summaryrefslogtreecommitdiffstats
path: root/source3/smbd/smb2_server.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--source3/smbd/smb2_server.c5235
1 files changed, 5235 insertions, 0 deletions
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
new file mode 100644
index 0000000..afb86ab
--- /dev/null
+++ b/source3/smbd/smb2_server.c
@@ -0,0 +1,5235 @@
+/*
+ Unix SMB/CIFS implementation.
+ Core SMB2 server
+
+ Copyright (C) Stefan Metzmacher 2009
+ Copyright (C) Jeremy Allison 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/network.h"
+#include "smbd/smbd.h"
+#include "smbd/globals.h"
+#include "smbd/smbXsrv_open.h"
+#include "lib/param/param.h"
+#include "../libcli/smb/smb_common.h"
+#include "../lib/tsocket/tsocket.h"
+#include "../lib/util/tevent_ntstatus.h"
+#include "smbprofile.h"
+#include "../lib/util/bitmap.h"
+#include "../librpc/gen_ndr/krb5pac.h"
+#include "lib/util/iov_buf.h"
+#include "auth.h"
+#include "libcli/smb/smbXcli_base.h"
+#include "source3/lib/substitute.h"
+
+#if defined(LINUX)
+/* SIOCOUTQ TIOCOUTQ are the same */
+#define __IOCTL_SEND_QUEUE_SIZE_OPCODE TIOCOUTQ
+#define __HAVE_TCP_INFO_RTO 1
+#define __ALLOW_MULTI_CHANNEL_SUPPORT 1
+#elif defined(FREEBSD)
+#define __IOCTL_SEND_QUEUE_SIZE_OPCODE FIONWRITE
+#define __HAVE_TCP_INFO_RTO 1
+#define __ALLOW_MULTI_CHANNEL_SUPPORT 1
+#endif
+
+#include "lib/crypto/gnutls_helpers.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_SMB2
+
+static void smbd_smb2_connection_handler(struct tevent_context *ev,
+ struct tevent_fd *fde,
+ uint16_t flags,
+ void *private_data);
+static NTSTATUS smbd_smb2_flush_send_queue(struct smbXsrv_connection *xconn);
+
+static const struct smbd_smb2_dispatch_table {
+ uint16_t opcode;
+ uint16_t fileid_ofs;
+ bool need_session : 1;
+ bool need_tcon : 1;
+ bool as_root : 1;
+ bool modify : 1;
+} smbd_smb2_table[] = {
+ {
+ .opcode = SMB2_OP_NEGPROT,
+ .as_root = true,
+ },{
+ .opcode = SMB2_OP_SESSSETUP,
+ .as_root = true,
+ },{
+ .opcode = SMB2_OP_LOGOFF,
+ .need_session = true,
+ .as_root = true,
+ },{
+ .opcode = SMB2_OP_TCON,
+ .need_session = true,
+ /*
+ * This call needs to be run as root.
+ *
+ * smbd_smb2_request_process_tcon()
+ * calls make_connection_snum(), which will call
+ * change_to_user(), when needed.
+ */
+ .as_root = true,
+ },{
+ .opcode = SMB2_OP_TDIS,
+ .need_session = true,
+ .need_tcon = true,
+ .as_root = true,
+ },{
+ .opcode = SMB2_OP_CREATE,
+ .need_session = true,
+ .need_tcon = true,
+ },{
+ .opcode = SMB2_OP_CLOSE,
+ .need_session = true,
+ .need_tcon = true,
+ .fileid_ofs = 0x08,
+ },{
+ .opcode = SMB2_OP_FLUSH,
+ .need_session = true,
+ .need_tcon = true,
+ .fileid_ofs = 0x08,
+ },{
+ .opcode = SMB2_OP_READ,
+ .need_session = true,
+ .need_tcon = true,
+ .fileid_ofs = 0x10,
+ },{
+ .opcode = SMB2_OP_WRITE,
+ .need_session = true,
+ .need_tcon = true,
+ .fileid_ofs = 0x10,
+ .modify = true,
+ },{
+ .opcode = SMB2_OP_LOCK,
+ .need_session = true,
+ .need_tcon = true,
+ .fileid_ofs = 0x08,
+ },{
+ .opcode = SMB2_OP_IOCTL,
+ .need_session = true,
+ .need_tcon = true,
+ .fileid_ofs = 0x08,
+ .modify = true,
+ },{
+ .opcode = SMB2_OP_CANCEL,
+ .as_root = true,
+ },{
+ .opcode = SMB2_OP_KEEPALIVE,
+ },{
+ .opcode = SMB2_OP_QUERY_DIRECTORY,
+ .need_session = true,
+ .need_tcon = true,
+ .fileid_ofs = 0x08,
+ },{
+ .opcode = SMB2_OP_NOTIFY,
+ .need_session = true,
+ .need_tcon = true,
+ .fileid_ofs = 0x08,
+ },{
+ .opcode = SMB2_OP_GETINFO,
+ .need_session = true,
+ .need_tcon = true,
+ .fileid_ofs = 0x18,
+ },{
+ .opcode = SMB2_OP_SETINFO,
+ .need_session = true,
+ .need_tcon = true,
+ .fileid_ofs = 0x10,
+ .modify = true,
+ },{
+ .opcode = SMB2_OP_BREAK,
+ .need_session = true,
+ .need_tcon = true,
+ /*
+ * we do not set
+ * .fileid_ofs here
+ * as LEASE breaks does not
+ * have a file id
+ */
+ }
+};
+
+const char *smb2_opcode_name(uint16_t opcode)
+{
+ const char *result = "Bad SMB2 opcode";
+
+ switch (opcode) {
+ case SMB2_OP_NEGPROT:
+ result = "SMB2_OP_NEGPROT";
+ break;
+ case SMB2_OP_SESSSETUP:
+ result = "SMB2_OP_SESSSETUP";
+ break;
+ case SMB2_OP_LOGOFF:
+ result = "SMB2_OP_LOGOFF";
+ break;
+ case SMB2_OP_TCON:
+ result = "SMB2_OP_TCON";
+ break;
+ case SMB2_OP_TDIS:
+ result = "SMB2_OP_TDIS";
+ break;
+ case SMB2_OP_CREATE:
+ result = "SMB2_OP_CREATE";
+ break;
+ case SMB2_OP_CLOSE:
+ result = "SMB2_OP_CLOSE";
+ break;
+ case SMB2_OP_FLUSH:
+ result = "SMB2_OP_FLUSH";
+ break;
+ case SMB2_OP_READ:
+ result = "SMB2_OP_READ";
+ break;
+ case SMB2_OP_WRITE:
+ result = "SMB2_OP_WRITE";
+ break;
+ case SMB2_OP_LOCK:
+ result = "SMB2_OP_LOCK";
+ break;
+ case SMB2_OP_IOCTL:
+ result = "SMB2_OP_IOCTL";
+ break;
+ case SMB2_OP_CANCEL:
+ result = "SMB2_OP_CANCEL";
+ break;
+ case SMB2_OP_KEEPALIVE:
+ result = "SMB2_OP_KEEPALIVE";
+ break;
+ case SMB2_OP_QUERY_DIRECTORY:
+ result = "SMB2_OP_QUERY_DIRECTORY";
+ break;
+ case SMB2_OP_NOTIFY:
+ result = "SMB2_OP_NOTIFY";
+ break;
+ case SMB2_OP_GETINFO:
+ result = "SMB2_OP_GETINFO";
+ break;
+ case SMB2_OP_SETINFO:
+ result = "SMB2_OP_SETINFO";
+ break;
+ case SMB2_OP_BREAK:
+ result = "SMB2_OP_BREAK";
+ break;
+ default:
+ break;
+ }
+ return result;
+}
+
+static const struct smbd_smb2_dispatch_table *smbd_smb2_call(uint16_t opcode)
+{
+ const struct smbd_smb2_dispatch_table *ret = NULL;
+
+ if (opcode >= ARRAY_SIZE(smbd_smb2_table)) {
+ return NULL;
+ }
+
+ ret = &smbd_smb2_table[opcode];
+
+ SMB_ASSERT(ret->opcode == opcode);
+
+ return ret;
+}
+
+static void print_req_vectors(const struct smbd_smb2_request *req)
+{
+ int i;
+
+ for (i = 0; i < req->in.vector_count; i++) {
+ dbgtext("\treq->in.vector[%u].iov_len = %u\n",
+ (unsigned int)i,
+ (unsigned int)req->in.vector[i].iov_len);
+ }
+ for (i = 0; i < req->out.vector_count; i++) {
+ dbgtext("\treq->out.vector[%u].iov_len = %u\n",
+ (unsigned int)i,
+ (unsigned int)req->out.vector[i].iov_len);
+ }
+}
+
+bool smbd_is_smb2_header(const uint8_t *inbuf, size_t size)
+{
+ if (size < (4 + SMB2_HDR_BODY)) {
+ return false;
+ }
+
+ if (IVAL(inbuf, 4) != SMB2_MAGIC) {
+ return false;
+ }
+
+ return true;
+}
+
+bool smbd_smb2_is_compound(const struct smbd_smb2_request *req)
+{
+ return req->in.vector_count >= (2*SMBD_SMB2_NUM_IOV_PER_REQ);
+}
+
+bool smbd_smb2_is_last_in_compound(const struct smbd_smb2_request *req)
+{
+ return (req->current_idx + SMBD_SMB2_NUM_IOV_PER_REQ ==
+ req->in.vector_count);
+}
+
+static NTSTATUS smbd_initialize_smb2(struct smbXsrv_connection *xconn,
+ uint64_t expected_seq_low)
+{
+ int rc;
+
+ xconn->smb2.credits.seq_low = expected_seq_low;
+ xconn->smb2.credits.seq_range = 1;
+ xconn->smb2.credits.granted = 1;
+ xconn->smb2.credits.max = lp_smb2_max_credits();
+ xconn->smb2.credits.bitmap = bitmap_talloc(xconn,
+ xconn->smb2.credits.max);
+ if (xconn->smb2.credits.bitmap == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ tevent_fd_set_close_fn(xconn->transport.fde, NULL);
+ TALLOC_FREE(xconn->transport.fde);
+
+ xconn->transport.fde = tevent_add_fd(
+ xconn->client->raw_ev_ctx,
+ xconn,
+ xconn->transport.sock,
+ TEVENT_FD_ERROR | TEVENT_FD_READ,
+ smbd_smb2_connection_handler,
+ xconn);
+ if (xconn->transport.fde == NULL) {
+ close(xconn->transport.sock);
+ xconn->transport.sock = -1;
+ return NT_STATUS_NO_MEMORY;
+ }
+ tevent_fd_set_auto_close(xconn->transport.fde);
+
+ /*
+ * Ensure child is set to non-blocking mode,
+ * unless the system supports MSG_DONTWAIT,
+ * if MSG_DONTWAIT is available we should force
+ * blocking mode.
+ */
+#ifdef MSG_DONTWAIT
+ rc = set_blocking(xconn->transport.sock, true);
+ if (rc < 0) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+#else
+ rc = set_blocking(xconn->transport.sock, false);
+ if (rc < 0) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+#endif
+
+ return NT_STATUS_OK;
+}
+
+#define smb2_len(buf) (PVAL(buf,3)|(PVAL(buf,2)<<8)|(PVAL(buf,1)<<16))
+#define _smb2_setlen(_buf,len) do { \
+ uint8_t *buf = (uint8_t *)_buf; \
+ buf[0] = 0; \
+ buf[1] = ((len)&0xFF0000)>>16; \
+ buf[2] = ((len)&0xFF00)>>8; \
+ buf[3] = (len)&0xFF; \
+} while (0)
+
+static bool smb2_setup_nbt_length(struct iovec *vector, int count)
+{
+ ssize_t len;
+
+ if (count == 0) {
+ return false;
+ }
+
+ len = iov_buflen(vector+1, count-1);
+
+ if ((len == -1) || (len > 0xFFFFFF)) {
+ return false;
+ }
+
+ _smb2_setlen(vector[0].iov_base, len);
+ return true;
+}
+
+static int smbd_smb2_request_destructor(struct smbd_smb2_request *req)
+{
+ TALLOC_FREE(req->first_enc_key);
+ TALLOC_FREE(req->last_sign_key);
+ return 0;
+}
+
+void smb2_request_set_async_internal(struct smbd_smb2_request *req,
+ bool async_internal)
+{
+ req->async_internal = async_internal;
+}
+
+static struct smbd_smb2_request *smbd_smb2_request_allocate(struct smbXsrv_connection *xconn)
+{
+ TALLOC_CTX *mem_pool;
+ struct smbd_smb2_request *req;
+
+#if 0
+ /* Enable this to find subtle valgrind errors. */
+ mem_pool = talloc_init("smbd_smb2_request_allocate");
+#else
+ mem_pool = talloc_tos();
+#endif
+ if (mem_pool == NULL) {
+ return NULL;
+ }
+
+ req = talloc(mem_pool, struct smbd_smb2_request);
+ if (req == NULL) {
+ talloc_free(mem_pool);
+ return NULL;
+ }
+ talloc_reparent(mem_pool, xconn, req);
+#if 0
+ TALLOC_FREE(mem_pool);
+#endif
+ *req = (struct smbd_smb2_request) {
+ .sconn = xconn->client->sconn,
+ .xconn = xconn,
+ .last_session_id = UINT64_MAX,
+ .last_tid = UINT32_MAX,
+ };
+
+ talloc_set_destructor(req, smbd_smb2_request_destructor);
+
+ return req;
+}
+
+static NTSTATUS smbd_smb2_inbuf_parse_compound(struct smbXsrv_connection *xconn,
+ NTTIME now,
+ uint8_t *buf,
+ size_t buflen,
+ struct smbd_smb2_request *req,
+ struct iovec **piov,
+ int *pnum_iov)
+{
+ TALLOC_CTX *mem_ctx = req;
+ struct iovec *iov;
+ int num_iov = 1;
+ size_t taken = 0;
+ uint8_t *first_hdr = buf;
+ size_t verified_buflen = 0;
+ uint8_t *tf = NULL;
+ size_t tf_len = 0;
+
+ /*
+ * Note: index '0' is reserved for the transport protocol
+ */
+ iov = req->in._vector;
+
+ while (taken < buflen) {
+ size_t len = buflen - taken;
+ uint8_t *hdr = first_hdr + taken;
+ struct iovec *cur;
+ size_t full_size;
+ size_t next_command_ofs;
+ uint16_t body_size;
+ uint8_t *body = NULL;
+ uint32_t dyn_size;
+ uint8_t *dyn = NULL;
+ struct iovec *iov_alloc = NULL;
+
+ if (iov != req->in._vector) {
+ iov_alloc = iov;
+ }
+
+ if (verified_buflen > taken) {
+ len = verified_buflen - taken;
+ } else {
+ tf = NULL;
+ tf_len = 0;
+ }
+
+ if (len < 4) {
+ DEBUG(10, ("%d bytes left, expected at least %d\n",
+ (int)len, 4));
+ goto inval;
+ }
+ if (IVAL(hdr, 0) == SMB2_TF_MAGIC) {
+ struct smbXsrv_session *s = NULL;
+ uint64_t uid;
+ struct iovec tf_iov[2];
+ NTSTATUS status;
+ size_t enc_len;
+
+ if (xconn->protocol < PROTOCOL_SMB3_00) {
+ DEBUG(10, ("Got SMB2_TRANSFORM header, "
+ "but dialect[0x%04X] is used\n",
+ xconn->smb2.server.dialect));
+ goto inval;
+ }
+
+ if (xconn->smb2.server.cipher == 0) {
+ DEBUG(10, ("Got SMB2_TRANSFORM header, "
+ "but not negotiated "
+ "client[0x%08X] server[0x%08X]\n",
+ xconn->smb2.client.capabilities,
+ xconn->smb2.server.capabilities));
+ goto inval;
+ }
+
+ if (len < SMB2_TF_HDR_SIZE) {
+ DEBUG(1, ("%d bytes left, expected at least %d\n",
+ (int)len, SMB2_TF_HDR_SIZE));
+ goto inval;
+ }
+ tf = hdr;
+ tf_len = SMB2_TF_HDR_SIZE;
+ taken += tf_len;
+
+ hdr = first_hdr + taken;
+ enc_len = IVAL(tf, SMB2_TF_MSG_SIZE);
+ uid = BVAL(tf, SMB2_TF_SESSION_ID);
+
+ if (len < SMB2_TF_HDR_SIZE + enc_len) {
+ DEBUG(1, ("%d bytes left, expected at least %d\n",
+ (int)len,
+ (int)(SMB2_TF_HDR_SIZE + enc_len)));
+ goto inval;
+ }
+
+ status = smb2srv_session_lookup_conn(xconn, uid, now,
+ &s);
+ if (!NT_STATUS_IS_OK(status)) {
+ status = smb2srv_session_lookup_global(xconn->client,
+ uid, req, &s);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("invalid session[%llu] in "
+ "SMB2_TRANSFORM header\n",
+ (unsigned long long)uid));
+ TALLOC_FREE(iov_alloc);
+ return NT_STATUS_USER_SESSION_DELETED;
+ }
+
+ tf_iov[0].iov_base = (void *)tf;
+ tf_iov[0].iov_len = tf_len;
+ tf_iov[1].iov_base = (void *)hdr;
+ tf_iov[1].iov_len = enc_len;
+
+ status = smb2_signing_decrypt_pdu(s->global->decryption_key,
+ tf_iov, 2);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(iov_alloc);
+ return status;
+ }
+
+ verified_buflen = taken + enc_len;
+ len = enc_len;
+ }
+
+ /*
+ * We need the header plus the body length field
+ */
+
+ if (len < SMB2_HDR_BODY + 2) {
+
+ if ((len == 5) &&
+ (IVAL(hdr, 0) == SMB_SUICIDE_PACKET) &&
+ lp_parm_bool(-1, "smbd", "suicide mode", false)) {
+ uint8_t exitcode = CVAL(hdr, 4);
+ DBG_WARNING("SUICIDE: Exiting immediately "
+ "with code %"PRIu8"\n",
+ exitcode);
+ exit(exitcode);
+ }
+
+ DEBUG(10, ("%d bytes left, expected at least %d\n",
+ (int)len, SMB2_HDR_BODY));
+ goto inval;
+ }
+ if (IVAL(hdr, 0) != SMB2_MAGIC) {
+ DEBUG(10, ("Got non-SMB2 PDU: %x\n",
+ IVAL(hdr, 0)));
+ goto inval;
+ }
+ if (SVAL(hdr, 4) != SMB2_HDR_BODY) {
+ DEBUG(10, ("Got HDR len %d, expected %d\n",
+ SVAL(hdr, 4), SMB2_HDR_BODY));
+ goto inval;
+ }
+
+ full_size = len;
+ next_command_ofs = IVAL(hdr, SMB2_HDR_NEXT_COMMAND);
+ body_size = SVAL(hdr, SMB2_HDR_BODY);
+
+ if (next_command_ofs != 0) {
+ if (next_command_ofs < (SMB2_HDR_BODY + 2)) {
+ goto inval;
+ }
+ if (next_command_ofs > full_size) {
+ goto inval;
+ }
+ full_size = next_command_ofs;
+ }
+ if (body_size < 2) {
+ goto inval;
+ }
+ body_size &= 0xfffe;
+
+ if (body_size > (full_size - SMB2_HDR_BODY)) {
+ /*
+ * let the caller handle the error
+ */
+ body_size = full_size - SMB2_HDR_BODY;
+ }
+ body = hdr + SMB2_HDR_BODY;
+ dyn = body + body_size;
+ dyn_size = full_size - (SMB2_HDR_BODY + body_size);
+
+ if (num_iov >= ARRAY_SIZE(req->in._vector)) {
+ struct iovec *iov_tmp = NULL;
+
+ iov_tmp = talloc_realloc(mem_ctx, iov_alloc,
+ struct iovec,
+ num_iov +
+ SMBD_SMB2_NUM_IOV_PER_REQ);
+ if (iov_tmp == NULL) {
+ TALLOC_FREE(iov_alloc);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (iov_alloc == NULL) {
+ memcpy(iov_tmp,
+ req->in._vector,
+ sizeof(req->in._vector));
+ }
+
+ iov = iov_tmp;
+ }
+ cur = &iov[num_iov];
+ num_iov += SMBD_SMB2_NUM_IOV_PER_REQ;
+
+ cur[SMBD_SMB2_TF_IOV_OFS].iov_base = tf;
+ cur[SMBD_SMB2_TF_IOV_OFS].iov_len = tf_len;
+ cur[SMBD_SMB2_HDR_IOV_OFS].iov_base = hdr;
+ cur[SMBD_SMB2_HDR_IOV_OFS].iov_len = SMB2_HDR_BODY;
+ cur[SMBD_SMB2_BODY_IOV_OFS].iov_base = body;
+ cur[SMBD_SMB2_BODY_IOV_OFS].iov_len = body_size;
+ cur[SMBD_SMB2_DYN_IOV_OFS].iov_base = dyn;
+ cur[SMBD_SMB2_DYN_IOV_OFS].iov_len = dyn_size;
+
+ taken += full_size;
+ }
+
+ *piov = iov;
+ *pnum_iov = num_iov;
+ return NT_STATUS_OK;
+
+inval:
+ if (iov != req->in._vector) {
+ TALLOC_FREE(iov);
+ }
+ return NT_STATUS_INVALID_PARAMETER;
+}
+
+static NTSTATUS smbd_smb2_request_create(struct smbXsrv_connection *xconn,
+ const uint8_t *_inpdu, size_t size,
+ struct smbd_smb2_request **_req)
+{
+ struct smbd_smb2_request *req;
+ uint32_t protocol_version;
+ uint8_t *inpdu = NULL;
+ const uint8_t *inhdr = NULL;
+ uint16_t cmd;
+ uint32_t next_command_ofs;
+ NTSTATUS status;
+ NTTIME now;
+
+ if (size < (SMB2_HDR_BODY + 2)) {
+ DEBUG(0,("Invalid SMB2 packet length count %ld\n", (long)size));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ inhdr = _inpdu;
+
+ protocol_version = IVAL(inhdr, SMB2_HDR_PROTOCOL_ID);
+ if (protocol_version != SMB2_MAGIC) {
+ DEBUG(0,("Invalid SMB packet: protocol prefix: 0x%08X\n",
+ protocol_version));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ cmd = SVAL(inhdr, SMB2_HDR_OPCODE);
+ if (cmd != SMB2_OP_NEGPROT) {
+ DEBUG(0,("Invalid SMB packet: first request: 0x%04X\n",
+ cmd));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ next_command_ofs = IVAL(inhdr, SMB2_HDR_NEXT_COMMAND);
+ if (next_command_ofs != 0) {
+ DEBUG(0,("Invalid SMB packet: next_command: 0x%08X\n",
+ next_command_ofs));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ req = smbd_smb2_request_allocate(xconn);
+ if (req == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ inpdu = talloc_memdup(req, _inpdu, size);
+ if (inpdu == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ req->request_time = timeval_current();
+ now = timeval_to_nttime(&req->request_time);
+
+ status = smbd_smb2_inbuf_parse_compound(xconn,
+ now,
+ inpdu,
+ size,
+ req, &req->in.vector,
+ &req->in.vector_count);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(req);
+ return status;
+ }
+
+ req->current_idx = 1;
+
+ *_req = req;
+ return NT_STATUS_OK;
+}
+
+static bool smb2_validate_sequence_number(struct smbXsrv_connection *xconn,
+ uint64_t message_id, uint64_t seq_id)
+{
+ struct bitmap *credits_bm = xconn->smb2.credits.bitmap;
+ unsigned int offset;
+ uint64_t seq_tmp;
+
+ seq_tmp = xconn->smb2.credits.seq_low;
+ if (seq_id < seq_tmp) {
+ DBGC_ERR(DBGC_SMB2_CREDITS,
+ "smb2_validate_sequence_number: bad message_id "
+ "%llu (sequence id %llu) "
+ "(granted = %u, low = %llu, range = %u)\n",
+ (unsigned long long)message_id,
+ (unsigned long long)seq_id,
+ (unsigned int)xconn->smb2.credits.granted,
+ (unsigned long long)xconn->smb2.credits.seq_low,
+ (unsigned int)xconn->smb2.credits.seq_range);
+ return false;
+ }
+
+ seq_tmp += xconn->smb2.credits.seq_range;
+ if (seq_id >= seq_tmp) {
+ DBGC_ERR(DBGC_SMB2_CREDITS,
+ "smb2_validate_sequence_number: bad message_id "
+ "%llu (sequence id %llu) "
+ "(granted = %u, low = %llu, range = %u)\n",
+ (unsigned long long)message_id,
+ (unsigned long long)seq_id,
+ (unsigned int)xconn->smb2.credits.granted,
+ (unsigned long long)xconn->smb2.credits.seq_low,
+ (unsigned int)xconn->smb2.credits.seq_range);
+ return false;
+ }
+
+ offset = seq_id % xconn->smb2.credits.max;
+
+ if (bitmap_query(credits_bm, offset)) {
+ DBGC_ERR(DBGC_SMB2_CREDITS,
+ "smb2_validate_sequence_number: duplicate message_id "
+ "%llu (sequence id %llu) "
+ "(granted = %u, low = %llu, range = %u) "
+ "(bm offset %u)\n",
+ (unsigned long long)message_id,
+ (unsigned long long)seq_id,
+ (unsigned int)xconn->smb2.credits.granted,
+ (unsigned long long)xconn->smb2.credits.seq_low,
+ (unsigned int)xconn->smb2.credits.seq_range,
+ offset);
+ return false;
+ }
+
+ /* Mark the message_ids as seen in the bitmap. */
+ bitmap_set(credits_bm, offset);
+
+ if (seq_id != xconn->smb2.credits.seq_low) {
+ return true;
+ }
+
+ /*
+ * Move the window forward by all the message_id's
+ * already seen.
+ */
+ while (bitmap_query(credits_bm, offset)) {
+ DBGC_DEBUG(DBGC_SMB2_CREDITS,
+ "smb2_validate_sequence_number: clearing "
+ "id %llu (position %u) from bitmap\n",
+ (unsigned long long)(xconn->smb2.credits.seq_low),
+ offset);
+ bitmap_clear(credits_bm, offset);
+
+ xconn->smb2.credits.seq_low += 1;
+ xconn->smb2.credits.seq_range -= 1;
+ offset = xconn->smb2.credits.seq_low % xconn->smb2.credits.max;
+ }
+
+ return true;
+}
+
+static bool smb2_validate_message_id(struct smbXsrv_connection *xconn,
+ const uint8_t *inhdr)
+{
+ uint64_t message_id = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
+ uint16_t opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
+ uint16_t credit_charge = 1;
+ uint64_t i;
+
+ if (opcode == SMB2_OP_CANCEL) {
+ /* SMB2_CANCEL requests by definition resend messageids. */
+ return true;
+ }
+
+ if (xconn->smb2.credits.multicredit) {
+ credit_charge = SVAL(inhdr, SMB2_HDR_CREDIT_CHARGE);
+ credit_charge = MAX(credit_charge, 1);
+ }
+
+ DEBUGC(11,
+ DBGC_SMB2_CREDITS,
+ ("smb2_validate_message_id: mid %llu (charge %llu), "
+ "credits_granted %llu, "
+ "seqnum low/range: %llu/%llu\n",
+ (unsigned long long) message_id,
+ (unsigned long long) credit_charge,
+ (unsigned long long) xconn->smb2.credits.granted,
+ (unsigned long long) xconn->smb2.credits.seq_low,
+ (unsigned long long) xconn->smb2.credits.seq_range));
+
+ if (xconn->smb2.credits.granted < credit_charge) {
+ DBGC_ERR(DBGC_SMB2_CREDITS,
+ "smb2_validate_message_id: client used more "
+ "credits than granted, mid %llu, charge %llu, "
+ "credits_granted %llu, "
+ "seqnum low/range: %llu/%llu\n",
+ (unsigned long long) message_id,
+ (unsigned long long) credit_charge,
+ (unsigned long long) xconn->smb2.credits.granted,
+ (unsigned long long) xconn->smb2.credits.seq_low,
+ (unsigned long long) xconn->smb2.credits.seq_range);
+ return false;
+ }
+
+ /*
+ * now check the message ids
+ *
+ * for multi-credit requests we need to check all current mid plus
+ * the implicit mids caused by the credit charge
+ * e.g. current mid = 15, charge 5 => mark 15-19 as used
+ */
+
+ for (i = 0; i <= (credit_charge-1); i++) {
+ uint64_t id = message_id + i;
+ bool ok;
+
+ DEBUGC(11,
+ DBGC_SMB2_CREDITS,
+ ("Iterating mid %llu charge %u (sequence %llu)\n",
+ (unsigned long long)message_id,
+ credit_charge,
+ (unsigned long long)id));
+
+ ok = smb2_validate_sequence_number(xconn, message_id, id);
+ if (!ok) {
+ return false;
+ }
+ }
+
+ /* subtract used credits */
+ xconn->smb2.credits.granted -= credit_charge;
+
+ return true;
+}
+
+static NTSTATUS smbd_smb2_request_validate(struct smbd_smb2_request *req)
+{
+ int count;
+ int idx;
+
+ count = req->in.vector_count;
+
+ if (count < 1 + SMBD_SMB2_NUM_IOV_PER_REQ) {
+ /* It's not a SMB2 request */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ for (idx=1; idx < count; idx += SMBD_SMB2_NUM_IOV_PER_REQ) {
+ struct iovec *hdr = SMBD_SMB2_IDX_HDR_IOV(req,in,idx);
+ struct iovec *body = SMBD_SMB2_IDX_BODY_IOV(req,in,idx);
+ const uint8_t *inhdr = NULL;
+
+ if (hdr->iov_len != SMB2_HDR_BODY) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (body->iov_len < 2) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ inhdr = (const uint8_t *)hdr->iov_base;
+
+ /* Check the SMB2 header */
+ if (IVAL(inhdr, SMB2_HDR_PROTOCOL_ID) != SMB2_MAGIC) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!smb2_validate_message_id(req->xconn, inhdr)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+static void smb2_set_operation_credit(struct smbXsrv_connection *xconn,
+ const struct iovec *in_vector,
+ struct iovec *out_vector)
+{
+ const uint8_t *inhdr = (const uint8_t *)in_vector->iov_base;
+ uint8_t *outhdr = (uint8_t *)out_vector->iov_base;
+ uint16_t credit_charge = 1;
+ uint16_t credits_requested;
+ uint32_t out_flags;
+ uint16_t cmd;
+ NTSTATUS out_status;
+ uint16_t credits_granted = 0;
+ uint64_t credits_possible;
+ uint16_t current_max_credits;
+
+ /*
+ * first we grant only 1/16th of the max range.
+ *
+ * Windows also starts with the 1/16th and then grants
+ * more later. I was only able to trigger higher
+ * values, when using a very high credit charge.
+ *
+ * TODO: scale up depending on load, free memory
+ * or other stuff.
+ * Maybe also on the relationship between number
+ * of requests and the used sequence number.
+ * Which means we would grant more credits
+ * for client which use multi credit requests.
+ *
+ * The above is what Windows Server < 2016 is doing,
+ * but new servers use all credits (8192 by default).
+ */
+ current_max_credits = xconn->smb2.credits.max;
+ current_max_credits = MAX(current_max_credits, 1);
+
+ if (xconn->smb2.credits.multicredit) {
+ credit_charge = SVAL(inhdr, SMB2_HDR_CREDIT_CHARGE);
+ credit_charge = MAX(credit_charge, 1);
+ }
+
+ cmd = SVAL(inhdr, SMB2_HDR_OPCODE);
+ credits_requested = SVAL(inhdr, SMB2_HDR_CREDIT);
+ credits_requested = MAX(credits_requested, 1);
+ out_flags = IVAL(outhdr, SMB2_HDR_FLAGS);
+ out_status = NT_STATUS(IVAL(outhdr, SMB2_HDR_STATUS));
+
+ SMB_ASSERT(xconn->smb2.credits.max >= xconn->smb2.credits.granted);
+
+ if (xconn->smb2.credits.max < credit_charge) {
+ smbd_server_connection_terminate(xconn,
+ "client error: credit charge > max credits\n");
+ return;
+ }
+
+ if (out_flags & SMB2_HDR_FLAG_ASYNC) {
+ /*
+ * In case we already send an async interim
+ * response, we should not grant
+ * credits on the final response.
+ */
+ credits_granted = 0;
+ } else {
+ uint16_t additional_possible =
+ xconn->smb2.credits.max - credit_charge;
+ uint16_t additional_max = 0;
+ uint16_t additional_credits = credits_requested - 1;
+
+ switch (cmd) {
+ case SMB2_OP_NEGPROT:
+ break;
+ case SMB2_OP_SESSSETUP:
+ /*
+ * Windows 2012 RC1 starts to grant
+ * additional credits
+ * with a successful session setup
+ */
+ if (NT_STATUS_IS_OK(out_status)) {
+ additional_max = xconn->smb2.credits.max;
+ }
+ break;
+ default:
+ /*
+ * Windows Server < 2016 and older Samba versions
+ * used to only grant additional credits in
+ * chunks of 32 credits.
+ *
+ * But we match Windows Server 2016 and grant
+ * all credits as requested.
+ */
+ additional_max = xconn->smb2.credits.max;
+ break;
+ }
+
+ additional_max = MIN(additional_max, additional_possible);
+ additional_credits = MIN(additional_credits, additional_max);
+
+ credits_granted = credit_charge + additional_credits;
+ }
+
+ /*
+ * sequence numbers should not wrap
+ *
+ * 1. calculate the possible credits until
+ * the sequence numbers start to wrap on 64-bit.
+ *
+ * 2. UINT64_MAX is used for Break Notifications.
+ *
+ * 2. truncate the possible credits to the maximum
+ * credits we want to grant to the client in total.
+ *
+ * 3. remove the range we'll already granted to the client
+ * this makes sure the client consumes the lowest sequence
+ * number, before we can grant additional credits.
+ */
+ credits_possible = UINT64_MAX - xconn->smb2.credits.seq_low;
+ if (credits_possible > 0) {
+ /* remove UINT64_MAX */
+ credits_possible -= 1;
+ }
+ credits_possible = MIN(credits_possible, current_max_credits);
+ credits_possible -= xconn->smb2.credits.seq_range;
+
+ credits_granted = MIN(credits_granted, credits_possible);
+
+ SSVAL(outhdr, SMB2_HDR_CREDIT, credits_granted);
+ xconn->smb2.credits.granted += credits_granted;
+ xconn->smb2.credits.seq_range += credits_granted;
+
+ DBGC_DEBUG(DBGC_SMB2_CREDITS,
+ "smb2_set_operation_credit: requested %u, charge %u, "
+ "granted %u, current possible/max %u/%u, "
+ "total granted/max/low/range %u/%u/%llu/%u\n",
+ (unsigned int)credits_requested,
+ (unsigned int)credit_charge,
+ (unsigned int)credits_granted,
+ (unsigned int)credits_possible,
+ (unsigned int)current_max_credits,
+ (unsigned int)xconn->smb2.credits.granted,
+ (unsigned int)xconn->smb2.credits.max,
+ (unsigned long long)xconn->smb2.credits.seq_low,
+ (unsigned int)xconn->smb2.credits.seq_range);
+}
+
+static void smb2_calculate_credits(const struct smbd_smb2_request *inreq,
+ struct smbd_smb2_request *outreq)
+{
+ int count, idx;
+ uint16_t total_credits = 0;
+
+ count = outreq->out.vector_count;
+
+ for (idx=1; idx < count; idx += SMBD_SMB2_NUM_IOV_PER_REQ) {
+ struct iovec *inhdr_v = SMBD_SMB2_IDX_HDR_IOV(inreq,in,idx);
+ struct iovec *outhdr_v = SMBD_SMB2_IDX_HDR_IOV(outreq,out,idx);
+ uint8_t *outhdr = (uint8_t *)outhdr_v->iov_base;
+
+ smb2_set_operation_credit(outreq->xconn, inhdr_v, outhdr_v);
+
+ /* To match Windows, count up what we
+ just granted. */
+ total_credits += SVAL(outhdr, SMB2_HDR_CREDIT);
+ /* Set to zero in all but the last reply. */
+ if (idx + SMBD_SMB2_NUM_IOV_PER_REQ < count) {
+ SSVAL(outhdr, SMB2_HDR_CREDIT, 0);
+ } else {
+ SSVAL(outhdr, SMB2_HDR_CREDIT, total_credits);
+ }
+ }
+}
+
+DATA_BLOB smbd_smb2_generate_outbody(struct smbd_smb2_request *req, size_t size)
+{
+ if (req->current_idx <= 1) {
+ if (size <= sizeof(req->out._body)) {
+ return data_blob_const(req->out._body, size);
+ }
+ }
+
+ return data_blob_talloc(req, NULL, size);
+}
+
+static NTSTATUS smbd_smb2_request_setup_out(struct smbd_smb2_request *req)
+{
+ struct smbXsrv_connection *xconn = req->xconn;
+ TALLOC_CTX *mem_ctx;
+ struct iovec *vector;
+ int count;
+ int idx;
+ bool ok;
+
+ count = req->in.vector_count;
+ if (count <= ARRAY_SIZE(req->out._vector)) {
+ mem_ctx = req;
+ vector = req->out._vector;
+ } else {
+ vector = talloc_zero_array(req, struct iovec, count);
+ if (vector == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ mem_ctx = vector;
+ }
+
+ vector[0].iov_base = req->out.nbt_hdr;
+ vector[0].iov_len = 4;
+ SIVAL(req->out.nbt_hdr, 0, 0);
+
+ for (idx=1; idx < count; idx += SMBD_SMB2_NUM_IOV_PER_REQ) {
+ struct iovec *inhdr_v = SMBD_SMB2_IDX_HDR_IOV(req,in,idx);
+ const uint8_t *inhdr = (const uint8_t *)inhdr_v->iov_base;
+ uint8_t *outhdr = NULL;
+ uint8_t *outbody = NULL;
+ uint32_t next_command_ofs = 0;
+ struct iovec *current = &vector[idx];
+
+ if ((idx + SMBD_SMB2_NUM_IOV_PER_REQ) < count) {
+ /* we have a next command -
+ * setup for the error case. */
+ next_command_ofs = SMB2_HDR_BODY + 9;
+ }
+
+ if (idx == 1) {
+ outhdr = req->out._hdr;
+ } else {
+ outhdr = talloc_zero_array(mem_ctx, uint8_t,
+ OUTVEC_ALLOC_SIZE);
+ if (outhdr == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ outbody = outhdr + SMB2_HDR_BODY;
+
+ /*
+ * SMBD_SMB2_TF_IOV_OFS might be used later
+ */
+ current[SMBD_SMB2_TF_IOV_OFS].iov_base = NULL;
+ current[SMBD_SMB2_TF_IOV_OFS].iov_len = 0;
+
+ current[SMBD_SMB2_HDR_IOV_OFS].iov_base = (void *)outhdr;
+ current[SMBD_SMB2_HDR_IOV_OFS].iov_len = SMB2_HDR_BODY;
+
+ current[SMBD_SMB2_BODY_IOV_OFS].iov_base = (void *)outbody;
+ current[SMBD_SMB2_BODY_IOV_OFS].iov_len = 8;
+
+ current[SMBD_SMB2_DYN_IOV_OFS].iov_base = NULL;
+ current[SMBD_SMB2_DYN_IOV_OFS].iov_len = 0;
+
+ /* setup the SMB2 header */
+ SIVAL(outhdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
+ SSVAL(outhdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
+ SSVAL(outhdr, SMB2_HDR_CREDIT_CHARGE,
+ SVAL(inhdr, SMB2_HDR_CREDIT_CHARGE));
+ SIVAL(outhdr, SMB2_HDR_STATUS,
+ NT_STATUS_V(NT_STATUS_INTERNAL_ERROR));
+ SSVAL(outhdr, SMB2_HDR_OPCODE,
+ SVAL(inhdr, SMB2_HDR_OPCODE));
+ SIVAL(outhdr, SMB2_HDR_FLAGS,
+ IVAL(inhdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_REDIRECT);
+ SIVAL(outhdr, SMB2_HDR_NEXT_COMMAND, next_command_ofs);
+ SBVAL(outhdr, SMB2_HDR_MESSAGE_ID,
+ BVAL(inhdr, SMB2_HDR_MESSAGE_ID));
+ SIVAL(outhdr, SMB2_HDR_PID,
+ IVAL(inhdr, SMB2_HDR_PID));
+ SIVAL(outhdr, SMB2_HDR_TID,
+ IVAL(inhdr, SMB2_HDR_TID));
+ SBVAL(outhdr, SMB2_HDR_SESSION_ID,
+ BVAL(inhdr, SMB2_HDR_SESSION_ID));
+ memcpy(outhdr + SMB2_HDR_SIGNATURE,
+ inhdr + SMB2_HDR_SIGNATURE, 16);
+
+ /* setup error body header */
+ SSVAL(outbody, 0x00, 0x08 + 1);
+ SSVAL(outbody, 0x02, 0);
+ SIVAL(outbody, 0x04, 0);
+ }
+
+ req->out.vector = vector;
+ req->out.vector_count = count;
+
+ /* setup the length of the NBT packet */
+ ok = smb2_setup_nbt_length(req->out.vector, req->out.vector_count);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ DLIST_ADD_END(xconn->smb2.requests, req);
+
+ return NT_STATUS_OK;
+}
+
+bool smbXsrv_server_multi_channel_enabled(void)
+{
+ bool enabled = lp_server_multi_channel_support();
+#ifndef __ALLOW_MULTI_CHANNEL_SUPPORT
+ bool forced = false;
+ struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers());
+ bool unspecified = lpcfg_parm_is_unspecified(lp_ctx, "server multi channel support");
+ if (unspecified) {
+ enabled = false;
+ }
+ /*
+ * If we don't have support from the kernel
+ * to ask for the un-acked number of bytes
+ * in the socket send queue, we better
+ * don't support multi-channel.
+ */
+ forced = lp_parm_bool(-1, "force", "server multi channel support", false);
+ if (enabled && !forced) {
+ D_NOTICE("'server multi channel support' enabled "
+ "but not supported on %s (%s)\n",
+ SYSTEM_UNAME_SYSNAME, SYSTEM_UNAME_RELEASE);
+ DEBUGADD(DBGLVL_NOTICE, ("Please report this on "
+ "https://bugzilla.samba.org/show_bug.cgi?id=11897\n"));
+ enabled = false;
+ }
+ TALLOC_FREE(lp_ctx);
+#endif /* ! __ALLOW_MULTI_CHANNEL_SUPPORT */
+ return enabled;
+}
+
+static NTSTATUS smbXsrv_connection_get_rto_usecs(struct smbXsrv_connection *xconn,
+ uint32_t *_rto_usecs)
+{
+ /*
+ * Define an Retransmission Timeout
+ * of 1 second, if there's no way for the
+ * kernel to tell us the current value.
+ */
+ uint32_t rto_usecs = 1000000;
+
+#ifdef __HAVE_TCP_INFO_RTO
+ {
+ struct tcp_info info;
+ socklen_t ilen = sizeof(info);
+ int ret;
+
+ ZERO_STRUCT(info);
+ ret = getsockopt(xconn->transport.sock,
+ IPPROTO_TCP, TCP_INFO,
+ (void *)&info, &ilen);
+ if (ret != 0) {
+ int saved_errno = errno;
+ NTSTATUS status = map_nt_error_from_unix(errno);
+ DBG_ERR("getsockopt(TCP_INFO) errno[%d/%s] -s %s\n",
+ saved_errno, strerror(saved_errno),
+ nt_errstr(status));
+ return status;
+ }
+
+ DBG_DEBUG("tcpi_rto[%u] tcpi_rtt[%u] tcpi_rttvar[%u]\n",
+ (unsigned)info.tcpi_rto,
+ (unsigned)info.tcpi_rtt,
+ (unsigned)info.tcpi_rttvar);
+ rto_usecs = info.tcpi_rto;
+ }
+#endif /* __HAVE_TCP_INFO_RTO */
+
+ rto_usecs = MAX(rto_usecs, 200000); /* at least 0.2s */
+ rto_usecs = MIN(rto_usecs, 1000000); /* at max 1.0s */
+ *_rto_usecs = rto_usecs;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS smbXsrv_connection_get_acked_bytes(struct smbXsrv_connection *xconn,
+ uint64_t *_acked_bytes)
+{
+ /*
+ * Unless the kernel has an interface
+ * to reveal the number of un-acked bytes
+ * in the socket send queue, we'll assume
+ * everything is already acked.
+ *
+ * But that would mean that we better don't
+ * pretent to support multi-channel.
+ */
+ uint64_t unacked_bytes = 0;
+
+ *_acked_bytes = 0;
+
+ if (xconn->ack.force_unacked_timeout) {
+ /*
+ * Smbtorture tries to test channel failures...
+ * Just pretend nothing was acked...
+ */
+ DBG_INFO("Simulating channel failure: "
+ "xconn->ack.unacked_bytes[%llu]\n",
+ (unsigned long long)xconn->ack.unacked_bytes);
+ return NT_STATUS_OK;
+ }
+
+#ifdef __IOCTL_SEND_QUEUE_SIZE_OPCODE
+ {
+ int value = 0;
+ int ret;
+
+ /*
+ * If we have kernel support to get
+ * the number of bytes waiting in
+ * the socket's send queue, we
+ * use that in order to find out
+ * the number of unacked bytes.
+ */
+ ret = ioctl(xconn->transport.sock,
+ __IOCTL_SEND_QUEUE_SIZE_OPCODE,
+ &value);
+ if (ret != 0) {
+ int saved_errno = errno;
+ NTSTATUS status = map_nt_error_from_unix(saved_errno);
+ DBG_ERR("Failed to get the SEND_QUEUE_SIZE - "
+ "errno %d (%s) - %s\n",
+ saved_errno, strerror(saved_errno),
+ nt_errstr(status));
+ return status;
+ }
+
+ if (value < 0) {
+ DBG_ERR("xconn->ack.unacked_bytes[%llu] value[%d]\n",
+ (unsigned long long)xconn->ack.unacked_bytes,
+ value);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ unacked_bytes = value;
+ }
+#endif
+ if (xconn->ack.unacked_bytes == 0) {
+ xconn->ack.unacked_bytes = unacked_bytes;
+ return NT_STATUS_OK;
+ }
+
+ if (xconn->ack.unacked_bytes < unacked_bytes) {
+ DBG_ERR("xconn->ack.unacked_bytes[%llu] unacked_bytes[%llu]\n",
+ (unsigned long long)xconn->ack.unacked_bytes,
+ (unsigned long long)unacked_bytes);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ *_acked_bytes = xconn->ack.unacked_bytes - unacked_bytes;
+ xconn->ack.unacked_bytes = unacked_bytes;
+ return NT_STATUS_OK;
+}
+
+static void smbd_smb2_send_queue_ack_fail(struct smbd_smb2_send_queue **queue,
+ NTSTATUS status)
+{
+ struct smbd_smb2_send_queue *e = NULL;
+ struct smbd_smb2_send_queue *n = NULL;
+
+ for (e = *queue; e != NULL; e = n) {
+ n = e->next;
+
+ DLIST_REMOVE(*queue, e);
+ if (e->ack.req != NULL) {
+ tevent_req_nterror(e->ack.req, status);
+ }
+ }
+}
+
+static NTSTATUS smbd_smb2_send_queue_ack_bytes(struct smbd_smb2_send_queue **queue,
+ uint64_t acked_bytes)
+{
+ struct smbd_smb2_send_queue *e = NULL;
+ struct smbd_smb2_send_queue *n = NULL;
+
+ for (e = *queue; e != NULL; e = n) {
+ bool expired;
+
+ n = e->next;
+
+ if (e->ack.req == NULL) {
+ continue;
+ }
+
+ if (e->ack.required_acked_bytes <= acked_bytes) {
+ e->ack.required_acked_bytes = 0;
+ DLIST_REMOVE(*queue, e);
+ tevent_req_done(e->ack.req);
+ continue;
+ }
+ e->ack.required_acked_bytes -= acked_bytes;
+
+ expired = timeval_expired(&e->ack.timeout);
+ if (expired) {
+ return NT_STATUS_IO_TIMEOUT;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS smbd_smb2_check_ack_queue(struct smbXsrv_connection *xconn)
+{
+ uint64_t acked_bytes = 0;
+ NTSTATUS status;
+
+ status = smbXsrv_connection_get_acked_bytes(xconn, &acked_bytes);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = smbd_smb2_send_queue_ack_bytes(&xconn->ack.queue, acked_bytes);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = smbd_smb2_send_queue_ack_bytes(&xconn->smb2.send_queue, 0);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static void smbXsrv_connection_ack_checker(struct tevent_req *subreq)
+{
+ struct smbXsrv_connection *xconn =
+ tevent_req_callback_data(subreq,
+ struct smbXsrv_connection);
+ struct smbXsrv_client *client = xconn->client;
+ struct timeval next_check;
+ NTSTATUS status;
+ bool ok;
+
+ xconn->ack.checker_subreq = NULL;
+
+ ok = tevent_wakeup_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (!ok) {
+ smbd_server_connection_terminate(xconn,
+ "tevent_wakeup_recv() failed");
+ return;
+ }
+
+ status = smbd_smb2_check_ack_queue(xconn);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn, nt_errstr(status));
+ return;
+ }
+
+ next_check = timeval_current_ofs_usec(xconn->ack.rto_usecs);
+ xconn->ack.checker_subreq = tevent_wakeup_send(xconn,
+ client->raw_ev_ctx,
+ next_check);
+ if (xconn->ack.checker_subreq == NULL) {
+ smbd_server_connection_terminate(xconn,
+ "tevent_wakeup_send() failed");
+ return;
+ }
+ tevent_req_set_callback(xconn->ack.checker_subreq,
+ smbXsrv_connection_ack_checker,
+ xconn);
+}
+
+static NTSTATUS smbXsrv_client_pending_breaks_updated(struct smbXsrv_client *client)
+{
+ struct smbXsrv_connection *xconn = NULL;
+
+ for (xconn = client->connections; xconn != NULL; xconn = xconn->next) {
+ struct timeval next_check;
+ uint64_t acked_bytes = 0;
+ NTSTATUS status;
+
+ /*
+ * A new 'pending break cycle' starts
+ * with a first pending break and lasts until
+ * all pending breaks are finished.
+ *
+ * This is typically a very short time,
+ * the value of one retransmission timeout.
+ */
+
+ if (client->pending_breaks == NULL) {
+ /*
+ * No more pending breaks, remove a pending
+ * checker timer
+ */
+ TALLOC_FREE(xconn->ack.checker_subreq);
+ continue;
+ }
+
+ if (xconn->ack.checker_subreq != NULL) {
+ /*
+ * The cycle already started =>
+ * nothing todo
+ */
+ continue;
+ }
+
+ /*
+ * Get the current retransmission timeout value.
+ *
+ * It may change over time, but fetching it once
+ * per 'pending break' cycled should be enough.
+ */
+ status = smbXsrv_connection_get_rto_usecs(xconn,
+ &xconn->ack.rto_usecs);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /*
+ * At the start of the cycle we reset the
+ * unacked_bytes counter (first to 0 and
+ * within smbXsrv_connection_get_acked_bytes()
+ * to the current value in the kernel
+ * send queue.
+ */
+ xconn->ack.unacked_bytes = 0;
+ status = smbXsrv_connection_get_acked_bytes(xconn, &acked_bytes);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /*
+ * We setup a timer in order to check for
+ * acked bytes after one retransmission timeout.
+ *
+ * The code that sets up the send_queue.ack.timeout
+ * uses a multiple of the retransmission timeout.
+ */
+ next_check = timeval_current_ofs_usec(xconn->ack.rto_usecs);
+ xconn->ack.checker_subreq = tevent_wakeup_send(xconn,
+ client->raw_ev_ctx,
+ next_check);
+ if (xconn->ack.checker_subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ tevent_req_set_callback(xconn->ack.checker_subreq,
+ smbXsrv_connection_ack_checker,
+ xconn);
+ }
+
+ return NT_STATUS_OK;
+}
+
+void smbXsrv_connection_disconnect_transport(struct smbXsrv_connection *xconn,
+ NTSTATUS status)
+{
+ if (!NT_STATUS_IS_OK(xconn->transport.status)) {
+ return;
+ }
+
+ xconn->transport.status = status;
+ TALLOC_FREE(xconn->transport.fde);
+ if (xconn->transport.sock != -1) {
+ xconn->transport.sock = -1;
+ }
+ smbd_smb2_send_queue_ack_fail(&xconn->ack.queue, status);
+ smbd_smb2_send_queue_ack_fail(&xconn->smb2.send_queue, status);
+ xconn->smb2.send_queue_len = 0;
+ DO_PROFILE_INC(disconnect);
+}
+
+size_t smbXsrv_client_valid_connections(struct smbXsrv_client *client)
+{
+ struct smbXsrv_connection *xconn = NULL;
+ size_t num_ok = 0;
+
+ for (xconn = client->connections; xconn != NULL; xconn = xconn->next) {
+ if (NT_STATUS_IS_OK(xconn->transport.status)) {
+ num_ok++;
+ }
+ }
+
+ return num_ok;
+}
+
+struct smbXsrv_connection_shutdown_state {
+ struct smbXsrv_connection *xconn;
+};
+
+static void smbXsrv_connection_shutdown_wait_done(struct tevent_req *subreq);
+
+static struct tevent_req *smbXsrv_connection_shutdown_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct smbXsrv_connection *xconn)
+{
+ struct tevent_req *req = NULL;
+ struct smbXsrv_connection_shutdown_state *state = NULL;
+ struct tevent_req *subreq = NULL;
+ size_t len = 0;
+ struct smbd_smb2_request *preq = NULL;
+ NTSTATUS status;
+
+ /*
+ * The caller should have called
+ * smbXsrv_connection_disconnect_transport() before.
+ */
+ SMB_ASSERT(!NT_STATUS_IS_OK(xconn->transport.status));
+ SMB_ASSERT(xconn->transport.terminating);
+ SMB_ASSERT(xconn->transport.shutdown_wait_queue == NULL);
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct smbXsrv_connection_shutdown_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->xconn = xconn;
+ tevent_req_defer_callback(req, ev);
+
+ xconn->transport.shutdown_wait_queue =
+ tevent_queue_create(state, "smbXsrv_connection_shutdown_queue");
+ if (tevent_req_nomem(xconn->transport.shutdown_wait_queue, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ for (preq = xconn->smb2.requests; preq != NULL; preq = preq->next) {
+ /*
+ * Now wait until the request is finished.
+ *
+ * We don't set a callback, as we just want to block the
+ * wait queue and the talloc_free() of the request will
+ * remove the item from the wait queue.
+ *
+ * Note that we don't cancel the requests here
+ * in order to keep the replay detection logic correct.
+ *
+ * However if we teardown the last channel of
+ * a connection, we'll call some logic via
+ * smbXsrv_session_disconnect_xconn()
+ * -> smbXsrv_session_disconnect_xconn_callback()
+ * -> smbXsrv_session_remove_channel()
+ * -> smb2srv_session_shutdown_send()
+ * will indeed cancel the request.
+ */
+ subreq = tevent_queue_wait_send(preq, ev,
+ xconn->transport.shutdown_wait_queue);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ }
+
+ /*
+ * This may attach sessions with num_channels == 0
+ * to xconn->transport.shutdown_wait_queue.
+ */
+ status = smbXsrv_session_disconnect_xconn(xconn);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ len = tevent_queue_length(xconn->transport.shutdown_wait_queue);
+ if (len == 0) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
+ /*
+ * Now we add our own waiter to the end of the queue,
+ * this way we get notified when all pending requests are finished
+ * and send to the socket.
+ */
+ subreq = tevent_queue_wait_send(state, ev, xconn->transport.shutdown_wait_queue);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, smbXsrv_connection_shutdown_wait_done, req);
+
+ return req;
+}
+
+static void smbXsrv_connection_shutdown_wait_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct smbXsrv_connection_shutdown_state *state =
+ tevent_req_data(req,
+ struct smbXsrv_connection_shutdown_state);
+ struct smbXsrv_connection *xconn = state->xconn;
+
+ tevent_queue_wait_recv(subreq);
+ TALLOC_FREE(subreq);
+
+ tevent_req_done(req);
+ /*
+ * make sure the xconn pointer is still valid,
+ * it should as we used tevent_req_defer_callback()
+ */
+ SMB_ASSERT(xconn->transport.terminating);
+}
+
+static NTSTATUS smbXsrv_connection_shutdown_recv(struct tevent_req *req)
+{
+ struct smbXsrv_connection_shutdown_state *state =
+ tevent_req_data(req,
+ struct smbXsrv_connection_shutdown_state);
+ struct smbXsrv_connection *xconn = state->xconn;
+ /*
+ * make sure the xconn pointer is still valid,
+ * it should as we used tevent_req_defer_callback()
+ */
+ SMB_ASSERT(xconn->transport.terminating);
+ return tevent_req_simple_recv_ntstatus(req);
+}
+
+static void smbd_server_connection_terminate_done(struct tevent_req *subreq)
+{
+ struct smbXsrv_connection *xconn =
+ tevent_req_callback_data(subreq,
+ struct smbXsrv_connection);
+ struct smbXsrv_client *client = xconn->client;
+ NTSTATUS status;
+
+ status = smbXsrv_connection_shutdown_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ exit_server("smbXsrv_connection_shutdown_recv failed");
+ }
+
+ DLIST_REMOVE(client->connections, xconn);
+ TALLOC_FREE(xconn);
+}
+
+void smbd_server_connection_terminate_ex(struct smbXsrv_connection *xconn,
+ const char *reason,
+ const char *location)
+{
+ struct smbXsrv_client *client = xconn->client;
+ size_t num_ok = 0;
+
+ /*
+ * Make sure that no new request will be able to use this session.
+ *
+ * smbXsrv_connection_disconnect_transport() might be called already,
+ * but calling it again is a no-op.
+ */
+ smbXsrv_connection_disconnect_transport(xconn,
+ NT_STATUS_CONNECTION_DISCONNECTED);
+
+ num_ok = smbXsrv_client_valid_connections(client);
+
+ if (xconn->transport.terminating) {
+ DBG_DEBUG("skip recursion conn[%s] num_ok[%zu] reason[%s] at %s\n",
+ smbXsrv_connection_dbg(xconn), num_ok,
+ reason, location);
+ return;
+ }
+ xconn->transport.terminating = true;
+
+ DBG_DEBUG("conn[%s] num_ok[%zu] reason[%s] at %s\n",
+ smbXsrv_connection_dbg(xconn), num_ok,
+ reason, location);
+
+ if (xconn->has_cluster_movable_ip) {
+ /*
+ * If the connection has a movable cluster public address
+ * we disconnect all client connections,
+ * as the public address might be moved to
+ * a different node.
+ *
+ * In future we may recheck which node currently
+ * holds this address, but for now we keep it simple.
+ */
+ smbd_server_disconnect_client_ex(xconn->client,
+ reason,
+ location);
+ return;
+ }
+
+ if (num_ok != 0) {
+ struct tevent_req *subreq = NULL;
+
+ subreq = smbXsrv_connection_shutdown_send(client,
+ client->raw_ev_ctx,
+ xconn);
+ if (subreq == NULL) {
+ exit_server("smbXsrv_connection_shutdown_send failed");
+ }
+ tevent_req_set_callback(subreq,
+ smbd_server_connection_terminate_done,
+ xconn);
+ return;
+ }
+
+ /*
+ * The last connection was disconnected
+ */
+ exit_server_cleanly(reason);
+}
+
+void smbd_server_disconnect_client_ex(struct smbXsrv_client *client,
+ const char *reason,
+ const char *location)
+{
+ size_t num_ok = 0;
+
+ num_ok = smbXsrv_client_valid_connections(client);
+
+ DBG_WARNING("client[%s] num_ok[%zu] reason[%s] at %s\n",
+ client->global->remote_address, num_ok,
+ reason, location);
+
+ /*
+ * Something bad happened we need to disconnect all connections.
+ */
+ exit_server_cleanly(reason);
+}
+
+static bool dup_smb2_vec4(TALLOC_CTX *ctx,
+ struct iovec *outvec,
+ const struct iovec *srcvec)
+{
+ const uint8_t *srctf;
+ size_t srctf_len;
+ const uint8_t *srchdr;
+ size_t srchdr_len;
+ const uint8_t *srcbody;
+ size_t srcbody_len;
+ const uint8_t *expected_srcbody;
+ const uint8_t *srcdyn;
+ size_t srcdyn_len;
+ const uint8_t *expected_srcdyn;
+ uint8_t *dsttf;
+ uint8_t *dsthdr;
+ uint8_t *dstbody;
+ uint8_t *dstdyn;
+
+ srctf = (const uint8_t *)srcvec[SMBD_SMB2_TF_IOV_OFS].iov_base;
+ srctf_len = srcvec[SMBD_SMB2_TF_IOV_OFS].iov_len;
+ srchdr = (const uint8_t *)srcvec[SMBD_SMB2_HDR_IOV_OFS].iov_base;
+ srchdr_len = srcvec[SMBD_SMB2_HDR_IOV_OFS].iov_len;
+ srcbody = (const uint8_t *)srcvec[SMBD_SMB2_BODY_IOV_OFS].iov_base;
+ srcbody_len = srcvec[SMBD_SMB2_BODY_IOV_OFS].iov_len;
+ expected_srcbody = srchdr + SMB2_HDR_BODY;
+ srcdyn = (const uint8_t *)srcvec[SMBD_SMB2_DYN_IOV_OFS].iov_base;
+ srcdyn_len = srcvec[SMBD_SMB2_DYN_IOV_OFS].iov_len;
+ expected_srcdyn = srcbody + 8;
+
+ if ((srctf_len != SMB2_TF_HDR_SIZE) && (srctf_len != 0)) {
+ return false;
+ }
+
+ if (srchdr_len != SMB2_HDR_BODY) {
+ return false;
+ }
+
+ if (srctf_len == SMB2_TF_HDR_SIZE) {
+ dsttf = talloc_memdup(ctx, srctf, SMB2_TF_HDR_SIZE);
+ if (dsttf == NULL) {
+ return false;
+ }
+ } else {
+ dsttf = NULL;
+ }
+ outvec[SMBD_SMB2_TF_IOV_OFS].iov_base = (void *)dsttf;
+ outvec[SMBD_SMB2_TF_IOV_OFS].iov_len = srctf_len;
+
+ /* vec[SMBD_SMB2_HDR_IOV_OFS] is always boilerplate and must
+ * be allocated with size OUTVEC_ALLOC_SIZE. */
+
+ dsthdr = talloc_memdup(ctx, srchdr, OUTVEC_ALLOC_SIZE);
+ if (dsthdr == NULL) {
+ return false;
+ }
+ outvec[SMBD_SMB2_HDR_IOV_OFS].iov_base = (void *)dsthdr;
+ outvec[SMBD_SMB2_HDR_IOV_OFS].iov_len = SMB2_HDR_BODY;
+
+ /*
+ * If this is a "standard" vec[SMBD_SMB2_BOFY_IOV_OFS] of length 8,
+ * pointing to srcvec[SMBD_SMB2_HDR_IOV_OFS].iov_base + SMB2_HDR_BODY,
+ * then duplicate this. Else use talloc_memdup().
+ */
+
+ if ((srcbody == expected_srcbody) && (srcbody_len == 8)) {
+ dstbody = dsthdr + SMB2_HDR_BODY;
+ } else {
+ dstbody = talloc_memdup(ctx, srcbody, srcbody_len);
+ if (dstbody == NULL) {
+ return false;
+ }
+ }
+ outvec[SMBD_SMB2_BODY_IOV_OFS].iov_base = (void *)dstbody;
+ outvec[SMBD_SMB2_BODY_IOV_OFS].iov_len = srcbody_len;
+
+ /*
+ * If this is a "standard" vec[SMBD_SMB2_DYN_IOV_OFS] of length 1,
+ * pointing to
+ * srcvec[SMBD_SMB2_HDR_IOV_OFS].iov_base + 8
+ * then duplicate this. Else use talloc_memdup().
+ */
+
+ if ((srcdyn == expected_srcdyn) && (srcdyn_len == 1)) {
+ dstdyn = dsthdr + SMB2_HDR_BODY + 8;
+ } else if (srcdyn == NULL) {
+ dstdyn = NULL;
+ } else {
+ dstdyn = talloc_memdup(ctx, srcdyn, srcdyn_len);
+ if (dstdyn == NULL) {
+ return false;
+ }
+ }
+ outvec[SMBD_SMB2_DYN_IOV_OFS].iov_base = (void *)dstdyn;
+ outvec[SMBD_SMB2_DYN_IOV_OFS].iov_len = srcdyn_len;
+
+ return true;
+}
+
+static struct smbd_smb2_request *dup_smb2_req(const struct smbd_smb2_request *req)
+{
+ struct smbd_smb2_request *newreq = NULL;
+ struct iovec *outvec = NULL;
+ int count = req->out.vector_count;
+ int i;
+ bool ok;
+
+ newreq = smbd_smb2_request_allocate(req->xconn);
+ if (!newreq) {
+ return NULL;
+ }
+
+ newreq->session = req->session;
+ newreq->do_encryption = req->do_encryption;
+ newreq->do_signing = req->do_signing;
+ newreq->current_idx = req->current_idx;
+
+ outvec = talloc_zero_array(newreq, struct iovec, count);
+ if (!outvec) {
+ TALLOC_FREE(newreq);
+ return NULL;
+ }
+ newreq->out.vector = outvec;
+ newreq->out.vector_count = count;
+
+ /* Setup the outvec's identically to req. */
+ outvec[0].iov_base = newreq->out.nbt_hdr;
+ outvec[0].iov_len = 4;
+ memcpy(newreq->out.nbt_hdr, req->out.nbt_hdr, 4);
+
+ /* Setup the vectors identically to the ones in req. */
+ for (i = 1; i < count; i += SMBD_SMB2_NUM_IOV_PER_REQ) {
+ if (!dup_smb2_vec4(outvec, &outvec[i], &req->out.vector[i])) {
+ break;
+ }
+ }
+
+ if (i < count) {
+ /* Alloc failed. */
+ TALLOC_FREE(newreq);
+ return NULL;
+ }
+
+ ok = smb2_setup_nbt_length(newreq->out.vector,
+ newreq->out.vector_count);
+ if (!ok) {
+ TALLOC_FREE(newreq);
+ return NULL;
+ }
+
+ return newreq;
+}
+
+static NTSTATUS smb2_send_async_interim_response(const struct smbd_smb2_request *req)
+{
+ struct smbXsrv_connection *xconn = req->xconn;
+ int first_idx = 1;
+ struct iovec *firsttf = NULL;
+ struct iovec *outhdr_v = NULL;
+ uint8_t *outhdr = NULL;
+ struct smbd_smb2_request *nreq = NULL;
+ NTSTATUS status;
+ bool ok;
+
+ /* Create a new smb2 request we'll use
+ for the interim return. */
+ nreq = dup_smb2_req(req);
+ if (!nreq) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Lose the last X out vectors. They're the
+ ones we'll be using for the async reply. */
+ nreq->out.vector_count -= SMBD_SMB2_NUM_IOV_PER_REQ;
+
+ ok = smb2_setup_nbt_length(nreq->out.vector,
+ nreq->out.vector_count);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ /* Step back to the previous reply. */
+ nreq->current_idx -= SMBD_SMB2_NUM_IOV_PER_REQ;
+ firsttf = SMBD_SMB2_IDX_TF_IOV(nreq,out,first_idx);
+ outhdr_v = SMBD_SMB2_OUT_HDR_IOV(nreq);
+ outhdr = SMBD_SMB2_OUT_HDR_PTR(nreq);
+ /* And end the chain. */
+ SIVAL(outhdr, SMB2_HDR_NEXT_COMMAND, 0);
+
+ /* Calculate outgoing credits */
+ smb2_calculate_credits(req, nreq);
+
+ if (DEBUGLEVEL >= 10) {
+ dbgtext("smb2_send_async_interim_response: nreq->current_idx = %u\n",
+ (unsigned int)nreq->current_idx );
+ dbgtext("smb2_send_async_interim_response: returning %u vectors\n",
+ (unsigned int)nreq->out.vector_count );
+ print_req_vectors(nreq);
+ }
+
+ /*
+ * As we have changed the header (SMB2_HDR_NEXT_COMMAND),
+ * we need to sign/encrypt here with the last/first key we remembered
+ */
+ if (firsttf->iov_len == SMB2_TF_HDR_SIZE) {
+ status = smb2_signing_encrypt_pdu(req->first_enc_key,
+ firsttf,
+ nreq->out.vector_count - first_idx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ } else if (smb2_signing_key_valid(req->last_sign_key)) {
+ status = smb2_signing_sign_pdu(req->last_sign_key,
+ outhdr_v,
+ SMBD_SMB2_NUM_IOV_PER_REQ - 1);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ nreq->queue_entry.mem_ctx = nreq;
+ nreq->queue_entry.vector = nreq->out.vector;
+ nreq->queue_entry.count = nreq->out.vector_count;
+ DLIST_ADD_END(xconn->smb2.send_queue, &nreq->queue_entry);
+ xconn->smb2.send_queue_len++;
+
+ status = smbd_smb2_flush_send_queue(xconn);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+struct smbd_smb2_request_pending_state {
+ struct smbd_smb2_send_queue queue_entry;
+ uint8_t buf[NBT_HDR_SIZE + SMB2_TF_HDR_SIZE + SMB2_HDR_BODY + 0x08 + 1];
+ struct iovec vector[1 + SMBD_SMB2_NUM_IOV_PER_REQ];
+};
+
+static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval current_time,
+ void *private_data);
+
+NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req,
+ struct tevent_req *subreq,
+ uint32_t defer_time)
+{
+ NTSTATUS status;
+ struct timeval defer_endtime;
+ uint8_t *outhdr = NULL;
+ uint32_t flags;
+
+ if (!tevent_req_is_in_progress(subreq)) {
+ /*
+ * This is a performance optimization,
+ * it avoids one tevent_loop iteration,
+ * which means we avoid one
+ * talloc_stackframe_pool/talloc_free pair.
+ */
+ tevent_req_notify_callback(subreq);
+ return NT_STATUS_OK;
+ }
+
+ req->subreq = subreq;
+ subreq = NULL;
+
+ if (req->async_te) {
+ /* We're already async. */
+ return NT_STATUS_OK;
+ }
+
+ outhdr = SMBD_SMB2_OUT_HDR_PTR(req);
+ flags = IVAL(outhdr, SMB2_HDR_FLAGS);
+ if (flags & SMB2_HDR_FLAG_ASYNC) {
+ /* We're already async. */
+ return NT_STATUS_OK;
+ }
+
+ if (req->async_internal || defer_time == 0) {
+ /*
+ * An SMB2 request implementation wants to handle the request
+ * asynchronously "internally" while keeping synchronous
+ * behaviour for the SMB2 request. This means we don't send an
+ * interim response and we can allow processing of compound SMB2
+ * requests (cf the subsequent check) for all cases.
+ */
+ return NT_STATUS_OK;
+ }
+
+ if (req->in.vector_count > req->current_idx + SMBD_SMB2_NUM_IOV_PER_REQ) {
+ /*
+ * We're trying to go async in a compound request
+ * chain. This is only allowed for opens that cause an
+ * oplock break or for the last operation in the
+ * chain, otherwise it is not allowed. See
+ * [MS-SMB2].pdf note <206> on Section 3.3.5.2.7.
+ */
+ const uint8_t *inhdr = SMBD_SMB2_IN_HDR_PTR(req);
+
+ if (SVAL(inhdr, SMB2_HDR_OPCODE) != SMB2_OP_CREATE) {
+ /*
+ * Cancel the outstanding request.
+ */
+ bool ok = tevent_req_cancel(req->subreq);
+ if (ok) {
+ return NT_STATUS_OK;
+ }
+ TALLOC_FREE(req->subreq);
+ return smbd_smb2_request_error(req,
+ NT_STATUS_INTERNAL_ERROR);
+ }
+ }
+
+ if (DEBUGLEVEL >= 10) {
+ dbgtext("smbd_smb2_request_pending_queue: req->current_idx = %u\n",
+ (unsigned int)req->current_idx );
+ print_req_vectors(req);
+ }
+
+ if (req->current_idx > 1) {
+ /*
+ * We're going async in a compound
+ * chain after the first request has
+ * already been processed. Send an
+ * interim response containing the
+ * set of replies already generated.
+ */
+ int idx = req->current_idx;
+
+ status = smb2_send_async_interim_response(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ TALLOC_FREE(req->first_enc_key);
+
+ req->current_idx = 1;
+
+ /*
+ * Re-arrange the in.vectors to remove what
+ * we just sent.
+ */
+ memmove(&req->in.vector[1],
+ &req->in.vector[idx],
+ sizeof(req->in.vector[0])*(req->in.vector_count - idx));
+ req->in.vector_count = 1 + (req->in.vector_count - idx);
+
+ /* Re-arrange the out.vectors to match. */
+ memmove(&req->out.vector[1],
+ &req->out.vector[idx],
+ sizeof(req->out.vector[0])*(req->out.vector_count - idx));
+ req->out.vector_count = 1 + (req->out.vector_count - idx);
+
+ if (req->in.vector_count == 1 + SMBD_SMB2_NUM_IOV_PER_REQ) {
+ /*
+ * We only have one remaining request as
+ * we've processed everything else.
+ * This is no longer a compound request.
+ */
+ req->compound_related = false;
+ outhdr = SMBD_SMB2_OUT_HDR_PTR(req);
+ flags = (IVAL(outhdr, SMB2_HDR_FLAGS) & ~SMB2_HDR_FLAG_CHAINED);
+ SIVAL(outhdr, SMB2_HDR_FLAGS, flags);
+ }
+ }
+ TALLOC_FREE(req->last_sign_key);
+
+ /*
+ * smbd_smb2_request_pending_timer() just send a packet
+ * to the client and doesn't need any impersonation.
+ * So we use req->xconn->client->raw_ev_ctx instead
+ * of req->ev_ctx here.
+ */
+ defer_endtime = timeval_current_ofs_usec(defer_time);
+ req->async_te = tevent_add_timer(req->xconn->client->raw_ev_ctx,
+ req, defer_endtime,
+ smbd_smb2_request_pending_timer,
+ req);
+ if (req->async_te == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static
+struct smb2_signing_key *smbd_smb2_signing_key(struct smbXsrv_session *session,
+ struct smbXsrv_connection *xconn,
+ bool *_has_channel)
+{
+ struct smbXsrv_channel_global0 *c = NULL;
+ NTSTATUS status;
+ struct smb2_signing_key *key = NULL;
+ bool has_channel = false;
+
+ status = smbXsrv_session_find_channel(session, xconn, &c);
+ if (NT_STATUS_IS_OK(status)) {
+ key = c->signing_key;
+ has_channel = true;
+ }
+
+ if (!smb2_signing_key_valid(key)) {
+ key = session->global->signing_key;
+ has_channel = false;
+ }
+
+ if (_has_channel != NULL) {
+ *_has_channel = has_channel;
+ }
+
+ return key;
+}
+
+static NTSTATUS smb2_get_new_nonce(struct smbXsrv_session *session,
+ uint64_t *new_nonce_high,
+ uint64_t *new_nonce_low)
+{
+ uint64_t nonce_high;
+ uint64_t nonce_low;
+
+ session->nonce_low += 1;
+ if (session->nonce_low == 0) {
+ session->nonce_low += 1;
+ session->nonce_high += 1;
+ }
+
+ /*
+ * CCM and GCM algorithms must never have their
+ * nonce wrap, or the security of the whole
+ * communication and the keys is destroyed.
+ * We must drop the connection once we have
+ * transferred too much data.
+ *
+ * NOTE: We assume nonces greater than 8 bytes.
+ */
+ if (session->nonce_high >= session->nonce_high_max) {
+ return NT_STATUS_ENCRYPTION_FAILED;
+ }
+
+ nonce_high = session->nonce_high_random;
+ nonce_high += session->nonce_high;
+ nonce_low = session->nonce_low;
+
+ *new_nonce_high = nonce_high;
+ *new_nonce_low = nonce_low;
+ return NT_STATUS_OK;
+}
+
+static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval current_time,
+ void *private_data)
+{
+ struct smbd_smb2_request *req =
+ talloc_get_type_abort(private_data,
+ struct smbd_smb2_request);
+ struct smbXsrv_connection *xconn = req->xconn;
+ struct smbd_smb2_request_pending_state *state = NULL;
+ uint8_t *outhdr = NULL;
+ const uint8_t *inhdr = NULL;
+ uint8_t *tf = NULL;
+ uint8_t *hdr = NULL;
+ uint8_t *body = NULL;
+ uint8_t *dyn = NULL;
+ uint32_t flags = 0;
+ uint64_t message_id = 0;
+ uint64_t async_id = 0;
+ NTSTATUS status;
+ bool ok;
+
+ TALLOC_FREE(req->async_te);
+
+ /* Ensure our final reply matches the interim one. */
+ inhdr = SMBD_SMB2_IN_HDR_PTR(req);
+ outhdr = SMBD_SMB2_OUT_HDR_PTR(req);
+ flags = IVAL(outhdr, SMB2_HDR_FLAGS);
+ message_id = BVAL(outhdr, SMB2_HDR_MESSAGE_ID);
+
+ async_id = message_id; /* keep it simple for now... */
+
+ SIVAL(outhdr, SMB2_HDR_FLAGS, flags | SMB2_HDR_FLAG_ASYNC);
+ SBVAL(outhdr, SMB2_HDR_ASYNC_ID, async_id);
+
+ DEBUG(10,("smbd_smb2_request_pending_queue: opcode[%s] mid %llu "
+ "going async\n",
+ smb2_opcode_name(SVAL(inhdr, SMB2_HDR_OPCODE)),
+ (unsigned long long)async_id ));
+
+ /*
+ * What we send is identical to a smbd_smb2_request_error
+ * packet with an error status of STATUS_PENDING. Make use
+ * of this fact sometime when refactoring. JRA.
+ */
+
+ state = talloc_zero(req->xconn, struct smbd_smb2_request_pending_state);
+ if (state == NULL) {
+ smbd_server_connection_terminate(xconn,
+ nt_errstr(NT_STATUS_NO_MEMORY));
+ return;
+ }
+
+ tf = state->buf + NBT_HDR_SIZE;
+
+ hdr = tf + SMB2_TF_HDR_SIZE;
+ body = hdr + SMB2_HDR_BODY;
+ dyn = body + 8;
+
+ if (req->do_encryption) {
+ uint64_t nonce_high = 0;
+ uint64_t nonce_low = 0;
+ uint64_t session_id = req->session->global->session_wire_id;
+
+ status = smb2_get_new_nonce(req->session,
+ &nonce_high,
+ &nonce_low);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn,
+ nt_errstr(status));
+ return;
+ }
+
+ SIVAL(tf, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
+ SBVAL(tf, SMB2_TF_NONCE+0, nonce_low);
+ SBVAL(tf, SMB2_TF_NONCE+8, nonce_high);
+ SBVAL(tf, SMB2_TF_SESSION_ID, session_id);
+ }
+
+ SIVAL(hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
+ SSVAL(hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
+ SSVAL(hdr, SMB2_HDR_EPOCH, 0);
+ SIVAL(hdr, SMB2_HDR_STATUS, NT_STATUS_V(NT_STATUS_PENDING));
+ SSVAL(hdr, SMB2_HDR_OPCODE, SVAL(outhdr, SMB2_HDR_OPCODE));
+
+ /*
+ * The STATUS_PENDING response has SMB2_HDR_FLAG_SIGNED
+ * clearedm, but echoes the signature field.
+ */
+ flags &= ~SMB2_HDR_FLAG_SIGNED;
+ SIVAL(hdr, SMB2_HDR_FLAGS, flags);
+ SIVAL(hdr, SMB2_HDR_NEXT_COMMAND, 0);
+ SBVAL(hdr, SMB2_HDR_MESSAGE_ID, message_id);
+ SBVAL(hdr, SMB2_HDR_PID, async_id);
+ SBVAL(hdr, SMB2_HDR_SESSION_ID,
+ BVAL(outhdr, SMB2_HDR_SESSION_ID));
+ memcpy(hdr+SMB2_HDR_SIGNATURE,
+ outhdr+SMB2_HDR_SIGNATURE, 16);
+
+ SSVAL(body, 0x00, 0x08 + 1);
+
+ SCVAL(body, 0x02, 0);
+ SCVAL(body, 0x03, 0);
+ SIVAL(body, 0x04, 0);
+ /* Match W2K8R2... */
+ SCVAL(dyn, 0x00, 0x21);
+
+ state->vector[0].iov_base = (void *)state->buf;
+ state->vector[0].iov_len = NBT_HDR_SIZE;
+
+ if (req->do_encryption) {
+ state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_base = tf;
+ state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_len =
+ SMB2_TF_HDR_SIZE;
+ } else {
+ state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_base = NULL;
+ state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_len = 0;
+ }
+
+ state->vector[1+SMBD_SMB2_HDR_IOV_OFS].iov_base = hdr;
+ state->vector[1+SMBD_SMB2_HDR_IOV_OFS].iov_len = SMB2_HDR_BODY;
+
+ state->vector[1+SMBD_SMB2_BODY_IOV_OFS].iov_base = body;
+ state->vector[1+SMBD_SMB2_BODY_IOV_OFS].iov_len = 8;
+
+ state->vector[1+SMBD_SMB2_DYN_IOV_OFS].iov_base = dyn;
+ state->vector[1+SMBD_SMB2_DYN_IOV_OFS].iov_len = 1;
+
+ ok = smb2_setup_nbt_length(state->vector,
+ 1 + SMBD_SMB2_NUM_IOV_PER_REQ);
+ if (!ok) {
+ smbd_server_connection_terminate(
+ xconn, nt_errstr(NT_STATUS_INTERNAL_ERROR));
+ return;
+ }
+
+ /* Ensure we correctly go through crediting. Grant
+ the credits now, and zero credits on the final
+ response. */
+ smb2_set_operation_credit(req->xconn,
+ SMBD_SMB2_IN_HDR_IOV(req),
+ &state->vector[1+SMBD_SMB2_HDR_IOV_OFS]);
+
+ /*
+ * We add SMB2_HDR_FLAG_ASYNC after smb2_set_operation_credit()
+ * as it reacts on it
+ */
+ SIVAL(hdr, SMB2_HDR_FLAGS, flags | SMB2_HDR_FLAG_ASYNC);
+
+ if (DEBUGLVL(10)) {
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(state->vector); i++) {
+ dbgtext("\tstate->vector[%u/%u].iov_len = %u\n",
+ (unsigned int)i,
+ (unsigned int)ARRAY_SIZE(state->vector),
+ (unsigned int)state->vector[i].iov_len);
+ }
+ }
+
+ if (req->do_encryption) {
+ struct smbXsrv_session *x = req->session;
+ struct smb2_signing_key *encryption_key = x->global->encryption_key;
+
+ status = smb2_signing_encrypt_pdu(encryption_key,
+ &state->vector[1+SMBD_SMB2_TF_IOV_OFS],
+ SMBD_SMB2_NUM_IOV_PER_REQ);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn,
+ nt_errstr(status));
+ return;
+ }
+ }
+
+ state->queue_entry.mem_ctx = state;
+ state->queue_entry.vector = state->vector;
+ state->queue_entry.count = ARRAY_SIZE(state->vector);
+ DLIST_ADD_END(xconn->smb2.send_queue, &state->queue_entry);
+ xconn->smb2.send_queue_len++;
+
+ status = smbd_smb2_flush_send_queue(xconn);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn,
+ nt_errstr(status));
+ return;
+ }
+}
+
+static NTSTATUS smbd_smb2_request_process_cancel(struct smbd_smb2_request *req)
+{
+ struct smbXsrv_connection *xconn = req->xconn;
+ struct smbd_smb2_request *cur;
+ const uint8_t *inhdr;
+ uint32_t flags;
+ uint64_t search_message_id;
+ uint64_t search_async_id;
+ uint64_t found_id = 0;
+
+ inhdr = SMBD_SMB2_IN_HDR_PTR(req);
+
+ flags = IVAL(inhdr, SMB2_HDR_FLAGS);
+ search_message_id = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
+ search_async_id = BVAL(inhdr, SMB2_HDR_PID);
+
+ /*
+ * We don't need the request anymore cancel requests never
+ * have a response.
+ *
+ * We defer the TALLOC_FREE(req) to the caller.
+ */
+ DLIST_REMOVE(xconn->smb2.requests, req);
+
+ for (cur = xconn->smb2.requests; cur; cur = cur->next) {
+ const uint8_t *outhdr;
+ uint64_t message_id;
+ uint64_t async_id;
+
+ if (cur->session != req->session) {
+ continue;
+ }
+
+ if (cur->compound_related) {
+ /*
+ * Never cancel anything in a compound request.
+ * Way too hard to deal with the result.
+ */
+ continue;
+ }
+
+ outhdr = SMBD_SMB2_OUT_HDR_PTR(cur);
+
+ message_id = BVAL(outhdr, SMB2_HDR_MESSAGE_ID);
+ async_id = BVAL(outhdr, SMB2_HDR_PID);
+
+ if (flags & SMB2_HDR_FLAG_ASYNC) {
+ if (search_async_id == async_id) {
+ found_id = async_id;
+ break;
+ }
+ } else {
+ if (search_message_id == message_id) {
+ found_id = message_id;
+ break;
+ }
+ }
+ }
+
+ if (cur && cur->subreq) {
+ inhdr = SMBD_SMB2_IN_HDR_PTR(cur);
+ DEBUG(10,("smbd_smb2_request_process_cancel: attempting to "
+ "cancel opcode[%s] mid %llu\n",
+ smb2_opcode_name(SVAL(inhdr, SMB2_HDR_OPCODE)),
+ (unsigned long long)found_id ));
+ tevent_req_cancel(cur->subreq);
+ }
+
+ return NT_STATUS_OK;
+}
+
+/*************************************************************
+ Ensure an incoming tid is a valid one for us to access.
+ Change to the associated uid credentials and chdir to the
+ valid tid directory.
+*************************************************************/
+
+static NTSTATUS smbd_smb2_request_check_tcon(struct smbd_smb2_request *req)
+{
+ const uint8_t *inhdr;
+ uint32_t in_flags;
+ uint32_t in_tid;
+ struct smbXsrv_tcon *tcon;
+ NTSTATUS status;
+ NTTIME now = timeval_to_nttime(&req->request_time);
+
+ req->tcon = NULL;
+
+ inhdr = SMBD_SMB2_IN_HDR_PTR(req);
+
+ in_flags = IVAL(inhdr, SMB2_HDR_FLAGS);
+ in_tid = IVAL(inhdr, SMB2_HDR_TID);
+
+ if (in_flags & SMB2_HDR_FLAG_CHAINED) {
+ in_tid = req->last_tid;
+ }
+
+ req->last_tid = 0;
+
+ status = smb2srv_tcon_lookup(req->session,
+ in_tid, now, &tcon);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (!change_to_user_and_service(
+ tcon->compat,
+ req->session->global->session_wire_id))
+ {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ req->tcon = tcon;
+ req->last_tid = in_tid;
+
+ return NT_STATUS_OK;
+}
+
+/*************************************************************
+ Ensure an incoming session_id is a valid one for us to access.
+*************************************************************/
+
+static NTSTATUS smbd_smb2_request_check_session(struct smbd_smb2_request *req)
+{
+ const uint8_t *inhdr;
+ uint32_t in_flags;
+ uint16_t in_opcode;
+ uint64_t in_session_id;
+ struct smbXsrv_session *session = NULL;
+ struct auth_session_info *session_info;
+ NTSTATUS status;
+ NTTIME now = timeval_to_nttime(&req->request_time);
+
+ req->session = NULL;
+ req->tcon = NULL;
+
+ inhdr = SMBD_SMB2_IN_HDR_PTR(req);
+
+ in_flags = IVAL(inhdr, SMB2_HDR_FLAGS);
+ in_opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
+ in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
+
+ if (in_flags & SMB2_HDR_FLAG_CHAINED) {
+ in_session_id = req->last_session_id;
+ }
+
+ req->last_session_id = 0;
+
+ /* look an existing session up */
+ switch (in_opcode) {
+ case SMB2_OP_SESSSETUP:
+ /*
+ * For a session bind request, we don't have the
+ * channel set up at this point yet, so we defer
+ * the verification that the connection belongs
+ * to the session to the session setup code, which
+ * can look at the session binding flags.
+ */
+ status = smb2srv_session_lookup_client(req->xconn->client,
+ in_session_id, now,
+ &session);
+ break;
+ default:
+ status = smb2srv_session_lookup_conn(req->xconn,
+ in_session_id, now,
+ &session);
+ break;
+ }
+ if (session) {
+ req->session = session;
+ req->last_session_id = in_session_id;
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
+ switch (in_opcode) {
+ case SMB2_OP_SESSSETUP:
+ status = smb2srv_session_lookup_global(req->xconn->client,
+ in_session_id,
+ req,
+ &session);
+ if (NT_STATUS_IS_OK(status)) {
+ /*
+ * We fallback to a session of
+ * another process in order to
+ * get the signing correct.
+ *
+ * We don't set req->last_session_id here.
+ */
+ req->session = session;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
+ switch (in_opcode) {
+ case SMB2_OP_SESSSETUP:
+ status = NT_STATUS_OK;
+ break;
+ case SMB2_OP_LOGOFF:
+ case SMB2_OP_CLOSE:
+ case SMB2_OP_LOCK:
+ case SMB2_OP_CANCEL:
+ case SMB2_OP_KEEPALIVE:
+ /*
+ * [MS-SMB2] 3.3.5.2.9 Verifying the Session
+ * specifies that LOGOFF, CLOSE and (UN)LOCK
+ * should always be processed even on expired sessions.
+ *
+ * Also see the logic in
+ * smbd_smb2_request_process_lock().
+ *
+ * The smb2.session.expire2 test shows that
+ * CANCEL and KEEPALIVE/ECHO should also
+ * be processed.
+ */
+ status = NT_STATUS_OK;
+ break;
+ default:
+ break;
+ }
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ switch (in_opcode) {
+ case SMB2_OP_TCON:
+ case SMB2_OP_CREATE:
+ case SMB2_OP_GETINFO:
+ case SMB2_OP_SETINFO:
+ return NT_STATUS_INVALID_HANDLE;
+ default:
+ /*
+ * Notice the check for
+ * (session_info == NULL)
+ * below.
+ */
+ status = NT_STATUS_OK;
+ break;
+ }
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ session_info = session->global->auth_session_info;
+ if (session_info == NULL) {
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS smbd_smb2_request_verify_creditcharge(struct smbd_smb2_request *req,
+ uint32_t data_length)
+{
+ struct smbXsrv_connection *xconn = req->xconn;
+ uint16_t needed_charge;
+ uint16_t credit_charge = 1;
+ const uint8_t *inhdr;
+
+ inhdr = SMBD_SMB2_IN_HDR_PTR(req);
+
+ if (xconn->smb2.credits.multicredit) {
+ credit_charge = SVAL(inhdr, SMB2_HDR_CREDIT_CHARGE);
+ credit_charge = MAX(credit_charge, 1);
+ }
+
+ needed_charge = (data_length - 1)/ 65536 + 1;
+
+ DBGC_DEBUG(DBGC_SMB2_CREDITS,
+ "mid %llu, CreditCharge: %d, NeededCharge: %d\n",
+ (unsigned long long) BVAL(inhdr, SMB2_HDR_MESSAGE_ID),
+ credit_charge, needed_charge);
+
+ if (needed_charge > credit_charge) {
+ DBGC_WARNING(DBGC_SMB2_CREDITS,
+ "CreditCharge too low, given %d, needed %d\n",
+ credit_charge, needed_charge);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req,
+ size_t expected_body_size)
+{
+ struct iovec *inhdr_v;
+ const uint8_t *inhdr;
+ uint16_t opcode;
+ const uint8_t *inbody;
+ size_t body_size;
+ size_t min_dyn_size = expected_body_size & 0x00000001;
+ int max_idx = req->in.vector_count - SMBD_SMB2_NUM_IOV_PER_REQ;
+
+ /*
+ * The following should be checked already.
+ */
+ if (req->in.vector_count < SMBD_SMB2_NUM_IOV_PER_REQ) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ if (req->current_idx > max_idx) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ inhdr_v = SMBD_SMB2_IN_HDR_IOV(req);
+ if (inhdr_v->iov_len != SMB2_HDR_BODY) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ if (SMBD_SMB2_IN_BODY_LEN(req) < 2) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ inhdr = SMBD_SMB2_IN_HDR_PTR(req);
+ opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
+
+ switch (opcode) {
+ case SMB2_OP_IOCTL:
+ case SMB2_OP_GETINFO:
+ case SMB2_OP_WRITE:
+ min_dyn_size = 0;
+ break;
+ }
+
+ /*
+ * Now check the expected body size,
+ * where the last byte might be in the
+ * dynamic section..
+ */
+ if (SMBD_SMB2_IN_BODY_LEN(req) != (expected_body_size & 0xFFFFFFFE)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ if (SMBD_SMB2_IN_DYN_LEN(req) < min_dyn_size) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ inbody = SMBD_SMB2_IN_BODY_PTR(req);
+
+ body_size = SVAL(inbody, 0x00);
+ if (body_size != expected_body_size) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ return NT_STATUS_OK;
+}
+
+bool smbXsrv_is_encrypted(uint8_t encryption_flags)
+{
+ return (!(encryption_flags & SMBXSRV_PROCESSED_UNENCRYPTED_PACKET)
+ &&
+ (encryption_flags & (SMBXSRV_PROCESSED_ENCRYPTED_PACKET |
+ SMBXSRV_ENCRYPTION_DESIRED |
+ SMBXSRV_ENCRYPTION_REQUIRED)));
+}
+
+bool smbXsrv_is_partially_encrypted(uint8_t encryption_flags)
+{
+ return ((encryption_flags & SMBXSRV_PROCESSED_ENCRYPTED_PACKET) &&
+ (encryption_flags & SMBXSRV_PROCESSED_UNENCRYPTED_PACKET));
+}
+
+/* Set a flag if not already set, return true if set */
+bool smbXsrv_set_crypto_flag(uint8_t *flags, uint8_t flag)
+{
+ if ((flag == 0) || (*flags & flag)) {
+ return false;
+ }
+
+ *flags |= flag;
+ return true;
+}
+
+/*
+ * Update encryption state tracking flags, this can be used to
+ * determine whether whether the session or tcon is "encrypted".
+ */
+static void smb2srv_update_crypto_flags(struct smbd_smb2_request *req,
+ uint16_t opcode,
+ bool *update_session_globalp,
+ bool *update_tcon_globalp)
+{
+ /* Default: assume unecrypted and unsigned */
+ struct smbXsrv_session *session = req->session;
+ struct smbXsrv_tcon *tcon = req->tcon;
+ uint8_t encrypt_flag = SMBXSRV_PROCESSED_UNENCRYPTED_PACKET;
+ uint8_t sign_flag = SMBXSRV_PROCESSED_UNSIGNED_PACKET;
+ bool update_session = false;
+ bool update_tcon = false;
+
+ if (session->table == NULL) {
+ /*
+ * sessions from smb2srv_session_lookup_global()
+ * have NT_STATUS_BAD_LOGON_SESSION_STATE
+ * and session->table == NULL.
+ *
+ * They only used to give the correct error
+ * status, we should not update any state.
+ */
+ goto out;
+ }
+
+ if (req->was_encrypted && req->do_encryption) {
+ encrypt_flag = SMBXSRV_PROCESSED_ENCRYPTED_PACKET;
+ sign_flag = SMBXSRV_PROCESSED_SIGNED_PACKET;
+ } else {
+ /* Unencrypted packet, can be signed */
+ if (req->do_signing) {
+ sign_flag = SMBXSRV_PROCESSED_SIGNED_PACKET;
+ }
+ }
+
+ update_session |= smbXsrv_set_crypto_flag(
+ &session->global->encryption_flags, encrypt_flag);
+ update_session |= smbXsrv_set_crypto_flag(
+ &session->global->signing_flags, sign_flag);
+
+ if (tcon) {
+ update_tcon |= smbXsrv_set_crypto_flag(
+ &tcon->global->encryption_flags, encrypt_flag);
+ update_tcon |= smbXsrv_set_crypto_flag(
+ &tcon->global->signing_flags, sign_flag);
+ }
+
+out:
+ *update_session_globalp = update_session;
+ *update_tcon_globalp = update_tcon;
+ return;
+}
+
+bool smbXsrv_is_signed(uint8_t signing_flags)
+{
+ /*
+ * Signing is always enabled, so unless we got an unsigned
+ * packet and at least one signed packet that was not
+ * encrypted, the session or tcon is "signed".
+ */
+ return (!(signing_flags & SMBXSRV_PROCESSED_UNSIGNED_PACKET) &&
+ (signing_flags & SMBXSRV_PROCESSED_SIGNED_PACKET));
+}
+
+bool smbXsrv_is_partially_signed(uint8_t signing_flags)
+{
+ return ((signing_flags & SMBXSRV_PROCESSED_UNSIGNED_PACKET) &&
+ (signing_flags & SMBXSRV_PROCESSED_SIGNED_PACKET));
+}
+
+static NTSTATUS smbd_smb2_request_dispatch_update_counts(
+ struct smbd_smb2_request *req,
+ bool modify_call)
+{
+ struct smbXsrv_connection *xconn = req->xconn;
+ const uint8_t *inhdr;
+ uint16_t channel_sequence;
+ uint8_t generation_wrap = 0;
+ uint32_t flags;
+ int cmp;
+ struct smbXsrv_open *op;
+ bool update_open = false;
+ NTSTATUS status = NT_STATUS_OK;
+
+ SMB_ASSERT(!req->request_counters_updated);
+
+ if (xconn->protocol < PROTOCOL_SMB3_00) {
+ return NT_STATUS_OK;
+ }
+
+ if (req->compat_chain_fsp == NULL) {
+ return NT_STATUS_OK;
+ }
+
+ op = req->compat_chain_fsp->op;
+ if (op == NULL) {
+ return NT_STATUS_OK;
+ }
+
+ inhdr = SMBD_SMB2_IN_HDR_PTR(req);
+ flags = IVAL(inhdr, SMB2_HDR_FLAGS);
+ channel_sequence = SVAL(inhdr, SMB2_HDR_CHANNEL_SEQUENCE);
+
+ cmp = channel_sequence - op->global->channel_sequence;
+ if (cmp < 0) {
+ /*
+ * csn wrap. We need to watch out for long-running
+ * requests that are still sitting on a previously
+ * used csn. SMB2_OP_NOTIFY can take VERY long.
+ */
+ generation_wrap += 1;
+ }
+
+ if (abs(cmp) > INT16_MAX) {
+ /*
+ * [MS-SMB2] 3.3.5.2.10 - Verifying the Channel Sequence Number:
+ *
+ * If the channel sequence number of the request and the one
+ * known to the server are not equal, the channel sequence
+ * number and outstanding request counts are only updated
+ * "... if the unsigned difference using 16-bit arithmetic
+ * between ChannelSequence and Open.ChannelSequence is less than
+ * or equal to 0x7FFF ...".
+ * Otherwise, an error is returned for the modifying
+ * calls write, set_info, and ioctl.
+ *
+ * There are currently two issues with the description:
+ *
+ * * For the other calls, the document seems to imply
+ * that processing continues without adapting the
+ * counters (if the sequence numbers are not equal).
+ *
+ * TODO: This needs clarification!
+ *
+ * * Also, the behaviour if the difference is larger
+ * than 0x7FFF is not clear. The document seems to
+ * imply that if such a difference is reached,
+ * the server starts to ignore the counters or
+ * in the case of the modifying calls, return errors.
+ *
+ * TODO: This needs clarification!
+ *
+ * At this point Samba tries to be a little more
+ * clever than the description in the MS-SMB2 document
+ * by heuristically detecting and properly treating
+ * a 16 bit overflow of the client-submitted sequence
+ * number:
+ *
+ * If the stored channel sequence number is more than
+ * 0x7FFF larger than the one from the request, then
+ * the client-provided sequence number has likely
+ * overflown. We treat this case as valid instead
+ * of as failure.
+ *
+ * The MS-SMB2 behaviour would be setting cmp = -1.
+ */
+ cmp *= -1;
+ }
+
+ if (flags & SMB2_HDR_FLAG_REPLAY_OPERATION) {
+ if (cmp == 0 && op->pre_request_count == 0) {
+ op->request_count += 1;
+ req->request_counters_updated = true;
+ } else if (cmp > 0 && op->pre_request_count == 0) {
+ op->pre_request_count += op->request_count;
+ op->request_count = 1;
+ op->global->channel_sequence = channel_sequence;
+ op->global->channel_generation += generation_wrap;
+ update_open = true;
+ req->request_counters_updated = true;
+ } else if (modify_call) {
+ return NT_STATUS_FILE_NOT_AVAILABLE;
+ }
+ } else {
+ if (cmp == 0) {
+ op->request_count += 1;
+ req->request_counters_updated = true;
+ } else if (cmp > 0) {
+ op->pre_request_count += op->request_count;
+ op->request_count = 1;
+ op->global->channel_sequence = channel_sequence;
+ op->global->channel_generation += generation_wrap;
+ update_open = true;
+ req->request_counters_updated = true;
+ } else if (modify_call) {
+ return NT_STATUS_FILE_NOT_AVAILABLE;
+ }
+ }
+ req->channel_generation = op->global->channel_generation;
+
+ if (update_open) {
+ status = smbXsrv_open_update(op);
+ }
+
+ return status;
+}
+
+NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
+{
+ struct smbXsrv_connection *xconn = req->xconn;
+ const struct smbd_smb2_dispatch_table *call = NULL;
+ const struct iovec *intf_v = SMBD_SMB2_IN_TF_IOV(req);
+ const uint8_t *inhdr;
+ uint16_t opcode;
+ uint32_t flags;
+ uint64_t mid;
+ NTSTATUS status;
+ NTSTATUS session_status;
+ uint32_t allowed_flags;
+ NTSTATUS return_value;
+ struct smbXsrv_session *x = NULL;
+ bool signing_required = false;
+ bool encryption_desired = false;
+ bool encryption_required = false;
+
+ inhdr = SMBD_SMB2_IN_HDR_PTR(req);
+
+ DO_PROFILE_INC(request);
+
+ SMB_ASSERT(!req->request_counters_updated);
+
+ /* TODO: verify more things */
+
+ flags = IVAL(inhdr, SMB2_HDR_FLAGS);
+ opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
+ mid = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
+ DBG_DEBUG("opcode[%s] mid = %"PRIu64"\n",
+ smb2_opcode_name(opcode),
+ mid);
+
+ if (xconn->protocol >= PROTOCOL_SMB2_02) {
+ /*
+ * once the protocol is negotiated
+ * SMB2_OP_NEGPROT is not allowed anymore
+ */
+ if (opcode == SMB2_OP_NEGPROT) {
+ /* drop the connection */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ } else {
+ /*
+ * if the protocol is not negotiated yet
+ * only SMB2_OP_NEGPROT is allowed.
+ */
+ if (opcode != SMB2_OP_NEGPROT) {
+ /* drop the connection */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
+ /*
+ * Check if the client provided a valid session id.
+ *
+ * As some command don't require a valid session id
+ * we defer the check of the session_status
+ */
+ session_status = smbd_smb2_request_check_session(req);
+ x = req->session;
+ if (x != NULL) {
+ signing_required = x->global->signing_flags & SMBXSRV_SIGNING_REQUIRED;
+ encryption_desired = x->global->encryption_flags & SMBXSRV_ENCRYPTION_DESIRED;
+ encryption_required = x->global->encryption_flags & SMBXSRV_ENCRYPTION_REQUIRED;
+ }
+
+ req->async_internal = false;
+ req->do_signing = false;
+ if (opcode != SMB2_OP_SESSSETUP) {
+ req->do_encryption = encryption_desired;
+ } else {
+ req->do_encryption = false;
+ }
+ req->was_encrypted = false;
+ if (intf_v->iov_len == SMB2_TF_HDR_SIZE) {
+ const uint8_t *intf = SMBD_SMB2_IN_TF_PTR(req);
+ uint64_t tf_session_id = BVAL(intf, SMB2_TF_SESSION_ID);
+
+ if (x != NULL && x->global->session_wire_id != tf_session_id) {
+ DEBUG(0,("smbd_smb2_request_dispatch: invalid session_id"
+ "in SMB2_HDR[%llu], SMB2_TF[%llu]\n",
+ (unsigned long long)x->global->session_wire_id,
+ (unsigned long long)tf_session_id));
+ /*
+ * TODO: windows allows this...
+ * should we drop the connection?
+ *
+ * For now we just return ACCESS_DENIED
+ * (Windows clients never trigger this)
+ * and wait for an update of [MS-SMB2].
+ */
+ return smbd_smb2_request_error(req,
+ NT_STATUS_ACCESS_DENIED);
+ }
+
+ req->was_encrypted = true;
+ req->do_encryption = true;
+ }
+
+ if (encryption_required && !req->was_encrypted) {
+ req->do_encryption = true;
+ return smbd_smb2_request_error(req,
+ NT_STATUS_ACCESS_DENIED);
+ }
+
+ call = smbd_smb2_call(opcode);
+ if (call == NULL) {
+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ }
+
+ allowed_flags = SMB2_HDR_FLAG_CHAINED |
+ SMB2_HDR_FLAG_SIGNED |
+ SMB2_HDR_FLAG_DFS;
+ if (xconn->protocol >= PROTOCOL_SMB3_11) {
+ allowed_flags |= SMB2_HDR_FLAG_PRIORITY_MASK;
+ }
+ if (opcode == SMB2_OP_NEGPROT) {
+ if (lp_server_max_protocol() >= PROTOCOL_SMB3_11) {
+ allowed_flags |= SMB2_HDR_FLAG_PRIORITY_MASK;
+ }
+ }
+ if (opcode == SMB2_OP_CANCEL) {
+ allowed_flags |= SMB2_HDR_FLAG_ASYNC;
+ }
+ if (xconn->protocol >= PROTOCOL_SMB3_00) {
+ allowed_flags |= SMB2_HDR_FLAG_REPLAY_OPERATION;
+ }
+ if ((flags & ~allowed_flags) != 0) {
+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ }
+
+ if (flags & SMB2_HDR_FLAG_CHAINED) {
+ /*
+ * This check is mostly for giving the correct error code
+ * for compounded requests.
+ */
+ if (!NT_STATUS_IS_OK(session_status)) {
+ return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ }
+ } else {
+ req->compat_chain_fsp = NULL;
+ }
+
+ if (req->was_encrypted) {
+ signing_required = false;
+ } else if (signing_required || (flags & SMB2_HDR_FLAG_SIGNED)) {
+ struct smb2_signing_key *signing_key = NULL;
+ bool has_channel = false;
+
+ if (x == NULL) {
+ /*
+ * MS-SMB2: 3.3.5.2.4 Verifying the Signature.
+ * If the SMB2 header of the SMB2 NEGOTIATE
+ * request has the SMB2_FLAGS_SIGNED bit set in the
+ * Flags field, the server MUST fail the request
+ * with STATUS_INVALID_PARAMETER.
+ *
+ * Microsoft test tool checks this.
+ */
+
+ if ((opcode == SMB2_OP_NEGPROT) &&
+ (flags & SMB2_HDR_FLAG_SIGNED)) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ } else {
+ status = NT_STATUS_USER_SESSION_DELETED;
+ }
+ return smbd_smb2_request_error(req, status);
+ }
+
+ signing_key = smbd_smb2_signing_key(x, xconn, &has_channel);
+
+ /*
+ * If we have a signing key, we should
+ * sign the response
+ */
+ if (smb2_signing_key_valid(signing_key) && opcode != SMB2_OP_CANCEL) {
+ req->do_signing = true;
+ }
+
+ status = smb2_signing_check_pdu(signing_key,
+ SMBD_SMB2_IN_HDR_IOV(req),
+ SMBD_SMB2_NUM_IOV_PER_REQ - 1);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
+ opcode == SMB2_OP_SESSSETUP && !has_channel &&
+ NT_STATUS_IS_OK(session_status))
+ {
+ if (!NT_STATUS_EQUAL(x->status, NT_STATUS_BAD_LOGON_SESSION_STATE)) {
+ struct smbXsrv_session *session = NULL;
+ NTSTATUS error;
+
+ error = smb2srv_session_lookup_global(req->xconn->client,
+ x->global->session_wire_id,
+ req,
+ &session);
+ if (!NT_STATUS_IS_OK(error)) {
+ return smbd_smb2_request_error(req, error);
+ }
+
+ /*
+ * We fallback to a session of
+ * another process in order to
+ * get the signing correct.
+ *
+ * We don't set req->last_session_id here.
+ */
+ req->session = x = session;
+ }
+ goto skipped_signing;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
+ }
+
+ /*
+ * Now that we know the request was correctly signed
+ * we have to sign the response too.
+ */
+ if (opcode != SMB2_OP_CANCEL) {
+ req->do_signing = true;
+ }
+
+ if (!NT_STATUS_IS_OK(session_status)) {
+ return smbd_smb2_request_error(req, session_status);
+ }
+ }
+
+ if (opcode == SMB2_OP_IOCTL) {
+ /*
+ * Some special IOCTL calls don't require
+ * file, tcon nor session.
+ *
+ * They typically don't do any real action
+ * on behalf of the client.
+ *
+ * They are mainly used to alter the behavior
+ * of the connection for testing. So we can
+ * run as root and skip all file, tcon and session
+ * checks below.
+ */
+ static const struct smbd_smb2_dispatch_table _root_ioctl_call = {
+ .opcode = SMB2_OP_IOCTL,
+ .as_root = true,
+ };
+ const uint8_t *body = SMBD_SMB2_IN_BODY_PTR(req);
+ size_t body_size = SMBD_SMB2_IN_BODY_LEN(req);
+ uint32_t in_ctl_code;
+ size_t needed = 8;
+
+ if (needed > body_size) {
+ return smbd_smb2_request_error(req,
+ NT_STATUS_INVALID_PARAMETER);
+ }
+
+ in_ctl_code = IVAL(body, 0x04);
+ /*
+ * Only add trusted IOCTL codes here!
+ */
+ switch (in_ctl_code) {
+ case FSCTL_SMBTORTURE_FORCE_UNACKED_TIMEOUT:
+ call = &_root_ioctl_call;
+ break;
+ case FSCTL_VALIDATE_NEGOTIATE_INFO:
+ call = &_root_ioctl_call;
+ break;
+ case FSCTL_QUERY_NETWORK_INTERFACE_INFO:
+ call = &_root_ioctl_call;
+ break;
+ }
+ }
+
+skipped_signing:
+
+ if (flags & SMB2_HDR_FLAG_CHAINED) {
+ req->compound_related = true;
+ }
+
+ if (call->need_session) {
+ if (!NT_STATUS_IS_OK(session_status)) {
+ return smbd_smb2_request_error(req, session_status);
+ }
+ }
+
+ if (call->need_tcon) {
+ SMB_ASSERT(call->need_session);
+
+ /*
+ * This call needs to be run as user.
+ *
+ * smbd_smb2_request_check_tcon()
+ * calls change_to_user() on success.
+ * Which implies set_current_user_info()
+ * and chdir_current_service().
+ */
+ status = smbd_smb2_request_check_tcon(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
+ }
+ if (req->tcon->global->encryption_flags & SMBXSRV_ENCRYPTION_DESIRED) {
+ encryption_desired = true;
+ }
+ if (req->tcon->global->encryption_flags & SMBXSRV_ENCRYPTION_REQUIRED) {
+ encryption_required = true;
+ }
+ if (encryption_required && !req->was_encrypted) {
+ req->do_encryption = true;
+ return smbd_smb2_request_error(req,
+ NT_STATUS_ACCESS_DENIED);
+ } else if (encryption_desired) {
+ req->do_encryption = true;
+ }
+ } else if (call->need_session) {
+ struct auth_session_info *session_info = NULL;
+
+ /*
+ * Unless we also have need_tcon (see above),
+ * we still need to call set_current_user_info().
+ */
+
+ session_info = req->session->global->auth_session_info;
+ if (session_info == NULL) {
+ return NT_STATUS_INVALID_HANDLE;
+ }
+
+ set_current_user_info(session_info->unix_info->sanitized_username,
+ session_info->unix_info->unix_name,
+ session_info->info->domain_name);
+ }
+
+ if (req->session) {
+ bool update_session_global = false;
+ bool update_tcon_global = false;
+
+ smb2srv_update_crypto_flags(req, opcode,
+ &update_session_global,
+ &update_tcon_global);
+
+ if (update_session_global) {
+ status = smbXsrv_session_update(x);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
+ }
+ }
+ if (update_tcon_global) {
+ status = smbXsrv_tcon_update(req->tcon);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
+ }
+ }
+ }
+
+ if (call->fileid_ofs != 0) {
+ size_t needed = call->fileid_ofs + 16;
+ const uint8_t *body = SMBD_SMB2_IN_BODY_PTR(req);
+ size_t body_size = SMBD_SMB2_IN_BODY_LEN(req);
+ uint64_t file_id_persistent;
+ uint64_t file_id_volatile;
+ struct files_struct *fsp;
+
+ SMB_ASSERT(call->need_tcon);
+
+ if (needed > body_size) {
+ return smbd_smb2_request_error(req,
+ NT_STATUS_INVALID_PARAMETER);
+ }
+
+ file_id_persistent = BVAL(body, call->fileid_ofs + 0);
+ file_id_volatile = BVAL(body, call->fileid_ofs + 8);
+
+ fsp = file_fsp_smb2(req, file_id_persistent, file_id_volatile);
+ if (fsp == NULL) {
+ if (req->compound_related &&
+ !NT_STATUS_IS_OK(req->compound_create_err))
+ {
+ return smbd_smb2_request_error(req,
+ req->compound_create_err);
+ }
+ /*
+ * smbd_smb2_request_process_ioctl()
+ * has more checks in order to return more
+ * detailed error codes...
+ */
+ if (opcode != SMB2_OP_IOCTL) {
+ return smbd_smb2_request_error(req,
+ NT_STATUS_FILE_CLOSED);
+ }
+ } else {
+ if (fsp->fsp_flags.encryption_required && !req->was_encrypted) {
+ return smbd_smb2_request_error(req,
+ NT_STATUS_ACCESS_DENIED);
+ }
+ }
+ }
+
+ status = smbd_smb2_request_dispatch_update_counts(req, call->modify);
+ if (!NT_STATUS_IS_OK(status)) {
+ return smbd_smb2_request_error(req, status);
+ }
+
+ if (call->as_root) {
+ SMB_ASSERT(call->fileid_ofs == 0);
+ /* This call needs to be run as root */
+ change_to_root_user();
+ } else if (opcode != SMB2_OP_KEEPALIVE) {
+ SMB_ASSERT(call->need_tcon);
+ }
+
+#define _INBYTES(_r) \
+ iov_buflen(SMBD_SMB2_IN_HDR_IOV(_r), SMBD_SMB2_NUM_IOV_PER_REQ-1)
+
+ switch (opcode) {
+ case SMB2_OP_NEGPROT:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_negprot, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_negprot(req);
+ break;
+
+ case SMB2_OP_SESSSETUP:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_sesssetup, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_sesssetup(req);
+ break;
+
+ case SMB2_OP_LOGOFF:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_logoff, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_logoff(req);
+ break;
+
+ case SMB2_OP_TCON:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_tcon, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_tcon(req);
+ break;
+
+ case SMB2_OP_TDIS:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_tdis, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_tdis(req);
+ break;
+
+ case SMB2_OP_CREATE:
+ if (req->subreq == NULL) {
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_create, profile_p,
+ req->profile, _INBYTES(req));
+ } else {
+ SMBPROFILE_IOBYTES_ASYNC_SET_BUSY(req->profile);
+ }
+ return_value = smbd_smb2_request_process_create(req);
+ break;
+
+ case SMB2_OP_CLOSE:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_close, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_close(req);
+ break;
+
+ case SMB2_OP_FLUSH:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_flush, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_flush(req);
+ break;
+
+ case SMB2_OP_READ:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_read, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_read(req);
+ break;
+
+ case SMB2_OP_WRITE:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_write, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_write(req);
+ break;
+
+ case SMB2_OP_LOCK:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_lock, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_lock(req);
+ break;
+
+ case SMB2_OP_IOCTL:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_ioctl, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_ioctl(req);
+ break;
+
+ case SMB2_OP_CANCEL:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_cancel, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_cancel(req);
+ SMBPROFILE_IOBYTES_ASYNC_END(req->profile, 0);
+
+ /*
+ * We don't need the request anymore cancel requests never
+ * have a response.
+ *
+ * smbd_smb2_request_process_cancel() already called
+ * DLIST_REMOVE(xconn->smb2.requests, req);
+ */
+ TALLOC_FREE(req);
+
+ break;
+
+ case SMB2_OP_KEEPALIVE:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_keepalive, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_keepalive(req);
+ break;
+
+ case SMB2_OP_QUERY_DIRECTORY:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_find, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_query_directory(req);
+ break;
+
+ case SMB2_OP_NOTIFY:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_notify, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_notify(req);
+ break;
+
+ case SMB2_OP_GETINFO:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_getinfo, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_getinfo(req);
+ break;
+
+ case SMB2_OP_SETINFO:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_setinfo, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_setinfo(req);
+ break;
+
+ case SMB2_OP_BREAK:
+ SMBPROFILE_IOBYTES_ASYNC_START(smb2_break, profile_p,
+ req->profile, _INBYTES(req));
+ return_value = smbd_smb2_request_process_break(req);
+ break;
+
+ default:
+ return_value = smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
+ break;
+ }
+ return return_value;
+}
+
+static void smbd_smb2_request_reply_update_counts(struct smbd_smb2_request *req)
+{
+ struct smbXsrv_connection *xconn = req->xconn;
+ const uint8_t *inhdr;
+ uint16_t channel_sequence;
+ struct smbXsrv_open *op;
+
+ if (!req->request_counters_updated) {
+ return;
+ }
+
+ req->request_counters_updated = false;
+
+ if (xconn->protocol < PROTOCOL_SMB3_00) {
+ return;
+ }
+
+ if (req->compat_chain_fsp == NULL) {
+ return;
+ }
+
+ op = req->compat_chain_fsp->op;
+ if (op == NULL) {
+ return;
+ }
+
+ inhdr = SMBD_SMB2_IN_HDR_PTR(req);
+ channel_sequence = SVAL(inhdr, SMB2_HDR_CHANNEL_SEQUENCE);
+
+ if ((op->global->channel_sequence == channel_sequence) &&
+ (op->global->channel_generation == req->channel_generation)) {
+ SMB_ASSERT(op->request_count > 0);
+ op->request_count -= 1;
+ } else {
+ SMB_ASSERT(op->pre_request_count > 0);
+ op->pre_request_count -= 1;
+ }
+}
+
+static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req)
+{
+ struct smbXsrv_connection *xconn = req->xconn;
+ int first_idx = 1;
+ struct iovec *firsttf = SMBD_SMB2_IDX_TF_IOV(req,out,first_idx);
+ struct iovec *outhdr = SMBD_SMB2_OUT_HDR_IOV(req);
+ struct iovec *outdyn = SMBD_SMB2_OUT_DYN_IOV(req);
+ NTSTATUS status;
+ bool ok;
+
+ req->subreq = NULL;
+ TALLOC_FREE(req->async_te);
+
+ /* MS-SMB2: 3.3.4.1 Sending Any Outgoing Message */
+ smbd_smb2_request_reply_update_counts(req);
+
+ if (req->do_encryption &&
+ (firsttf->iov_len == 0) &&
+ (!smb2_signing_key_valid(req->first_enc_key)) &&
+ (req->session != NULL) &&
+ smb2_signing_key_valid(req->session->global->encryption_key))
+ {
+ struct smb2_signing_key *encryption_key =
+ req->session->global->encryption_key;
+ uint8_t *tf;
+ uint64_t session_id = req->session->global->session_wire_id;
+ uint64_t nonce_high;
+ uint64_t nonce_low;
+
+ status = smb2_get_new_nonce(req->session,
+ &nonce_high,
+ &nonce_low);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /*
+ * We need to place the SMB2_TRANSFORM header before the
+ * first SMB2 header
+ */
+
+ /*
+ * we need to remember the encryption key
+ * and defer the signing/encryption until
+ * we are sure that we do not change
+ * the header again.
+ */
+ status = smb2_signing_key_copy(req,
+ encryption_key,
+ &req->first_enc_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ tf = talloc_zero_array(req, uint8_t,
+ SMB2_TF_HDR_SIZE);
+ if (tf == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ SIVAL(tf, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC);
+ SBVAL(tf, SMB2_TF_NONCE+0, nonce_low);
+ SBVAL(tf, SMB2_TF_NONCE+8, nonce_high);
+ SBVAL(tf, SMB2_TF_SESSION_ID, session_id);
+
+ firsttf->iov_base = (void *)tf;
+ firsttf->iov_len = SMB2_TF_HDR_SIZE;
+ }
+
+ if ((req->current_idx > SMBD_SMB2_NUM_IOV_PER_REQ) &&
+ (smb2_signing_key_valid(req->last_sign_key)) &&
+ (firsttf->iov_len == 0))
+ {
+ int last_idx = req->current_idx - SMBD_SMB2_NUM_IOV_PER_REQ;
+ struct iovec *lasthdr = SMBD_SMB2_IDX_HDR_IOV(req,out,last_idx);
+
+ /*
+ * As we are sure the header of the last request in the
+ * compound chain will not change, we can to sign here
+ * with the last signing key we remembered.
+ */
+ status = smb2_signing_sign_pdu(req->last_sign_key,
+ lasthdr,
+ SMBD_SMB2_NUM_IOV_PER_REQ - 1);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+ TALLOC_FREE(req->last_sign_key);
+
+ SMBPROFILE_IOBYTES_ASYNC_END(req->profile,
+ iov_buflen(outhdr, SMBD_SMB2_NUM_IOV_PER_REQ-1));
+
+ req->current_idx += SMBD_SMB2_NUM_IOV_PER_REQ;
+
+ if (req->current_idx < req->out.vector_count) {
+ /*
+ * We must process the remaining compound
+ * SMB2 requests before any new incoming SMB2
+ * requests. This is because incoming SMB2
+ * requests may include a cancel for a
+ * compound request we haven't processed
+ * yet.
+ */
+ struct tevent_immediate *im = tevent_create_immediate(req);
+ if (!im) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (req->do_signing && firsttf->iov_len == 0) {
+ struct smbXsrv_session *x = req->session;
+ struct smb2_signing_key *signing_key =
+ smbd_smb2_signing_key(x, xconn, NULL);
+
+ /*
+ * we need to remember the signing key
+ * and defer the signing until
+ * we are sure that we do not change
+ * the header again.
+ */
+ status = smb2_signing_key_copy(req,
+ signing_key,
+ &req->last_sign_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ /*
+ * smbd_smb2_request_dispatch() will redo the impersonation.
+ * So we use req->xconn->client->raw_ev_ctx instead
+ * of req->ev_ctx here.
+ */
+ tevent_schedule_immediate(im,
+ req->xconn->client->raw_ev_ctx,
+ smbd_smb2_request_dispatch_immediate,
+ req);
+ return NT_STATUS_OK;
+ }
+
+ if (req->compound_related) {
+ req->compound_related = false;
+ }
+
+ ok = smb2_setup_nbt_length(req->out.vector, req->out.vector_count);
+ if (!ok) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ /* Set credit for these operations (zero credits if this
+ is a final reply for an async operation). */
+ smb2_calculate_credits(req, req);
+
+ /*
+ * now check if we need to sign the current response
+ */
+ if (firsttf->iov_len == SMB2_TF_HDR_SIZE) {
+ status = smb2_signing_encrypt_pdu(req->first_enc_key,
+ firsttf,
+ req->out.vector_count - first_idx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ } else if (req->do_signing) {
+ struct smbXsrv_session *x = req->session;
+ struct smb2_signing_key *signing_key =
+ smbd_smb2_signing_key(x, xconn, NULL);
+
+ status = smb2_signing_sign_pdu(signing_key,
+ outhdr,
+ SMBD_SMB2_NUM_IOV_PER_REQ - 1);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+ TALLOC_FREE(req->first_enc_key);
+
+ if (req->preauth != NULL) {
+ gnutls_hash_hd_t hash_hnd = NULL;
+ size_t i;
+ int rc;
+
+ rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA512);
+ if (rc < 0) {
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ rc = gnutls_hash(hash_hnd,
+ req->preauth->sha512_value,
+ sizeof(req->preauth->sha512_value));
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ for (i = 1; i < req->in.vector_count; i++) {
+ rc = gnutls_hash(hash_hnd,
+ req->in.vector[i].iov_base,
+ req->in.vector[i].iov_len);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ }
+ gnutls_hash_output(hash_hnd, req->preauth->sha512_value);
+
+ rc = gnutls_hash(hash_hnd,
+ req->preauth->sha512_value,
+ sizeof(req->preauth->sha512_value));
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ for (i = 1; i < req->out.vector_count; i++) {
+ rc = gnutls_hash(hash_hnd,
+ req->out.vector[i].iov_base,
+ req->out.vector[i].iov_len);
+ if (rc < 0) {
+ gnutls_hash_deinit(hash_hnd, NULL);
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
+ }
+ }
+
+ gnutls_hash_deinit(hash_hnd, req->preauth->sha512_value);
+
+ req->preauth = NULL;
+ }
+
+ /* I am a sick, sick man... :-). Sendfile hack ... JRA. */
+ if (req->out.vector_count < (2*SMBD_SMB2_NUM_IOV_PER_REQ) &&
+ outdyn->iov_base == NULL && outdyn->iov_len != 0) {
+ /* Dynamic part is NULL. Chop it off,
+ We're going to send it via sendfile. */
+ req->out.vector_count -= 1;
+ }
+
+ /*
+ * We're done with this request -
+ * move it off the "being processed" queue.
+ */
+ DLIST_REMOVE(xconn->smb2.requests, req);
+
+ req->queue_entry.mem_ctx = req;
+ req->queue_entry.vector = req->out.vector;
+ req->queue_entry.count = req->out.vector_count;
+ DLIST_ADD_END(xconn->smb2.send_queue, &req->queue_entry);
+ xconn->smb2.send_queue_len++;
+
+ status = smbd_smb2_flush_send_queue(xconn);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS smbd_smb2_request_next_incoming(struct smbXsrv_connection *xconn);
+
+void smbd_smb2_request_dispatch_immediate(struct tevent_context *ctx,
+ struct tevent_immediate *im,
+ void *private_data)
+{
+ struct smbd_smb2_request *req = talloc_get_type_abort(private_data,
+ struct smbd_smb2_request);
+ struct smbXsrv_connection *xconn = req->xconn;
+ NTSTATUS status;
+
+ TALLOC_FREE(im);
+
+ if (DEBUGLEVEL >= 10) {
+ DEBUG(10,("smbd_smb2_request_dispatch_immediate: idx[%d] of %d vectors\n",
+ req->current_idx, req->in.vector_count));
+ print_req_vectors(req);
+ }
+
+ status = smbd_smb2_request_dispatch(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn, nt_errstr(status));
+ return;
+ }
+
+ status = smbd_smb2_request_next_incoming(xconn);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn, nt_errstr(status));
+ return;
+ }
+}
+
+NTSTATUS smbd_smb2_request_done_ex(struct smbd_smb2_request *req,
+ NTSTATUS status,
+ DATA_BLOB body, DATA_BLOB *dyn,
+ const char *location)
+{
+ uint8_t *outhdr;
+ struct iovec *outbody_v;
+ struct iovec *outdyn_v;
+ uint32_t next_command_ofs;
+ uint64_t mid;
+
+ outhdr = SMBD_SMB2_OUT_HDR_PTR(req);
+ mid = BVAL(outhdr, SMB2_HDR_MESSAGE_ID);
+
+ DBG_DEBUG("mid [%"PRIu64"] idx[%d] status[%s] "
+ "body[%u] dyn[%s:%u] at %s\n",
+ mid,
+ req->current_idx,
+ nt_errstr(status),
+ (unsigned int)body.length,
+ dyn ? "yes" : "no",
+ (unsigned int)(dyn ? dyn->length : 0),
+ location);
+
+ if (body.length < 2) {
+ return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
+ }
+
+ if ((body.length % 2) != 0) {
+ return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
+ }
+
+ outbody_v = SMBD_SMB2_OUT_BODY_IOV(req);
+ outdyn_v = SMBD_SMB2_OUT_DYN_IOV(req);
+
+ next_command_ofs = IVAL(outhdr, SMB2_HDR_NEXT_COMMAND);
+ SIVAL(outhdr, SMB2_HDR_STATUS, NT_STATUS_V(status));
+
+ outbody_v->iov_base = (void *)body.data;
+ outbody_v->iov_len = body.length;
+
+ if (dyn) {
+ outdyn_v->iov_base = (void *)dyn->data;
+ outdyn_v->iov_len = dyn->length;
+ } else {
+ outdyn_v->iov_base = NULL;
+ outdyn_v->iov_len = 0;
+ }
+
+ /*
+ * See if we need to recalculate the offset to the next response
+ *
+ * Note that all responses may require padding (including the very last
+ * one).
+ */
+ if (req->out.vector_count >= (2 * SMBD_SMB2_NUM_IOV_PER_REQ)) {
+ next_command_ofs = SMB2_HDR_BODY;
+ next_command_ofs += SMBD_SMB2_OUT_BODY_LEN(req);
+ next_command_ofs += SMBD_SMB2_OUT_DYN_LEN(req);
+ }
+
+ if ((next_command_ofs % 8) != 0) {
+ size_t pad_size = 8 - (next_command_ofs % 8);
+ if (SMBD_SMB2_OUT_DYN_LEN(req) == 0) {
+ /*
+ * if the dyn buffer is empty
+ * we can use it to add padding
+ */
+ uint8_t *pad;
+
+ pad = talloc_zero_array(req,
+ uint8_t, pad_size);
+ if (pad == NULL) {
+ return smbd_smb2_request_error(req,
+ NT_STATUS_NO_MEMORY);
+ }
+
+ outdyn_v->iov_base = (void *)pad;
+ outdyn_v->iov_len = pad_size;
+ } else {
+ /*
+ * For now we copy the dynamic buffer
+ * and add the padding to the new buffer
+ */
+ size_t old_size;
+ uint8_t *old_dyn;
+ size_t new_size;
+ uint8_t *new_dyn;
+
+ old_size = SMBD_SMB2_OUT_DYN_LEN(req);
+ old_dyn = SMBD_SMB2_OUT_DYN_PTR(req);
+
+ new_size = old_size + pad_size;
+ new_dyn = talloc_zero_array(req,
+ uint8_t, new_size);
+ if (new_dyn == NULL) {
+ return smbd_smb2_request_error(req,
+ NT_STATUS_NO_MEMORY);
+ }
+
+ memcpy(new_dyn, old_dyn, old_size);
+ memset(new_dyn + old_size, 0, pad_size);
+
+ outdyn_v->iov_base = (void *)new_dyn;
+ outdyn_v->iov_len = new_size;
+ }
+ next_command_ofs += pad_size;
+ }
+
+ if ((req->current_idx + SMBD_SMB2_NUM_IOV_PER_REQ) >= req->out.vector_count) {
+ SIVAL(outhdr, SMB2_HDR_NEXT_COMMAND, 0);
+ } else {
+ SIVAL(outhdr, SMB2_HDR_NEXT_COMMAND, next_command_ofs);
+ }
+ return smbd_smb2_request_reply(req);
+}
+
+NTSTATUS smbd_smb2_request_error_ex(struct smbd_smb2_request *req,
+ NTSTATUS status,
+ uint8_t error_context_count,
+ DATA_BLOB *info,
+ const char *location)
+{
+ struct smbXsrv_connection *xconn = req->xconn;
+ DATA_BLOB body;
+ DATA_BLOB _dyn;
+ uint8_t *outhdr = SMBD_SMB2_OUT_HDR_PTR(req);
+ size_t unread_bytes = smbd_smb2_unread_bytes(req);
+
+ DBG_NOTICE("smbd_smb2_request_error_ex: idx[%d] status[%s] |%s| "
+ "at %s\n", req->current_idx, nt_errstr(status),
+ info ? " +info" : "", location);
+
+ if (unread_bytes) {
+ /* Recvfile error. Drain incoming socket. */
+ size_t ret;
+
+ errno = 0;
+ ret = drain_socket(xconn->transport.sock, unread_bytes);
+ if (ret != unread_bytes) {
+ NTSTATUS error;
+
+ if (errno == 0) {
+ error = NT_STATUS_IO_DEVICE_ERROR;
+ } else {
+ error = map_nt_error_from_unix_common(errno);
+ }
+
+ DEBUG(2, ("Failed to drain %u bytes from SMB2 socket: "
+ "ret[%u] errno[%d] => %s\n",
+ (unsigned)unread_bytes,
+ (unsigned)ret, errno, nt_errstr(error)));
+ return error;
+ }
+ }
+
+ body.data = outhdr + SMB2_HDR_BODY;
+ body.length = 8;
+ SSVAL(body.data, 0, 9);
+ SCVAL(body.data, 2, error_context_count);
+
+ if (info) {
+ SIVAL(body.data, 0x04, info->length);
+ } else {
+ /* Allocated size of req->out.vector[i].iov_base
+ * *MUST BE* OUTVEC_ALLOC_SIZE. So we have room for
+ * 1 byte without having to do an alloc.
+ */
+ info = &_dyn;
+ info->data = ((uint8_t *)outhdr) +
+ OUTVEC_ALLOC_SIZE - 1;
+ info->length = 1;
+ SCVAL(info->data, 0, 0);
+ }
+
+ /*
+ * Note: Even if there is an error, continue to process the request.
+ * per MS-SMB2.
+ */
+
+ return smbd_smb2_request_done_ex(req, status, body, info, __location__);
+}
+
+struct smbd_smb2_break_state {
+ struct tevent_req *req;
+ struct smbd_smb2_send_queue queue_entry;
+ uint8_t nbt_hdr[NBT_HDR_SIZE];
+ uint8_t hdr[SMB2_HDR_BODY];
+ struct iovec vector[1+SMBD_SMB2_NUM_IOV_PER_REQ];
+};
+
+static struct tevent_req *smbd_smb2_break_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct smbXsrv_connection *xconn,
+ uint64_t session_id,
+ const uint8_t *body,
+ size_t body_len)
+{
+ struct tevent_req *req = NULL;
+ struct smbd_smb2_break_state *state = NULL;
+ NTSTATUS status;
+ bool ok;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct smbd_smb2_break_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->req = req;
+ tevent_req_defer_callback(req, ev);
+
+ SIVAL(state->hdr, 0, SMB2_MAGIC);
+ SSVAL(state->hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
+ SSVAL(state->hdr, SMB2_HDR_EPOCH, 0);
+ SIVAL(state->hdr, SMB2_HDR_STATUS, 0);
+ SSVAL(state->hdr, SMB2_HDR_OPCODE, SMB2_OP_BREAK);
+ SSVAL(state->hdr, SMB2_HDR_CREDIT, 0);
+ SIVAL(state->hdr, SMB2_HDR_FLAGS, SMB2_HDR_FLAG_REDIRECT);
+ SIVAL(state->hdr, SMB2_HDR_NEXT_COMMAND, 0);
+ SBVAL(state->hdr, SMB2_HDR_MESSAGE_ID, UINT64_MAX);
+ SIVAL(state->hdr, SMB2_HDR_PID, 0);
+ SIVAL(state->hdr, SMB2_HDR_TID, 0);
+ SBVAL(state->hdr, SMB2_HDR_SESSION_ID, session_id);
+ memset(state->hdr+SMB2_HDR_SIGNATURE, 0, 16);
+
+ state->vector[0] = (struct iovec) {
+ .iov_base = state->nbt_hdr,
+ .iov_len = sizeof(state->nbt_hdr)
+ };
+
+ state->vector[1+SMBD_SMB2_TF_IOV_OFS] = (struct iovec) {
+ .iov_base = NULL,
+ .iov_len = 0
+ };
+
+ state->vector[1+SMBD_SMB2_HDR_IOV_OFS] = (struct iovec) {
+ .iov_base = state->hdr,
+ .iov_len = sizeof(state->hdr)
+ };
+
+ state->vector[1+SMBD_SMB2_BODY_IOV_OFS] = (struct iovec) {
+ .iov_base = discard_const_p(uint8_t, body),
+ .iov_len = body_len,
+ };
+
+ /*
+ * state->vector[1+SMBD_SMB2_DYN_IOV_OFS] is NULL by talloc_zero above
+ */
+
+ ok = smb2_setup_nbt_length(state->vector,
+ 1 + SMBD_SMB2_NUM_IOV_PER_REQ);
+ if (!ok) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
+ }
+
+ /*
+ * We require TCP acks for this PDU to the client!
+ * We want 5 retransmissions and timeout when the
+ * retransmission timeout (rto) passed 6 times.
+ *
+ * required_acked_bytes gets a dummy value of
+ * UINT64_MAX, as long it's in xconn->smb2.send_queue,
+ * it'll get the real value when it's moved to
+ * xconn->ack.queue.
+ *
+ * state->queue_entry.ack.req gets completed with
+ * 1. tevent_req_done(), when all bytes are acked.
+ * 2a. tevent_req_nterror(NT_STATUS_IO_TIMEOUT), when
+ * the timeout expired before all bytes were acked.
+ * 2b. tevent_req_nterror(transport_error), when the
+ * connection got a disconnect from the kernel.
+ */
+ state->queue_entry.ack.timeout =
+ timeval_current_ofs_usec(xconn->ack.rto_usecs * 6);
+ state->queue_entry.ack.required_acked_bytes = UINT64_MAX;
+ state->queue_entry.ack.req = req;
+ state->queue_entry.mem_ctx = state;
+ state->queue_entry.vector = state->vector;
+ state->queue_entry.count = ARRAY_SIZE(state->vector);
+ DLIST_ADD_END(xconn->smb2.send_queue, &state->queue_entry);
+ xconn->smb2.send_queue_len++;
+
+ status = smbd_smb2_flush_send_queue(xconn);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static NTSTATUS smbd_smb2_break_recv(struct tevent_req *req)
+{
+ return tevent_req_simple_recv_ntstatus(req);
+}
+
+struct smbXsrv_pending_break {
+ struct smbXsrv_pending_break *prev, *next;
+ struct smbXsrv_client *client;
+ bool disable_oplock_break_retries;
+ uint64_t session_id;
+ uint64_t last_channel_id;
+ union {
+ uint8_t generic[1];
+ uint8_t oplock[0x18];
+ uint8_t lease[0x2c];
+ } body;
+ size_t body_len;
+};
+
+static void smbXsrv_pending_break_done(struct tevent_req *subreq);
+
+static struct smbXsrv_pending_break *smbXsrv_pending_break_create(
+ struct smbXsrv_client *client,
+ uint64_t session_id)
+{
+ struct smbXsrv_pending_break *pb = NULL;
+
+ pb = talloc_zero(client, struct smbXsrv_pending_break);
+ if (pb == NULL) {
+ return NULL;
+ }
+ pb->client = client;
+ pb->session_id = session_id;
+ pb->disable_oplock_break_retries = lp_smb2_disable_oplock_break_retry();
+
+ return pb;
+}
+
+static NTSTATUS smbXsrv_pending_break_submit(struct smbXsrv_pending_break *pb);
+
+static NTSTATUS smbXsrv_pending_break_schedule(struct smbXsrv_pending_break *pb)
+{
+ struct smbXsrv_client *client = pb->client;
+ NTSTATUS status;
+
+ DLIST_ADD_END(client->pending_breaks, pb);
+ status = smbXsrv_client_pending_breaks_updated(client);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = smbXsrv_pending_break_submit(pb);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS smbXsrv_pending_break_submit(struct smbXsrv_pending_break *pb)
+{
+ struct smbXsrv_client *client = pb->client;
+ struct smbXsrv_session *session = NULL;
+ struct smbXsrv_connection *xconn = NULL;
+ struct smbXsrv_connection *oplock_xconn = NULL;
+ struct tevent_req *subreq = NULL;
+ NTSTATUS status;
+
+ if (pb->session_id != 0) {
+ status = get_valid_smbXsrv_session(client,
+ pb->session_id,
+ &session);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
+ return NT_STATUS_ABANDONED;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (pb->last_channel_id != 0) {
+ /*
+ * This is what current Windows servers
+ * do, they don't retry on all available
+ * channels. They only use the last channel.
+ *
+ * But it doesn't match the specification in
+ * [MS-SMB2] "3.3.4.6 Object Store Indicates an
+ * Oplock Break"
+ *
+ * Per default disable_oplock_break_retries is false
+ * and we behave like the specification.
+ */
+ if (pb->disable_oplock_break_retries) {
+ return NT_STATUS_ABANDONED;
+ }
+ }
+ }
+
+ for (xconn = client->connections; xconn != NULL; xconn = xconn->next) {
+ if (!NT_STATUS_IS_OK(xconn->transport.status)) {
+ continue;
+ }
+
+ if (xconn->channel_id == 0) {
+ /*
+ * non-multichannel case
+ */
+ break;
+ }
+
+ if (session != NULL) {
+ struct smbXsrv_channel_global0 *c = NULL;
+
+ /*
+ * Having a session means we're handling
+ * an oplock break and we only need to
+ * use channels available on the
+ * session.
+ */
+ status = smbXsrv_session_find_channel(session, xconn, &c);
+ if (!NT_STATUS_IS_OK(status)) {
+ continue;
+ }
+
+ /*
+ * This is what current Windows servers
+ * do, they don't retry on all available
+ * channels. They only use the last channel.
+ *
+ * But it doesn't match the specification
+ * in [MS-SMB2] "3.3.4.6 Object Store Indicates an
+ * Oplock Break"
+ *
+ * Per default disable_oplock_break_retries is false
+ * and we behave like the specification.
+ */
+ if (pb->disable_oplock_break_retries) {
+ oplock_xconn = xconn;
+ continue;
+ }
+ }
+
+ if (xconn->channel_id > pb->last_channel_id) {
+ /*
+ * multichannel case
+ */
+ break;
+ }
+ }
+
+ if (xconn == NULL) {
+ xconn = oplock_xconn;
+ }
+
+ if (xconn == NULL) {
+ /*
+ * If there's no remaining connection available
+ * tell the caller to stop...
+ */
+ return NT_STATUS_ABANDONED;
+ }
+
+ pb->last_channel_id = xconn->channel_id;
+
+ subreq = smbd_smb2_break_send(pb,
+ client->raw_ev_ctx,
+ xconn,
+ pb->session_id,
+ pb->body.generic,
+ pb->body_len);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ tevent_req_set_callback(subreq,
+ smbXsrv_pending_break_done,
+ pb);
+
+ return NT_STATUS_OK;
+}
+
+static void smbXsrv_pending_break_done(struct tevent_req *subreq)
+{
+ struct smbXsrv_pending_break *pb =
+ tevent_req_callback_data(subreq,
+ struct smbXsrv_pending_break);
+ struct smbXsrv_client *client = pb->client;
+ NTSTATUS status;
+
+ status = smbd_smb2_break_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ status = smbXsrv_pending_break_submit(pb);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ABANDONED)) {
+ /*
+ * If there's no remaining connection
+ * there's no need to send a break again.
+ */
+ goto remove;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_disconnect_client(client, nt_errstr(status));
+ return;
+ }
+ return;
+ }
+
+remove:
+ DLIST_REMOVE(client->pending_breaks, pb);
+ TALLOC_FREE(pb);
+
+ status = smbXsrv_client_pending_breaks_updated(client);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_disconnect_client(client, nt_errstr(status));
+ return;
+ }
+}
+
+NTSTATUS smbd_smb2_send_oplock_break(struct smbXsrv_client *client,
+ struct smbXsrv_open *op,
+ uint8_t oplock_level)
+{
+ struct smbXsrv_pending_break *pb = NULL;
+ uint8_t *body = NULL;
+
+ pb = smbXsrv_pending_break_create(client,
+ op->compat->vuid);
+ if (pb == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ pb->body_len = sizeof(pb->body.oplock);
+ body = pb->body.oplock;
+
+ SSVAL(body, 0x00, pb->body_len);
+ SCVAL(body, 0x02, oplock_level);
+ SCVAL(body, 0x03, 0); /* reserved */
+ SIVAL(body, 0x04, 0); /* reserved */
+ SBVAL(body, 0x08, op->global->open_persistent_id);
+ SBVAL(body, 0x10, op->global->open_volatile_id);
+
+ return smbXsrv_pending_break_schedule(pb);
+}
+
+NTSTATUS smbd_smb2_send_lease_break(struct smbXsrv_client *client,
+ uint16_t new_epoch,
+ uint32_t lease_flags,
+ struct smb2_lease_key *lease_key,
+ uint32_t current_lease_state,
+ uint32_t new_lease_state)
+{
+ struct smbXsrv_pending_break *pb = NULL;
+ uint8_t *body = NULL;
+
+ pb = smbXsrv_pending_break_create(client,
+ 0); /* no session_id */
+ if (pb == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ pb->body_len = sizeof(pb->body.lease);
+ body = pb->body.lease;
+
+ SSVAL(body, 0x00, pb->body_len);
+ SSVAL(body, 0x02, new_epoch);
+ SIVAL(body, 0x04, lease_flags);
+ SBVAL(body, 0x08, lease_key->data[0]);
+ SBVAL(body, 0x10, lease_key->data[1]);
+ SIVAL(body, 0x18, current_lease_state);
+ SIVAL(body, 0x1c, new_lease_state);
+ SIVAL(body, 0x20, 0); /* BreakReason, MUST be 0 */
+ SIVAL(body, 0x24, 0); /* AccessMaskHint, MUST be 0 */
+ SIVAL(body, 0x28, 0); /* ShareMaskHint, MUST be 0 */
+
+ return smbXsrv_pending_break_schedule(pb);
+}
+
+static bool is_smb2_recvfile_write(struct smbd_smb2_request_read_state *state)
+{
+ NTSTATUS status;
+ uint32_t flags;
+ uint64_t file_id_persistent;
+ uint64_t file_id_volatile;
+ struct smbXsrv_open *op = NULL;
+ struct files_struct *fsp = NULL;
+ const uint8_t *body = NULL;
+
+ /*
+ * This is only called with a pktbuf
+ * of at least SMBD_SMB2_SHORT_RECEIVEFILE_WRITE_LEN
+ * bytes
+ */
+
+ if (IVAL(state->pktbuf, 0) == SMB2_TF_MAGIC) {
+ /* Transform header. Cannot recvfile. */
+ return false;
+ }
+ if (IVAL(state->pktbuf, 0) != SMB2_MAGIC) {
+ /* Not SMB2. Normal error path will cope. */
+ return false;
+ }
+ if (SVAL(state->pktbuf, 4) != SMB2_HDR_BODY) {
+ /* Not SMB2. Normal error path will cope. */
+ return false;
+ }
+ if (SVAL(state->pktbuf, SMB2_HDR_OPCODE) != SMB2_OP_WRITE) {
+ /* Needs to be a WRITE. */
+ return false;
+ }
+ if (IVAL(state->pktbuf, SMB2_HDR_NEXT_COMMAND) != 0) {
+ /* Chained. Cannot recvfile. */
+ return false;
+ }
+ flags = IVAL(state->pktbuf, SMB2_HDR_FLAGS);
+ if (flags & SMB2_HDR_FLAG_CHAINED) {
+ /* Chained. Cannot recvfile. */
+ return false;
+ }
+ if (flags & SMB2_HDR_FLAG_SIGNED) {
+ /* Signed. Cannot recvfile. */
+ return false;
+ }
+
+ body = &state->pktbuf[SMB2_HDR_BODY];
+
+ file_id_persistent = BVAL(body, 0x10);
+ file_id_volatile = BVAL(body, 0x18);
+
+ status = smb2srv_open_lookup(state->req->xconn,
+ file_id_persistent,
+ file_id_volatile,
+ 0, /* now */
+ &op);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ fsp = op->compat;
+ if (fsp == NULL) {
+ return false;
+ }
+ if (fsp->conn == NULL) {
+ return false;
+ }
+
+ if (IS_IPC(fsp->conn)) {
+ return false;
+ }
+ if (IS_PRINT(fsp->conn)) {
+ return false;
+ }
+ if (fsp_is_alternate_stream(fsp)) {
+ return false;
+ }
+
+ DEBUG(10,("Doing recvfile write len = %u\n",
+ (unsigned int)(state->pktfull - state->pktlen)));
+
+ return true;
+}
+
+static NTSTATUS smbd_smb2_request_next_incoming(struct smbXsrv_connection *xconn)
+{
+ struct smbd_smb2_request_read_state *state = &xconn->smb2.request_read_state;
+ struct smbd_smb2_request *req = NULL;
+ size_t max_send_queue_len;
+ size_t cur_send_queue_len;
+
+ if (!NT_STATUS_IS_OK(xconn->transport.status)) {
+ /*
+ * we're not supposed to do any io
+ */
+ return NT_STATUS_OK;
+ }
+
+ if (state->req != NULL) {
+ /*
+ * if there is already a tstream_readv_pdu
+ * pending, we are done.
+ */
+ return NT_STATUS_OK;
+ }
+
+ max_send_queue_len = MAX(1, xconn->smb2.credits.max/16);
+ cur_send_queue_len = xconn->smb2.send_queue_len;
+
+ if (cur_send_queue_len > max_send_queue_len) {
+ /*
+ * if we have a lot of requests to send,
+ * we wait until they are on the wire until we
+ * ask for the next request.
+ */
+ return NT_STATUS_OK;
+ }
+
+ /* ask for the next request */
+ req = smbd_smb2_request_allocate(xconn);
+ if (req == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ *state = (struct smbd_smb2_request_read_state) {
+ .req = req,
+ .min_recv_size = lp_min_receive_file_size(),
+ ._vector = {
+ [0] = (struct iovec) {
+ .iov_base = (void *)state->hdr.nbt,
+ .iov_len = NBT_HDR_SIZE,
+ },
+ },
+ .vector = state->_vector,
+ .count = 1,
+ };
+
+ TEVENT_FD_READABLE(xconn->transport.fde);
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS smbd_smb2_process_negprot(struct smbXsrv_connection *xconn,
+ uint64_t expected_seq_low,
+ const uint8_t *inpdu, size_t size)
+{
+ struct smbd_server_connection *sconn = xconn->client->sconn;
+ NTSTATUS status;
+ struct smbd_smb2_request *req = NULL;
+
+ DEBUG(10,("smbd_smb2_first_negprot: packet length %u\n",
+ (unsigned int)size));
+
+ status = smbd_initialize_smb2(xconn, expected_seq_low);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn, nt_errstr(status));
+ return status;
+ }
+
+ /*
+ * If a new connection joins the process, when we're
+ * already in a "pending break cycle", we need to
+ * turn on the ack checker on the new connection.
+ */
+ status = smbXsrv_client_pending_breaks_updated(xconn->client);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * If there's a problem, we disconnect the whole
+ * client with all connections here!
+ *
+ * Instead of just the new connection.
+ */
+ smbd_server_disconnect_client(xconn->client, nt_errstr(status));
+ return status;
+ }
+
+ status = smbd_smb2_request_create(xconn, inpdu, size, &req);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn, nt_errstr(status));
+ return status;
+ }
+
+ status = smbd_smb2_request_validate(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn, nt_errstr(status));
+ return status;
+ }
+
+ status = smbd_smb2_request_setup_out(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn, nt_errstr(status));
+ return status;
+ }
+
+#ifdef WITH_PROFILE
+ /*
+ * this was already counted at the SMB1 layer =>
+ * smbd_smb2_request_dispatch() should not count it twice.
+ */
+ if (profile_p->values.request_stats.count > 0) {
+ profile_p->values.request_stats.count--;
+ }
+#endif
+ status = smbd_smb2_request_dispatch(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn, nt_errstr(status));
+ return status;
+ }
+
+ status = smbd_smb2_request_next_incoming(xconn);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn, nt_errstr(status));
+ return status;
+ }
+
+ sconn->num_requests++;
+ return NT_STATUS_OK;
+}
+
+static int socket_error_from_errno(int ret,
+ int sys_errno,
+ bool *retry)
+{
+ *retry = false;
+
+ if (ret >= 0) {
+ return 0;
+ }
+
+ if (ret != -1) {
+ return EIO;
+ }
+
+ if (sys_errno == 0) {
+ return EIO;
+ }
+
+ if (sys_errno == EINTR) {
+ *retry = true;
+ return sys_errno;
+ }
+
+ if (sys_errno == EINPROGRESS) {
+ *retry = true;
+ return sys_errno;
+ }
+
+ if (sys_errno == EAGAIN) {
+ *retry = true;
+ return sys_errno;
+ }
+
+ /* ENOMEM is retryable on Solaris/illumos, and possibly other systems. */
+ if (sys_errno == ENOMEM) {
+ *retry = true;
+ return sys_errno;
+ }
+
+#ifdef EWOULDBLOCK
+#if EWOULDBLOCK != EAGAIN
+ if (sys_errno == EWOULDBLOCK) {
+ *retry = true;
+ return sys_errno;
+ }
+#endif
+#endif
+
+ return sys_errno;
+}
+
+static NTSTATUS smbd_smb2_advance_send_queue(struct smbXsrv_connection *xconn,
+ struct smbd_smb2_send_queue **_e,
+ size_t n)
+{
+ struct smbd_smb2_send_queue *e = *_e;
+ bool ok;
+
+ xconn->ack.unacked_bytes += n;
+
+ ok = iov_advance(&e->vector, &e->count, n);
+ if (!ok) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (e->count > 0) {
+ return NT_STATUS_RETRY;
+ }
+
+ xconn->smb2.send_queue_len--;
+ DLIST_REMOVE(xconn->smb2.send_queue, e);
+
+ if (e->ack.req == NULL) {
+ *_e = NULL;
+ talloc_free(e->mem_ctx);
+ return NT_STATUS_OK;
+ }
+
+ e->ack.required_acked_bytes = xconn->ack.unacked_bytes;
+ DLIST_ADD_END(xconn->ack.queue, e);
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS smbd_smb2_flush_with_sendmsg(struct smbXsrv_connection *xconn)
+{
+ int ret;
+ int err;
+ bool retry;
+ NTSTATUS status;
+
+ if (xconn->smb2.send_queue == NULL) {
+ TEVENT_FD_NOT_WRITEABLE(xconn->transport.fde);
+ return NT_STATUS_OK;
+ }
+
+ while (xconn->smb2.send_queue != NULL) {
+ struct smbd_smb2_send_queue *e = xconn->smb2.send_queue;
+ unsigned sendmsg_flags = 0;
+
+ if (!NT_STATUS_IS_OK(xconn->transport.status)) {
+ /*
+ * we're not supposed to do any io
+ * just flush all pending stuff.
+ */
+ xconn->smb2.send_queue_len--;
+ DLIST_REMOVE(xconn->smb2.send_queue, e);
+
+ talloc_free(e->mem_ctx);
+ continue;
+ }
+
+ if (e->sendfile_header != NULL) {
+ size_t size = 0;
+ size_t i = 0;
+ uint8_t *buf;
+
+ status = NT_STATUS_INTERNAL_ERROR;
+
+ for (i=0; i < e->count; i++) {
+ size += e->vector[i].iov_len;
+ }
+
+ if (size <= e->sendfile_header->length) {
+ buf = e->sendfile_header->data;
+ } else {
+ buf = talloc_array(e->mem_ctx, uint8_t, size);
+ if (buf == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ size = 0;
+ for (i=0; i < e->count; i++) {
+ memcpy(buf+size,
+ e->vector[i].iov_base,
+ e->vector[i].iov_len);
+ size += e->vector[i].iov_len;
+ }
+
+ e->sendfile_header->data = buf;
+ e->sendfile_header->length = size;
+ e->sendfile_status = &status;
+ e->count = 0;
+
+ xconn->smb2.send_queue_len--;
+ DLIST_REMOVE(xconn->smb2.send_queue, e);
+
+ size += e->sendfile_body_size;
+
+ /*
+ * This triggers the sendfile path via
+ * the destructor.
+ */
+ talloc_free(e->mem_ctx);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ smbXsrv_connection_disconnect_transport(xconn,
+ status);
+ return status;
+ }
+ xconn->ack.unacked_bytes += size;
+ continue;
+ }
+
+ e->msg = (struct msghdr) {
+ .msg_iov = e->vector,
+ .msg_iovlen = e->count,
+ };
+
+#ifdef MSG_NOSIGNAL
+ sendmsg_flags |= MSG_NOSIGNAL;
+#endif
+#ifdef MSG_DONTWAIT
+ sendmsg_flags |= MSG_DONTWAIT;
+#endif
+
+ ret = sendmsg(xconn->transport.sock, &e->msg, sendmsg_flags);
+ if (ret == 0) {
+ /* propagate end of file */
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ err = socket_error_from_errno(ret, errno, &retry);
+ if (retry) {
+ /* retry later */
+ TEVENT_FD_WRITEABLE(xconn->transport.fde);
+ return NT_STATUS_OK;
+ }
+ if (err != 0) {
+ status = map_nt_error_from_unix_common(err);
+ smbXsrv_connection_disconnect_transport(xconn,
+ status);
+ return status;
+ }
+
+ status = smbd_smb2_advance_send_queue(xconn, &e, ret);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
+ /* retry later */
+ TEVENT_FD_WRITEABLE(xconn->transport.fde);
+ return NT_STATUS_OK;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ smbXsrv_connection_disconnect_transport(xconn,
+ status);
+ return status;
+ }
+ }
+
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+}
+
+static NTSTATUS smbd_smb2_flush_send_queue(struct smbXsrv_connection *xconn)
+{
+ NTSTATUS status;
+
+ status = smbd_smb2_flush_with_sendmsg(xconn);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ return status;
+ }
+
+ /*
+ * Restart reads if we were blocked on
+ * draining the send queue.
+ */
+
+ status = smbd_smb2_request_next_incoming(xconn);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS smbd_smb2_advance_incoming(struct smbXsrv_connection *xconn, size_t n)
+{
+ struct smbd_server_connection *sconn = xconn->client->sconn;
+ struct smbd_smb2_request_read_state *state = &xconn->smb2.request_read_state;
+ struct smbd_smb2_request *req = NULL;
+ size_t min_recvfile_size = UINT32_MAX;
+ NTSTATUS status;
+ NTTIME now;
+ bool ok;
+
+ ok = iov_advance(&state->vector, &state->count, n);
+ if (!ok) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (state->count > 0) {
+ return NT_STATUS_PENDING;
+ }
+
+ if (state->pktlen > 0) {
+ if (!state->doing_receivefile) {
+ /*
+ * we have all the data.
+ */
+ goto got_full;
+ }
+
+ if (!is_smb2_recvfile_write(state)) {
+ size_t ofs = state->pktlen;
+
+ /*
+ * Not a possible receivefile write.
+ * Read the rest of the data.
+ */
+ state->doing_receivefile = false;
+
+ state->pktbuf = talloc_realloc(state->req,
+ state->pktbuf,
+ uint8_t,
+ state->pktfull);
+ if (state->pktbuf == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->_vector[0] = (struct iovec) {
+ .iov_base = (void *)(state->pktbuf + ofs),
+ .iov_len = (state->pktfull - ofs),
+ };
+ state->vector = state->_vector;
+ state->count = 1;
+
+ state->pktlen = state->pktfull;
+ return NT_STATUS_RETRY;
+ }
+
+ /*
+ * This is a receivefile write so we've
+ * done a short read.
+ */
+ goto got_full;
+ }
+
+ /*
+ * Now we analyze the NBT header
+ */
+ if (state->hdr.nbt[0] != 0x00) {
+ state->min_recv_size = 0;
+ }
+ state->pktfull = smb2_len(state->hdr.nbt);
+ if (state->pktfull == 0) {
+ goto got_full;
+ }
+
+ if (state->min_recv_size != 0) {
+ min_recvfile_size = SMBD_SMB2_SHORT_RECEIVEFILE_WRITE_LEN;
+ min_recvfile_size += state->min_recv_size;
+ }
+
+ if (state->pktfull > min_recvfile_size) {
+ /*
+ * Might be a receivefile write. Read the SMB2 HEADER +
+ * SMB2_WRITE header first. Set 'doing_receivefile'
+ * as we're *attempting* receivefile write. If this
+ * turns out not to be a SMB2_WRITE request or otherwise
+ * not suitable then we'll just read the rest of the data
+ * the next time this function is called.
+ */
+ state->pktlen = SMBD_SMB2_SHORT_RECEIVEFILE_WRITE_LEN;
+ state->doing_receivefile = true;
+ } else {
+ state->pktlen = state->pktfull;
+ }
+
+ state->pktbuf = talloc_array(state->req, uint8_t, state->pktlen);
+ if (state->pktbuf == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->_vector[0] = (struct iovec) {
+ .iov_base = (void *)state->pktbuf,
+ .iov_len = state->pktlen,
+ };
+ state->vector = state->_vector;
+ state->count = 1;
+
+ return NT_STATUS_RETRY;
+
+got_full:
+
+ if (state->hdr.nbt[0] != 0x00) {
+ DEBUG(1,("ignore NBT[0x%02X] msg\n",
+ state->hdr.nbt[0]));
+
+ req = state->req;
+ *state = (struct smbd_smb2_request_read_state) {
+ .req = req,
+ .min_recv_size = lp_min_receive_file_size(),
+ ._vector = {
+ [0] = (struct iovec) {
+ .iov_base = (void *)state->hdr.nbt,
+ .iov_len = NBT_HDR_SIZE,
+ },
+ },
+ .vector = state->_vector,
+ .count = 1,
+ };
+ return NT_STATUS_RETRY;
+ }
+
+ req = state->req;
+
+ req->request_time = timeval_current();
+ now = timeval_to_nttime(&req->request_time);
+
+ status = smbd_smb2_inbuf_parse_compound(xconn,
+ now,
+ state->pktbuf,
+ state->pktlen,
+ req,
+ &req->in.vector,
+ &req->in.vector_count);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (state->doing_receivefile) {
+ req->smb1req = talloc_zero(req, struct smb_request);
+ if (req->smb1req == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ req->smb1req->unread_bytes = state->pktfull - state->pktlen;
+ }
+
+ *state = (struct smbd_smb2_request_read_state) {
+ .req = NULL,
+ };
+
+ req->current_idx = 1;
+
+ DEBUG(10,("smbd_smb2_request idx[%d] of %d vectors\n",
+ req->current_idx, req->in.vector_count));
+
+ status = smbd_smb2_request_validate(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = smbd_smb2_request_setup_out(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = smbd_smb2_request_dispatch(req);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ sconn->num_requests++;
+
+ /* The timeout_processing function isn't run nearly
+ often enough to implement 'max log size' without
+ overrunning the size of the file by many megabytes.
+ This is especially true if we are running at debug
+ level 10. Checking every 50 SMB2s is a nice
+ tradeoff of performance vs log file size overrun. */
+
+ if ((sconn->num_requests % 50) == 0 &&
+ need_to_check_log_size()) {
+ change_to_root_user();
+ check_log_size();
+ }
+
+ status = smbd_smb2_request_next_incoming(xconn);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS smbd_smb2_io_handler(struct smbXsrv_connection *xconn,
+ uint16_t fde_flags)
+{
+ struct smbd_smb2_request_read_state *state = &xconn->smb2.request_read_state;
+ unsigned recvmsg_flags = 0;
+ int ret;
+ int err;
+ bool retry;
+ NTSTATUS status;
+
+ if (!NT_STATUS_IS_OK(xconn->transport.status)) {
+ /*
+ * we're not supposed to do any io
+ */
+ TEVENT_FD_NOT_READABLE(xconn->transport.fde);
+ TEVENT_FD_NOT_WRITEABLE(xconn->transport.fde);
+ TEVENT_FD_NOT_WANTERROR(xconn->transport.fde);
+ return NT_STATUS_OK;
+ }
+
+ if (fde_flags & TEVENT_FD_ERROR) {
+ ret = samba_socket_poll_or_sock_error(xconn->transport.sock);
+ if (ret == -1) {
+ err = errno;
+ status = map_nt_error_from_unix_common(err);
+ smbXsrv_connection_disconnect_transport(xconn,
+ status);
+ return status;
+ }
+ /* This should not happen */
+ status = NT_STATUS_REMOTE_DISCONNECT;
+ smbXsrv_connection_disconnect_transport(xconn,
+ status);
+ return status;
+ }
+
+ if (fde_flags & TEVENT_FD_WRITE) {
+ status = smbd_smb2_flush_send_queue(xconn);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ if (!(fde_flags & TEVENT_FD_READ)) {
+ return NT_STATUS_OK;
+ }
+
+ if (state->req == NULL) {
+ TEVENT_FD_NOT_READABLE(xconn->transport.fde);
+ return NT_STATUS_OK;
+ }
+
+again:
+
+ state->msg = (struct msghdr) {
+ .msg_iov = state->vector,
+ .msg_iovlen = state->count,
+ };
+
+#ifdef MSG_NOSIGNAL
+ recvmsg_flags |= MSG_NOSIGNAL;
+#endif
+#ifdef MSG_DONTWAIT
+ recvmsg_flags |= MSG_DONTWAIT;
+#endif
+
+ ret = recvmsg(xconn->transport.sock, &state->msg, recvmsg_flags);
+ if (ret == 0) {
+ /* propagate end of file */
+ status = NT_STATUS_END_OF_FILE;
+ smbXsrv_connection_disconnect_transport(xconn,
+ status);
+ return status;
+ }
+ err = socket_error_from_errno(ret, errno, &retry);
+ if (retry) {
+ /* retry later */
+ TEVENT_FD_READABLE(xconn->transport.fde);
+ return NT_STATUS_OK;
+ }
+ if (err != 0) {
+ status = map_nt_error_from_unix_common(err);
+ smbXsrv_connection_disconnect_transport(xconn,
+ status);
+ return status;
+ }
+
+ status = smbd_smb2_advance_incoming(xconn, ret);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_PENDING)) {
+ /* we have more to read */
+ TEVENT_FD_READABLE(xconn->transport.fde);
+ return NT_STATUS_OK;
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
+ /*
+ * smbd_smb2_advance_incoming setup a new vector
+ * that we should try to read immediately.
+ */
+ goto again;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static void smbd_smb2_connection_handler(struct tevent_context *ev,
+ struct tevent_fd *fde,
+ uint16_t flags,
+ void *private_data)
+{
+ struct smbXsrv_connection *xconn =
+ talloc_get_type_abort(private_data,
+ struct smbXsrv_connection);
+ NTSTATUS status;
+
+ status = smbd_smb2_io_handler(xconn, flags);
+ if (!NT_STATUS_IS_OK(status)) {
+ smbd_server_connection_terminate(xconn, nt_errstr(status));
+ return;
+ }
+}