diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /source3/smbd/smb1_pipes.c | |
parent | Initial commit. (diff) | |
download | samba-upstream.tar.xz samba-upstream.zip |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source3/smbd/smb1_pipes.c')
-rw-r--r-- | source3/smbd/smb1_pipes.c | 456 |
1 files changed, 456 insertions, 0 deletions
diff --git a/source3/smbd/smb1_pipes.c b/source3/smbd/smb1_pipes.c new file mode 100644 index 0000000..21ec2df --- /dev/null +++ b/source3/smbd/smb1_pipes.c @@ -0,0 +1,456 @@ +/* + Unix SMB/CIFS implementation. + Pipe SMB reply routines + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Luke Kenneth Casson Leighton 1996-1998 + Copyright (C) Paul Ashton 1997-1998. + Copyright (C) Jeremy Allison 2005. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ +/* + This file handles reply_ calls on named pipes that the server + makes to handle specific protocols +*/ + + +#include "includes.h" +#include "smbd/smbd.h" +#include "smbd/globals.h" +#include "libcli/security/security.h" +#include "rpc_server/srv_pipe_hnd.h" +#include "auth/auth_util.h" +#include "librpc/rpc/dcerpc_helper.h" + +/**************************************************************************** + Reply to an open and X on a named pipe. + This code is basically stolen from reply_open_and_X with some + wrinkles to handle pipes. +****************************************************************************/ + +void reply_open_pipe_and_X(connection_struct *conn, struct smb_request *req) +{ + const char *fname = NULL; + char *pipe_name = NULL; + files_struct *fsp; + TALLOC_CTX *ctx = talloc_tos(); + NTSTATUS status; + + /* XXXX we need to handle passed times, sattr and flags */ + srvstr_pull_req_talloc(ctx, req, &pipe_name, req->buf, STR_TERMINATE); + if (!pipe_name) { + reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND, + ERRDOS, ERRbadpipe); + return; + } + + /* If the name doesn't start \PIPE\ then this is directed */ + /* at a mailslot or something we really, really don't understand, */ + /* not just something we really don't understand. */ + +#define PIPE "PIPE\\" +#define PIPELEN strlen(PIPE) + + fname = pipe_name; + while (fname[0] == '\\') { + fname++; + } + if (!strnequal(fname, PIPE, PIPELEN)) { + reply_nterror(req, NT_STATUS_OBJECT_PATH_SYNTAX_BAD); + return; + } + fname += PIPELEN; + while (fname[0] == '\\') { + fname++; + } + + DEBUG(4,("Opening pipe %s => %s.\n", pipe_name, fname)); + +#if 0 + /* + * Hack for NT printers... JRA. + */ + if(should_fail_next_srvsvc_open(fname)) { + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + return; + } +#endif + + status = open_np_file(req, fname, &fsp); + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { + reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND, + ERRDOS, ERRbadpipe); + return; + } + reply_nterror(req, status); + return; + } + + /* Prepare the reply */ + reply_smb1_outbuf(req, 15, 0); + + SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */ + SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */ + + /* Mark the opened file as an existing named pipe in message mode. */ + SSVAL(req->outbuf,smb_vwv9,2); + SSVAL(req->outbuf,smb_vwv10,0xc700); + + SSVAL(req->outbuf, smb_vwv2, fsp->fnum); + SSVAL(req->outbuf, smb_vwv3, 0); /* fmode */ + srv_put_dos_date3((char *)req->outbuf, smb_vwv4, 0); /* mtime */ + SIVAL(req->outbuf, smb_vwv6, 0); /* size */ + SSVAL(req->outbuf, smb_vwv8, 0); /* rmode */ + SSVAL(req->outbuf, smb_vwv11, 0x0001); +} + +/**************************************************************************** + Reply to a write and X. + + This code is basically stolen from reply_write_and_X with some + wrinkles to handle pipes. +****************************************************************************/ + +struct pipe_write_andx_state { + bool pipe_start_message_raw; + size_t numtowrite; +}; + +static void pipe_write_andx_done(struct tevent_req *subreq); + +void reply_pipe_write_and_X(struct smb_request *req) +{ + files_struct *fsp = file_fsp(req, SVAL(req->vwv+2, 0)); + int smb_doff = SVAL(req->vwv+11, 0); + const uint8_t *data; + struct pipe_write_andx_state *state; + struct tevent_req *subreq; + + if (!fsp_is_np(fsp)) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + return; + } + + if (fsp->vuid != req->vuid) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + return; + } + + state = talloc(req, struct pipe_write_andx_state); + if (state == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + return; + } + req->async_priv = state; + + state->numtowrite = SVAL(req->vwv+10, 0); + state->pipe_start_message_raw = + ((SVAL(req->vwv+7, 0) & (PIPE_START_MESSAGE|PIPE_RAW_MODE)) + == (PIPE_START_MESSAGE|PIPE_RAW_MODE)); + + DEBUG(6, ("reply_pipe_write_and_X: %s, name: %s len: %d\n", + fsp_fnum_dbg(fsp), fsp_str_dbg(fsp), (int)state->numtowrite)); + + data = (const uint8_t *)smb_base(req->inbuf) + smb_doff; + + if (state->pipe_start_message_raw) { + /* + * For the start of a message in named pipe byte mode, + * the first two bytes are a length-of-pdu field. Ignore + * them (we don't trust the client). JRA. + */ + if (state->numtowrite < 2) { + DEBUG(0,("reply_pipe_write_and_X: start of message " + "set and not enough data sent.(%u)\n", + (unsigned int)state->numtowrite )); + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } + + data += 2; + state->numtowrite -= 2; + } + + subreq = np_write_send(state, req->sconn->ev_ctx, + fsp->fake_file_handle, data, state->numtowrite); + if (subreq == NULL) { + TALLOC_FREE(state); + reply_nterror(req, NT_STATUS_NO_MEMORY); + return; + } + tevent_req_set_callback(subreq, pipe_write_andx_done, + talloc_move(req->conn, &req)); +} + +static void pipe_write_andx_done(struct tevent_req *subreq) +{ + struct smb_request *req = tevent_req_callback_data( + subreq, struct smb_request); + struct pipe_write_andx_state *state = talloc_get_type_abort( + req->async_priv, struct pipe_write_andx_state); + NTSTATUS status; + ssize_t nwritten = -1; + + status = np_write_recv(subreq, &nwritten); + TALLOC_FREE(subreq); + + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto done; + } + + /* Looks bogus to me now. Is this error message correct ? JRA. */ + if (nwritten != state->numtowrite) { + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + goto done; + } + + reply_smb1_outbuf(req, 6, 0); + + SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */ + SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */ + + nwritten = (state->pipe_start_message_raw ? nwritten + 2 : nwritten); + SSVAL(req->outbuf,smb_vwv2,nwritten); + + DEBUG(3,("writeX-IPC nwritten=%d\n", (int)nwritten)); + + done: + /* + * We must free here as the ownership of req was + * moved to the connection struct in reply_pipe_write_and_X(). + */ + smb_request_done(req); +} + +/**************************************************************************** + Reply to a read and X. + This code is basically stolen from reply_read_and_X with some + wrinkles to handle pipes. +****************************************************************************/ + +struct pipe_read_andx_state { + uint8_t *outbuf; + int smb_mincnt; + int smb_maxcnt; +}; + +static void pipe_read_andx_done(struct tevent_req *subreq); + +void reply_pipe_read_and_X(struct smb_request *req) +{ + files_struct *fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + uint8_t *data; + struct pipe_read_andx_state *state; + struct tevent_req *subreq; + + /* we don't use the offset given to use for pipe reads. This + is deliberate, instead we always return the next lump of + data on the pipe */ +#if 0 + uint32_t smb_offs = IVAL(req->vwv+3, 0); +#endif + + if (!fsp_is_np(fsp)) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + return; + } + + if (fsp->vuid != req->vuid) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + return; + } + + state = talloc(req, struct pipe_read_andx_state); + if (state == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + return; + } + req->async_priv = state; + + state->smb_maxcnt = SVAL(req->vwv+5, 0); + state->smb_mincnt = SVAL(req->vwv+6, 0); + + reply_smb1_outbuf(req, 12, state->smb_maxcnt + 1 /* padding byte */); + SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */ + SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */ + SCVAL(smb_buf(req->outbuf), 0, 0); /* padding byte */ + + data = (uint8_t *)smb_buf(req->outbuf) + 1 /* padding byte */; + + /* + * We have to tell the upper layers that we're async. + */ + state->outbuf = req->outbuf; + req->outbuf = NULL; + + subreq = np_read_send(state, req->sconn->ev_ctx, + fsp->fake_file_handle, data, + state->smb_maxcnt); + if (subreq == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + return; + } + tevent_req_set_callback(subreq, pipe_read_andx_done, + talloc_move(req->conn, &req)); +} + +static void pipe_read_andx_done(struct tevent_req *subreq) +{ + struct smb_request *req = tevent_req_callback_data( + subreq, struct smb_request); + struct pipe_read_andx_state *state = talloc_get_type_abort( + req->async_priv, struct pipe_read_andx_state); + NTSTATUS status; + ssize_t nread; + bool is_data_outstanding; + + status = np_read_recv(subreq, &nread, &is_data_outstanding); + TALLOC_FREE(subreq); + if (!NT_STATUS_IS_OK(status)) { + NTSTATUS old = status; + status = nt_status_np_pipe(old); + reply_nterror(req, status); + goto done; + } + + req->outbuf = state->outbuf; + state->outbuf = NULL; + + srv_smb1_set_message((char *)req->outbuf, 12, nread + 1 /* padding byte */, + false); + +#if 0 + /* + * we should return STATUS_BUFFER_OVERFLOW if there's + * out standing data. + * + * But we can't enable it yet, as it has bad interactions + * with fixup_chain_error_packet() in chain_reply(). + */ + if (is_data_outstanding) { + error_packet_set((char *)req->outbuf, ERRDOS, ERRmoredata, + STATUS_BUFFER_OVERFLOW, __LINE__, __FILE__); + } +#endif + + SSVAL(req->outbuf,smb_vwv5,nread); + SSVAL(req->outbuf,smb_vwv6, + (smb_wct - 4) /* offset from smb header to wct */ + + 1 /* the wct field */ + + 12 * sizeof(uint16_t) /* vwv */ + + 2 /* the buflen field */ + + 1); /* padding byte */ + + DEBUG(3,("readX-IPC min=%d max=%d nread=%d\n", + state->smb_mincnt, state->smb_maxcnt, (int)nread)); + + done: + /* + * We must free here as the ownership of req was + * moved to the connection struct in reply_pipe_read_and_X(). + */ + smb_request_done(req); +} + +/**************************************************************************** + Reply to a write on a pipe. +****************************************************************************/ + +struct pipe_write_state { + size_t numtowrite; +}; + +static void pipe_write_done(struct tevent_req *subreq); + +void reply_pipe_write(struct smb_request *req) +{ + files_struct *fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + const uint8_t *data; + struct pipe_write_state *state; + struct tevent_req *subreq; + + if (!fsp_is_np(fsp)) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + return; + } + + if (fsp->vuid != req->vuid) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + return; + } + + state = talloc(req, struct pipe_write_state); + if (state == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + return; + } + req->async_priv = state; + + state->numtowrite = SVAL(req->vwv+1, 0); + + data = req->buf + 3; + + DEBUG(6, ("reply_pipe_write: %s, name: %s len: %d\n", fsp_fnum_dbg(fsp), + fsp_str_dbg(fsp), (int)state->numtowrite)); + + subreq = np_write_send(state, req->sconn->ev_ctx, + fsp->fake_file_handle, data, state->numtowrite); + if (subreq == NULL) { + TALLOC_FREE(state); + reply_nterror(req, NT_STATUS_NO_MEMORY); + return; + } + tevent_req_set_callback(subreq, pipe_write_done, + talloc_move(req->conn, &req)); +} + +static void pipe_write_done(struct tevent_req *subreq) +{ + struct smb_request *req = tevent_req_callback_data( + subreq, struct smb_request); + struct pipe_write_state *state = talloc_get_type_abort( + req->async_priv, struct pipe_write_state); + NTSTATUS status; + ssize_t nwritten = -1; + + status = np_write_recv(subreq, &nwritten); + TALLOC_FREE(subreq); + if (nwritten < 0) { + reply_nterror(req, status); + goto send; + } + + /* Looks bogus to me now. Needs to be removed ? JRA. */ + if ((nwritten == 0 && state->numtowrite != 0)) { + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + goto send; + } + + reply_smb1_outbuf(req, 1, 0); + + SSVAL(req->outbuf,smb_vwv0,nwritten); + + DEBUG(3,("write-IPC nwritten=%d\n", (int)nwritten)); + + send: + if (!smb1_srv_send(req->xconn, (char *)req->outbuf, + true, req->seqnum+1, + IS_CONN_ENCRYPTED(req->conn)||req->encrypted, + &req->pcd)) { + exit_server_cleanly("construct_reply: smb1_srv_send failed."); + } + TALLOC_FREE(req); +} |