diff options
Diffstat (limited to 'libcli/smb/reparse.c')
-rw-r--r-- | libcli/smb/reparse.c | 567 |
1 files changed, 567 insertions, 0 deletions
diff --git a/libcli/smb/reparse.c b/libcli/smb/reparse.c new file mode 100644 index 0000000..49ecc77 --- /dev/null +++ b/libcli/smb/reparse.c @@ -0,0 +1,567 @@ +/* + * Unix SMB/CIFS implementation. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "replace.h" +#include "libcli/smb/reparse.h" +#include "lib/util/iov_buf.h" +#include "libcli/smb/smb_constants.h" +#include "libcli/util/error.h" +#include "lib/util/debug.h" +#include "lib/util/bytearray.h" +#include "lib/util/talloc_stack.h" +#include "lib/util/charset/charset.h" +#include "smb_util.h" + +static NTSTATUS reparse_buffer_check(const uint8_t *in_data, + size_t in_len, + uint32_t *reparse_tag, + const uint8_t **_reparse_data, + size_t *_reparse_data_length) +{ + uint16_t reparse_data_length; + + if (in_len == 0) { + DBG_DEBUG("in_len=0\n"); + return NT_STATUS_INVALID_BUFFER_SIZE; + } + if (in_len < 8) { + DBG_DEBUG("in_len=%zu\n", in_len); + return NT_STATUS_IO_REPARSE_DATA_INVALID; + } + + reparse_data_length = PULL_LE_U16(in_data, 4); + + if (reparse_data_length > (in_len - 8)) { + DBG_DEBUG("in_len=%zu, reparse_data_length=%" PRIu16 "\n", + in_len, + reparse_data_length); + return NT_STATUS_IO_REPARSE_DATA_INVALID; + } + + *reparse_tag = PULL_LE_U32(in_data, 0); + *_reparse_data = in_data + 8; + *_reparse_data_length = reparse_data_length; + + return NT_STATUS_OK; +} + +static int nfs_reparse_buffer_parse(TALLOC_CTX *mem_ctx, + struct nfs_reparse_data_buffer *dst, + const uint8_t *src, + size_t srclen) +{ + uint64_t type; + + if (srclen < 8) { + DBG_DEBUG("srclen=%zu too short\n", srclen); + return EINVAL; + } + + type = PULL_LE_U64(src, 0); + + switch (type) { + case NFS_SPECFILE_CHR: + FALL_THROUGH; + case NFS_SPECFILE_BLK: + if (srclen < 16) { + DBG_DEBUG("srclen %zu too short for type %" PRIx64 "\n", + srclen, + type); + return EINVAL; + } + dst->data.dev.major = PULL_LE_U32(src, 8); + dst->data.dev.minor = PULL_LE_U32(src, 12); + break; + case NFS_SPECFILE_LNK: { + bool ok; + + ok = convert_string_talloc(mem_ctx, + CH_UTF16, + CH_UNIX, + src + 8, + srclen - 8, + &dst->data.lnk_target, + NULL); + if (!ok) { + return errno; + } + break; + } + case NFS_SPECFILE_FIFO: + break; /* empty, no data */ + case NFS_SPECFILE_SOCK: + break; /* empty, no data */ + default: + DBG_DEBUG("Unknown NFS reparse type %" PRIx64 "\n", type); + return EINVAL; + } + + dst->type = type; + + return 0; +} + +static int symlink_reparse_buffer_parse(TALLOC_CTX *mem_ctx, + struct symlink_reparse_struct *dst, + const uint8_t *src, + size_t srclen) +{ + uint16_t reparse_data_length; + uint16_t substitute_name_offset, substitute_name_length; + uint16_t print_name_offset, print_name_length; + bool ok; + + if (srclen < 20) { + DBG_DEBUG("srclen = %zu, expected >= 20\n", srclen); + return EINVAL; + } + if (PULL_LE_U32(src, 0) != IO_REPARSE_TAG_SYMLINK) { + DBG_DEBUG("Got ReparseTag %8.8x, expected %8.8x\n", + PULL_LE_U32(src, 0), + IO_REPARSE_TAG_SYMLINK); + return EINVAL; + } + + reparse_data_length = PULL_LE_U16(src, 4); + substitute_name_offset = PULL_LE_U16(src, 8); + substitute_name_length = PULL_LE_U16(src, 10); + print_name_offset = PULL_LE_U16(src, 12); + print_name_length = PULL_LE_U16(src, 14); + + if (reparse_data_length < 12) { + DBG_DEBUG("reparse_data_length = %"PRIu16", expected >= 12\n", + reparse_data_length); + return EINVAL; + } + if (smb_buffer_oob(srclen - 8, reparse_data_length, 0)) { + DBG_DEBUG("reparse_data_length (%"PRIu16") too large for " + "src_len (%zu)\n", + reparse_data_length, + srclen); + return EINVAL; + } + if (smb_buffer_oob(reparse_data_length - 12, substitute_name_offset, + substitute_name_length)) { + DBG_DEBUG("substitute_name (%"PRIu16"/%"PRIu16") does not fit " + "in reparse_data_length (%"PRIu16")\n", + substitute_name_offset, + substitute_name_length, + reparse_data_length - 12); + return EINVAL; + } + if (smb_buffer_oob(reparse_data_length - 12, print_name_offset, + print_name_length)) { + DBG_DEBUG("print_name (%"PRIu16"/%"PRIu16") does not fit in " + "reparse_data_length (%"PRIu16")\n", + print_name_offset, + print_name_length, + reparse_data_length - 12); + return EINVAL; + } + + *dst = (struct symlink_reparse_struct) { + .unparsed_path_length = PULL_LE_U16(src, 6), + .flags = PULL_LE_U32(src, 16), + }; + + ok = convert_string_talloc(mem_ctx, + CH_UTF16, + CH_UNIX, + src + 20 + substitute_name_offset, + substitute_name_length, + &dst->substitute_name, + NULL); + if (!ok) { + int ret = errno; + DBG_DEBUG("convert_string_talloc for substitute_name " + "failed\n"); + return ret; + } + + ok = convert_string_talloc(mem_ctx, + CH_UTF16, + CH_UNIX, + src + 20 + print_name_offset, + print_name_length, + &dst->print_name, + NULL); + if (!ok) { + int ret = errno; + DBG_DEBUG("convert_string_talloc for print_name failed\n"); + TALLOC_FREE(dst->substitute_name); + return ret; + } + + return 0; +} + +NTSTATUS reparse_data_buffer_parse(TALLOC_CTX *mem_ctx, + struct reparse_data_buffer *dst, + const uint8_t *buf, + size_t buflen) +{ + const uint8_t *reparse_data; + size_t reparse_data_length; + NTSTATUS status; + int ret; + + status = reparse_buffer_check(buf, + buflen, + &dst->tag, + &reparse_data, + &reparse_data_length); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + switch (dst->tag) { + case IO_REPARSE_TAG_SYMLINK: + ret = symlink_reparse_buffer_parse(mem_ctx, + &dst->parsed.lnk, + buf, + buflen); + if (ret != 0) { + return map_nt_error_from_unix_common(ret); + } + break; + case IO_REPARSE_TAG_NFS: + ret = nfs_reparse_buffer_parse(mem_ctx, + &dst->parsed.nfs, + reparse_data, + reparse_data_length); + if (ret != 0) { + return map_nt_error_from_unix_common(ret); + } + break; + default: + dst->parsed.raw.data = talloc_memdup(mem_ctx, + reparse_data, + reparse_data_length); + if (dst->parsed.raw.data == NULL) { + return NT_STATUS_NO_MEMORY; + } + dst->parsed.raw.length = reparse_data_length; + dst->parsed.raw.reserved = PULL_LE_U16(buf, 6); + break; + } + + return NT_STATUS_OK; +} + +char *reparse_data_buffer_str(TALLOC_CTX *mem_ctx, + const struct reparse_data_buffer *dst) +{ + char *s = talloc_strdup(mem_ctx, ""); + + switch (dst->tag) { + case IO_REPARSE_TAG_SYMLINK: { + const struct symlink_reparse_struct *lnk = &dst->parsed.lnk; + talloc_asprintf_addbuf(&s, + "0x%" PRIx32 + " (IO_REPARSE_TAG_SYMLINK)\n", + dst->tag); + talloc_asprintf_addbuf(&s, + "unparsed=%" PRIu16 "\n", + lnk->unparsed_path_length); + talloc_asprintf_addbuf(&s, + "substitute_name=%s\n", + lnk->substitute_name); + talloc_asprintf_addbuf(&s, "print_name=%s\n", lnk->print_name); + talloc_asprintf_addbuf(&s, "flags=%" PRIu32 "\n", lnk->flags); + break; + } + case IO_REPARSE_TAG_NFS: { + const struct nfs_reparse_data_buffer *nfs = &dst->parsed.nfs; + + talloc_asprintf_addbuf(&s, + "0x%" PRIx32 " (IO_REPARSE_TAG_NFS)\n", + dst->tag); + + switch (nfs->type) { + case NFS_SPECFILE_FIFO: + talloc_asprintf_addbuf(&s, + " 0x%" PRIx64 + " (NFS_SPECFILE_FIFO)\n", + nfs->type); + break; + case NFS_SPECFILE_SOCK: + talloc_asprintf_addbuf(&s, + " 0x%" PRIx64 + " (NFS_SPECFILE_SOCK)\n", + nfs->type); + break; + case NFS_SPECFILE_LNK: + talloc_asprintf_addbuf(&s, + " 0x%" PRIx64 + " (NFS_SPECFILE_LNK)\n", + nfs->type); + talloc_asprintf_addbuf(&s, + " -> %s\n ", + nfs->data.lnk_target); + break; + case NFS_SPECFILE_BLK: + talloc_asprintf_addbuf(&s, + " 0x%" PRIx64 + " (NFS_SPECFILE_BLK)\n", + nfs->type); + talloc_asprintf_addbuf(&s, + " %" PRIu32 "/%" PRIu32 "\n", + nfs->data.dev.major, + nfs->data.dev.minor); + break; + case NFS_SPECFILE_CHR: + talloc_asprintf_addbuf(&s, + " 0x%" PRIx64 + " (NFS_SPECFILE_CHR)\n", + nfs->type); + talloc_asprintf_addbuf(&s, + " %" PRIu32 "/%" PRIu32 "\n", + nfs->data.dev.major, + nfs->data.dev.minor); + break; + default: + talloc_asprintf_addbuf(&s, + " 0x%" PRIu64 + " (Unknown type)\n", + nfs->type); + break; + } + break; + } + default: + talloc_asprintf_addbuf(&s, "%" PRIu32 "\n", dst->tag); + break; + } + return s; +} + +static ssize_t reparse_buffer_marshall(uint32_t reparse_tag, + uint16_t reserved, + const struct iovec *iov, + int iovlen, + uint8_t *buf, + size_t buflen) +{ + ssize_t reparse_data_length = iov_buflen(iov, iovlen); + size_t needed; + + if (reparse_data_length == -1) { + return -1; + } + if (reparse_data_length > UINT16_MAX) { + return -1; + } + + needed = reparse_data_length + 8; + if (needed < reparse_data_length) { + return -1; + } + + if (buflen >= needed) { + PUSH_LE_U32(buf, 0, reparse_tag); + PUSH_LE_U16(buf, 4, reparse_data_length); + PUSH_LE_U16(buf, 6, reserved); + iov_buf(iov, iovlen, buf + 8, buflen - 8); + } + + return needed; +} + +static ssize_t +reparse_data_buffer_marshall_syml(const struct symlink_reparse_struct *src, + uint8_t *buf, + size_t buflen) +{ + uint8_t sbuf[12]; + struct iovec iov[3]; + const char *print_name = src->print_name; + uint8_t *subst_utf16 = NULL; + uint8_t *print_utf16 = NULL; + size_t subst_len = 0; + size_t print_len = 0; + ssize_t ret = -1; + bool ok; + + if (src->substitute_name == NULL) { + return -1; + } + if (src->print_name == NULL) { + print_name = src->substitute_name; + } + + iov[0] = (struct iovec){ + .iov_base = sbuf, + .iov_len = sizeof(sbuf), + }; + + ok = convert_string_talloc(talloc_tos(), + CH_UNIX, + CH_UTF16, + src->substitute_name, + strlen(src->substitute_name), + &subst_utf16, + &subst_len); + if (!ok) { + goto fail; + } + if (subst_len > UINT16_MAX) { + goto fail; + } + iov[1] = (struct iovec){ + .iov_base = subst_utf16, + .iov_len = subst_len, + }; + + ok = convert_string_talloc(talloc_tos(), + CH_UNIX, + CH_UTF16, + print_name, + strlen(print_name), + &print_utf16, + &print_len); + if (!ok) { + goto fail; + } + if (print_len > UINT16_MAX) { + goto fail; + } + iov[2] = (struct iovec){ + .iov_base = print_utf16, + .iov_len = print_len, + }; + + PUSH_LE_U16(sbuf, 0, 0); /* SubstituteNameOffset */ + PUSH_LE_U16(sbuf, 2, subst_len); /* SubstituteNameLength */ + PUSH_LE_U16(sbuf, 4, subst_len); /* PrintNameOffset */ + PUSH_LE_U16(sbuf, 6, print_len); /* PrintNameLength */ + PUSH_LE_U32(sbuf, 8, src->flags); /* Flags */ + + ret = reparse_buffer_marshall(IO_REPARSE_TAG_SYMLINK, + src->unparsed_path_length, + iov, + ARRAY_SIZE(iov), + buf, + buflen); + +fail: + TALLOC_FREE(subst_utf16); + TALLOC_FREE(print_utf16); + return ret; +} + +static ssize_t +reparse_data_buffer_marshall_nfs(const struct nfs_reparse_data_buffer *src, + uint8_t *buf, + size_t buflen) +{ + uint8_t typebuf[8]; + uint8_t devbuf[8]; + struct iovec iov[2] = {}; + size_t iovlen; + uint8_t *lnk_utf16 = NULL; + size_t lnk_len = 0; + ssize_t ret; + + PUSH_LE_U64(typebuf, 0, src->type); + iov[0] = (struct iovec){ + .iov_base = typebuf, + .iov_len = sizeof(typebuf), + }; + iovlen = 1; + + switch (src->type) { + case NFS_SPECFILE_LNK: { + bool ok = convert_string_talloc(talloc_tos(), + CH_UNIX, + CH_UTF16, + src->data.lnk_target, + strlen(src->data.lnk_target), + &lnk_utf16, + &lnk_len); + if (!ok) { + return -1; + } + iov[1] = (struct iovec){ + .iov_base = lnk_utf16, + .iov_len = lnk_len, + }; + iovlen = 2; + break; + } + case NFS_SPECFILE_CHR: + FALL_THROUGH; + case NFS_SPECFILE_BLK: + PUSH_LE_U32(devbuf, 0, src->data.dev.major); + PUSH_LE_U32(devbuf, 4, src->data.dev.minor); + iov[1] = (struct iovec){ + .iov_base = devbuf, + .iov_len = sizeof(devbuf), + }; + iovlen = 2; + break; + default: + break; + /* Nothing to do for NFS_SPECFILE_FIFO and _SOCK */ + } + + ret = reparse_buffer_marshall(IO_REPARSE_TAG_NFS, + 0, + iov, + iovlen, + buf, + buflen); + TALLOC_FREE(lnk_utf16); + return ret; +} + +ssize_t reparse_data_buffer_marshall(const struct reparse_data_buffer *src, + uint8_t *buf, + size_t buflen) +{ + ssize_t ret = -1; + + switch (src->tag) { + case IO_REPARSE_TAG_SYMLINK: + + ret = reparse_data_buffer_marshall_syml(&src->parsed.lnk, + buf, + buflen); + break; + + case IO_REPARSE_TAG_NFS: + + ret = reparse_data_buffer_marshall_nfs(&src->parsed.nfs, + buf, + buflen); + break; + + default: { + struct iovec iov = { + .iov_base = src->parsed.raw.data, + .iov_len = src->parsed.raw.length, + }; + ret = reparse_buffer_marshall(src->tag, + src->parsed.raw.reserved, + &iov, + 1, + buf, + buflen); + } + } + + return ret; +} |