3,("readX-IPC min=%d max=%d nread=%d\n",
+ state->smb_mincnt, state->smb_maxcnt, (int)nread));
+
+ done:
+ /*
+ * We must free here as the ownership of req was
+ * moved to the connection struct in reply_pipe_read_and_X().
+ */
+ smb_request_done(req);
+}
+
+/****************************************************************************
+ Reply to a write on a pipe.
+****************************************************************************/
+
+struct pipe_write_state {
+ size_t numtowrite;
+};
+
+static void pipe_write_done(struct tevent_req *subreq);
+
+void reply_pipe_write(struct smb_request *req)
+{
+ files_struct *fsp = file_fsp(req, SVAL(req->vwv+0, 0));
+ const uint8_t *data;
+ struct pipe_write_state *state;
+ struct tevent_req *subreq;
+
+ if (!fsp_is_np(fsp)) {
+ reply_nterror(req, NT_STATUS_INVALID_HANDLE);
+ return;
+ }
+
+ if (fsp->vuid != req->vuid) {
+ reply_nterror(req, NT_STATUS_INVALID_HANDLE);
+ return;
+ }
+
+ state = talloc(req, struct pipe_write_state);
+ if (state == NULL) {
+ reply_nterror(req, NT_STATUS_NO_MEMORY);
+ return;
+ }
+ req->async_priv = state;
+
+ state->numtowrite = SVAL(req->vwv+1, 0);
+
+ data = req->buf + 3;
+
+ DEBUG(6, ("reply_pipe_write: %s, name: %s len: %d\n", fsp_fnum_dbg(fsp),
+ fsp_str_dbg(fsp), (int)state->numtowrite));
+
+ subreq = np_write_send(state, req->sconn->ev_ctx,
+ fsp->fake_file_handle, data, state->numtowrite);
+ if (subreq == NULL) {
+ TALLOC_FREE(state);
+ reply_nterror(req, NT_STATUS_NO_MEMORY);
+ return;
+ }
+ tevent_req_set_callback(subreq, pipe_write_done,
+ talloc_move(req->conn, &req));
+}
+
+static void pipe_write_done(struct tevent_req *subreq)
+{
+ struct smb_request *req = tevent_req_callback_data(
+ subreq, struct smb_request);
+ struct pipe_write_state *state = talloc_get_type_abort(
+ req->async_priv, struct pipe_write_state);
+ NTSTATUS status;
+ ssize_t nwritten = -1;
+
+ status = np_write_recv(subreq, &nwritten);
+ TALLOC_FREE(subreq);
+ if (nwritten < 0) {
+ reply_nterror(req, status);
+ goto send;
+ }
+
+ /* Looks bogus to me now. Needs to be removed ? JRA. */
+ if ((nwritten == 0 && state->numtowrite != 0)) {
+ reply_nterror(req, NT_STATUS_ACCESS_DENIED);
+ goto send;
+ }
+
+ reply_smb1_outbuf(req, 1, 0);
+
+ SSVAL(req->outbuf,smb_vwv0,nwritten);
+
+ DEBUG(3,("write-IPC nwritten=%d\n", (int)nwritten));
+
+ send:
+ if (!smb1_srv_send(req->xconn, (char *)req->outbuf,
+ true, req->seqnum+1,
+ IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
+ &req->pcd)) {
+ exit_server_cleanly("construct_reply: smb1_srv_send failed.");
+ }
+ TALLOC_FREE(req);
+}