From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- source3/smbd/smb1_reply.c | 7178 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 7178 insertions(+) create mode 100644 source3/smbd/smb1_reply.c (limited to 'source3/smbd/smb1_reply.c') diff --git a/source3/smbd/smb1_reply.c b/source3/smbd/smb1_reply.c new file mode 100644 index 0000000..b2f317a --- /dev/null +++ b/source3/smbd/smb1_reply.c @@ -0,0 +1,7178 @@ +/* + Unix SMB/CIFS implementation. + Main SMB reply routines + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Andrew Bartlett 2001 + Copyright (C) Jeremy Allison 1992-2007. + Copyright (C) Volker Lendecke 2007 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + This file handles most of the reply_ calls that the server + makes to handle specific protocols +*/ + +#include "includes.h" +#include "libsmb/namequery.h" +#include "system/filesys.h" +#include "printing.h" +#include "locking/share_mode_lock.h" +#include "smbd/smbd.h" +#include "smbd/globals.h" +#include "smbd/smbXsrv_open.h" +#include "fake_file.h" +#include "rpc_client/rpc_client.h" +#include "../librpc/gen_ndr/ndr_spoolss_c.h" +#include "rpc_client/cli_spoolss.h" +#include "rpc_client/init_spoolss.h" +#include "rpc_server/rpc_ncacn_np.h" +#include "libcli/security/security.h" +#include "libsmb/nmblib.h" +#include "auth.h" +#include "smbprofile.h" +#include "../lib/tsocket/tsocket.h" +#include "lib/util/tevent_ntstatus.h" +#include "libcli/smb/smb_signing.h" +#include "lib/util/sys_rw_data.h" +#include "librpc/gen_ndr/open_files.h" +#include "libcli/smb/smb2_posix.h" +#include "lib/util/string_wrappers.h" +#include "source3/printing/rap_jobid.h" +#include "source3/lib/substitute.h" +#include "source3/smbd/dir.h" + +/**************************************************************************** + Check if we have a correct fsp pointing to a file. Basic check for open fsp. +****************************************************************************/ + +bool check_fsp_open(connection_struct *conn, struct smb_request *req, + files_struct *fsp) +{ + if ((fsp == NULL) || (conn == NULL)) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + return false; + } + if ((conn != fsp->conn) || (req->vuid != fsp->vuid)) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + return false; + } + return true; +} + +/**************************************************************************** + SMB1 version of smb2_strip_dfs_path() + Differs from SMB2 in that all Windows path separator '\' characters + have already been converted to '/' by check_path_syntax(). +****************************************************************************/ + +NTSTATUS smb1_strip_dfs_path(TALLOC_CTX *mem_ctx, + uint32_t *_ucf_flags, + char **in_path) +{ + uint32_t ucf_flags = *_ucf_flags; + char *path = *in_path; + char *return_path = NULL; + + if (!(ucf_flags & UCF_DFS_PATHNAME)) { + return NT_STATUS_OK; + } + + /* Strip any leading '/' characters - MacOSX client behavior. */ + while (*path == '/') { + path++; + } + + /* We should now be pointing at the server name. Go past it. */ + for (;;) { + if (*path == '\0') { + /* End of complete path. Exit OK. */ + goto done; + } + if (*path == '/') { + /* End of server name. Go past and break. */ + path++; + break; + } + path++; /* Continue looking for end of server name or string. */ + } + + /* We should now be pointing at the share name. Go past it. */ + for (;;) { + if (*path == '\0') { + /* End of complete path. Exit OK. */ + goto done; + } + if (*path == '/') { + /* End of share name. Go past and break. */ + path++; + break; + } + if (*path == ':') { + /* Only invalid character in sharename. */ + return NT_STATUS_OBJECT_NAME_INVALID; + } + path++; /* Continue looking for end of share name or string. */ + } + + done: + /* path now points at the start of the real filename (if any). */ + /* Duplicate it first. */ + return_path = talloc_strdup(mem_ctx, path); + if (return_path == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* Now we can free the original (path points to part of this). */ + TALLOC_FREE(*in_path); + + *in_path = return_path; + ucf_flags &= ~UCF_DFS_PATHNAME; + *_ucf_flags = ucf_flags; + return NT_STATUS_OK; +} + +/**************************************************************************** + Check if we have a correct fsp pointing to a file. +****************************************************************************/ + +bool check_fsp(connection_struct *conn, struct smb_request *req, + files_struct *fsp) +{ + if (!check_fsp_open(conn, req, fsp)) { + return false; + } + if (fsp->fsp_flags.is_directory) { + reply_nterror(req, NT_STATUS_INVALID_DEVICE_REQUEST); + return false; + } + if (fsp_get_pathref_fd(fsp) == -1) { + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + return false; + } + fsp->num_smb_operations++; + return true; +} + +/**************************************************************************** + Reply to a tcon. + conn POINTER CAN BE NULL HERE ! +****************************************************************************/ + +void reply_tcon(struct smb_request *req) +{ + connection_struct *conn = req->conn; + const char *service; + char *service_buf = NULL; + char *password = NULL; + char *dev = NULL; + int pwlen=0; + NTSTATUS nt_status; + const uint8_t *p; + const char *p2; + TALLOC_CTX *ctx = talloc_tos(); + struct smbXsrv_connection *xconn = req->xconn; + NTTIME now = timeval_to_nttime(&req->request_time); + + START_PROFILE(SMBtcon); + + if (req->buflen < 4) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBtcon); + return; + } + + p = req->buf + 1; + p += srvstr_pull_req_talloc(ctx, req, &service_buf, p, STR_TERMINATE); + p += 1; + pwlen = srvstr_pull_req_talloc(ctx, req, &password, p, STR_TERMINATE); + p += pwlen+1; + p += srvstr_pull_req_talloc(ctx, req, &dev, p, STR_TERMINATE); + p += 1; + + if (service_buf == NULL || password == NULL || dev == NULL) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBtcon); + return; + } + p2 = strrchr_m(service_buf,'\\'); + if (p2) { + service = p2+1; + } else { + service = service_buf; + } + + conn = make_connection(req, now, service, dev, + req->vuid,&nt_status); + req->conn = conn; + + if (!conn) { + reply_nterror(req, nt_status); + END_PROFILE(SMBtcon); + return; + } + + reply_smb1_outbuf(req, 2, 0); + SSVAL(req->outbuf,smb_vwv0,xconn->smb1.negprot.max_recv); + SSVAL(req->outbuf,smb_vwv1,conn->cnum); + SSVAL(req->outbuf,smb_tid,conn->cnum); + + DEBUG(3,("tcon service=%s cnum=%d\n", + service, conn->cnum)); + + END_PROFILE(SMBtcon); + return; +} + +/**************************************************************************** + Reply to a tcon and X. + conn POINTER CAN BE NULL HERE ! +****************************************************************************/ + +void reply_tcon_and_X(struct smb_request *req) +{ + const struct loadparm_substitution *lp_sub = + loadparm_s3_global_substitution(); + connection_struct *conn = req->conn; + const char *service = NULL; + TALLOC_CTX *ctx = talloc_tos(); + /* what the client thinks the device is */ + char *client_devicetype = NULL; + /* what the server tells the client the share represents */ + const char *server_devicetype; + NTSTATUS nt_status; + int passlen; + char *path = NULL; + const uint8_t *p; + const char *q; + uint16_t tcon_flags; + struct smbXsrv_session *session = NULL; + NTTIME now = timeval_to_nttime(&req->request_time); + bool session_key_updated = false; + uint16_t optional_support = 0; + struct smbXsrv_connection *xconn = req->xconn; + + START_PROFILE(SMBtconX); + + if (req->wct < 4) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBtconX); + return; + } + + passlen = SVAL(req->vwv+3, 0); + tcon_flags = SVAL(req->vwv+2, 0); + + /* we might have to close an old one */ + if ((tcon_flags & TCONX_FLAG_DISCONNECT_TID) && conn) { + struct smbXsrv_tcon *tcon; + NTSTATUS status; + + tcon = conn->tcon; + req->conn = NULL; + conn = NULL; + + /* + * TODO: cancel all outstanding requests on the tcon + */ + status = smbXsrv_tcon_disconnect(tcon, req->vuid); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("reply_tcon_and_X: " + "smbXsrv_tcon_disconnect() failed: %s\n", + nt_errstr(status))); + /* + * If we hit this case, there is something completely + * wrong, so we better disconnect the transport connection. + */ + END_PROFILE(SMBtconX); + exit_server(__location__ ": smbXsrv_tcon_disconnect failed"); + return; + } + + TALLOC_FREE(tcon); + /* + * This tree id is gone. Make sure we can't re-use it + * by accident. + */ + req->tid = 0; + } + + if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) { + reply_force_doserror(req, ERRDOS, ERRbuftoosmall); + END_PROFILE(SMBtconX); + return; + } + + if (xconn->smb1.negprot.encrypted_passwords) { + p = req->buf + passlen; + } else { + p = req->buf + passlen + 1; + } + + p += srvstr_pull_req_talloc(ctx, req, &path, p, STR_TERMINATE); + + if (path == NULL) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBtconX); + return; + } + + /* + * the service name can be either: \\server\share + * or share directly like on the DELL PowerVault 705 + */ + if (*path=='\\') { + q = strchr_m(path+2,'\\'); + if (!q) { + reply_nterror(req, NT_STATUS_BAD_NETWORK_NAME); + END_PROFILE(SMBtconX); + return; + } + service = q+1; + } else { + service = path; + } + + p += srvstr_pull_talloc(ctx, req->inbuf, req->flags2, + &client_devicetype, p, + MIN(6, smbreq_bufrem(req, p)), STR_ASCII); + + if (client_devicetype == NULL) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBtconX); + return; + } + + DEBUG(4,("Client requested device type [%s] for share [%s]\n", client_devicetype, service)); + + nt_status = smb1srv_session_lookup(xconn, + req->vuid, now, &session); + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_USER_SESSION_DELETED)) { + reply_force_doserror(req, ERRSRV, ERRbaduid); + END_PROFILE(SMBtconX); + return; + } + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NETWORK_SESSION_EXPIRED)) { + reply_nterror(req, nt_status); + END_PROFILE(SMBtconX); + return; + } + if (!NT_STATUS_IS_OK(nt_status)) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + END_PROFILE(SMBtconX); + return; + } + + if (session->global->auth_session_info == NULL) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + END_PROFILE(SMBtconX); + return; + } + + /* + * If there is no application key defined yet + * we create one. + * + * This means we setup the application key on the + * first tcon that happens via the given session. + * + * Once the application key is defined, it does not + * change any more. + */ + if (session->global->application_key_blob.length == 0 && + smb2_signing_key_valid(session->global->signing_key)) + { + struct smbXsrv_session *x = session; + struct auth_session_info *session_info = + session->global->auth_session_info; + uint8_t session_key[16]; + + ZERO_STRUCT(session_key); + memcpy(session_key, x->global->signing_key->blob.data, + MIN(x->global->signing_key->blob.length, sizeof(session_key))); + + /* + * The application key is truncated/padded to 16 bytes + */ + x->global->application_key_blob = data_blob_talloc(x->global, + session_key, + sizeof(session_key)); + ZERO_STRUCT(session_key); + if (x->global->application_key_blob.data == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBtconX); + return; + } + talloc_keep_secret(x->global->application_key_blob.data); + + if (tcon_flags & TCONX_FLAG_EXTENDED_SIGNATURES) { + NTSTATUS status; + + status = smb1_key_derivation(x->global->application_key_blob.data, + x->global->application_key_blob.length, + x->global->application_key_blob.data); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("smb1_key_derivation failed: %s\n", + nt_errstr(status)); + END_PROFILE(SMBtconX); + return; + } + optional_support |= SMB_EXTENDED_SIGNATURES; + } + + /* + * Place the application key into the session_info + */ + data_blob_clear_free(&session_info->session_key); + session_info->session_key = data_blob_dup_talloc(session_info, + x->global->application_key_blob); + if (session_info->session_key.data == NULL) { + data_blob_clear_free(&x->global->application_key_blob); + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBtconX); + return; + } + talloc_keep_secret(session_info->session_key.data); + session_key_updated = true; + } + + conn = make_connection(req, now, service, client_devicetype, + req->vuid, &nt_status); + req->conn =conn; + + if (!conn) { + if (session_key_updated) { + struct smbXsrv_session *x = session; + struct auth_session_info *session_info = + session->global->auth_session_info; + data_blob_clear_free(&x->global->application_key_blob); + data_blob_clear_free(&session_info->session_key); + } + reply_nterror(req, nt_status); + END_PROFILE(SMBtconX); + return; + } + + if ( IS_IPC(conn) ) + server_devicetype = "IPC"; + else if ( IS_PRINT(conn) ) + server_devicetype = "LPT1:"; + else + server_devicetype = "A:"; + + if (xconn->protocol < PROTOCOL_NT1) { + reply_smb1_outbuf(req, 2, 0); + if (message_push_string(&req->outbuf, server_devicetype, + STR_TERMINATE|STR_ASCII) == -1) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBtconX); + return; + } + } else { + /* NT sets the fstype of IPC$ to the null string */ + const char *fstype = IS_IPC(conn) ? "" : lp_fstype(SNUM(conn)); + + if (tcon_flags & TCONX_FLAG_EXTENDED_RESPONSE) { + /* Return permissions. */ + uint32_t perm1 = 0; + uint32_t perm2 = 0; + + reply_smb1_outbuf(req, 7, 0); + + if (IS_IPC(conn)) { + perm1 = FILE_ALL_ACCESS; + perm2 = FILE_ALL_ACCESS; + } else { + perm1 = conn->share_access; + } + + SIVAL(req->outbuf, smb_vwv3, perm1); + SIVAL(req->outbuf, smb_vwv5, perm2); + } else { + reply_smb1_outbuf(req, 3, 0); + } + + if ((message_push_string(&req->outbuf, server_devicetype, + STR_TERMINATE|STR_ASCII) == -1) + || (message_push_string(&req->outbuf, fstype, + STR_TERMINATE) == -1)) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBtconX); + return; + } + + /* what does setting this bit do? It is set by NT4 and + may affect the ability to autorun mounted cdroms */ + optional_support |= SMB_SUPPORT_SEARCH_BITS; + optional_support |= + (lp_csc_policy(SNUM(conn)) << SMB_CSC_POLICY_SHIFT); + + if (lp_msdfs_root(SNUM(conn)) && lp_host_msdfs()) { + DEBUG(2,("Serving %s as a Dfs root\n", + lp_servicename(ctx, lp_sub, SNUM(conn)) )); + optional_support |= SMB_SHARE_IN_DFS; + } + + SSVAL(req->outbuf, smb_vwv2, optional_support); + } + + SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */ + SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */ + + DEBUG(3,("tconX service=%s \n", + service)); + + /* set the incoming and outgoing tid to the just created one */ + SSVAL(discard_const_p(uint8_t, req->inbuf),smb_tid,conn->cnum); + SSVAL(req->outbuf,smb_tid,conn->cnum); + + END_PROFILE(SMBtconX); + + req->tid = conn->cnum; +} + +/**************************************************************************** + Reply to an unknown type. +****************************************************************************/ + +void reply_unknown_new(struct smb_request *req, uint8_t type) +{ + DEBUG(0, ("unknown command type (%s): type=%d (0x%X)\n", + smb_fn_name(type), type, type)); + reply_force_doserror(req, ERRSRV, ERRunknownsmb); + return; +} + +/**************************************************************************** + Reply to an ioctl. + conn POINTER CAN BE NULL HERE ! +****************************************************************************/ + +void reply_ioctl(struct smb_request *req) +{ + const struct loadparm_substitution *lp_sub = + loadparm_s3_global_substitution(); + connection_struct *conn = req->conn; + uint16_t device; + uint16_t function; + uint32_t ioctl_code; + int replysize; + char *p; + + START_PROFILE(SMBioctl); + + if (req->wct < 3) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBioctl); + return; + } + + device = SVAL(req->vwv+1, 0); + function = SVAL(req->vwv+2, 0); + ioctl_code = (device << 16) + function; + + DEBUG(4, ("Received IOCTL (code 0x%x)\n", ioctl_code)); + + switch (ioctl_code) { + case IOCTL_QUERY_JOB_INFO: + replysize = 32; + break; + default: + reply_force_doserror(req, ERRSRV, ERRnosupport); + END_PROFILE(SMBioctl); + return; + } + + reply_smb1_outbuf(req, 8, replysize+1); + SSVAL(req->outbuf,smb_vwv1,replysize); /* Total data bytes returned */ + SSVAL(req->outbuf,smb_vwv5,replysize); /* Data bytes this buffer */ + SSVAL(req->outbuf,smb_vwv6,52); /* Offset to data */ + p = smb_buf(req->outbuf); + memset(p, '\0', replysize+1); /* valgrind-safe. */ + p += 1; /* Allow for alignment */ + + switch (ioctl_code) { + case IOCTL_QUERY_JOB_INFO: + { + NTSTATUS status; + size_t len = 0; + files_struct *fsp = file_fsp( + req, SVAL(req->vwv+0, 0)); + if (!fsp) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + END_PROFILE(SMBioctl); + return; + } + /* Job number */ + SSVAL(p, 0, print_spool_rap_jobid(fsp->print_file)); + + status = srvstr_push((char *)req->outbuf, req->flags2, p+2, + lp_netbios_name(), 15, + STR_TERMINATE|STR_ASCII, &len); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBioctl); + return; + } + if (conn) { + status = srvstr_push((char *)req->outbuf, req->flags2, + p+18, + lp_servicename(talloc_tos(), + lp_sub, + SNUM(conn)), + 13, STR_TERMINATE|STR_ASCII, &len); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBioctl); + return; + } + } else { + memset(p+18, 0, 13); + } + break; + } + } + + END_PROFILE(SMBioctl); + return; +} + +/**************************************************************************** + Strange checkpath NTSTATUS mapping. +****************************************************************************/ + +static NTSTATUS map_checkpath_error(uint16_t flags2, NTSTATUS status) +{ + /* Strange DOS error code semantics only for checkpath... */ + if (!(flags2 & FLAGS2_32_BIT_ERROR_CODES)) { + if (NT_STATUS_EQUAL(NT_STATUS_OBJECT_NAME_INVALID,status)) { + /* We need to map to ERRbadpath */ + return NT_STATUS_OBJECT_PATH_NOT_FOUND; + } + } + return status; +} + +/**************************************************************************** + Reply to a checkpath. +****************************************************************************/ + +void reply_checkpath(struct smb_request *req) +{ + connection_struct *conn = req->conn; + struct smb_filename *smb_fname = NULL; + char *name = NULL; + NTSTATUS status; + struct files_struct *dirfsp = NULL; + uint32_t ucf_flags = ucf_flags_from_smb_request(req); + NTTIME twrp = 0; + TALLOC_CTX *ctx = talloc_tos(); + + START_PROFILE(SMBcheckpath); + + srvstr_get_path_req(ctx, req, &name, (const char *)req->buf + 1, + STR_TERMINATE, &status); + + if (!NT_STATUS_IS_OK(status)) { + status = map_checkpath_error(req->flags2, status); + reply_nterror(req, status); + END_PROFILE(SMBcheckpath); + return; + } + + DEBUG(3,("reply_checkpath %s mode=%d\n", name, (int)SVAL(req->vwv+0, 0))); + + if (ucf_flags & UCF_GMT_PATHNAME) { + extract_snapshot_token(name, &twrp); + } + status = smb1_strip_dfs_path(ctx, &ucf_flags, &name); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + status = filename_convert_dirfsp(ctx, + conn, + name, + ucf_flags, + twrp, + &dirfsp, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + END_PROFILE(SMBcheckpath); + return; + } + goto path_err; + } + + if (!VALID_STAT(smb_fname->st) && + (SMB_VFS_STAT(conn, smb_fname) != 0)) { + DEBUG(3,("reply_checkpath: stat of %s failed (%s)\n", + smb_fname_str_dbg(smb_fname), strerror(errno))); + status = map_nt_error_from_unix(errno); + goto path_err; + } + + if (!S_ISDIR(smb_fname->st.st_ex_mode)) { + reply_botherror(req, NT_STATUS_NOT_A_DIRECTORY, + ERRDOS, ERRbadpath); + goto out; + } + + reply_smb1_outbuf(req, 0, 0); + + path_err: + /* We special case this - as when a Windows machine + is parsing a path is steps through the components + one at a time - if a component fails it expects + ERRbadpath, not ERRbadfile. + */ + status = map_checkpath_error(req->flags2, status); + if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { + /* + * Windows returns different error codes if + * the parent directory is valid but not the + * last component - it returns NT_STATUS_OBJECT_NAME_NOT_FOUND + * for that case and NT_STATUS_OBJECT_PATH_NOT_FOUND + * if the path is invalid. + */ + reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND, + ERRDOS, ERRbadpath); + goto out; + } + + reply_nterror(req, status); + + out: + TALLOC_FREE(smb_fname); + END_PROFILE(SMBcheckpath); + return; +} + +/**************************************************************************** + Reply to a getatr. +****************************************************************************/ + +void reply_getatr(struct smb_request *req) +{ + struct smbXsrv_connection *xconn = req->xconn; + connection_struct *conn = req->conn; + struct smb_filename *smb_fname = NULL; + char *fname = NULL; + int mode=0; + off_t size=0; + time_t mtime=0; + const char *p; + NTSTATUS status; + TALLOC_CTX *ctx = talloc_tos(); + + START_PROFILE(SMBgetatr); + + p = (const char *)req->buf + 1; + p += srvstr_get_path_req(ctx, req, &fname, p, STR_TERMINATE, &status); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + /* + * dos sometimes asks for a stat of "" - it returns a "hidden + * directory" under WfWg - weird! + */ + if (*fname == '\0') { + mode = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_DIRECTORY; + if (!CAN_WRITE(conn)) { + mode |= FILE_ATTRIBUTE_READONLY; + } + size = 0; + mtime = 0; + } else { + struct files_struct *dirfsp = NULL; + uint32_t ucf_flags = ucf_flags_from_smb_request(req); + NTTIME twrp = 0; + bool ask_sharemode; + + if (ucf_flags & UCF_GMT_PATHNAME) { + extract_snapshot_token(fname, &twrp); + } + status = smb1_strip_dfs_path(ctx, &ucf_flags, &fname); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + status = filename_convert_dirfsp(ctx, + conn, + fname, + ucf_flags, + twrp, + &dirfsp, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + goto out; + } + reply_nterror(req, status); + goto out; + } + if (!VALID_STAT(smb_fname->st) && + (SMB_VFS_STAT(conn, smb_fname) != 0)) { + DEBUG(3,("reply_getatr: stat of %s failed (%s)\n", + smb_fname_str_dbg(smb_fname), + strerror(errno))); + reply_nterror(req, map_nt_error_from_unix(errno)); + goto out; + } + + mode = fdos_mode(smb_fname->fsp); + size = smb_fname->st.st_ex_size; + + ask_sharemode = fsp_search_ask_sharemode(smb_fname->fsp); + if (ask_sharemode) { + struct timespec write_time_ts; + struct file_id fileid; + + ZERO_STRUCT(write_time_ts); + fileid = vfs_file_id_from_sbuf(conn, &smb_fname->st); + get_file_infos(fileid, 0, NULL, &write_time_ts); + if (!is_omit_timespec(&write_time_ts)) { + update_stat_ex_mtime(&smb_fname->st, write_time_ts); + } + } + + mtime = convert_timespec_to_time_t(smb_fname->st.st_ex_mtime); + if (mode & FILE_ATTRIBUTE_DIRECTORY) { + size = 0; + } + } + + reply_smb1_outbuf(req, 10, 0); + + SSVAL(req->outbuf,smb_vwv0,mode); + if(lp_dos_filetime_resolution(SNUM(conn)) ) { + srv_put_dos_date3((char *)req->outbuf,smb_vwv1,mtime & ~1); + } else { + srv_put_dos_date3((char *)req->outbuf,smb_vwv1,mtime); + } + SIVAL(req->outbuf,smb_vwv3,(uint32_t)size); + + if (xconn->protocol >= PROTOCOL_NT1) { + SSVAL(req->outbuf, smb_flg2, + SVAL(req->outbuf, smb_flg2) | FLAGS2_IS_LONG_NAME); + } + + DEBUG(3,("reply_getatr: name=%s mode=%d size=%u\n", + smb_fname_str_dbg(smb_fname), mode, (unsigned int)size)); + + out: + TALLOC_FREE(smb_fname); + TALLOC_FREE(fname); + END_PROFILE(SMBgetatr); + return; +} + +/**************************************************************************** + Reply to a setatr. +****************************************************************************/ + +void reply_setatr(struct smb_request *req) +{ + struct smb_file_time ft; + connection_struct *conn = req->conn; + struct smb_filename *smb_fname = NULL; + struct files_struct *dirfsp = NULL; + char *fname = NULL; + int mode; + time_t mtime; + const char *p; + NTSTATUS status; + uint32_t ucf_flags = ucf_flags_from_smb_request(req); + NTTIME twrp = 0; + TALLOC_CTX *ctx = talloc_tos(); + + START_PROFILE(SMBsetatr); + init_smb_file_time(&ft); + + if (req->wct < 2) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + + p = (const char *)req->buf + 1; + p += srvstr_get_path_req(ctx, req, &fname, p, STR_TERMINATE, &status); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + if (ucf_flags & UCF_GMT_PATHNAME) { + extract_snapshot_token(fname, &twrp); + } + status = smb1_strip_dfs_path(ctx, &ucf_flags, &fname); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + status = filename_convert_dirfsp(ctx, + conn, + fname, + ucf_flags, + twrp, + &dirfsp, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + goto out; + } + reply_nterror(req, status); + goto out; + } + + if (ISDOT(smb_fname->base_name)) { + /* + * Not sure here is the right place to catch this + * condition. Might be moved to somewhere else later -- vl + */ + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + goto out; + } + + if (smb_fname->fsp == NULL) { + /* Can't set access rights on a symlink. */ + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + goto out; + } + + mode = SVAL(req->vwv+0, 0); + mtime = srv_make_unix_date3(req->vwv+1); + + if (mode != FILE_ATTRIBUTE_NORMAL) { + if (VALID_STAT_OF_DIR(smb_fname->st)) + mode |= FILE_ATTRIBUTE_DIRECTORY; + else + mode &= ~FILE_ATTRIBUTE_DIRECTORY; + + status = smbd_check_access_rights_fsp(conn->cwd_fsp, + smb_fname->fsp, + false, + FILE_WRITE_ATTRIBUTES); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + if (file_set_dosmode(conn, smb_fname, mode, NULL, + false) != 0) { + reply_nterror(req, map_nt_error_from_unix(errno)); + goto out; + } + } + + ft.mtime = time_t_to_full_timespec(mtime); + + status = smb_set_file_time(conn, smb_fname->fsp, smb_fname, &ft, true); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + reply_smb1_outbuf(req, 0, 0); + + DEBUG(3, ("setatr name=%s mode=%d\n", smb_fname_str_dbg(smb_fname), + mode)); + out: + TALLOC_FREE(smb_fname); + END_PROFILE(SMBsetatr); + return; +} + +/**************************************************************************** + Reply to a dskattr. +****************************************************************************/ + +void reply_dskattr(struct smb_request *req) +{ + struct smbXsrv_connection *xconn = req->xconn; + connection_struct *conn = req->conn; + uint64_t ret; + uint64_t dfree,dsize,bsize; + struct smb_filename smb_fname; + START_PROFILE(SMBdskattr); + + ZERO_STRUCT(smb_fname); + smb_fname.base_name = discard_const_p(char, "."); + + if (SMB_VFS_STAT(conn, &smb_fname) != 0) { + reply_nterror(req, map_nt_error_from_unix(errno)); + DBG_WARNING("stat of . failed (%s)\n", strerror(errno)); + END_PROFILE(SMBdskattr); + return; + } + + ret = get_dfree_info(conn, &smb_fname, &bsize, &dfree, &dsize); + if (ret == (uint64_t)-1) { + reply_nterror(req, map_nt_error_from_unix(errno)); + END_PROFILE(SMBdskattr); + return; + } + + /* + * Force max to fit in 16 bit fields. + */ + while (dfree > WORDMAX || dsize > WORDMAX || bsize < 512) { + dfree /= 2; + dsize /= 2; + bsize *= 2; + if (bsize > (WORDMAX*512)) { + bsize = (WORDMAX*512); + if (dsize > WORDMAX) + dsize = WORDMAX; + if (dfree > WORDMAX) + dfree = WORDMAX; + break; + } + } + + reply_smb1_outbuf(req, 5, 0); + + if (xconn->protocol <= PROTOCOL_LANMAN2) { + double total_space, free_space; + /* we need to scale this to a number that DOS6 can handle. We + use floating point so we can handle large drives on systems + that don't have 64 bit integers + + we end up displaying a maximum of 2G to DOS systems + */ + total_space = dsize * (double)bsize; + free_space = dfree * (double)bsize; + + dsize = (uint64_t)((total_space+63*512) / (64*512)); + dfree = (uint64_t)((free_space+63*512) / (64*512)); + + if (dsize > 0xFFFF) dsize = 0xFFFF; + if (dfree > 0xFFFF) dfree = 0xFFFF; + + SSVAL(req->outbuf,smb_vwv0,dsize); + SSVAL(req->outbuf,smb_vwv1,64); /* this must be 64 for dos systems */ + SSVAL(req->outbuf,smb_vwv2,512); /* and this must be 512 */ + SSVAL(req->outbuf,smb_vwv3,dfree); + } else { + SSVAL(req->outbuf,smb_vwv0,dsize); + SSVAL(req->outbuf,smb_vwv1,bsize/512); + SSVAL(req->outbuf,smb_vwv2,512); + SSVAL(req->outbuf,smb_vwv3,dfree); + } + + DEBUG(3,("dskattr dfree=%d\n", (unsigned int)dfree)); + + END_PROFILE(SMBdskattr); + return; +} + +/**************************************************************************** + Make a dir struct. +****************************************************************************/ + +static void make_dir_struct(TALLOC_CTX *ctx, + char *buf, + const char *mask, + const char *fname, + off_t size, + uint32_t mode, + time_t date, + bool uc) +{ + char *p; + + if ((mode & FILE_ATTRIBUTE_DIRECTORY) != 0) { + size = 0; + } + + memset(buf+1,' ',11); + if ((p = strchr_m(mask, '.')) != NULL) { + char name[p - mask + 1]; + strlcpy(name, mask, sizeof(name)); + push_ascii(buf + 1, name, 8, 0); + push_ascii(buf+9,p+1,3, 0); + } else { + push_ascii(buf + 1, mask, 11, 0); + } + + memset(buf+21,'\0',DIR_STRUCT_SIZE-21); + SCVAL(buf,21,mode); + srv_put_dos_date(buf,22,date); + SSVAL(buf,26,size & 0xFFFF); + SSVAL(buf,28,(size >> 16)&0xFFFF); + /* We only uppercase if FLAGS2_LONG_PATH_COMPONENTS is zero in the input buf. + Strange, but verified on W2K3. Needed for OS/2. JRA. */ + push_ascii(buf+30,fname,12, uc ? STR_UPPER : 0); + DEBUG(8,("put name [%s] from [%s] into dir struct\n",buf+30, fname)); +} + +/******************************************************************* + A wrapper that handles case sensitivity and the special handling + of the ".." name. +*******************************************************************/ + +static bool mask_match_search(const char *string, + const char *pattern, + bool is_case_sensitive) +{ + if (ISDOTDOT(string)) { + string = "."; + } + if (ISDOT(pattern)) { + return False; + } + + return ms_fnmatch(pattern, string, True, is_case_sensitive) == 0; +} + +static bool mangle_mask_match(connection_struct *conn, + const char *filename, + const char *mask) +{ + char mname[13]; + + if (!name_to_8_3(filename, mname, False, conn->params)) { + return False; + } + return mask_match_search(mname, mask, False); +} + +/**************************************************************************** + Get an 8.3 directory entry. +****************************************************************************/ + +static bool smbd_dirptr_8_3_match_fn(TALLOC_CTX *ctx, + void *private_data, + const char *dname, + const char *mask, + char **_fname) +{ + connection_struct *conn = (connection_struct *)private_data; + + if ((strcmp(mask, "*.*") == 0) || + mask_match_search(dname, mask, false) || + mangle_mask_match(conn, dname, mask)) { + char mname[13]; + const char *fname; + /* + * Ensure we can push the original name as UCS2. If + * not, then just don't return this name. + */ + NTSTATUS status; + size_t ret_len = 0; + size_t len = (strlen(dname) + 2) * 4; /* Allow enough space. */ + uint8_t *tmp = talloc_array(talloc_tos(), uint8_t, len); + + status = srvstr_push(NULL, + FLAGS2_UNICODE_STRINGS, + tmp, + dname, + len, + STR_TERMINATE, + &ret_len); + + TALLOC_FREE(tmp); + + if (!NT_STATUS_IS_OK(status)) { + return false; + } + + if (!mangle_is_8_3(dname, false, conn->params)) { + bool ok = + name_to_8_3(dname, mname, false, conn->params); + if (!ok) { + return false; + } + fname = mname; + } else { + fname = dname; + } + + *_fname = talloc_strdup(ctx, fname); + if (*_fname == NULL) { + return false; + } + + return true; + } + + return false; +} + +static bool get_dir_entry(TALLOC_CTX *ctx, + connection_struct *conn, + struct dptr_struct *dirptr, + const char *mask, + uint32_t dirtype, + char **_fname, + off_t *_size, + uint32_t *_mode, + struct timespec *_date, + bool check_descend, + bool ask_sharemode) +{ + char *fname = NULL; + struct smb_filename *smb_fname = NULL; + uint32_t mode = 0; + bool ok; + +again: + ok = smbd_dirptr_get_entry(ctx, + dirptr, + mask, + dirtype, + check_descend, + ask_sharemode, + true, + smbd_dirptr_8_3_match_fn, + conn, + &fname, + &smb_fname, + &mode); + if (!ok) { + return false; + } + if (mode & FILE_ATTRIBUTE_REPARSE_POINT) { + /* hide reparse points from ancient clients */ + TALLOC_FREE(fname); + TALLOC_FREE(smb_fname); + goto again; + } + + *_fname = talloc_move(ctx, &fname); + *_size = smb_fname->st.st_ex_size; + *_mode = mode; + *_date = smb_fname->st.st_ex_mtime; + TALLOC_FREE(smb_fname); + return true; +} + +/**************************************************************************** + Reply to a search. + Can be called from SMBsearch, SMBffirst or SMBfunique. +****************************************************************************/ + +void reply_search(struct smb_request *req) +{ + connection_struct *conn = req->conn; + char *path = NULL; + char *mask = NULL; + char *directory = NULL; + struct smb_filename *smb_fname = NULL; + char *fname = NULL; + off_t size; + uint32_t mode; + struct timespec date; + uint32_t dirtype; + unsigned int numentries = 0; + unsigned int maxentries = 0; + bool finished = False; + const char *p; + int status_len; + char status[21]; + int dptr_num= -1; + bool check_descend = False; + bool expect_close = False; + NTSTATUS nt_status; + bool mask_contains_wcard = False; + bool allow_long_path_components = (req->flags2 & FLAGS2_LONG_PATH_COMPONENTS) ? True : False; + TALLOC_CTX *ctx = talloc_tos(); + struct smbXsrv_connection *xconn = req->xconn; + struct smbd_server_connection *sconn = req->sconn; + files_struct *fsp = NULL; + const struct loadparm_substitution *lp_sub = + loadparm_s3_global_substitution(); + + START_PROFILE(SMBsearch); + + if (req->wct < 2) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + + if (req->posix_pathnames) { + reply_unknown_new(req, req->cmd); + goto out; + } + + /* If we were called as SMBffirst then we must expect close. */ + if(req->cmd == SMBffirst) { + expect_close = True; + } + + reply_smb1_outbuf(req, 1, 3); + maxentries = SVAL(req->vwv+0, 0); + dirtype = SVAL(req->vwv+1, 0); + p = (const char *)req->buf + 1; + p += srvstr_get_path_req(ctx, req, &path, p, STR_TERMINATE, + &nt_status); + if (!NT_STATUS_IS_OK(nt_status)) { + reply_nterror(req, nt_status); + goto out; + } + + if (smbreq_bufrem(req, p) < 3) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + + p++; + status_len = SVAL(p, 0); + p += 2; + + /* dirtype &= ~FILE_ATTRIBUTE_DIRECTORY; */ + + if (status_len == 0) { + const char *dirpath; + struct files_struct *dirfsp = NULL; + struct smb_filename *smb_dname = NULL; + uint32_t ucf_flags = ucf_flags_from_smb_request(req); + + nt_status = smb1_strip_dfs_path(ctx, &ucf_flags, &path); + if (!NT_STATUS_IS_OK(nt_status)) { + reply_nterror(req, nt_status); + goto out; + } + + nt_status = filename_convert_smb1_search_path(ctx, + conn, + path, + ucf_flags, + &dirfsp, + &smb_dname, + &mask); + + if (!NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_EQUAL(nt_status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + goto out; + } + reply_nterror(req, nt_status); + goto out; + } + + memset((char *)status,'\0',21); + SCVAL(status,0,(dirtype & 0x1F)); + + /* + * Open an fsp on this directory for the dptr. + */ + nt_status = SMB_VFS_CREATE_FILE( + conn, /* conn */ + req, /* req */ + dirfsp, /* dirfsp */ + smb_dname, /* dname */ + FILE_LIST_DIRECTORY, /* access_mask */ + FILE_SHARE_READ| + FILE_SHARE_WRITE, /* share_access */ + FILE_OPEN, /* create_disposition*/ + FILE_DIRECTORY_FILE, /* create_options */ + FILE_ATTRIBUTE_DIRECTORY,/* file_attributes */ + NO_OPLOCK, /* oplock_request */ + NULL, /* lease */ + 0, /* allocation_size */ + 0, /* private_flags */ + NULL, /* sd */ + NULL, /* ea_list */ + &fsp, /* result */ + NULL, /* pinfo */ + NULL, /* in_context */ + NULL);/* out_context */ + + if (!NT_STATUS_IS_OK(nt_status)) { + DBG_ERR("failed to open directory %s\n", + smb_fname_str_dbg(smb_dname)); + reply_nterror(req, nt_status); + goto out; + } + + nt_status = dptr_create(conn, + NULL, /* req */ + fsp, /* fsp */ + True, + mask, + dirtype, + &fsp->dptr); + + TALLOC_FREE(smb_dname); + + if (!NT_STATUS_IS_OK(nt_status)) { + /* + * Use NULL here for the first parameter (req) + * as this is not a client visible handle so + * can't be part of an SMB1 chain. + */ + close_file_free(NULL, &fsp, NORMAL_CLOSE); + reply_nterror(req, nt_status); + goto out; + } + + dptr_num = dptr_dnum(fsp->dptr); + dirpath = dptr_path(sconn, dptr_num); + directory = talloc_strdup(ctx, dirpath); + if (!directory) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + goto out; + } + + } else { + int status_dirtype; + const char *dirpath; + unsigned int dptr_filenum; + uint32_t resume_key_index; + + if (smbreq_bufrem(req, p) < 21) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + + memcpy(status,p,21); + status_dirtype = CVAL(status,0) & 0x1F; + if (status_dirtype != (dirtype & 0x1F)) { + dirtype = status_dirtype; + } + + dptr_num = CVAL(status, 12); + fsp = dptr_fetch_lanman2_fsp(sconn, dptr_num); + if (fsp == NULL) { + goto SearchEmpty; + } + + resume_key_index = PULL_LE_U32(status, 13); + dptr_filenum = dptr_FileNumber(fsp->dptr); + + if (resume_key_index > dptr_filenum) { + /* + * Haven't seen this resume key yet. Just stop + * the search. + */ + goto SearchEmpty; + } + + if (resume_key_index < dptr_filenum) { + /* + * The resume key was not the last one we + * sent, rewind and skip to what the client + * sent. + */ + dptr_RewindDir(fsp->dptr); + + dptr_filenum = dptr_FileNumber(fsp->dptr); + SMB_ASSERT(dptr_filenum == 0); + + while (dptr_filenum < resume_key_index) { + bool ok = get_dir_entry( + ctx, + conn, + fsp->dptr, + dptr_wcard(sconn, dptr_num), + dirtype, + &fname, + &size, + &mode, + &date, + check_descend, + false); + TALLOC_FREE(fname); + if (!ok) { + goto SearchEmpty; + } + + dptr_filenum = dptr_FileNumber(fsp->dptr); + } + } + + dirpath = dptr_path(sconn, dptr_num); + directory = talloc_strdup(ctx, dirpath); + if (!directory) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + goto out; + } + + mask = talloc_strdup(ctx, dptr_wcard(sconn, dptr_num)); + if (!mask) { + goto SearchEmpty; + } + dirtype = dptr_attr(sconn, dptr_num); + } + + mask_contains_wcard = dptr_has_wild(fsp->dptr); + + DEBUG(4,("dptr_num is %d\n",dptr_num)); + + if ((dirtype&0x1F) == FILE_ATTRIBUTE_VOLUME) { + char buf[DIR_STRUCT_SIZE]; + memcpy(buf,status,21); + make_dir_struct(ctx, + buf, + "???????????", + volume_label(ctx, SNUM(conn)), + 0, + FILE_ATTRIBUTE_VOLUME, + 0, + !allow_long_path_components); + SCVAL(buf, 12, dptr_num); + numentries = 1; + if (message_push_blob(&req->outbuf, + data_blob_const(buf, sizeof(buf))) + == -1) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + goto out; + } + } else { + unsigned int i; + size_t hdr_size = ((uint8_t *)smb_buf(req->outbuf) + 3 - req->outbuf); + size_t available_space = xconn->smb1.sessions.max_send - hdr_size; + bool ask_sharemode; + + maxentries = MIN(maxentries, available_space/DIR_STRUCT_SIZE); + + DEBUG(8,("dirpath=<%s> dontdescend=<%s>\n", + directory,lp_dont_descend(ctx, lp_sub, SNUM(conn)))); + if (in_list(directory, lp_dont_descend(ctx, lp_sub, SNUM(conn)),True)) { + check_descend = True; + } + + ask_sharemode = fsp_search_ask_sharemode(fsp); + + for (i=numentries;(idptr, + mask, + dirtype, + &fname, + &size, + &mode, + &date, + check_descend, + ask_sharemode); + if (!finished) { + char buf[DIR_STRUCT_SIZE]; + memcpy(buf,status,21); + make_dir_struct( + ctx, + buf, + mask, + fname, + size, + mode, + convert_timespec_to_time_t(date), + !allow_long_path_components); + SCVAL(buf, 12, dptr_num); + PUSH_LE_U32(buf, + 13, + dptr_FileNumber(fsp->dptr)); + if (message_push_blob(&req->outbuf, + data_blob_const(buf, sizeof(buf))) + == -1) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + goto out; + } + numentries++; + } + TALLOC_FREE(fname); + } + } + + SearchEmpty: + + /* If we were called as SMBffirst with smb_search_id == NULL + and no entries were found then return error and close fsp->dptr + (X/Open spec) */ + + if (numentries == 0) { + dptr_num = -1; + if (fsp != NULL) { + close_file_free(NULL, &fsp, NORMAL_CLOSE); + } + } else if(expect_close && status_len == 0) { + /* Close the dptr - we know it's gone */ + dptr_num = -1; + if (fsp != NULL) { + close_file_free(NULL, &fsp, NORMAL_CLOSE); + } + } + + /* If we were called as SMBfunique, then we can close the fsp->dptr now ! */ + if(dptr_num >= 0 && req->cmd == SMBfunique) { + dptr_num = -1; + /* fsp may have been closed above. */ + if (fsp != NULL) { + close_file_free(NULL, &fsp, NORMAL_CLOSE); + } + } + + if ((numentries == 0) && !mask_contains_wcard) { + reply_botherror(req, STATUS_NO_MORE_FILES, ERRDOS, ERRnofiles); + goto out; + } + + SSVAL(req->outbuf,smb_vwv0,numentries); + SSVAL(req->outbuf,smb_vwv1,3 + numentries * DIR_STRUCT_SIZE); + SCVAL(smb_buf(req->outbuf),0,5); + SSVAL(smb_buf(req->outbuf),1,numentries*DIR_STRUCT_SIZE); + + /* The replies here are never long name. */ + SSVAL(req->outbuf, smb_flg2, + SVAL(req->outbuf, smb_flg2) & (~FLAGS2_IS_LONG_NAME)); + if (!allow_long_path_components) { + SSVAL(req->outbuf, smb_flg2, + SVAL(req->outbuf, smb_flg2) + & (~FLAGS2_LONG_PATH_COMPONENTS)); + } + + /* This SMB *always* returns ASCII names. Remove the unicode bit in flags2. */ + SSVAL(req->outbuf, smb_flg2, + (SVAL(req->outbuf, smb_flg2) & (~FLAGS2_UNICODE_STRINGS))); + + DEBUG(4,("%s mask=%s path=%s dtype=%d nument=%u of %u\n", + smb_fn_name(req->cmd), + mask, + directory, + dirtype, + numentries, + maxentries )); + out: + TALLOC_FREE(directory); + TALLOC_FREE(mask); + TALLOC_FREE(smb_fname); + END_PROFILE(SMBsearch); + return; +} + +/**************************************************************************** + Reply to a fclose (stop directory search). +****************************************************************************/ + +void reply_fclose(struct smb_request *req) +{ + int status_len; + int dptr_num= -2; + const char *p; + char *path = NULL; + NTSTATUS err; + TALLOC_CTX *ctx = talloc_tos(); + struct smbd_server_connection *sconn = req->sconn; + files_struct *fsp = NULL; + + START_PROFILE(SMBfclose); + + if (req->posix_pathnames) { + reply_unknown_new(req, req->cmd); + END_PROFILE(SMBfclose); + return; + } + + p = (const char *)req->buf + 1; + p += srvstr_get_path_req(ctx, req, &path, p, STR_TERMINATE, + &err); + if (!NT_STATUS_IS_OK(err)) { + reply_nterror(req, err); + END_PROFILE(SMBfclose); + return; + } + + if (smbreq_bufrem(req, p) < 3) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBfclose); + return; + } + + p++; + status_len = SVAL(p,0); + p += 2; + + if (status_len == 0) { + reply_force_doserror(req, ERRSRV, ERRsrverror); + END_PROFILE(SMBfclose); + return; + } + + if (smbreq_bufrem(req, p) < 21) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBfclose); + return; + } + + dptr_num = CVAL(p, 12); + + fsp = dptr_fetch_lanman2_fsp(sconn, dptr_num); + if(fsp != NULL) { + /* Close the file - we know it's gone */ + close_file_free(NULL, &fsp, NORMAL_CLOSE); + dptr_num = -1; + } + + reply_smb1_outbuf(req, 1, 0); + SSVAL(req->outbuf,smb_vwv0,0); + + DEBUG(3,("search close\n")); + + END_PROFILE(SMBfclose); + return; +} + +/**************************************************************************** + Reply to an open. +****************************************************************************/ + +void reply_open(struct smb_request *req) +{ + connection_struct *conn = req->conn; + struct smb_filename *smb_fname = NULL; + char *fname = NULL; + uint32_t fattr=0; + off_t size = 0; + time_t mtime=0; + int info; + struct files_struct *dirfsp = NULL; + files_struct *fsp; + int oplock_request; + int deny_mode; + uint32_t dos_attr; + uint32_t access_mask; + uint32_t share_mode; + uint32_t create_disposition; + uint32_t create_options = 0; + uint32_t private_flags = 0; + NTSTATUS status; + uint32_t ucf_flags; + NTTIME twrp = 0; + TALLOC_CTX *ctx = talloc_tos(); + + START_PROFILE(SMBopen); + + if (req->wct < 2) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + + oplock_request = CORE_OPLOCK_REQUEST(req->inbuf); + deny_mode = SVAL(req->vwv+0, 0); + dos_attr = SVAL(req->vwv+1, 0); + + srvstr_get_path_req(ctx, req, &fname, (const char *)req->buf+1, + STR_TERMINATE, &status); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + if (!map_open_params_to_ntcreate(fname, deny_mode, + OPENX_FILE_EXISTS_OPEN, &access_mask, + &share_mode, &create_disposition, + &create_options, &private_flags)) { + reply_force_doserror(req, ERRDOS, ERRbadaccess); + goto out; + } + + ucf_flags = filename_create_ucf_flags(req, create_disposition); + + if (ucf_flags & UCF_GMT_PATHNAME) { + extract_snapshot_token(fname, &twrp); + } + status = smb1_strip_dfs_path(ctx, &ucf_flags, &fname); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + status = filename_convert_dirfsp(ctx, + conn, + fname, + ucf_flags, + twrp, + &dirfsp, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, + NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + goto out; + } + reply_nterror(req, status); + goto out; + } + + status = SMB_VFS_CREATE_FILE( + conn, /* conn */ + req, /* req */ + dirfsp, /* dirfsp */ + smb_fname, /* fname */ + access_mask, /* access_mask */ + share_mode, /* share_access */ + create_disposition, /* create_disposition*/ + create_options, /* create_options */ + dos_attr, /* file_attributes */ + oplock_request, /* oplock_request */ + NULL, /* lease */ + 0, /* allocation_size */ + private_flags, + NULL, /* sd */ + NULL, /* ea_list */ + &fsp, /* result */ + &info, /* pinfo */ + NULL, NULL); /* create context */ + + if (!NT_STATUS_IS_OK(status)) { + if (open_was_deferred(req->xconn, req->mid)) { + /* We have re-scheduled this call. */ + goto out; + } + + if (!NT_STATUS_EQUAL(status, NT_STATUS_SHARING_VIOLATION)) { + reply_openerror(req, status); + goto out; + } + + fsp = fcb_or_dos_open( + req, + smb_fname, + access_mask, + create_options, + private_flags); + if (fsp == NULL) { + bool ok = defer_smb1_sharing_violation(req); + if (ok) { + goto out; + } + reply_openerror(req, status); + goto out; + } + } + + /* Ensure we're pointing at the correct stat struct. */ + TALLOC_FREE(smb_fname); + smb_fname = fsp->fsp_name; + + size = smb_fname->st.st_ex_size; + fattr = fdos_mode(fsp); + + mtime = convert_timespec_to_time_t(smb_fname->st.st_ex_mtime); + + if (fattr & FILE_ATTRIBUTE_DIRECTORY) { + DEBUG(3,("attempt to open a directory %s\n", + fsp_str_dbg(fsp))); + close_file_free(req, &fsp, ERROR_CLOSE); + reply_botherror(req, NT_STATUS_ACCESS_DENIED, + ERRDOS, ERRnoaccess); + goto out; + } + + reply_smb1_outbuf(req, 7, 0); + SSVAL(req->outbuf,smb_vwv0,fsp->fnum); + SSVAL(req->outbuf,smb_vwv1,fattr); + if(lp_dos_filetime_resolution(SNUM(conn)) ) { + srv_put_dos_date3((char *)req->outbuf,smb_vwv2,mtime & ~1); + } else { + srv_put_dos_date3((char *)req->outbuf,smb_vwv2,mtime); + } + SIVAL(req->outbuf,smb_vwv4,(uint32_t)size); + SSVAL(req->outbuf,smb_vwv6,deny_mode); + + if (oplock_request && lp_fake_oplocks(SNUM(conn))) { + SCVAL(req->outbuf,smb_flg, + CVAL(req->outbuf,smb_flg)|CORE_OPLOCK_GRANTED); + } + + if(EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) { + SCVAL(req->outbuf,smb_flg, + CVAL(req->outbuf,smb_flg)|CORE_OPLOCK_GRANTED); + } + out: + END_PROFILE(SMBopen); + return; +} + +/**************************************************************************** + Reply to an open and X. +****************************************************************************/ + +void reply_open_and_X(struct smb_request *req) +{ + connection_struct *conn = req->conn; + struct smb_filename *smb_fname = NULL; + char *fname = NULL; + uint16_t open_flags; + int deny_mode; + uint32_t smb_attr; + /* Breakout the oplock request bits so we can set the + reply bits separately. */ + int ex_oplock_request; + int core_oplock_request; + int oplock_request; +#if 0 + int smb_sattr = SVAL(req->vwv+4, 0); + uint32_t smb_time = make_unix_date3(req->vwv+6); +#endif + int smb_ofun; + uint32_t fattr=0; + int mtime=0; + int smb_action = 0; + struct files_struct *dirfsp = NULL; + files_struct *fsp; + NTSTATUS status; + uint64_t allocation_size; + ssize_t retval = -1; + uint32_t access_mask; + uint32_t share_mode; + uint32_t create_disposition; + uint32_t create_options = 0; + uint32_t private_flags = 0; + uint32_t ucf_flags; + NTTIME twrp = 0; + TALLOC_CTX *ctx = talloc_tos(); + + START_PROFILE(SMBopenX); + + if (req->wct < 15) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + + open_flags = SVAL(req->vwv+2, 0); + deny_mode = SVAL(req->vwv+3, 0); + smb_attr = SVAL(req->vwv+5, 0); + ex_oplock_request = EXTENDED_OPLOCK_REQUEST(req->inbuf); + core_oplock_request = CORE_OPLOCK_REQUEST(req->inbuf); + oplock_request = ex_oplock_request | core_oplock_request; + smb_ofun = SVAL(req->vwv+8, 0); + allocation_size = (uint64_t)IVAL(req->vwv+9, 0); + + /* If it's an IPC, pass off the pipe handler. */ + if (IS_IPC(conn)) { + if (lp_nt_pipe_support()) { + reply_open_pipe_and_X(conn, req); + } else { + reply_nterror(req, NT_STATUS_NETWORK_ACCESS_DENIED); + } + goto out; + } + + /* XXXX we need to handle passed times, sattr and flags */ + srvstr_get_path_req(ctx, req, &fname, (const char *)req->buf, + STR_TERMINATE, &status); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + if (!map_open_params_to_ntcreate(fname, deny_mode, + smb_ofun, + &access_mask, &share_mode, + &create_disposition, + &create_options, + &private_flags)) { + reply_force_doserror(req, ERRDOS, ERRbadaccess); + goto out; + } + + ucf_flags = filename_create_ucf_flags(req, create_disposition); + + if (ucf_flags & UCF_GMT_PATHNAME) { + extract_snapshot_token(fname, &twrp); + } + status = smb1_strip_dfs_path(ctx, &ucf_flags, &fname); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + status = filename_convert_dirfsp(ctx, + conn, + fname, + ucf_flags, + twrp, + &dirfsp, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, + NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + goto out; + } + reply_nterror(req, status); + goto out; + } + + status = SMB_VFS_CREATE_FILE( + conn, /* conn */ + req, /* req */ + dirfsp, /* dirfsp */ + smb_fname, /* fname */ + access_mask, /* access_mask */ + share_mode, /* share_access */ + create_disposition, /* create_disposition*/ + create_options, /* create_options */ + smb_attr, /* file_attributes */ + oplock_request, /* oplock_request */ + NULL, /* lease */ + 0, /* allocation_size */ + private_flags, + NULL, /* sd */ + NULL, /* ea_list */ + &fsp, /* result */ + &smb_action, /* pinfo */ + NULL, NULL); /* create context */ + + if (!NT_STATUS_IS_OK(status)) { + if (open_was_deferred(req->xconn, req->mid)) { + /* We have re-scheduled this call. */ + goto out; + } + + if (!NT_STATUS_EQUAL(status, NT_STATUS_SHARING_VIOLATION)) { + reply_openerror(req, status); + goto out; + } + + fsp = fcb_or_dos_open( + req, + smb_fname, + access_mask, + create_options, + private_flags); + if (fsp == NULL) { + bool ok = defer_smb1_sharing_violation(req); + if (ok) { + goto out; + } + reply_openerror(req, status); + goto out; + } + + + smb_action = FILE_WAS_OPENED; + } + + /* Setting the "size" field in vwv9 and vwv10 causes the file to be set to this size, + if the file is truncated or created. */ + if (((smb_action == FILE_WAS_CREATED) || (smb_action == FILE_WAS_OVERWRITTEN)) && allocation_size) { + fsp->initial_allocation_size = smb_roundup(fsp->conn, allocation_size); + if (vfs_allocate_file_space(fsp, fsp->initial_allocation_size) == -1) { + close_file_free(req, &fsp, ERROR_CLOSE); + reply_nterror(req, NT_STATUS_DISK_FULL); + goto out; + } + retval = vfs_set_filelen(fsp, (off_t)allocation_size); + if (retval < 0) { + close_file_free(req, &fsp, ERROR_CLOSE); + reply_nterror(req, NT_STATUS_DISK_FULL); + goto out; + } + status = vfs_stat_fsp(fsp); + if (!NT_STATUS_IS_OK(status)) { + close_file_free(req, &fsp, ERROR_CLOSE); + reply_nterror(req, status); + goto out; + } + } + + fattr = fdos_mode(fsp); + if (fattr & FILE_ATTRIBUTE_DIRECTORY) { + close_file_free(req, &fsp, ERROR_CLOSE); + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + goto out; + } + mtime = convert_timespec_to_time_t(fsp->fsp_name->st.st_ex_mtime); + + /* If the caller set the extended oplock request bit + and we granted one (by whatever means) - set the + correct bit for extended oplock reply. + */ + + if (ex_oplock_request && lp_fake_oplocks(SNUM(conn))) { + smb_action |= EXTENDED_OPLOCK_GRANTED; + } + + if(ex_oplock_request && EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) { + smb_action |= EXTENDED_OPLOCK_GRANTED; + } + + /* If the caller set the core oplock request bit + and we granted one (by whatever means) - set the + correct bit for core oplock reply. + */ + + if (open_flags & EXTENDED_RESPONSE_REQUIRED) { + reply_smb1_outbuf(req, 19, 0); + } else { + reply_smb1_outbuf(req, 15, 0); + } + + SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */ + SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */ + + if (core_oplock_request && lp_fake_oplocks(SNUM(conn))) { + SCVAL(req->outbuf, smb_flg, + CVAL(req->outbuf,smb_flg)|CORE_OPLOCK_GRANTED); + } + + if(core_oplock_request && EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) { + SCVAL(req->outbuf, smb_flg, + CVAL(req->outbuf,smb_flg)|CORE_OPLOCK_GRANTED); + } + + SSVAL(req->outbuf,smb_vwv2,fsp->fnum); + SSVAL(req->outbuf,smb_vwv3,fattr); + if(lp_dos_filetime_resolution(SNUM(conn)) ) { + srv_put_dos_date3((char *)req->outbuf,smb_vwv4,mtime & ~1); + } else { + srv_put_dos_date3((char *)req->outbuf,smb_vwv4,mtime); + } + SIVAL(req->outbuf,smb_vwv6,(uint32_t)fsp->fsp_name->st.st_ex_size); + SSVAL(req->outbuf,smb_vwv8,GET_OPENX_MODE(deny_mode)); + SSVAL(req->outbuf,smb_vwv11,smb_action); + + if (open_flags & EXTENDED_RESPONSE_REQUIRED) { + SIVAL(req->outbuf, smb_vwv15, SEC_STD_ALL); + } + + out: + TALLOC_FREE(smb_fname); + END_PROFILE(SMBopenX); + return; +} + +/**************************************************************************** + Reply to a SMBulogoffX. +****************************************************************************/ + +static struct tevent_req *reply_ulogoffX_send(struct smb_request *smb1req, + struct smbXsrv_session *session); +static void reply_ulogoffX_done(struct tevent_req *req); + +void reply_ulogoffX(struct smb_request *smb1req) +{ + struct timeval now = timeval_current(); + struct smbXsrv_session *session = NULL; + struct tevent_req *req; + NTSTATUS status; + + /* + * Don't setup the profile charge here, take + * it in reply_ulogoffX_done(). Not strictly correct + * but better than the other SMB1 async + * code that double-charges at the moment. + */ + + status = smb1srv_session_lookup(smb1req->xconn, + smb1req->vuid, + timeval_to_nttime(&now), + &session); + if (!NT_STATUS_IS_OK(status)) { + /* Not going async, profile here. */ + START_PROFILE(SMBulogoffX); + DBG_WARNING("ulogoff, vuser id %llu does not map to user.\n", + (unsigned long long)smb1req->vuid); + + smb1req->vuid = UID_FIELD_INVALID; + reply_force_doserror(smb1req, ERRSRV, ERRbaduid); + END_PROFILE(SMBulogoffX); + return; + } + + req = reply_ulogoffX_send(smb1req, session); + if (req == NULL) { + /* Not going async, profile here. */ + START_PROFILE(SMBulogoffX); + reply_force_doserror(smb1req, ERRDOS, ERRnomem); + END_PROFILE(SMBulogoffX); + return; + } + + /* We're async. This will complete later. */ + tevent_req_set_callback(req, reply_ulogoffX_done, smb1req); + return; +} + +struct reply_ulogoffX_state { + struct tevent_queue *wait_queue; + struct smbXsrv_session *session; +}; + +static void reply_ulogoffX_wait_done(struct tevent_req *subreq); + +/**************************************************************************** + Async SMB1 ulogoffX. + Note, on failure here we deallocate and return NULL to allow the caller to + SMB1 return an error of ERRnomem immediately. +****************************************************************************/ + +static struct tevent_req *reply_ulogoffX_send(struct smb_request *smb1req, + struct smbXsrv_session *session) +{ + struct tevent_req *req; + struct reply_ulogoffX_state *state; + struct tevent_req *subreq; + files_struct *fsp; + struct smbd_server_connection *sconn = session->client->sconn; + uint64_t vuid = session->global->session_wire_id; + + req = tevent_req_create(smb1req, &state, + struct reply_ulogoffX_state); + if (req == NULL) { + return NULL; + } + state->wait_queue = tevent_queue_create(state, + "reply_ulogoffX_wait_queue"); + if (tevent_req_nomem(state->wait_queue, req)) { + TALLOC_FREE(req); + return NULL; + } + state->session = session; + + /* + * Make sure that no new request will be able to use this session. + * This ensures that once all outstanding fsp->aio_requests + * on this session are done, we are safe to close it. + */ + session->status = NT_STATUS_USER_SESSION_DELETED; + + for (fsp = sconn->files; fsp; fsp = fsp->next) { + if (fsp->vuid != vuid) { + continue; + } + /* + * Flag the file as close in progress. + * This will prevent any more IO being + * done on it. + */ + fsp->fsp_flags.closing = true; + + if (fsp->num_aio_requests > 0) { + /* + * Now wait until all aio requests on this fsp are + * finished. + * + * We don't set a callback, as we just want to block the + * wait queue and the talloc_free() of fsp->aio_request + * will remove the item from the wait queue. + */ + subreq = tevent_queue_wait_send(fsp->aio_requests, + sconn->ev_ctx, + state->wait_queue); + if (tevent_req_nomem(subreq, req)) { + TALLOC_FREE(req); + return NULL; + } + } + } + + /* + * Now we add our own waiter to the end of the queue, + * this way we get notified when all pending requests are finished + * and reply to the outstanding SMB1 request. + */ + subreq = tevent_queue_wait_send(state, + sconn->ev_ctx, + state->wait_queue); + if (tevent_req_nomem(subreq, req)) { + TALLOC_FREE(req); + return NULL; + } + + /* + * We're really going async - move the SMB1 request from + * a talloc stackframe above us to the sconn talloc-context. + * We need this to stick around until the wait_done + * callback is invoked. + */ + smb1req = talloc_move(sconn, &smb1req); + + tevent_req_set_callback(subreq, reply_ulogoffX_wait_done, req); + + return req; +} + +static void reply_ulogoffX_wait_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + + tevent_queue_wait_recv(subreq); + TALLOC_FREE(subreq); + tevent_req_done(req); +} + +static NTSTATUS reply_ulogoffX_recv(struct tevent_req *req) +{ + return tevent_req_simple_recv_ntstatus(req); +} + +static void reply_ulogoffX_done(struct tevent_req *req) +{ + struct smb_request *smb1req = tevent_req_callback_data( + req, struct smb_request); + struct reply_ulogoffX_state *state = tevent_req_data(req, + struct reply_ulogoffX_state); + struct smbXsrv_session *session = state->session; + NTSTATUS status; + + /* + * Take the profile charge here. Not strictly + * correct but better than the other SMB1 async + * code that double-charges at the moment. + */ + START_PROFILE(SMBulogoffX); + + status = reply_ulogoffX_recv(req); + TALLOC_FREE(req); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(smb1req); + END_PROFILE(SMBulogoffX); + exit_server(__location__ ": reply_ulogoffX_recv failed"); + return; + } + + status = smbXsrv_session_logoff(session); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(smb1req); + END_PROFILE(SMBulogoffX); + exit_server(__location__ ": smbXsrv_session_logoff failed"); + return; + } + + TALLOC_FREE(session); + + reply_smb1_outbuf(smb1req, 2, 0); + SSVAL(smb1req->outbuf, smb_vwv0, 0xff); /* andx chain ends */ + SSVAL(smb1req->outbuf, smb_vwv1, 0); /* no andx offset */ + + DBG_NOTICE("ulogoffX vuid=%llu\n", + (unsigned long long)smb1req->vuid); + + smb1req->vuid = UID_FIELD_INVALID; + /* + * The following call is needed to push the + * reply data back out the socket after async + * return. Plus it frees smb1req. + */ + smb_request_done(smb1req); + END_PROFILE(SMBulogoffX); +} + +/**************************************************************************** + Reply to a mknew or a create. +****************************************************************************/ + +void reply_mknew(struct smb_request *req) +{ + connection_struct *conn = req->conn; + struct smb_filename *smb_fname = NULL; + char *fname = NULL; + uint32_t fattr = 0; + struct smb_file_time ft; + struct files_struct *dirfsp = NULL; + files_struct *fsp; + int oplock_request = 0; + NTSTATUS status; + uint32_t access_mask = FILE_GENERIC_READ | FILE_GENERIC_WRITE; + uint32_t share_mode = FILE_SHARE_READ|FILE_SHARE_WRITE; + uint32_t create_disposition; + uint32_t create_options = 0; + uint32_t ucf_flags; + NTTIME twrp = 0; + TALLOC_CTX *ctx = talloc_tos(); + + START_PROFILE(SMBcreate); + init_smb_file_time(&ft); + + if (req->wct < 3) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + + fattr = SVAL(req->vwv+0, 0); + oplock_request = CORE_OPLOCK_REQUEST(req->inbuf); + + if (req->cmd == SMBmknew) { + /* We should fail if file exists. */ + create_disposition = FILE_CREATE; + } else { + /* Create if file doesn't exist, truncate if it does. */ + create_disposition = FILE_OVERWRITE_IF; + } + + /* mtime. */ + ft.mtime = time_t_to_full_timespec(srv_make_unix_date3(req->vwv+1)); + + srvstr_get_path_req(ctx, req, &fname, (const char *)req->buf + 1, + STR_TERMINATE, &status); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + ucf_flags = filename_create_ucf_flags(req, create_disposition); + if (ucf_flags & UCF_GMT_PATHNAME) { + extract_snapshot_token(fname, &twrp); + } + status = smb1_strip_dfs_path(ctx, &ucf_flags, &fname); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + status = filename_convert_dirfsp(ctx, + conn, + fname, + ucf_flags, + twrp, + &dirfsp, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, + NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + goto out; + } + reply_nterror(req, status); + goto out; + } + + if (fattr & FILE_ATTRIBUTE_VOLUME) { + DEBUG(0,("Attempt to create file (%s) with volid set - " + "please report this\n", + smb_fname_str_dbg(smb_fname))); + } + + status = SMB_VFS_CREATE_FILE( + conn, /* conn */ + req, /* req */ + dirfsp, /* dirfsp */ + smb_fname, /* fname */ + access_mask, /* access_mask */ + share_mode, /* share_access */ + create_disposition, /* create_disposition*/ + create_options, /* create_options */ + fattr, /* file_attributes */ + oplock_request, /* oplock_request */ + NULL, /* lease */ + 0, /* allocation_size */ + 0, /* private_flags */ + NULL, /* sd */ + NULL, /* ea_list */ + &fsp, /* result */ + NULL, /* pinfo */ + NULL, NULL); /* create context */ + + if (!NT_STATUS_IS_OK(status)) { + if (open_was_deferred(req->xconn, req->mid)) { + /* We have re-scheduled this call. */ + goto out; + } + if (NT_STATUS_EQUAL(status, NT_STATUS_SHARING_VIOLATION)) { + bool ok = defer_smb1_sharing_violation(req); + if (ok) { + goto out; + } + } + reply_openerror(req, status); + goto out; + } + + ft.atime = smb_fname->st.st_ex_atime; /* atime. */ + status = smb_set_file_time(conn, fsp, smb_fname, &ft, true); + if (!NT_STATUS_IS_OK(status)) { + END_PROFILE(SMBcreate); + goto out; + } + + reply_smb1_outbuf(req, 1, 0); + SSVAL(req->outbuf,smb_vwv0,fsp->fnum); + + if (oplock_request && lp_fake_oplocks(SNUM(conn))) { + SCVAL(req->outbuf,smb_flg, + CVAL(req->outbuf,smb_flg)|CORE_OPLOCK_GRANTED); + } + + if(EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) { + SCVAL(req->outbuf,smb_flg, + CVAL(req->outbuf,smb_flg)|CORE_OPLOCK_GRANTED); + } + + DEBUG(2, ("reply_mknew: file %s\n", smb_fname_str_dbg(smb_fname))); + DEBUG(3, ("reply_mknew %s fd=%d dmode=0x%x\n", + smb_fname_str_dbg(smb_fname), fsp_get_io_fd(fsp), + (unsigned int)fattr)); + + out: + TALLOC_FREE(smb_fname); + END_PROFILE(SMBcreate); + return; +} + +/**************************************************************************** + Reply to a create temporary file. +****************************************************************************/ + +void reply_ctemp(struct smb_request *req) +{ + connection_struct *conn = req->conn; + struct smb_filename *smb_fname = NULL; + char *wire_name = NULL; + char *fname = NULL; + uint32_t fattr; + struct files_struct *dirfsp = NULL; + files_struct *fsp; + int oplock_request; + char *s; + NTSTATUS status; + int i; + uint32_t ucf_flags; + NTTIME twrp = 0; + TALLOC_CTX *ctx = talloc_tos(); + + START_PROFILE(SMBctemp); + + if (req->wct < 3) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + + fattr = SVAL(req->vwv+0, 0); + oplock_request = CORE_OPLOCK_REQUEST(req->inbuf); + + srvstr_get_path_req(ctx, req, &wire_name, (const char *)req->buf+1, + STR_TERMINATE, &status); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + for (i = 0; i < 10; i++) { + if (*wire_name) { + fname = talloc_asprintf(ctx, + "%s/TMP%s", + wire_name, + generate_random_str_list(ctx, 5, "0123456789")); + } else { + fname = talloc_asprintf(ctx, + "TMP%s", + generate_random_str_list(ctx, 5, "0123456789")); + } + + if (!fname) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + goto out; + } + + ucf_flags = filename_create_ucf_flags(req, FILE_CREATE); + if (ucf_flags & UCF_GMT_PATHNAME) { + extract_snapshot_token(fname, &twrp); + } + status = smb1_strip_dfs_path(ctx, &ucf_flags, &fname); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + status = filename_convert_dirfsp(ctx, + conn, + fname, + ucf_flags, + twrp, + &dirfsp, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + goto out; + } + reply_nterror(req, status); + goto out; + } + + /* Create the file. */ + status = SMB_VFS_CREATE_FILE( + conn, /* conn */ + req, /* req */ + dirfsp, /* dirfsp */ + smb_fname, /* fname */ + FILE_GENERIC_READ | FILE_GENERIC_WRITE, /* access_mask */ + FILE_SHARE_READ | FILE_SHARE_WRITE, /* share_access */ + FILE_CREATE, /* create_disposition*/ + 0, /* create_options */ + fattr, /* file_attributes */ + oplock_request, /* oplock_request */ + NULL, /* lease */ + 0, /* allocation_size */ + 0, /* private_flags */ + NULL, /* sd */ + NULL, /* ea_list */ + &fsp, /* result */ + NULL, /* pinfo */ + NULL, NULL); /* create context */ + + if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) { + TALLOC_FREE(fname); + TALLOC_FREE(dirfsp); + TALLOC_FREE(smb_fname); + continue; + } + + if (!NT_STATUS_IS_OK(status)) { + if (open_was_deferred(req->xconn, req->mid)) { + /* We have re-scheduled this call. */ + goto out; + } + if (NT_STATUS_EQUAL( + status, NT_STATUS_SHARING_VIOLATION)) { + bool ok = defer_smb1_sharing_violation(req); + if (ok) { + goto out; + } + } + reply_openerror(req, status); + goto out; + } + + break; + } + + if (i == 10) { + /* Collision after 10 times... */ + reply_nterror(req, status); + goto out; + } + + reply_smb1_outbuf(req, 1, 0); + SSVAL(req->outbuf,smb_vwv0,fsp->fnum); + + /* the returned filename is relative to the directory */ + s = strrchr_m(fsp->fsp_name->base_name, '/'); + if (!s) { + s = fsp->fsp_name->base_name; + } else { + s++; + } + +#if 0 + /* Tested vs W2K3 - this doesn't seem to be here - null terminated filename is the only + thing in the byte section. JRA */ + SSVALS(p, 0, -1); /* what is this? not in spec */ +#endif + if (message_push_string(&req->outbuf, s, STR_ASCII|STR_TERMINATE) + == -1) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + goto out; + } + + if (oplock_request && lp_fake_oplocks(SNUM(conn))) { + SCVAL(req->outbuf, smb_flg, + CVAL(req->outbuf,smb_flg)|CORE_OPLOCK_GRANTED); + } + + if (EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) { + SCVAL(req->outbuf, smb_flg, + CVAL(req->outbuf,smb_flg)|CORE_OPLOCK_GRANTED); + } + + DEBUG(2, ("reply_ctemp: created temp file %s\n", fsp_str_dbg(fsp))); + DEBUG(3, ("reply_ctemp %s fd=%d umode=0%o\n", fsp_str_dbg(fsp), + fsp_get_io_fd(fsp), (unsigned int)smb_fname->st.st_ex_mode)); + out: + TALLOC_FREE(smb_fname); + TALLOC_FREE(wire_name); + END_PROFILE(SMBctemp); + return; +} + +/**************************************************************************** + Reply to a unlink +****************************************************************************/ + +void reply_unlink(struct smb_request *req) +{ + connection_struct *conn = req->conn; + char *name = NULL; + struct files_struct *dirfsp = NULL; + struct smb_filename *smb_fname = NULL; + uint32_t dirtype; + NTSTATUS status; + uint32_t ucf_flags = ucf_flags_from_smb_request(req); + NTTIME twrp = 0; + TALLOC_CTX *ctx = talloc_tos(); + + START_PROFILE(SMBunlink); + + if (req->wct < 1) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + + dirtype = SVAL(req->vwv+0, 0); + + srvstr_get_path_req(ctx, req, &name, (const char *)req->buf + 1, + STR_TERMINATE, &status); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + if (ucf_flags & UCF_GMT_PATHNAME) { + extract_snapshot_token(name, &twrp); + } + status = smb1_strip_dfs_path(ctx, &ucf_flags, &name); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + status = filename_convert_dirfsp(ctx, + conn, + name, + ucf_flags | UCF_LCOMP_LNK_OK, + twrp, + &dirfsp, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + goto out; + } + reply_nterror(req, status); + goto out; + } + + DEBUG(3,("reply_unlink : %s\n", smb_fname_str_dbg(smb_fname))); + + status = unlink_internals(conn, req, dirtype, dirfsp, smb_fname); + if (!NT_STATUS_IS_OK(status)) { + if (open_was_deferred(req->xconn, req->mid)) { + /* We have re-scheduled this call. */ + goto out; + } + if (NT_STATUS_EQUAL(status, NT_STATUS_SHARING_VIOLATION)) { + bool ok = defer_smb1_sharing_violation(req); + if (ok) { + goto out; + } + } + reply_nterror(req, status); + goto out; + } + + reply_smb1_outbuf(req, 0, 0); + out: + TALLOC_FREE(smb_fname); + END_PROFILE(SMBunlink); + return; +} + +/**************************************************************************** + Fail for readbraw. +****************************************************************************/ + +static void fail_readraw(void) +{ + const char *errstr = talloc_asprintf(talloc_tos(), + "FAIL ! reply_readbraw: socket write fail (%s)", + strerror(errno)); + if (!errstr) { + errstr = ""; + } + exit_server_cleanly(errstr); +} + +/**************************************************************************** + Return a readbraw error (4 bytes of zero). +****************************************************************************/ + +static void reply_readbraw_error(struct smbXsrv_connection *xconn) +{ + char header[4]; + + SIVAL(header,0,0); + + smbd_lock_socket(xconn); + if (write_data(xconn->transport.sock,header,4) != 4) { + int saved_errno = errno; + /* + * Try and give an error message saying what + * client failed. + */ + DEBUG(0, ("write_data failed for client %s. " + "Error %s\n", + smbXsrv_connection_dbg(xconn), + strerror(saved_errno))); + errno = saved_errno; + + fail_readraw(); + } + smbd_unlock_socket(xconn); +} + +/******************************************************************* + Ensure we don't use sendfile if server smb signing is active. +********************************************************************/ + +static bool lp_use_sendfile(struct smbXsrv_connection *xconn, + int snum, + struct smb1_signing_state *signing_state) +{ + bool sign_active = false; + + /* Using sendfile blows the brains out of any DOS or Win9x TCP stack... JRA. */ + if (xconn->protocol < PROTOCOL_NT1) { + return false; + } + if (signing_state) { + sign_active = smb1_signing_is_active(signing_state); + } + return (lp__use_sendfile(snum) && + (get_remote_arch() != RA_WIN95) && + !sign_active); +} +/**************************************************************************** + Use sendfile in readbraw. +****************************************************************************/ + +static void send_file_readbraw(connection_struct *conn, + struct smb_request *req, + files_struct *fsp, + off_t startpos, + size_t nread, + ssize_t mincount) +{ + struct smbXsrv_connection *xconn = req->xconn; + char *outbuf = NULL; + ssize_t ret=0; + + /* + * We can only use sendfile on a non-chained packet + * but we can use on a non-oplocked file. tridge proved this + * on a train in Germany :-). JRA. + * reply_readbraw has already checked the length. + */ + + if ( !req_is_in_chain(req) && + (nread > 0) && + !fsp_is_alternate_stream(fsp) && + lp_use_sendfile(xconn, SNUM(conn), xconn->smb1.signing_state) ) { + ssize_t sendfile_read = -1; + char header[4]; + DATA_BLOB header_blob; + + _smb_setlen(header,nread); + header_blob = data_blob_const(header, 4); + + sendfile_read = SMB_VFS_SENDFILE(xconn->transport.sock, fsp, + &header_blob, startpos, + nread); + if (sendfile_read == -1) { + /* Returning ENOSYS means no data at all was sent. + * Do this as a normal read. */ + if (errno == ENOSYS) { + goto normal_readbraw; + } + + /* + * Special hack for broken Linux with no working sendfile. If we + * return EINTR we sent the header but not the rest of the data. + * Fake this up by doing read/write calls. + */ + if (errno == EINTR) { + /* Ensure we don't do this again. */ + set_use_sendfile(SNUM(conn), False); + DEBUG(0,("send_file_readbraw: sendfile not available. Faking..\n")); + + if (fake_sendfile(xconn, fsp, startpos, nread) == -1) { + DEBUG(0,("send_file_readbraw: " + "fake_sendfile failed for " + "file %s (%s).\n", + fsp_str_dbg(fsp), + strerror(errno))); + exit_server_cleanly("send_file_readbraw fake_sendfile failed"); + } + return; + } + + DEBUG(0,("send_file_readbraw: sendfile failed for " + "file %s (%s). Terminating\n", + fsp_str_dbg(fsp), strerror(errno))); + exit_server_cleanly("send_file_readbraw sendfile failed"); + } else if (sendfile_read == 0) { + /* + * Some sendfile implementations return 0 to indicate + * that there was a short read, but nothing was + * actually written to the socket. In this case, + * fallback to the normal read path so the header gets + * the correct byte count. + */ + DEBUG(3, ("send_file_readbraw: sendfile sent zero " + "bytes falling back to the normal read: " + "%s\n", fsp_str_dbg(fsp))); + goto normal_readbraw; + } + + /* Deal with possible short send. */ + if (sendfile_read != 4+nread) { + ret = sendfile_short_send(xconn, fsp, + sendfile_read, 4, nread); + if (ret == -1) { + fail_readraw(); + } + } + return; + } + +normal_readbraw: + + outbuf = talloc_array(NULL, char, nread+4); + if (!outbuf) { + DEBUG(0,("send_file_readbraw: talloc_array failed for size %u.\n", + (unsigned)(nread+4))); + reply_readbraw_error(xconn); + return; + } + + if (nread > 0) { + ret = read_file(fsp,outbuf+4,startpos,nread); +#if 0 /* mincount appears to be ignored in a W2K server. JRA. */ + if (ret < mincount) + ret = 0; +#else + if (ret < nread) + ret = 0; +#endif + } + + _smb_setlen(outbuf,ret); + if (write_data(xconn->transport.sock, outbuf, 4+ret) != 4+ret) { + int saved_errno = errno; + /* + * Try and give an error message saying what + * client failed. + */ + DEBUG(0, ("write_data failed for client %s. Error %s\n", + smbXsrv_connection_dbg(xconn), + strerror(saved_errno))); + errno = saved_errno; + + fail_readraw(); + } + + TALLOC_FREE(outbuf); +} + +/**************************************************************************** + Reply to a readbraw (core+ protocol). +****************************************************************************/ + +void reply_readbraw(struct smb_request *req) +{ + connection_struct *conn = req->conn; + struct smbXsrv_connection *xconn = req->xconn; + ssize_t maxcount,mincount; + size_t nread = 0; + off_t startpos; + files_struct *fsp; + struct lock_struct lock; + off_t size = 0; + NTSTATUS status; + + START_PROFILE(SMBreadbraw); + + if (smb1_srv_is_signing_active(xconn) || req->encrypted) { + exit_server_cleanly("reply_readbraw: SMB signing/sealing is active - " + "raw reads/writes are disallowed."); + } + + if (req->wct < 8) { + reply_readbraw_error(xconn); + END_PROFILE(SMBreadbraw); + return; + } + + if (xconn->smb1.echo_handler.trusted_fde) { + DEBUG(2,("SMBreadbraw rejected with NOT_SUPPORTED because of " + "'async smb echo handler = yes'\n")); + reply_readbraw_error(xconn); + END_PROFILE(SMBreadbraw); + return; + } + + /* + * Special check if an oplock break has been issued + * and the readraw request croses on the wire, we must + * return a zero length response here. + */ + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + /* + * We have to do a check_fsp by hand here, as + * we must always return 4 zero bytes on error, + * not a NTSTATUS. + */ + + if (fsp == NULL || + conn == NULL || + conn != fsp->conn || + req->vuid != fsp->vuid || + fsp->fsp_flags.is_directory || + fsp_get_io_fd(fsp) == -1) + { + /* + * fsp could be NULL here so use the value from the packet. JRA. + */ + DEBUG(3,("reply_readbraw: fnum %d not valid " + "- cache prime?\n", + (int)SVAL(req->vwv+0, 0))); + reply_readbraw_error(xconn); + END_PROFILE(SMBreadbraw); + return; + } + + /* Do a "by hand" version of CHECK_READ. */ + if (!(fsp->fsp_flags.can_read || + ((req->flags2 & FLAGS2_READ_PERMIT_EXECUTE) && + (fsp->access_mask & FILE_EXECUTE)))) { + DEBUG(3,("reply_readbraw: fnum %d not readable.\n", + (int)SVAL(req->vwv+0, 0))); + reply_readbraw_error(xconn); + END_PROFILE(SMBreadbraw); + return; + } + + startpos = IVAL_TO_SMB_OFF_T(req->vwv+1, 0); + if(req->wct == 10) { + /* + * This is a large offset (64 bit) read. + */ + + startpos |= (((off_t)IVAL(req->vwv+8, 0)) << 32); + + if(startpos < 0) { + DEBUG(0,("reply_readbraw: negative 64 bit " + "readraw offset (%.0f) !\n", + (double)startpos )); + reply_readbraw_error(xconn); + END_PROFILE(SMBreadbraw); + return; + } + } + + maxcount = (SVAL(req->vwv+3, 0) & 0xFFFF); + mincount = (SVAL(req->vwv+4, 0) & 0xFFFF); + + /* ensure we don't overrun the packet size */ + maxcount = MIN(65535,maxcount); + + init_strict_lock_struct(fsp, + (uint64_t)req->smbpid, + (uint64_t)startpos, + (uint64_t)maxcount, + READ_LOCK, + lp_posix_cifsu_locktype(fsp), + &lock); + + if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) { + reply_readbraw_error(xconn); + END_PROFILE(SMBreadbraw); + return; + } + + status = vfs_stat_fsp(fsp); + if (NT_STATUS_IS_OK(status)) { + size = fsp->fsp_name->st.st_ex_size; + } + + if (startpos >= size) { + nread = 0; + } else { + nread = MIN(maxcount,(size - startpos)); + } + +#if 0 /* mincount appears to be ignored in a W2K server. JRA. */ + if (nread < mincount) + nread = 0; +#endif + + DEBUG( 3, ( "reply_readbraw: %s start=%.0f max=%lu " + "min=%lu nread=%lu\n", + fsp_fnum_dbg(fsp), (double)startpos, + (unsigned long)maxcount, + (unsigned long)mincount, + (unsigned long)nread ) ); + + send_file_readbraw(conn, req, fsp, startpos, nread, mincount); + + DEBUG(5,("reply_readbraw finished\n")); + + END_PROFILE(SMBreadbraw); + return; +} + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_LOCKING + +/**************************************************************************** + Reply to a lockread (core+ protocol). +****************************************************************************/ + +static void reply_lockread_locked(struct tevent_req *subreq); + +void reply_lockread(struct smb_request *req) +{ + struct tevent_req *subreq = NULL; + connection_struct *conn = req->conn; + files_struct *fsp; + struct smbd_lock_element *lck = NULL; + + START_PROFILE(SMBlockread); + + if (req->wct < 5) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBlockread); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + if (!check_fsp(conn, req, fsp)) { + END_PROFILE(SMBlockread); + return; + } + + if (!CHECK_READ(fsp,req)) { + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + END_PROFILE(SMBlockread); + return; + } + + lck = talloc(req, struct smbd_lock_element); + if (lck == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBlockread); + return; + } + + /* + * NB. Discovered by Menny Hamburger at Mainsoft. This is a core+ + * protocol request that predates the read/write lock concept. + * Thus instead of asking for a read lock here we need to ask + * for a write lock. JRA. + * Note that the requested lock size is unaffected by max_send. + */ + + *lck = (struct smbd_lock_element) { + .req_guid = smbd_request_guid(req, 0), + .smblctx = req->smbpid, + .brltype = WRITE_LOCK, + .lock_flav = WINDOWS_LOCK, + .count = SVAL(req->vwv+1, 0), + .offset = IVAL_TO_SMB_OFF_T(req->vwv+2, 0), + }; + + subreq = smbd_smb1_do_locks_send( + fsp, + req->sconn->ev_ctx, + &req, + fsp, + 0, + false, /* large_offset */ + 1, + lck); + if (subreq == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBlockread); + return; + } + tevent_req_set_callback(subreq, reply_lockread_locked, NULL); + END_PROFILE(SMBlockread); +} + +static void reply_lockread_locked(struct tevent_req *subreq) +{ + struct smb_request *req = NULL; + ssize_t nread = -1; + char *data = NULL; + NTSTATUS status; + bool ok; + off_t startpos; + size_t numtoread, maxtoread; + struct files_struct *fsp = NULL; + char *p = NULL; + + START_PROFILE(SMBlockread); + + ok = smbd_smb1_do_locks_extract_smbreq(subreq, talloc_tos(), &req); + SMB_ASSERT(ok); + + status = smbd_smb1_do_locks_recv(subreq); + TALLOC_FREE(subreq); + + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto send; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + if (fsp == NULL) { + reply_nterror(req, NT_STATUS_INTERNAL_ERROR); + goto send; + } + + numtoread = SVAL(req->vwv+1, 0); + startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); + + /* + * However the requested READ size IS affected by max_send. Insanity.... JRA. + */ + maxtoread = req->xconn->smb1.sessions.max_send - (MIN_SMB_SIZE + 5*2 + 3); + + if (numtoread > maxtoread) { + DBG_WARNING("requested read size (%zu) is greater than " + "maximum allowed (%zu/%d). " + "Returning short read of maximum allowed for " + "compatibility with Windows 2000.\n", + numtoread, + maxtoread, + req->xconn->smb1.sessions.max_send); + numtoread = maxtoread; + } + + reply_smb1_outbuf(req, 5, numtoread + 3); + + data = smb_buf(req->outbuf) + 3; + + nread = read_file(fsp,data,startpos,numtoread); + + if (nread < 0) { + reply_nterror(req, map_nt_error_from_unix(errno)); + goto send; + } + + srv_smb1_set_message((char *)req->outbuf, 5, nread+3, False); + + SSVAL(req->outbuf,smb_vwv0,nread); + SSVAL(req->outbuf,smb_vwv5,nread+3); + p = smb_buf(req->outbuf); + SCVAL(p,0,0); /* pad byte. */ + SSVAL(p,1,nread); + + DEBUG(3,("lockread %s num=%d nread=%d\n", + fsp_fnum_dbg(fsp), (int)numtoread, (int)nread)); + +send: + ok = smb1_srv_send(req->xconn, + (char *)req->outbuf, + true, + req->seqnum + 1, + IS_CONN_ENCRYPTED(req->conn)); + if (!ok) { + exit_server_cleanly("reply_lock_done: smb1_srv_send failed."); + } + TALLOC_FREE(req); + END_PROFILE(SMBlockread); + return; +} + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_ALL + +/**************************************************************************** + Reply to a read. +****************************************************************************/ + +void reply_read(struct smb_request *req) +{ + connection_struct *conn = req->conn; + size_t numtoread; + size_t maxtoread; + ssize_t nread = 0; + char *data; + off_t startpos; + files_struct *fsp; + struct lock_struct lock; + struct smbXsrv_connection *xconn = req->xconn; + + START_PROFILE(SMBread); + + if (req->wct < 3) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBread); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + if (!check_fsp(conn, req, fsp)) { + END_PROFILE(SMBread); + return; + } + + if (!CHECK_READ(fsp,req)) { + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + END_PROFILE(SMBread); + return; + } + + numtoread = SVAL(req->vwv+1, 0); + startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); + + /* + * The requested read size cannot be greater than max_send. JRA. + */ + maxtoread = xconn->smb1.sessions.max_send - (MIN_SMB_SIZE + 5*2 + 3); + + if (numtoread > maxtoread) { + DEBUG(0,("reply_read: requested read size (%u) is greater than maximum allowed (%u/%u). \ +Returning short read of maximum allowed for compatibility with Windows 2000.\n", + (unsigned int)numtoread, (unsigned int)maxtoread, + (unsigned int)xconn->smb1.sessions.max_send)); + numtoread = maxtoread; + } + + reply_smb1_outbuf(req, 5, numtoread+3); + + data = smb_buf(req->outbuf) + 3; + + init_strict_lock_struct(fsp, + (uint64_t)req->smbpid, + (uint64_t)startpos, + (uint64_t)numtoread, + READ_LOCK, + lp_posix_cifsu_locktype(fsp), + &lock); + + if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) { + reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT); + END_PROFILE(SMBread); + return; + } + + if (numtoread > 0) + nread = read_file(fsp,data,startpos,numtoread); + + if (nread < 0) { + reply_nterror(req, map_nt_error_from_unix(errno)); + goto out; + } + + srv_smb1_set_message((char *)req->outbuf, 5, nread+3, False); + + SSVAL(req->outbuf,smb_vwv0,nread); + SSVAL(req->outbuf,smb_vwv5,nread+3); + SCVAL(smb_buf(req->outbuf),0,1); + SSVAL(smb_buf(req->outbuf),1,nread); + + DEBUG(3, ("read %s num=%d nread=%d\n", + fsp_fnum_dbg(fsp), (int)numtoread, (int)nread)); + +out: + END_PROFILE(SMBread); + return; +} + +/**************************************************************************** + Setup readX header. +****************************************************************************/ + +size_t setup_readX_header(char *outbuf, size_t smb_maxcnt) +{ + size_t outsize; + + outsize = srv_smb1_set_message(outbuf,12,smb_maxcnt + 1 /* padding byte */, + False); + + memset(outbuf+smb_vwv0,'\0',24); /* valgrind init. */ + + SCVAL(outbuf,smb_vwv0,0xFF); + SSVAL(outbuf,smb_vwv2,0xFFFF); /* Remaining - must be -1. */ + SSVAL(outbuf,smb_vwv5,smb_maxcnt); + SSVAL(outbuf,smb_vwv6, + (smb_wct - 4) /* offset from smb header to wct */ + + 1 /* the wct field */ + + 12 * sizeof(uint16_t) /* vwv */ + + 2 /* the buflen field */ + + 1); /* padding byte */ + SSVAL(outbuf,smb_vwv7,(smb_maxcnt >> 16)); + SCVAL(smb_buf(outbuf), 0, 0); /* padding byte */ + /* Reset the outgoing length, set_message truncates at 0x1FFFF. */ + _smb_setlen_large(outbuf, + smb_size + 12*2 + smb_maxcnt - 4 + 1 /* pad */); + return outsize; +} + +/**************************************************************************** + Reply to a read and X - possibly using sendfile. +****************************************************************************/ + +static void send_file_readX(connection_struct *conn, struct smb_request *req, + files_struct *fsp, off_t startpos, + size_t smb_maxcnt) +{ + struct smbXsrv_connection *xconn = req->xconn; + ssize_t nread = -1; + struct lock_struct lock; + int saved_errno = 0; + NTSTATUS status; + + init_strict_lock_struct(fsp, + (uint64_t)req->smbpid, + (uint64_t)startpos, + (uint64_t)smb_maxcnt, + READ_LOCK, + lp_posix_cifsu_locktype(fsp), + &lock); + + if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) { + reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT); + return; + } + + /* + * We can only use sendfile on a non-chained packet + * but we can use on a non-oplocked file. tridge proved this + * on a train in Germany :-). JRA. + */ + + if (!req_is_in_chain(req) && + !req->encrypted && + !fsp_is_alternate_stream(fsp) && + lp_use_sendfile(xconn, SNUM(conn), xconn->smb1.signing_state) ) { + uint8_t headerbuf[smb_size + 12 * 2 + 1 /* padding byte */]; + DATA_BLOB header; + + status = vfs_stat_fsp(fsp); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + if (!S_ISREG(fsp->fsp_name->st.st_ex_mode) || + (startpos > fsp->fsp_name->st.st_ex_size) || + (smb_maxcnt > (fsp->fsp_name->st.st_ex_size - startpos))) { + /* + * We already know that we would do a short read, so don't + * try the sendfile() path. + */ + goto nosendfile_read; + } + + /* + * Set up the packet header before send. We + * assume here the sendfile will work (get the + * correct amount of data). + */ + + header = data_blob_const(headerbuf, sizeof(headerbuf)); + + construct_smb1_reply_common_req(req, (char *)headerbuf); + setup_readX_header((char *)headerbuf, smb_maxcnt); + + nread = SMB_VFS_SENDFILE(xconn->transport.sock, fsp, &header, + startpos, smb_maxcnt); + if (nread == -1) { + saved_errno = errno; + + /* Returning ENOSYS means no data at all was sent. + Do this as a normal read. */ + if (errno == ENOSYS) { + goto normal_read; + } + + /* + * Special hack for broken Linux with no working sendfile. If we + * return EINTR we sent the header but not the rest of the data. + * Fake this up by doing read/write calls. + */ + + if (errno == EINTR) { + /* Ensure we don't do this again. */ + set_use_sendfile(SNUM(conn), False); + DEBUG(0,("send_file_readX: sendfile not available. Faking..\n")); + nread = fake_sendfile(xconn, fsp, startpos, + smb_maxcnt); + if (nread == -1) { + saved_errno = errno; + DEBUG(0,("send_file_readX: " + "fake_sendfile failed for " + "file %s (%s) for client %s. " + "Terminating\n", + fsp_str_dbg(fsp), + smbXsrv_connection_dbg(xconn), + strerror(saved_errno))); + errno = saved_errno; + exit_server_cleanly("send_file_readX: fake_sendfile failed"); + } + DEBUG(3, ("send_file_readX: fake_sendfile %s max=%d nread=%d\n", + fsp_fnum_dbg(fsp), (int)smb_maxcnt, (int)nread)); + /* No outbuf here means successful sendfile. */ + goto out; + } + + DEBUG(0,("send_file_readX: sendfile failed for file " + "%s (%s). Terminating\n", fsp_str_dbg(fsp), + strerror(errno))); + exit_server_cleanly("send_file_readX sendfile failed"); + } else if (nread == 0) { + /* + * Some sendfile implementations return 0 to indicate + * that there was a short read, but nothing was + * actually written to the socket. In this case, + * fallback to the normal read path so the header gets + * the correct byte count. + */ + DEBUG(3, ("send_file_readX: sendfile sent zero bytes " + "falling back to the normal read: %s\n", + fsp_str_dbg(fsp))); + goto normal_read; + } + + DEBUG(3, ("send_file_readX: sendfile %s max=%d nread=%d\n", + fsp_fnum_dbg(fsp), (int)smb_maxcnt, (int)nread)); + + /* Deal with possible short send. */ + if (nread != smb_maxcnt + sizeof(headerbuf)) { + ssize_t ret; + + ret = sendfile_short_send(xconn, fsp, nread, + sizeof(headerbuf), smb_maxcnt); + if (ret == -1) { + const char *r; + r = "send_file_readX: sendfile_short_send failed"; + DEBUG(0,("%s for file %s (%s).\n", + r, fsp_str_dbg(fsp), strerror(errno))); + exit_server_cleanly(r); + } + } + /* No outbuf here means successful sendfile. */ + goto out; + } + +normal_read: + + if ((smb_maxcnt & 0xFF0000) > 0x10000) { + uint8_t headerbuf[smb_size + 2*12 + 1 /* padding byte */]; + ssize_t ret; + + if (!S_ISREG(fsp->fsp_name->st.st_ex_mode) || + (startpos > fsp->fsp_name->st.st_ex_size) || + (smb_maxcnt > (fsp->fsp_name->st.st_ex_size - startpos))) { + /* + * We already know that we would do a short + * read, so don't try the sendfile() path. + */ + goto nosendfile_read; + } + + construct_smb1_reply_common_req(req, (char *)headerbuf); + setup_readX_header((char *)headerbuf, smb_maxcnt); + + /* Send out the header. */ + ret = write_data(xconn->transport.sock, (char *)headerbuf, + sizeof(headerbuf)); + if (ret != sizeof(headerbuf)) { + saved_errno = errno; + /* + * Try and give an error message saying what + * client failed. + */ + DEBUG(0,("send_file_readX: write_data failed for file " + "%s (%s) for client %s. Terminating\n", + fsp_str_dbg(fsp), + smbXsrv_connection_dbg(xconn), + strerror(saved_errno))); + errno = saved_errno; + exit_server_cleanly("send_file_readX sendfile failed"); + } + nread = fake_sendfile(xconn, fsp, startpos, smb_maxcnt); + if (nread == -1) { + saved_errno = errno; + DEBUG(0,("send_file_readX: fake_sendfile failed for file " + "%s (%s) for client %s. Terminating\n", + fsp_str_dbg(fsp), + smbXsrv_connection_dbg(xconn), + strerror(saved_errno))); + errno = saved_errno; + exit_server_cleanly("send_file_readX: fake_sendfile failed"); + } + goto out; + } + +nosendfile_read: + + reply_smb1_outbuf(req, 12, smb_maxcnt + 1 /* padding byte */); + SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */ + SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */ + + nread = read_file(fsp, smb_buf(req->outbuf) + 1 /* padding byte */, + startpos, smb_maxcnt); + saved_errno = errno; + + if (nread < 0) { + reply_nterror(req, map_nt_error_from_unix(saved_errno)); + return; + } + + setup_readX_header((char *)req->outbuf, nread); + + DEBUG(3, ("send_file_readX %s max=%d nread=%d\n", + fsp_fnum_dbg(fsp), (int)smb_maxcnt, (int)nread)); + return; + +out: + TALLOC_FREE(req->outbuf); + return; +} + +/**************************************************************************** + Work out how much space we have for a read return. +****************************************************************************/ + +static size_t calc_max_read_pdu(const struct smb_request *req) +{ + struct smbXsrv_connection *xconn = req->xconn; + + if (xconn->protocol < PROTOCOL_NT1) { + return xconn->smb1.sessions.max_send; + } + + if (!lp_large_readwrite()) { + return xconn->smb1.sessions.max_send; + } + + if (req_is_in_chain(req)) { + return xconn->smb1.sessions.max_send; + } + + if (req->encrypted) { + /* + * Don't take encrypted traffic up to the + * limit. There are padding considerations + * that make that tricky. + */ + return xconn->smb1.sessions.max_send; + } + + if (smb1_srv_is_signing_active(xconn)) { + return 0x1FFFF; + } + + if (!lp_smb1_unix_extensions()) { + return 0x1FFFF; + } + + /* + * We can do ultra-large POSIX reads. + */ + return 0xFFFFFF; +} + +/**************************************************************************** + Calculate how big a read can be. Copes with all clients. It's always + safe to return a short read - Windows does this. +****************************************************************************/ + +static size_t calc_read_size(const struct smb_request *req, + size_t upper_size, + size_t lower_size) +{ + struct smbXsrv_connection *xconn = req->xconn; + size_t max_pdu = calc_max_read_pdu(req); + size_t total_size = 0; + size_t hdr_len = MIN_SMB_SIZE + VWV(12); + size_t max_len = max_pdu - hdr_len - 1 /* padding byte */; + + /* + * Windows explicitly ignores upper size of 0xFFFF. + * See [MS-SMB].pdf <26> Section 2.2.4.2.1: + * We must do the same as these will never fit even in + * an extended size NetBIOS packet. + */ + if (upper_size == 0xFFFF) { + upper_size = 0; + } + + if (xconn->protocol < PROTOCOL_NT1) { + upper_size = 0; + } + + total_size = ((upper_size<<16) | lower_size); + + /* + * LARGE_READX test shows it's always safe to return + * a short read. Windows does so. + */ + return MIN(total_size, max_len); +} + +/**************************************************************************** + Reply to a read and X. +****************************************************************************/ + +void reply_read_and_X(struct smb_request *req) +{ + connection_struct *conn = req->conn; + files_struct *fsp; + off_t startpos; + size_t smb_maxcnt; + size_t upper_size; + bool big_readX = False; +#if 0 + size_t smb_mincnt = SVAL(req->vwv+6, 0); +#endif + + START_PROFILE(SMBreadX); + + if ((req->wct != 10) && (req->wct != 12)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+2, 0)); + startpos = IVAL_TO_SMB_OFF_T(req->vwv+3, 0); + smb_maxcnt = SVAL(req->vwv+5, 0); + + /* If it's an IPC, pass off the pipe handler. */ + if (IS_IPC(conn)) { + reply_pipe_read_and_X(req); + END_PROFILE(SMBreadX); + return; + } + + if (!check_fsp(conn, req, fsp)) { + END_PROFILE(SMBreadX); + return; + } + + if (!CHECK_READ(fsp,req)) { + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + END_PROFILE(SMBreadX); + return; + } + + upper_size = SVAL(req->vwv+7, 0); + smb_maxcnt = calc_read_size(req, upper_size, smb_maxcnt); + if (smb_maxcnt > (0x1FFFF - (MIN_SMB_SIZE + VWV(12)))) { + /* + * This is a heuristic to avoid keeping large + * outgoing buffers around over long-lived aio + * requests. + */ + big_readX = True; + } + + if (req->wct == 12) { + /* + * This is a large offset (64 bit) read. + */ + startpos |= (((off_t)IVAL(req->vwv+10, 0)) << 32); + + } + + if (!big_readX) { + NTSTATUS status = schedule_aio_read_and_X(conn, + req, + fsp, + startpos, + smb_maxcnt); + if (NT_STATUS_IS_OK(status)) { + /* Read scheduled - we're done. */ + goto out; + } + if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) { + /* Real error - report to client. */ + END_PROFILE(SMBreadX); + reply_nterror(req, status); + return; + } + /* NT_STATUS_RETRY - fall back to sync read. */ + } + + smbd_lock_socket(req->xconn); + send_file_readX(conn, req, fsp, startpos, smb_maxcnt); + smbd_unlock_socket(req->xconn); + + out: + END_PROFILE(SMBreadX); + return; +} + +/**************************************************************************** + Error replies to writebraw must have smb_wct == 1. Fix this up. +****************************************************************************/ + +void error_to_writebrawerr(struct smb_request *req) +{ + uint8_t *old_outbuf = req->outbuf; + + reply_smb1_outbuf(req, 1, 0); + + memcpy(req->outbuf, old_outbuf, smb_size); + TALLOC_FREE(old_outbuf); +} + +/**************************************************************************** + Read 4 bytes of a smb packet and return the smb length of the packet. + Store the result in the buffer. This version of the function will + never return a session keepalive (length of zero). + Timeout is in milliseconds. +****************************************************************************/ + +static NTSTATUS read_smb_length(int fd, char *inbuf, unsigned int timeout, + size_t *len) +{ + uint8_t msgtype = NBSSkeepalive; + + while (msgtype == NBSSkeepalive) { + NTSTATUS status; + + status = read_smb_length_return_keepalive(fd, inbuf, timeout, + len); + if (!NT_STATUS_IS_OK(status)) { + char addr[INET6_ADDRSTRLEN]; + /* Try and give an error message + * saying what client failed. */ + DEBUG(0, ("read_smb_length_return_keepalive failed for " + "client %s read error = %s.\n", + get_peer_addr(fd,addr,sizeof(addr)), + nt_errstr(status))); + return status; + } + + msgtype = CVAL(inbuf, 0); + } + + DEBUG(10,("read_smb_length: got smb length of %lu\n", + (unsigned long)len)); + + return NT_STATUS_OK; +} + +/**************************************************************************** + Reply to a writebraw (core+ or LANMAN1.0 protocol). +****************************************************************************/ + +void reply_writebraw(struct smb_request *req) +{ + connection_struct *conn = req->conn; + struct smbXsrv_connection *xconn = req->xconn; + char *buf = NULL; + ssize_t nwritten=0; + ssize_t total_written=0; + size_t numtowrite=0; + size_t tcount; + off_t startpos; + const char *data=NULL; + bool write_through; + files_struct *fsp; + struct lock_struct lock; + NTSTATUS status; + + START_PROFILE(SMBwritebraw); + + /* + * If we ever reply with an error, it must have the SMB command + * type of SMBwritec, not SMBwriteBraw, as this tells the client + * we're finished. + */ + SCVAL(discard_const_p(uint8_t, req->inbuf),smb_com,SMBwritec); + + if (smb1_srv_is_signing_active(xconn)) { + END_PROFILE(SMBwritebraw); + exit_server_cleanly("reply_writebraw: SMB signing is active - " + "raw reads/writes are disallowed."); + } + + if (req->wct < 12) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + error_to_writebrawerr(req); + END_PROFILE(SMBwritebraw); + return; + } + + if (xconn->smb1.echo_handler.trusted_fde) { + DEBUG(2,("SMBwritebraw rejected with NOT_SUPPORTED because of " + "'async smb echo handler = yes'\n")); + reply_nterror(req, NT_STATUS_NOT_SUPPORTED); + error_to_writebrawerr(req); + END_PROFILE(SMBwritebraw); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + if (!check_fsp(conn, req, fsp)) { + error_to_writebrawerr(req); + END_PROFILE(SMBwritebraw); + return; + } + + status = check_any_access_fsp(fsp, FILE_WRITE_DATA|FILE_APPEND_DATA); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + error_to_writebrawerr(req); + END_PROFILE(SMBwritebraw); + return; + } + + tcount = IVAL(req->vwv+1, 0); + startpos = IVAL_TO_SMB_OFF_T(req->vwv+3, 0); + write_through = BITSETW(req->vwv+7,0); + + /* We have to deal with slightly different formats depending + on whether we are using the core+ or lanman1.0 protocol */ + + if(xconn->protocol <= PROTOCOL_COREPLUS) { + numtowrite = SVAL(smb_buf_const(req->inbuf),-2); + data = smb_buf_const(req->inbuf); + } else { + numtowrite = SVAL(req->vwv+10, 0); + data = smb_base(req->inbuf) + SVAL(req->vwv+11, 0); + } + + /* Ensure we don't write bytes past the end of this packet. */ + /* + * This already protects us against CVE-2017-12163. + */ + if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + error_to_writebrawerr(req); + END_PROFILE(SMBwritebraw); + return; + } + + if (!fsp->print_file) { + init_strict_lock_struct(fsp, + (uint64_t)req->smbpid, + (uint64_t)startpos, + (uint64_t)tcount, + WRITE_LOCK, + lp_posix_cifsu_locktype(fsp), + &lock); + + if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) { + reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT); + error_to_writebrawerr(req); + END_PROFILE(SMBwritebraw); + return; + } + } + + if (numtowrite>0) { + nwritten = write_file(req,fsp,data,startpos,numtowrite); + } + + DEBUG(3, ("reply_writebraw: initial write %s start=%.0f num=%d " + "wrote=%d sync=%d\n", + fsp_fnum_dbg(fsp), (double)startpos, (int)numtowrite, + (int)nwritten, (int)write_through)); + + if (nwritten < (ssize_t)numtowrite) { + reply_nterror(req, NT_STATUS_DISK_FULL); + error_to_writebrawerr(req); + goto out; + } + + total_written = nwritten; + + /* Allocate a buffer of 64k + length. */ + buf = talloc_array(NULL, char, 65540); + if (!buf) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + error_to_writebrawerr(req); + goto out; + } + + /* Return a SMBwritebraw message to the redirector to tell + * it to send more bytes */ + + memcpy(buf, req->inbuf, smb_size); + srv_smb1_set_message(buf,xconn->protocol>PROTOCOL_COREPLUS?1:0,0,True); + SCVAL(buf,smb_com,SMBwritebraw); + SSVALS(buf,smb_vwv0,0xFFFF); + show_msg(buf); + if (!smb1_srv_send(req->xconn, + buf, + false, + 0, /* no signing */ + IS_CONN_ENCRYPTED(conn))) { + exit_server_cleanly("reply_writebraw: smb1_srv_send " + "failed."); + } + + /* Now read the raw data into the buffer and write it */ + status = read_smb_length(xconn->transport.sock, buf, SMB_SECONDARY_WAIT, + &numtowrite); + if (!NT_STATUS_IS_OK(status)) { + exit_server_cleanly("secondary writebraw failed"); + } + + /* Set up outbuf to return the correct size */ + reply_smb1_outbuf(req, 1, 0); + + if (numtowrite != 0) { + + if (numtowrite > 0xFFFF) { + DEBUG(0,("reply_writebraw: Oversize secondary write " + "raw requested (%u). Terminating\n", + (unsigned int)numtowrite )); + exit_server_cleanly("secondary writebraw failed"); + } + + if (tcount > nwritten+numtowrite) { + DEBUG(3,("reply_writebraw: Client overestimated the " + "write %d %d %d\n", + (int)tcount,(int)nwritten,(int)numtowrite)); + } + + status = read_data_ntstatus(xconn->transport.sock, buf+4, + numtowrite); + + if (!NT_STATUS_IS_OK(status)) { + /* Try and give an error message + * saying what client failed. */ + DEBUG(0, ("reply_writebraw: Oversize secondary write " + "raw read failed (%s) for client %s. " + "Terminating\n", nt_errstr(status), + smbXsrv_connection_dbg(xconn))); + exit_server_cleanly("secondary writebraw failed"); + } + + /* + * We are not vulnerable to CVE-2017-12163 + * here as we are guaranteed to have numtowrite + * bytes available - we just read from the client. + */ + nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite); + if (nwritten == -1) { + TALLOC_FREE(buf); + reply_nterror(req, map_nt_error_from_unix(errno)); + error_to_writebrawerr(req); + goto out; + } + + if (nwritten < (ssize_t)numtowrite) { + SCVAL(req->outbuf,smb_rcls,ERRHRD); + SSVAL(req->outbuf,smb_err,ERRdiskfull); + } + + if (nwritten > 0) { + total_written += nwritten; + } + } + + TALLOC_FREE(buf); + SSVAL(req->outbuf,smb_vwv0,total_written); + + status = sync_file(conn, fsp, write_through); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(5,("reply_writebraw: sync_file for %s returned %s\n", + fsp_str_dbg(fsp), nt_errstr(status))); + reply_nterror(req, status); + error_to_writebrawerr(req); + goto out; + } + + DEBUG(3,("reply_writebraw: secondary write %s start=%.0f num=%d " + "wrote=%d\n", + fsp_fnum_dbg(fsp), (double)startpos, (int)numtowrite, + (int)total_written)); + + /* We won't return a status if write through is not selected - this + * follows what WfWg does */ + END_PROFILE(SMBwritebraw); + + if (!write_through && total_written==tcount) { + +#if RABBIT_PELLET_FIX + /* + * Fix for "rabbit pellet" mode, trigger an early TCP ack by + * sending a NBSSkeepalive. Thanks to DaveCB at Sun for this. + * JRA. + */ + if (!send_keepalive(xconn->transport.sock)) { + exit_server_cleanly("reply_writebraw: send of " + "keepalive failed"); + } +#endif + TALLOC_FREE(req->outbuf); + } + return; + +out: + END_PROFILE(SMBwritebraw); + return; +} + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_LOCKING + +/**************************************************************************** + Reply to a writeunlock (core+). +****************************************************************************/ + +void reply_writeunlock(struct smb_request *req) +{ + connection_struct *conn = req->conn; + ssize_t nwritten = -1; + size_t numtowrite; + size_t remaining; + off_t startpos; + const char *data; + NTSTATUS status = NT_STATUS_OK; + files_struct *fsp; + struct lock_struct lock; + int saved_errno = 0; + + START_PROFILE(SMBwriteunlock); + + if (req->wct < 5) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBwriteunlock); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + if (!check_fsp(conn, req, fsp)) { + END_PROFILE(SMBwriteunlock); + return; + } + + status = check_any_access_fsp(fsp, FILE_WRITE_DATA|FILE_APPEND_DATA); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBwriteunlock); + return; + } + + numtowrite = SVAL(req->vwv+1, 0); + startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); + data = (const char *)req->buf + 3; + + /* + * Ensure client isn't asking us to write more than + * they sent. CVE-2017-12163. + */ + remaining = smbreq_bufrem(req, data); + if (numtowrite > remaining) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBwriteunlock); + return; + } + + if (!fsp->print_file && numtowrite > 0) { + init_strict_lock_struct(fsp, + (uint64_t)req->smbpid, + (uint64_t)startpos, + (uint64_t)numtowrite, + WRITE_LOCK, + lp_posix_cifsu_locktype(fsp), + &lock); + + if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) { + reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT); + END_PROFILE(SMBwriteunlock); + return; + } + } + + /* The special X/Open SMB protocol handling of + zero length writes is *NOT* done for + this call */ + if(numtowrite == 0) { + nwritten = 0; + } else { + nwritten = write_file(req,fsp,data,startpos,numtowrite); + saved_errno = errno; + } + + status = sync_file(conn, fsp, False /* write through */); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(5,("reply_writeunlock: sync_file for %s returned %s\n", + fsp_str_dbg(fsp), nt_errstr(status))); + reply_nterror(req, status); + goto out; + } + + if(nwritten < 0) { + reply_nterror(req, map_nt_error_from_unix(saved_errno)); + goto out; + } + + if((nwritten < numtowrite) && (numtowrite != 0)) { + reply_nterror(req, NT_STATUS_DISK_FULL); + goto out; + } + + if (numtowrite && !fsp->print_file) { + struct smbd_lock_element l = { + .req_guid = smbd_request_guid(req, 0), + .smblctx = req->smbpid, + .brltype = UNLOCK_LOCK, + .lock_flav = WINDOWS_LOCK, + .offset = startpos, + .count = numtowrite, + }; + status = smbd_do_unlocking(req, fsp, 1, &l); + if (NT_STATUS_V(status)) { + reply_nterror(req, status); + goto out; + } + } + + reply_smb1_outbuf(req, 1, 0); + + SSVAL(req->outbuf,smb_vwv0,nwritten); + + DEBUG(3, ("writeunlock %s num=%d wrote=%d\n", + fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten)); + +out: + END_PROFILE(SMBwriteunlock); + return; +} + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_ALL + +/**************************************************************************** + Reply to a write. +****************************************************************************/ + +void reply_write(struct smb_request *req) +{ + connection_struct *conn = req->conn; + size_t numtowrite; + size_t remaining; + ssize_t nwritten = -1; + off_t startpos; + const char *data; + files_struct *fsp; + struct lock_struct lock; + NTSTATUS status; + int saved_errno = 0; + + START_PROFILE(SMBwrite); + + if (req->wct < 5) { + END_PROFILE(SMBwrite); + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } + + /* If it's an IPC, pass off the pipe handler. */ + if (IS_IPC(conn)) { + reply_pipe_write(req); + END_PROFILE(SMBwrite); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + if (!check_fsp(conn, req, fsp)) { + END_PROFILE(SMBwrite); + return; + } + + status = check_any_access_fsp(fsp, FILE_WRITE_DATA|FILE_APPEND_DATA); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBwrite); + return; + } + + numtowrite = SVAL(req->vwv+1, 0); + startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); + data = (const char *)req->buf + 3; + + /* + * Ensure client isn't asking us to write more than + * they sent. CVE-2017-12163. + */ + remaining = smbreq_bufrem(req, data); + if (numtowrite > remaining) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBwrite); + return; + } + + if (!fsp->print_file) { + init_strict_lock_struct(fsp, + (uint64_t)req->smbpid, + (uint64_t)startpos, + (uint64_t)numtowrite, + WRITE_LOCK, + lp_posix_cifsu_locktype(fsp), + &lock); + + if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) { + reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT); + END_PROFILE(SMBwrite); + return; + } + } + + /* + * X/Open SMB protocol says that if smb_vwv1 is + * zero then the file size should be extended or + * truncated to the size given in smb_vwv[2-3]. + */ + + if(numtowrite == 0) { + /* + * This is actually an allocate call, and set EOF. JRA. + */ + nwritten = vfs_allocate_file_space(fsp, (off_t)startpos); + if (nwritten < 0) { + reply_nterror(req, NT_STATUS_DISK_FULL); + goto out; + } + nwritten = vfs_set_filelen(fsp, (off_t)startpos); + if (nwritten < 0) { + reply_nterror(req, NT_STATUS_DISK_FULL); + goto out; + } + trigger_write_time_update_immediate(fsp); + } else { + nwritten = write_file(req,fsp,data,startpos,numtowrite); + } + + status = sync_file(conn, fsp, False); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(5,("reply_write: sync_file for %s returned %s\n", + fsp_str_dbg(fsp), nt_errstr(status))); + reply_nterror(req, status); + goto out; + } + + if(nwritten < 0) { + reply_nterror(req, map_nt_error_from_unix(saved_errno)); + goto out; + } + + if((nwritten == 0) && (numtowrite != 0)) { + reply_nterror(req, NT_STATUS_DISK_FULL); + goto out; + } + + reply_smb1_outbuf(req, 1, 0); + + SSVAL(req->outbuf,smb_vwv0,nwritten); + + if (nwritten < (ssize_t)numtowrite) { + SCVAL(req->outbuf,smb_rcls,ERRHRD); + SSVAL(req->outbuf,smb_err,ERRdiskfull); + } + + DEBUG(3, ("write %s num=%d wrote=%d\n", fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten)); + +out: + END_PROFILE(SMBwrite); + return; +} + +/**************************************************************************** + Ensure a buffer is a valid writeX for recvfile purposes. +****************************************************************************/ + +#define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \ + (2*14) + /* word count (including bcc) */ \ + 1 /* pad byte */) + +bool is_valid_writeX_buffer(struct smbXsrv_connection *xconn, + const uint8_t *inbuf) +{ + size_t numtowrite; + unsigned int doff = 0; + size_t len = smb_len_large(inbuf); + uint16_t fnum; + struct smbXsrv_open *op = NULL; + struct files_struct *fsp = NULL; + NTSTATUS status; + + if (is_encrypted_packet(inbuf)) { + /* Can't do this on encrypted + * connections. */ + return false; + } + + if (CVAL(inbuf,smb_com) != SMBwriteX) { + return false; + } + + if (CVAL(inbuf,smb_vwv0) != 0xFF || + CVAL(inbuf,smb_wct) != 14) { + DEBUG(10,("is_valid_writeX_buffer: chained or " + "invalid word length.\n")); + return false; + } + + fnum = SVAL(inbuf, smb_vwv2); + status = smb1srv_open_lookup(xconn, + fnum, + 0, /* now */ + &op); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("is_valid_writeX_buffer: bad fnum\n")); + return false; + } + fsp = op->compat; + if (fsp == NULL) { + DEBUG(10,("is_valid_writeX_buffer: bad fsp\n")); + return false; + } + if (fsp->conn == NULL) { + DEBUG(10,("is_valid_writeX_buffer: bad fsp->conn\n")); + return false; + } + + if (IS_IPC(fsp->conn)) { + DEBUG(10,("is_valid_writeX_buffer: IPC$ tid\n")); + return false; + } + if (IS_PRINT(fsp->conn)) { + DEBUG(10,("is_valid_writeX_buffer: printing tid\n")); + return false; + } + if (fsp_is_alternate_stream(fsp)) { + DEBUG(10,("is_valid_writeX_buffer: stream fsp\n")); + return false; + } + doff = SVAL(inbuf,smb_vwv11); + + numtowrite = SVAL(inbuf,smb_vwv10); + + if (len > doff && len - doff > 0xFFFF) { + numtowrite |= (((size_t)SVAL(inbuf,smb_vwv9))<<16); + } + + if (numtowrite == 0) { + DEBUG(10,("is_valid_writeX_buffer: zero write\n")); + return false; + } + + /* Ensure the sizes match up. */ + if (doff < STANDARD_WRITE_AND_X_HEADER_SIZE) { + /* no pad byte...old smbclient :-( */ + DEBUG(10,("is_valid_writeX_buffer: small doff %u (min %u)\n", + (unsigned int)doff, + (unsigned int)STANDARD_WRITE_AND_X_HEADER_SIZE)); + return false; + } + + if (len - doff != numtowrite) { + DEBUG(10,("is_valid_writeX_buffer: doff mismatch " + "len = %u, doff = %u, numtowrite = %u\n", + (unsigned int)len, + (unsigned int)doff, + (unsigned int)numtowrite )); + return false; + } + + DEBUG(10,("is_valid_writeX_buffer: true " + "len = %u, doff = %u, numtowrite = %u\n", + (unsigned int)len, + (unsigned int)doff, + (unsigned int)numtowrite )); + + return true; +} + +/**************************************************************************** + Reply to a write and X. +****************************************************************************/ + +void reply_write_and_X(struct smb_request *req) +{ + connection_struct *conn = req->conn; + struct smbXsrv_connection *xconn = req->xconn; + files_struct *fsp; + struct lock_struct lock; + off_t startpos; + size_t numtowrite; + bool write_through; + ssize_t nwritten; + unsigned int smb_doff; + unsigned int smblen; + const char *data; + NTSTATUS status; + int saved_errno = 0; + + START_PROFILE(SMBwriteX); + + if ((req->wct != 12) && (req->wct != 14)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + + numtowrite = SVAL(req->vwv+10, 0); + smb_doff = SVAL(req->vwv+11, 0); + smblen = smb_len(req->inbuf); + + if (req->unread_bytes > 0xFFFF || + (smblen > smb_doff && + smblen - smb_doff > 0xFFFF)) { + numtowrite |= (((size_t)SVAL(req->vwv+9, 0))<<16); + } + + if (req->unread_bytes) { + /* Can't do a recvfile write on IPC$ */ + if (IS_IPC(conn)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + if (numtowrite != req->unread_bytes) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + } else { + /* + * This already protects us against CVE-2017-12163. + */ + if (smb_doff > smblen || smb_doff + numtowrite < numtowrite || + smb_doff + numtowrite > smblen) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + } + + /* If it's an IPC, pass off the pipe handler. */ + if (IS_IPC(conn)) { + if (req->unread_bytes) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + reply_pipe_write_and_X(req); + goto out; + } + + fsp = file_fsp(req, SVAL(req->vwv+2, 0)); + startpos = IVAL_TO_SMB_OFF_T(req->vwv+3, 0); + write_through = BITSETW(req->vwv+7,0); + + if (!check_fsp(conn, req, fsp)) { + goto out; + } + + status = check_any_access_fsp(fsp, FILE_WRITE_DATA|FILE_APPEND_DATA); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + data = smb_base(req->inbuf) + smb_doff; + + if(req->wct == 14) { + /* + * This is a large offset (64 bit) write. + */ + startpos |= (((off_t)IVAL(req->vwv+12, 0)) << 32); + + } + + /* X/Open SMB protocol says that, unlike SMBwrite + if the length is zero then NO truncation is + done, just a write of zero. To truncate a file, + use SMBwrite. */ + + if(numtowrite == 0) { + nwritten = 0; + } else { + if (req->unread_bytes == 0) { + status = schedule_aio_write_and_X(conn, + req, + fsp, + data, + startpos, + numtowrite); + + if (NT_STATUS_IS_OK(status)) { + /* write scheduled - we're done. */ + goto out; + } + if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) { + /* Real error - report to client. */ + reply_nterror(req, status); + goto out; + } + /* NT_STATUS_RETRY - fall through to sync write. */ + } + + init_strict_lock_struct(fsp, + (uint64_t)req->smbpid, + (uint64_t)startpos, + (uint64_t)numtowrite, + WRITE_LOCK, + lp_posix_cifsu_locktype(fsp), + &lock); + + if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) { + reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT); + goto out; + } + + nwritten = write_file(req,fsp,data,startpos,numtowrite); + saved_errno = errno; + } + + if(nwritten < 0) { + reply_nterror(req, map_nt_error_from_unix(saved_errno)); + goto out; + } + + if((nwritten == 0) && (numtowrite != 0)) { + reply_nterror(req, NT_STATUS_DISK_FULL); + goto out; + } + + reply_smb1_outbuf(req, 6, 0); + SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */ + SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */ + SSVAL(req->outbuf,smb_vwv2,nwritten); + SSVAL(req->outbuf,smb_vwv4,nwritten>>16); + + DEBUG(3,("writeX %s num=%d wrote=%d\n", + fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten)); + + status = sync_file(conn, fsp, write_through); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(5,("reply_write_and_X: sync_file for %s returned %s\n", + fsp_str_dbg(fsp), nt_errstr(status))); + reply_nterror(req, status); + goto out; + } + + END_PROFILE(SMBwriteX); + return; + +out: + if (req->unread_bytes) { + /* writeX failed. drain socket. */ + if (drain_socket(xconn->transport.sock, req->unread_bytes) != + req->unread_bytes) { + smb_panic("failed to drain pending bytes"); + } + req->unread_bytes = 0; + } + + END_PROFILE(SMBwriteX); + return; +} + +/**************************************************************************** + Reply to a lseek. +****************************************************************************/ + +void reply_lseek(struct smb_request *req) +{ + connection_struct *conn = req->conn; + off_t startpos; + off_t res= -1; + int mode,umode; + files_struct *fsp; + NTSTATUS status; + + START_PROFILE(SMBlseek); + + if (req->wct < 4) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBlseek); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + if (!check_fsp(conn, req, fsp)) { + return; + } + + mode = SVAL(req->vwv+1, 0) & 3; + /* NB. This doesn't use IVAL_TO_SMB_OFF_T as startpos can be signed in this case. */ + startpos = (off_t)IVALS(req->vwv+2, 0); + + switch (mode) { + case 0: + umode = SEEK_SET; + res = startpos; + break; + case 1: + umode = SEEK_CUR; + res = fh_get_pos(fsp->fh) + startpos; + break; + case 2: + umode = SEEK_END; + break; + default: + umode = SEEK_SET; + res = startpos; + break; + } + + if (umode == SEEK_END) { + if((res = SMB_VFS_LSEEK(fsp,startpos,umode)) == -1) { + if(errno == EINVAL) { + off_t current_pos = startpos; + + status = vfs_stat_fsp(fsp); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBlseek); + return; + } + + current_pos += fsp->fsp_name->st.st_ex_size; + if(current_pos < 0) + res = SMB_VFS_LSEEK(fsp,0,SEEK_SET); + } + } + + if(res == -1) { + reply_nterror(req, map_nt_error_from_unix(errno)); + END_PROFILE(SMBlseek); + return; + } + } + + fh_set_pos(fsp->fh, res); + + reply_smb1_outbuf(req, 2, 0); + SIVAL(req->outbuf,smb_vwv0,res); + + DEBUG(3,("lseek %s ofs=%.0f newpos = %.0f mode=%d\n", + fsp_fnum_dbg(fsp), (double)startpos, (double)res, mode)); + + END_PROFILE(SMBlseek); + return; +} + +static struct files_struct *file_sync_one_fn(struct files_struct *fsp, + void *private_data) +{ + connection_struct *conn = talloc_get_type_abort( + private_data, connection_struct); + + if (conn != fsp->conn) { + return NULL; + } + if (fsp_get_io_fd(fsp) == -1) { + return NULL; + } + sync_file(conn, fsp, True /* write through */); + + if (fsp->fsp_flags.modified) { + trigger_write_time_update_immediate(fsp); + } + + return NULL; +} + +/**************************************************************************** + Reply to a flush. +****************************************************************************/ + +void reply_flush(struct smb_request *req) +{ + connection_struct *conn = req->conn; + uint16_t fnum; + files_struct *fsp; + + START_PROFILE(SMBflush); + + if (req->wct < 1) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } + + fnum = SVAL(req->vwv+0, 0); + fsp = file_fsp(req, fnum); + + if ((fnum != 0xFFFF) && !check_fsp(conn, req, fsp)) { + return; + } + + if (!fsp) { + files_forall(req->sconn, file_sync_one_fn, conn); + } else { + NTSTATUS status = sync_file(conn, fsp, True); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(5,("reply_flush: sync_file for %s returned %s\n", + fsp_str_dbg(fsp), nt_errstr(status))); + reply_nterror(req, status); + END_PROFILE(SMBflush); + return; + } + if (fsp->fsp_flags.modified) { + trigger_write_time_update_immediate(fsp); + } + } + + reply_smb1_outbuf(req, 0, 0); + + DEBUG(3,("flush\n")); + END_PROFILE(SMBflush); + return; +} + +/**************************************************************************** + Reply to a exit. + conn POINTER CAN BE NULL HERE ! +****************************************************************************/ + +static struct tevent_req *reply_exit_send(struct smb_request *smb1req); +static void reply_exit_done(struct tevent_req *req); + +void reply_exit(struct smb_request *smb1req) +{ + struct tevent_req *req; + + /* + * Don't setup the profile charge here, take + * it in reply_exit_done(). Not strictly correct + * but better than the other SMB1 async + * code that double-charges at the moment. + */ + req = reply_exit_send(smb1req); + if (req == NULL) { + /* Not going async, profile here. */ + START_PROFILE(SMBexit); + reply_force_doserror(smb1req, ERRDOS, ERRnomem); + END_PROFILE(SMBexit); + return; + } + + /* We're async. This will complete later. */ + tevent_req_set_callback(req, reply_exit_done, smb1req); + return; +} + +struct reply_exit_state { + struct tevent_queue *wait_queue; +}; + +static void reply_exit_wait_done(struct tevent_req *subreq); + +/**************************************************************************** + Async SMB1 exit. + Note, on failure here we deallocate and return NULL to allow the caller to + SMB1 return an error of ERRnomem immediately. +****************************************************************************/ + +static struct tevent_req *reply_exit_send(struct smb_request *smb1req) +{ + struct tevent_req *req; + struct reply_exit_state *state; + struct tevent_req *subreq; + files_struct *fsp; + struct smbd_server_connection *sconn = smb1req->sconn; + + req = tevent_req_create(smb1req, &state, + struct reply_exit_state); + if (req == NULL) { + return NULL; + } + state->wait_queue = tevent_queue_create(state, + "reply_exit_wait_queue"); + if (tevent_req_nomem(state->wait_queue, req)) { + TALLOC_FREE(req); + return NULL; + } + + for (fsp = sconn->files; fsp; fsp = fsp->next) { + if (fsp->file_pid != smb1req->smbpid) { + continue; + } + if (fsp->vuid != smb1req->vuid) { + continue; + } + /* + * Flag the file as close in progress. + * This will prevent any more IO being + * done on it. + */ + fsp->fsp_flags.closing = true; + + if (fsp->num_aio_requests > 0) { + /* + * Now wait until all aio requests on this fsp are + * finished. + * + * We don't set a callback, as we just want to block the + * wait queue and the talloc_free() of fsp->aio_request + * will remove the item from the wait queue. + */ + subreq = tevent_queue_wait_send(fsp->aio_requests, + sconn->ev_ctx, + state->wait_queue); + if (tevent_req_nomem(subreq, req)) { + TALLOC_FREE(req); + return NULL; + } + } + } + + /* + * Now we add our own waiter to the end of the queue, + * this way we get notified when all pending requests are finished + * and reply to the outstanding SMB1 request. + */ + subreq = tevent_queue_wait_send(state, + sconn->ev_ctx, + state->wait_queue); + if (tevent_req_nomem(subreq, req)) { + TALLOC_FREE(req); + return NULL; + } + + /* + * We're really going async - move the SMB1 request from + * a talloc stackframe above us to the conn talloc-context. + * We need this to stick around until the wait_done + * callback is invoked. + */ + smb1req = talloc_move(sconn, &smb1req); + + tevent_req_set_callback(subreq, reply_exit_wait_done, req); + + return req; +} + +static void reply_exit_wait_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + + tevent_queue_wait_recv(subreq); + TALLOC_FREE(subreq); + tevent_req_done(req); +} + +static NTSTATUS reply_exit_recv(struct tevent_req *req) +{ + return tevent_req_simple_recv_ntstatus(req); +} + +static void reply_exit_done(struct tevent_req *req) +{ + struct smb_request *smb1req = tevent_req_callback_data( + req, struct smb_request); + struct smbd_server_connection *sconn = smb1req->sconn; + struct smbXsrv_connection *xconn = smb1req->xconn; + NTTIME now = timeval_to_nttime(&smb1req->request_time); + struct smbXsrv_session *session = NULL; + files_struct *fsp, *next; + NTSTATUS status; + + /* + * Take the profile charge here. Not strictly + * correct but better than the other SMB1 async + * code that double-charges at the moment. + */ + START_PROFILE(SMBexit); + + status = reply_exit_recv(req); + TALLOC_FREE(req); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(smb1req); + END_PROFILE(SMBexit); + exit_server(__location__ ": reply_exit_recv failed"); + return; + } + + /* + * Ensure the session is still valid. + */ + status = smb1srv_session_lookup(xconn, + smb1req->vuid, + now, + &session); + if (!NT_STATUS_IS_OK(status)) { + reply_force_doserror(smb1req, ERRSRV, ERRinvnid); + smb_request_done(smb1req); + END_PROFILE(SMBexit); + return; + } + + /* + * Ensure the vuid is still valid - no one + * called reply_ulogoffX() in the meantime. + * reply_exit() doesn't have AS_USER set, so + * use set_current_user_info() directly. + * This is the same logic as in switch_message(). + */ + if (session->global->auth_session_info != NULL) { + set_current_user_info( + session->global->auth_session_info->unix_info->sanitized_username, + session->global->auth_session_info->unix_info->unix_name, + session->global->auth_session_info->info->domain_name); + } + + /* No more aio - do the actual closes. */ + for (fsp = sconn->files; fsp; fsp = next) { + bool ok; + next = fsp->next; + + if (fsp->file_pid != smb1req->smbpid) { + continue; + } + if (fsp->vuid != smb1req->vuid) { + continue; + } + if (!fsp->fsp_flags.closing) { + continue; + } + + /* + * reply_exit() has the DO_CHDIR flag set. + */ + ok = chdir_current_service(fsp->conn); + if (!ok) { + reply_force_doserror(smb1req, ERRSRV, ERRinvnid); + smb_request_done(smb1req); + END_PROFILE(SMBexit); + return; + } + close_file_free(NULL, &fsp, SHUTDOWN_CLOSE); + } + + reply_smb1_outbuf(smb1req, 0, 0); + /* + * The following call is needed to push the + * reply data back out the socket after async + * return. Plus it frees smb1req. + */ + smb_request_done(smb1req); + DBG_INFO("reply_exit complete\n"); + END_PROFILE(SMBexit); + return; +} + +static struct tevent_req *reply_close_send(struct smb_request *smb1req, + files_struct *fsp); +static void reply_close_done(struct tevent_req *req); + +void reply_close(struct smb_request *smb1req) +{ + connection_struct *conn = smb1req->conn; + NTSTATUS status = NT_STATUS_OK; + files_struct *fsp = NULL; + START_PROFILE(SMBclose); + + if (smb1req->wct < 3) { + reply_nterror(smb1req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBclose); + return; + } + + fsp = file_fsp(smb1req, SVAL(smb1req->vwv+0, 0)); + + /* + * We can only use check_fsp if we know it's not a directory. + */ + + if (!check_fsp_open(conn, smb1req, fsp)) { + END_PROFILE(SMBclose); + return; + } + + DBG_NOTICE("Close %s fd=%d %s (numopen=%d)\n", + fsp->fsp_flags.is_directory ? + "directory" : "file", + fsp_get_pathref_fd(fsp), fsp_fnum_dbg(fsp), + conn->num_files_open); + + if (!fsp->fsp_flags.is_directory) { + time_t t; + + /* + * Take care of any time sent in the close. + */ + + t = srv_make_unix_date3(smb1req->vwv+1); + set_close_write_time(fsp, time_t_to_full_timespec(t)); + } + + if (fsp->num_aio_requests != 0) { + struct tevent_req *req; + + req = reply_close_send(smb1req, fsp); + if (req == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + /* We're async. This will complete later. */ + tevent_req_set_callback(req, reply_close_done, smb1req); + END_PROFILE(SMBclose); + return; + } + + /* + * close_file_free() returns the unix errno if an error was detected on + * close - normally this is due to a disk full error. If not then it + * was probably an I/O error. + */ + + status = close_file_free(smb1req, &fsp, NORMAL_CLOSE); +done: + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(smb1req, status); + END_PROFILE(SMBclose); + return; + } + + reply_smb1_outbuf(smb1req, 0, 0); + END_PROFILE(SMBclose); + return; +} + +struct reply_close_state { + files_struct *fsp; + struct tevent_queue *wait_queue; +}; + +static void reply_close_wait_done(struct tevent_req *subreq); + +/**************************************************************************** + Async SMB1 close. + Note, on failure here we deallocate and return NULL to allow the caller to + SMB1 return an error of ERRnomem immediately. +****************************************************************************/ + +static struct tevent_req *reply_close_send(struct smb_request *smb1req, + files_struct *fsp) +{ + struct tevent_req *req; + struct reply_close_state *state; + struct tevent_req *subreq; + struct smbd_server_connection *sconn = smb1req->sconn; + + req = tevent_req_create(smb1req, &state, + struct reply_close_state); + if (req == NULL) { + return NULL; + } + state->wait_queue = tevent_queue_create(state, + "reply_close_wait_queue"); + if (tevent_req_nomem(state->wait_queue, req)) { + TALLOC_FREE(req); + return NULL; + } + + /* + * Flag the file as close in progress. + * This will prevent any more IO being + * done on it. + */ + fsp->fsp_flags.closing = true; + + /* + * Now wait until all aio requests on this fsp are + * finished. + * + * We don't set a callback, as we just want to block the + * wait queue and the talloc_free() of fsp->aio_request + * will remove the item from the wait queue. + */ + subreq = tevent_queue_wait_send(fsp->aio_requests, + sconn->ev_ctx, + state->wait_queue); + if (tevent_req_nomem(subreq, req)) { + TALLOC_FREE(req); + return NULL; + } + + /* + * Now we add our own waiter to the end of the queue, + * this way we get notified when all pending requests are finished + * and reply to the outstanding SMB1 request. + */ + subreq = tevent_queue_wait_send(state, + sconn->ev_ctx, + state->wait_queue); + if (tevent_req_nomem(subreq, req)) { + TALLOC_FREE(req); + return NULL; + } + + /* + * We're really going async - move the SMB1 request from + * a talloc stackframe above us to the conn talloc-context. + * We need this to stick around until the wait_done + * callback is invoked. + */ + smb1req = talloc_move(sconn, &smb1req); + + tevent_req_set_callback(subreq, reply_close_wait_done, req); + + return req; +} + +static void reply_close_wait_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + + tevent_queue_wait_recv(subreq); + TALLOC_FREE(subreq); + tevent_req_done(req); +} + +static NTSTATUS reply_close_recv(struct tevent_req *req) +{ + return tevent_req_simple_recv_ntstatus(req); +} + +static void reply_close_done(struct tevent_req *req) +{ + struct smb_request *smb1req = tevent_req_callback_data( + req, struct smb_request); + struct reply_close_state *state = tevent_req_data(req, + struct reply_close_state); + NTSTATUS status; + + status = reply_close_recv(req); + TALLOC_FREE(req); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(smb1req); + exit_server(__location__ ": reply_close_recv failed"); + return; + } + + status = close_file_free(smb1req, &state->fsp, NORMAL_CLOSE); + if (NT_STATUS_IS_OK(status)) { + reply_smb1_outbuf(smb1req, 0, 0); + } else { + reply_nterror(smb1req, status); + } + /* + * The following call is needed to push the + * reply data back out the socket after async + * return. Plus it frees smb1req. + */ + smb_request_done(smb1req); +} + +/**************************************************************************** + Reply to a writeclose (Core+ protocol). +****************************************************************************/ + +void reply_writeclose(struct smb_request *req) +{ + connection_struct *conn = req->conn; + size_t numtowrite; + size_t remaining; + ssize_t nwritten = -1; + NTSTATUS close_status = NT_STATUS_OK; + off_t startpos; + const char *data; + struct timespec mtime; + files_struct *fsp; + struct lock_struct lock; + NTSTATUS status; + + START_PROFILE(SMBwriteclose); + + if (req->wct < 6) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBwriteclose); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + if (!check_fsp(conn, req, fsp)) { + END_PROFILE(SMBwriteclose); + return; + } + status = check_any_access_fsp(fsp, FILE_WRITE_DATA|FILE_APPEND_DATA); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBwriteclose); + return; + } + + numtowrite = SVAL(req->vwv+1, 0); + startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); + mtime = time_t_to_full_timespec(srv_make_unix_date3(req->vwv+4)); + data = (const char *)req->buf + 1; + + /* + * Ensure client isn't asking us to write more than + * they sent. CVE-2017-12163. + */ + remaining = smbreq_bufrem(req, data); + if (numtowrite > remaining) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBwriteclose); + return; + } + + if (fsp->print_file == NULL) { + init_strict_lock_struct(fsp, + (uint64_t)req->smbpid, + (uint64_t)startpos, + (uint64_t)numtowrite, + WRITE_LOCK, + lp_posix_cifsu_locktype(fsp), + &lock); + + if (!SMB_VFS_STRICT_LOCK_CHECK(conn, fsp, &lock)) { + reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT); + END_PROFILE(SMBwriteclose); + return; + } + } + + nwritten = write_file(req,fsp,data,startpos,numtowrite); + + set_close_write_time(fsp, mtime); + + /* + * More insanity. W2K only closes the file if writelen > 0. + * JRA. + */ + + DEBUG(3,("writeclose %s num=%d wrote=%d (numopen=%d)\n", + fsp_fnum_dbg(fsp), (int)numtowrite, (int)nwritten, + (numtowrite) ? conn->num_files_open - 1 : conn->num_files_open)); + + if (numtowrite) { + DEBUG(3,("reply_writeclose: zero length write doesn't close " + "file %s\n", fsp_str_dbg(fsp))); + close_status = close_file_free(req, &fsp, NORMAL_CLOSE); + } + + if(((nwritten == 0) && (numtowrite != 0))||(nwritten < 0)) { + reply_nterror(req, NT_STATUS_DISK_FULL); + goto out; + } + + if(!NT_STATUS_IS_OK(close_status)) { + reply_nterror(req, close_status); + goto out; + } + + reply_smb1_outbuf(req, 1, 0); + + SSVAL(req->outbuf,smb_vwv0,nwritten); + +out: + + END_PROFILE(SMBwriteclose); + return; +} + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_LOCKING + +/**************************************************************************** + Reply to a lock. +****************************************************************************/ + +static void reply_lock_done(struct tevent_req *subreq); + +void reply_lock(struct smb_request *req) +{ + struct tevent_req *subreq = NULL; + connection_struct *conn = req->conn; + files_struct *fsp; + struct smbd_lock_element *lck = NULL; + + START_PROFILE(SMBlock); + + if (req->wct < 5) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBlock); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + if (!check_fsp(conn, req, fsp)) { + END_PROFILE(SMBlock); + return; + } + + lck = talloc(req, struct smbd_lock_element); + if (lck == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBlock); + return; + } + + *lck = (struct smbd_lock_element) { + .req_guid = smbd_request_guid(req, 0), + .smblctx = req->smbpid, + .brltype = WRITE_LOCK, + .lock_flav = WINDOWS_LOCK, + .count = IVAL(req->vwv+1, 0), + .offset = IVAL(req->vwv+3, 0), + }; + + DBG_NOTICE("lock fd=%d %s offset=%"PRIu64" count=%"PRIu64"\n", + fsp_get_io_fd(fsp), + fsp_fnum_dbg(fsp), + lck->offset, + lck->count); + + subreq = smbd_smb1_do_locks_send( + fsp, + req->sconn->ev_ctx, + &req, + fsp, + 0, + false, /* large_offset */ + 1, + lck); + if (subreq == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBlock); + return; + } + tevent_req_set_callback(subreq, reply_lock_done, NULL); + END_PROFILE(SMBlock); +} + +static void reply_lock_done(struct tevent_req *subreq) +{ + struct smb_request *req = NULL; + NTSTATUS status; + bool ok; + + START_PROFILE(SMBlock); + + ok = smbd_smb1_do_locks_extract_smbreq(subreq, talloc_tos(), &req); + SMB_ASSERT(ok); + + status = smbd_smb1_do_locks_recv(subreq); + TALLOC_FREE(subreq); + + if (NT_STATUS_IS_OK(status)) { + reply_smb1_outbuf(req, 0, 0); + } else { + reply_nterror(req, status); + } + + ok = smb1_srv_send(req->xconn, + (char *)req->outbuf, + true, + req->seqnum + 1, + IS_CONN_ENCRYPTED(req->conn)); + if (!ok) { + exit_server_cleanly("reply_lock_done: smb1_srv_send failed."); + } + TALLOC_FREE(req); + END_PROFILE(SMBlock); +} + +/**************************************************************************** + Reply to a unlock. +****************************************************************************/ + +void reply_unlock(struct smb_request *req) +{ + connection_struct *conn = req->conn; + NTSTATUS status; + files_struct *fsp; + struct smbd_lock_element lck; + + START_PROFILE(SMBunlock); + + if (req->wct < 5) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBunlock); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + if (!check_fsp(conn, req, fsp)) { + END_PROFILE(SMBunlock); + return; + } + + lck = (struct smbd_lock_element) { + .req_guid = smbd_request_guid(req, 0), + .smblctx = req->smbpid, + .brltype = UNLOCK_LOCK, + .lock_flav = WINDOWS_LOCK, + .offset = IVAL(req->vwv+3, 0), + .count = IVAL(req->vwv+1, 0), + }; + + status = smbd_do_unlocking(req, fsp, 1, &lck); + + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBunlock); + return; + } + + DBG_NOTICE("unlock fd=%d %s offset=%"PRIu64" count=%"PRIu64"\n", + fsp_get_io_fd(fsp), + fsp_fnum_dbg(fsp), + lck.offset, + lck.count); + + reply_smb1_outbuf(req, 0, 0); + + END_PROFILE(SMBunlock); + return; +} + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_ALL + +/**************************************************************************** + Reply to a tdis. + conn POINTER CAN BE NULL HERE ! +****************************************************************************/ + +static struct tevent_req *reply_tdis_send(struct smb_request *smb1req); +static void reply_tdis_done(struct tevent_req *req); + +void reply_tdis(struct smb_request *smb1req) +{ + connection_struct *conn = smb1req->conn; + struct tevent_req *req; + + /* + * Don't setup the profile charge here, take + * it in reply_tdis_done(). Not strictly correct + * but better than the other SMB1 async + * code that double-charges at the moment. + */ + + if (conn == NULL) { + /* Not going async, profile here. */ + START_PROFILE(SMBtdis); + DBG_INFO("Invalid connection in tdis\n"); + reply_force_doserror(smb1req, ERRSRV, ERRinvnid); + END_PROFILE(SMBtdis); + return; + } + + req = reply_tdis_send(smb1req); + if (req == NULL) { + /* Not going async, profile here. */ + START_PROFILE(SMBtdis); + reply_force_doserror(smb1req, ERRDOS, ERRnomem); + END_PROFILE(SMBtdis); + return; + } + /* We're async. This will complete later. */ + tevent_req_set_callback(req, reply_tdis_done, smb1req); + return; +} + +struct reply_tdis_state { + struct tevent_queue *wait_queue; +}; + +static void reply_tdis_wait_done(struct tevent_req *subreq); + +/**************************************************************************** + Async SMB1 tdis. + Note, on failure here we deallocate and return NULL to allow the caller to + SMB1 return an error of ERRnomem immediately. +****************************************************************************/ + +static struct tevent_req *reply_tdis_send(struct smb_request *smb1req) +{ + struct tevent_req *req; + struct reply_tdis_state *state; + struct tevent_req *subreq; + connection_struct *conn = smb1req->conn; + files_struct *fsp; + + req = tevent_req_create(smb1req, &state, + struct reply_tdis_state); + if (req == NULL) { + return NULL; + } + state->wait_queue = tevent_queue_create(state, "reply_tdis_wait_queue"); + if (tevent_req_nomem(state->wait_queue, req)) { + TALLOC_FREE(req); + return NULL; + } + + /* + * Make sure that no new request will be able to use this tcon. + * This ensures that once all outstanding fsp->aio_requests + * on this tcon are done, we are safe to close it. + */ + conn->tcon->status = NT_STATUS_NETWORK_NAME_DELETED; + + for (fsp = conn->sconn->files; fsp; fsp = fsp->next) { + if (fsp->conn != conn) { + continue; + } + /* + * Flag the file as close in progress. + * This will prevent any more IO being + * done on it. Not strictly needed, but + * doesn't hurt to flag it as closing. + */ + fsp->fsp_flags.closing = true; + + if (fsp->num_aio_requests > 0) { + /* + * Now wait until all aio requests on this fsp are + * finished. + * + * We don't set a callback, as we just want to block the + * wait queue and the talloc_free() of fsp->aio_request + * will remove the item from the wait queue. + */ + subreq = tevent_queue_wait_send(fsp->aio_requests, + conn->sconn->ev_ctx, + state->wait_queue); + if (tevent_req_nomem(subreq, req)) { + TALLOC_FREE(req); + return NULL; + } + } + } + + /* + * Now we add our own waiter to the end of the queue, + * this way we get notified when all pending requests are finished + * and reply to the outstanding SMB1 request. + */ + subreq = tevent_queue_wait_send(state, + conn->sconn->ev_ctx, + state->wait_queue); + if (tevent_req_nomem(subreq, req)) { + TALLOC_FREE(req); + return NULL; + } + + /* + * We're really going async - move the SMB1 request from + * a talloc stackframe above us to the sconn talloc-context. + * We need this to stick around until the wait_done + * callback is invoked. + */ + smb1req = talloc_move(smb1req->sconn, &smb1req); + + tevent_req_set_callback(subreq, reply_tdis_wait_done, req); + + return req; +} + +static void reply_tdis_wait_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + + tevent_queue_wait_recv(subreq); + TALLOC_FREE(subreq); + tevent_req_done(req); +} + +static NTSTATUS reply_tdis_recv(struct tevent_req *req) +{ + return tevent_req_simple_recv_ntstatus(req); +} + +static void reply_tdis_done(struct tevent_req *req) +{ + struct smb_request *smb1req = tevent_req_callback_data( + req, struct smb_request); + NTSTATUS status; + struct smbXsrv_tcon *tcon = smb1req->conn->tcon; + bool ok; + + /* + * Take the profile charge here. Not strictly + * correct but better than the other SMB1 async + * code that double-charges at the moment. + */ + START_PROFILE(SMBtdis); + + status = reply_tdis_recv(req); + TALLOC_FREE(req); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(smb1req); + END_PROFILE(SMBtdis); + exit_server(__location__ ": reply_tdis_recv failed"); + return; + } + + /* + * As we've been awoken, we may have changed + * directory in the meantime. + * reply_tdis() has the DO_CHDIR flag set. + */ + ok = chdir_current_service(smb1req->conn); + if (!ok) { + reply_force_doserror(smb1req, ERRSRV, ERRinvnid); + smb_request_done(smb1req); + END_PROFILE(SMBtdis); + } + + status = smbXsrv_tcon_disconnect(tcon, + smb1req->vuid); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(smb1req); + END_PROFILE(SMBtdis); + exit_server(__location__ ": smbXsrv_tcon_disconnect failed"); + return; + } + + /* smbXsrv_tcon_disconnect frees smb1req->conn. */ + smb1req->conn = NULL; + + TALLOC_FREE(tcon); + + reply_smb1_outbuf(smb1req, 0, 0); + /* + * The following call is needed to push the + * reply data back out the socket after async + * return. Plus it frees smb1req. + */ + smb_request_done(smb1req); + END_PROFILE(SMBtdis); +} + +/**************************************************************************** + Reply to a echo. + conn POINTER CAN BE NULL HERE ! +****************************************************************************/ + +void reply_echo(struct smb_request *req) +{ + connection_struct *conn = req->conn; + int smb_reverb; + int seq_num; + + START_PROFILE(SMBecho); + + if (req->wct < 1) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBecho); + return; + } + + smb_reverb = SVAL(req->vwv+0, 0); + + reply_smb1_outbuf(req, 1, req->buflen); + + /* copy any incoming data back out */ + if (req->buflen > 0) { + memcpy(smb_buf(req->outbuf), req->buf, req->buflen); + } + + if (smb_reverb > 100) { + DEBUG(0,("large reverb (%d)?? Setting to 100\n",smb_reverb)); + smb_reverb = 100; + } + + for (seq_num = 1 ; seq_num <= smb_reverb ; seq_num++) { + + SSVAL(req->outbuf,smb_vwv0,seq_num); + + show_msg((char *)req->outbuf); + if (!smb1_srv_send(req->xconn, + (char *)req->outbuf, + true, + req->seqnum + 1, + IS_CONN_ENCRYPTED(conn) || req->encrypted)) + exit_server_cleanly("reply_echo: smb1_srv_send failed."); + } + + DEBUG(3,("echo %d times\n", smb_reverb)); + + TALLOC_FREE(req->outbuf); + + END_PROFILE(SMBecho); + return; +} + +/**************************************************************************** + Reply to a printopen. +****************************************************************************/ + +void reply_printopen(struct smb_request *req) +{ + connection_struct *conn = req->conn; + files_struct *fsp; + NTSTATUS status; + + START_PROFILE(SMBsplopen); + + if (req->wct < 2) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBsplopen); + return; + } + + if (!CAN_PRINT(conn)) { + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + END_PROFILE(SMBsplopen); + return; + } + + status = file_new(req, conn, &fsp); + if(!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBsplopen); + return; + } + + /* Open for exclusive use, write only. */ + status = print_spool_open(fsp, NULL, req->vuid); + + if (!NT_STATUS_IS_OK(status)) { + file_free(req, fsp); + reply_nterror(req, status); + END_PROFILE(SMBsplopen); + return; + } + + reply_smb1_outbuf(req, 1, 0); + SSVAL(req->outbuf,smb_vwv0,fsp->fnum); + + DEBUG(3,("openprint fd=%d %s\n", + fsp_get_io_fd(fsp), fsp_fnum_dbg(fsp))); + + END_PROFILE(SMBsplopen); + return; +} + +/**************************************************************************** + Reply to a printclose. +****************************************************************************/ + +void reply_printclose(struct smb_request *req) +{ + connection_struct *conn = req->conn; + files_struct *fsp; + NTSTATUS status; + + START_PROFILE(SMBsplclose); + + if (req->wct < 1) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBsplclose); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + if (!check_fsp(conn, req, fsp)) { + END_PROFILE(SMBsplclose); + return; + } + + if (!CAN_PRINT(conn)) { + reply_force_doserror(req, ERRSRV, ERRerror); + END_PROFILE(SMBsplclose); + return; + } + + DEBUG(3,("printclose fd=%d %s\n", + fsp_get_io_fd(fsp), fsp_fnum_dbg(fsp))); + + status = close_file_free(req, &fsp, NORMAL_CLOSE); + + if(!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBsplclose); + return; + } + + reply_smb1_outbuf(req, 0, 0); + + END_PROFILE(SMBsplclose); + return; +} + +/**************************************************************************** + Reply to a printqueue. +****************************************************************************/ + +void reply_printqueue(struct smb_request *req) +{ + const struct loadparm_substitution *lp_sub = + loadparm_s3_global_substitution(); + connection_struct *conn = req->conn; + int max_count; + int start_index; + + START_PROFILE(SMBsplretq); + + if (req->wct < 2) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBsplretq); + return; + } + + max_count = SVAL(req->vwv+0, 0); + start_index = SVAL(req->vwv+1, 0); + + /* we used to allow the client to get the cnum wrong, but that + is really quite gross and only worked when there was only + one printer - I think we should now only accept it if they + get it right (tridge) */ + if (!CAN_PRINT(conn)) { + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + END_PROFILE(SMBsplretq); + return; + } + + reply_smb1_outbuf(req, 2, 3); + SSVAL(req->outbuf,smb_vwv0,0); + SSVAL(req->outbuf,smb_vwv1,0); + SCVAL(smb_buf(req->outbuf),0,1); + SSVAL(smb_buf(req->outbuf),1,0); + + DEBUG(3,("printqueue start_index=%d max_count=%d\n", + start_index, max_count)); + + { + TALLOC_CTX *mem_ctx = talloc_tos(); + NTSTATUS status; + WERROR werr; + const char *sharename = lp_servicename(mem_ctx, lp_sub, SNUM(conn)); + struct rpc_pipe_client *cli = NULL; + struct dcerpc_binding_handle *b = NULL; + struct policy_handle handle; + struct spoolss_DevmodeContainer devmode_ctr; + union spoolss_JobInfo *info; + uint32_t count; + uint32_t num_to_get; + uint32_t first; + uint32_t i; + + ZERO_STRUCT(handle); + + status = rpc_pipe_open_interface(mem_ctx, + &ndr_table_spoolss, + conn->session_info, + conn->sconn->remote_address, + conn->sconn->local_address, + conn->sconn->msg_ctx, + &cli); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("reply_printqueue: " + "could not connect to spoolss: %s\n", + nt_errstr(status))); + reply_nterror(req, status); + goto out; + } + b = cli->binding_handle; + + ZERO_STRUCT(devmode_ctr); + + status = dcerpc_spoolss_OpenPrinter(b, mem_ctx, + sharename, + NULL, devmode_ctr, + SEC_FLAG_MAXIMUM_ALLOWED, + &handle, + &werr); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + if (!W_ERROR_IS_OK(werr)) { + reply_nterror(req, werror_to_ntstatus(werr)); + goto out; + } + + werr = rpccli_spoolss_enumjobs(cli, mem_ctx, + &handle, + 0, /* firstjob */ + 0xff, /* numjobs */ + 2, /* level */ + 0, /* offered */ + &count, + &info); + if (!W_ERROR_IS_OK(werr)) { + reply_nterror(req, werror_to_ntstatus(werr)); + goto out; + } + + if (max_count > 0) { + first = start_index; + } else { + first = start_index + max_count + 1; + } + + if (first >= count) { + num_to_get = first; + } else { + num_to_get = first + MIN(ABS(max_count), count - first); + } + + for (i = first; i < num_to_get; i++) { + char blob[28]; + char *p = blob; + struct timespec qtime = { + .tv_sec = spoolss_Time_to_time_t( + &info[i].info2.submitted), + }; + int qstatus; + size_t len = 0; + uint16_t qrapjobid = pjobid_to_rap(sharename, + info[i].info2.job_id); + + if (info[i].info2.status == JOB_STATUS_PRINTING) { + qstatus = 2; + } else { + qstatus = 3; + } + + srv_put_dos_date2_ts(p, 0, qtime); + SCVAL(p, 4, qstatus); + SSVAL(p, 5, qrapjobid); + SIVAL(p, 7, info[i].info2.size); + SCVAL(p, 11, 0); + status = srvstr_push(blob, req->flags2, p+12, + info[i].info2.notify_name, 16, STR_ASCII, &len); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + if (message_push_blob( + &req->outbuf, + data_blob_const( + blob, sizeof(blob))) == -1) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + goto out; + } + } + + if (count > 0) { + SSVAL(req->outbuf,smb_vwv0,count); + SSVAL(req->outbuf,smb_vwv1, + (max_count>0?first+count:first-1)); + SCVAL(smb_buf(req->outbuf),0,1); + SSVAL(smb_buf(req->outbuf),1,28*count); + } + + + DEBUG(3, ("%u entries returned in queue\n", + (unsigned)count)); + +out: + if (b && is_valid_policy_hnd(&handle)) { + dcerpc_spoolss_ClosePrinter(b, mem_ctx, &handle, &werr); + } + + } + + END_PROFILE(SMBsplretq); + return; +} + +/**************************************************************************** + Reply to a printwrite. +****************************************************************************/ + +void reply_printwrite(struct smb_request *req) +{ + connection_struct *conn = req->conn; + int numtowrite; + const char *data; + files_struct *fsp; + NTSTATUS status; + + START_PROFILE(SMBsplwr); + + if (req->wct < 1) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBsplwr); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + if (!check_fsp(conn, req, fsp)) { + END_PROFILE(SMBsplwr); + return; + } + + if (!fsp->print_file) { + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + END_PROFILE(SMBsplwr); + return; + } + + status = check_any_access_fsp(fsp, FILE_WRITE_DATA|FILE_APPEND_DATA); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBsplwr); + return; + } + + numtowrite = SVAL(req->buf, 1); + + /* + * This already protects us against CVE-2017-12163. + */ + if (req->buflen < numtowrite + 3) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBsplwr); + return; + } + + data = (const char *)req->buf + 3; + + if (write_file(req,fsp,data,(off_t)-1,numtowrite) != numtowrite) { + reply_nterror(req, map_nt_error_from_unix(errno)); + END_PROFILE(SMBsplwr); + return; + } + + DEBUG(3, ("printwrite %s num=%d\n", fsp_fnum_dbg(fsp), numtowrite)); + + reply_smb1_outbuf(req, 0, 0); + + END_PROFILE(SMBsplwr); + return; +} + +/**************************************************************************** + Reply to a mkdir. +****************************************************************************/ + +void reply_mkdir(struct smb_request *req) +{ + connection_struct *conn = req->conn; + struct files_struct *dirfsp = NULL; + struct smb_filename *smb_dname = NULL; + char *directory = NULL; + NTSTATUS status; + uint32_t ucf_flags; + NTTIME twrp = 0; + TALLOC_CTX *ctx = talloc_tos(); + + START_PROFILE(SMBmkdir); + + srvstr_get_path_req(ctx, req, &directory, (const char *)req->buf + 1, + STR_TERMINATE, &status); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + ucf_flags = filename_create_ucf_flags(req, FILE_CREATE); + if (ucf_flags & UCF_GMT_PATHNAME) { + extract_snapshot_token(directory, &twrp); + } + status = smb1_strip_dfs_path(ctx, &ucf_flags, &directory); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + status = filename_convert_dirfsp(ctx, + conn, + directory, + ucf_flags, + twrp, + &dirfsp, + &smb_dname); + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + goto out; + } + reply_nterror(req, status); + goto out; + } + + status = create_directory(conn, req, dirfsp, smb_dname); + + DEBUG(5, ("create_directory returned %s\n", nt_errstr(status))); + + if (!NT_STATUS_IS_OK(status)) { + + if (!use_nt_status() + && NT_STATUS_EQUAL(status, + NT_STATUS_OBJECT_NAME_COLLISION)) { + /* + * Yes, in the DOS error code case we get a + * ERRDOS:ERRnoaccess here. See BASE-SAMBA3ERROR + * samba4 torture test. + */ + status = NT_STATUS_DOS(ERRDOS, ERRnoaccess); + } + + reply_nterror(req, status); + goto out; + } + + reply_smb1_outbuf(req, 0, 0); + + DEBUG(3, ("mkdir %s\n", smb_dname->base_name)); + out: + TALLOC_FREE(smb_dname); + END_PROFILE(SMBmkdir); + return; +} + +/**************************************************************************** + Reply to a rmdir. +****************************************************************************/ + +void reply_rmdir(struct smb_request *req) +{ + connection_struct *conn = req->conn; + struct smb_filename *smb_dname = NULL; + char *directory = NULL; + NTSTATUS status; + TALLOC_CTX *ctx = talloc_tos(); + struct files_struct *dirfsp = NULL; + files_struct *fsp = NULL; + int info = 0; + NTTIME twrp = 0; + uint32_t ucf_flags = ucf_flags_from_smb_request(req); + + START_PROFILE(SMBrmdir); + + srvstr_get_path_req(ctx, req, &directory, (const char *)req->buf + 1, + STR_TERMINATE, &status); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + if (ucf_flags & UCF_GMT_PATHNAME) { + extract_snapshot_token(directory, &twrp); + } + status = smb1_strip_dfs_path(ctx, &ucf_flags, &directory); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + status = filename_convert_dirfsp(ctx, + conn, + directory, + ucf_flags, + twrp, + &dirfsp, + &smb_dname); + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + goto out; + } + reply_nterror(req, status); + goto out; + } + + status = SMB_VFS_CREATE_FILE( + conn, /* conn */ + req, /* req */ + dirfsp, /* dirfsp */ + smb_dname, /* fname */ + DELETE_ACCESS, /* access_mask */ + (FILE_SHARE_READ | FILE_SHARE_WRITE | /* share_access */ + FILE_SHARE_DELETE), + FILE_OPEN, /* create_disposition*/ + FILE_DIRECTORY_FILE | + FILE_OPEN_REPARSE_POINT, /* create_options */ + FILE_ATTRIBUTE_DIRECTORY, /* file_attributes */ + 0, /* oplock_request */ + NULL, /* lease */ + 0, /* allocation_size */ + 0, /* private_flags */ + NULL, /* sd */ + NULL, /* ea_list */ + &fsp, /* result */ + &info, /* pinfo */ + NULL, NULL); /* create context */ + + if (!NT_STATUS_IS_OK(status)) { + if (open_was_deferred(req->xconn, req->mid)) { + /* We have re-scheduled this call. */ + goto out; + } + if (NT_STATUS_EQUAL(status, NT_STATUS_SHARING_VIOLATION)) { + bool ok = defer_smb1_sharing_violation(req); + if (ok) { + goto out; + } + } + reply_nterror(req, status); + goto out; + } + + status = can_set_delete_on_close(fsp, FILE_ATTRIBUTE_DIRECTORY); + if (!NT_STATUS_IS_OK(status)) { + close_file_free(req, &fsp, ERROR_CLOSE); + reply_nterror(req, status); + goto out; + } + + if (!set_delete_on_close(fsp, true, + conn->session_info->security_token, + conn->session_info->unix_token)) { + close_file_free(req, &fsp, ERROR_CLOSE); + reply_nterror(req, NT_STATUS_ACCESS_DENIED); + goto out; + } + + status = close_file_free(req, &fsp, NORMAL_CLOSE); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + } else { + reply_smb1_outbuf(req, 0, 0); + } + + DEBUG(3, ("rmdir %s\n", smb_fname_str_dbg(smb_dname))); + out: + TALLOC_FREE(smb_dname); + END_PROFILE(SMBrmdir); + return; +} + +/**************************************************************************** + Reply to a mv. +****************************************************************************/ + +void reply_mv(struct smb_request *req) +{ + connection_struct *conn = req->conn; + char *name = NULL; + char *newname = NULL; + const char *p; + uint32_t attrs; + NTSTATUS status; + TALLOC_CTX *ctx = talloc_tos(); + struct files_struct *src_dirfsp = NULL; + struct smb_filename *smb_fname_src = NULL; + struct files_struct *dst_dirfsp = NULL; + struct smb_filename *smb_fname_dst = NULL; + const char *dst_original_lcomp = NULL; + uint32_t src_ucf_flags = ucf_flags_from_smb_request(req); + NTTIME src_twrp = 0; + uint32_t dst_ucf_flags = ucf_flags_from_smb_request(req); + NTTIME dst_twrp = 0; + bool stream_rename = false; + + START_PROFILE(SMBmv); + + if (req->wct < 1) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + + attrs = SVAL(req->vwv+0, 0); + + p = (const char *)req->buf + 1; + p += srvstr_get_path_req(ctx, req, &name, p, STR_TERMINATE, + &status); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + p++; + p += srvstr_get_path_req(ctx, req, &newname, p, STR_TERMINATE, + &status); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + if (!req->posix_pathnames) { + /* The newname must begin with a ':' if the + name contains a ':'. */ + if (strchr_m(name, ':')) { + if (newname[0] != ':') { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + stream_rename = true; + } + } + + if (src_ucf_flags & UCF_GMT_PATHNAME) { + extract_snapshot_token(name, &src_twrp); + } + status = smb1_strip_dfs_path(ctx, &src_ucf_flags, &name); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + status = filename_convert_dirfsp(ctx, + conn, + name, + src_ucf_flags, + src_twrp, + &src_dirfsp, + &smb_fname_src); + + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + goto out; + } + reply_nterror(req, status); + goto out; + } + + if (dst_ucf_flags & UCF_GMT_PATHNAME) { + extract_snapshot_token(newname, &dst_twrp); + } + status = smb1_strip_dfs_path(ctx, &dst_ucf_flags, &newname); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + status = filename_convert_dirfsp(ctx, + conn, + newname, + dst_ucf_flags, + dst_twrp, + &dst_dirfsp, + &smb_fname_dst); + + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) { + reply_botherror(req, NT_STATUS_PATH_NOT_COVERED, + ERRSRV, ERRbadpath); + goto out; + } + reply_nterror(req, status); + goto out; + } + + /* Get the last component of the destination for rename_internals(). */ + dst_original_lcomp = get_original_lcomp(ctx, + conn, + newname, + dst_ucf_flags); + if (dst_original_lcomp == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + goto out; + } + + if (stream_rename) { + /* smb_fname_dst->base_name must be the same as + smb_fname_src->base_name. */ + TALLOC_FREE(smb_fname_dst->base_name); + smb_fname_dst->base_name = talloc_strdup(smb_fname_dst, + smb_fname_src->base_name); + if (!smb_fname_dst->base_name) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + goto out; + } + } + + DEBUG(3,("reply_mv : %s -> %s\n", smb_fname_str_dbg(smb_fname_src), + smb_fname_str_dbg(smb_fname_dst))); + + status = rename_internals(ctx, + conn, + req, + src_dirfsp, /* src_dirfsp */ + smb_fname_src, + smb_fname_dst, + dst_original_lcomp, + attrs, + false, + DELETE_ACCESS); + if (!NT_STATUS_IS_OK(status)) { + if (open_was_deferred(req->xconn, req->mid)) { + /* We have re-scheduled this call. */ + goto out; + } + if (NT_STATUS_EQUAL(status, NT_STATUS_SHARING_VIOLATION)) { + bool ok = defer_smb1_sharing_violation(req); + if (ok) { + goto out; + } + } + reply_nterror(req, status); + goto out; + } + + reply_smb1_outbuf(req, 0, 0); + out: + TALLOC_FREE(smb_fname_src); + TALLOC_FREE(smb_fname_dst); + END_PROFILE(SMBmv); + return; +} + +/**************************************************************************** + Reply to a file copy. + + From MS-CIFS. + + This command was introduced in the LAN Manager 1.0 dialect + It was rendered obsolete in the NT LAN Manager dialect. + This command was used to perform server-side file copies, but + is no longer used. Clients SHOULD + NOT send requests using this command code. + Servers receiving requests with this command code + SHOULD return STATUS_NOT_IMPLEMENTED (ERRDOS/ERRbadfunc). +****************************************************************************/ + +void reply_copy(struct smb_request *req) +{ + START_PROFILE(SMBcopy); + reply_nterror(req, NT_STATUS_NOT_IMPLEMENTED); + END_PROFILE(SMBcopy); + return; +} + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_LOCKING + +/**************************************************************************** + Get a lock pid, dealing with large count requests. +****************************************************************************/ + +uint64_t get_lock_pid(const uint8_t *data, int data_offset, + bool large_file_format) +{ + if(!large_file_format) + return (uint64_t)SVAL(data,SMB_LPID_OFFSET(data_offset)); + else + return (uint64_t)SVAL(data,SMB_LARGE_LPID_OFFSET(data_offset)); +} + +/**************************************************************************** + Get a lock count, dealing with large count requests. +****************************************************************************/ + +uint64_t get_lock_count(const uint8_t *data, int data_offset, + bool large_file_format) +{ + uint64_t count = 0; + + if(!large_file_format) { + count = (uint64_t)IVAL(data,SMB_LKLEN_OFFSET(data_offset)); + } else { + /* + * No BVAL, this is reversed! + */ + count = (((uint64_t) IVAL(data,SMB_LARGE_LKLEN_OFFSET_HIGH(data_offset))) << 32) | + ((uint64_t) IVAL(data,SMB_LARGE_LKLEN_OFFSET_LOW(data_offset))); + } + + return count; +} + +/**************************************************************************** + Reply to a lockingX request. +****************************************************************************/ + +static void reply_lockingx_done(struct tevent_req *subreq); + +void reply_lockingX(struct smb_request *req) +{ + connection_struct *conn = req->conn; + files_struct *fsp; + unsigned char locktype; + enum brl_type brltype; + unsigned char oplocklevel; + uint16_t num_ulocks; + uint16_t num_locks; + int32_t lock_timeout; + uint16_t i; + const uint8_t *data; + bool large_file_format; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + struct smbd_lock_element *locks = NULL; + struct tevent_req *subreq = NULL; + + START_PROFILE(SMBlockingX); + + if (req->wct < 8) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBlockingX); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+2, 0)); + locktype = CVAL(req->vwv+3, 0); + oplocklevel = CVAL(req->vwv+3, 1); + num_ulocks = SVAL(req->vwv+6, 0); + num_locks = SVAL(req->vwv+7, 0); + lock_timeout = IVAL(req->vwv+4, 0); + large_file_format = ((locktype & LOCKING_ANDX_LARGE_FILES) != 0); + + if (!check_fsp(conn, req, fsp)) { + END_PROFILE(SMBlockingX); + return; + } + + data = req->buf; + + if (locktype & LOCKING_ANDX_CHANGE_LOCKTYPE) { + /* we don't support these - and CANCEL_LOCK makes w2k + and XP reboot so I don't really want to be + compatible! (tridge) */ + reply_force_doserror(req, ERRDOS, ERRnoatomiclocks); + END_PROFILE(SMBlockingX); + return; + } + + /* Check if this is an oplock break on a file + we have granted an oplock on. + */ + if (locktype & LOCKING_ANDX_OPLOCK_RELEASE) { + /* Client can insist on breaking to none. */ + bool break_to_none = (oplocklevel == 0); + bool result; + + DEBUG(5,("reply_lockingX: oplock break reply (%u) from client " + "for %s\n", (unsigned int)oplocklevel, + fsp_fnum_dbg(fsp))); + + /* + * Make sure we have granted an exclusive or batch oplock on + * this file. + */ + + if (fsp->oplock_type == 0) { + + /* The Samba4 nbench simulator doesn't understand + the difference between break to level2 and break + to none from level2 - it sends oplock break + replies in both cases. Don't keep logging an error + message here - just ignore it. JRA. */ + + DEBUG(5,("reply_lockingX: Error : oplock break from " + "client for %s (oplock=%d) and no " + "oplock granted on this file (%s).\n", + fsp_fnum_dbg(fsp), fsp->oplock_type, + fsp_str_dbg(fsp))); + + /* if this is a pure oplock break request then don't + * send a reply */ + if (num_locks == 0 && num_ulocks == 0) { + END_PROFILE(SMBlockingX); + return; + } + + END_PROFILE(SMBlockingX); + reply_nterror(req, NT_STATUS_FILE_LOCK_CONFLICT); + return; + } + + if ((fsp->sent_oplock_break == BREAK_TO_NONE_SENT) || + (break_to_none)) { + result = remove_oplock(fsp); + } else { + result = downgrade_oplock(fsp); + } + + if (!result) { + DEBUG(0, ("reply_lockingX: error in removing " + "oplock on file %s\n", fsp_str_dbg(fsp))); + /* Hmmm. Is this panic justified? */ + smb_panic("internal tdb error"); + } + + /* if this is a pure oplock break request then don't send a + * reply */ + if (num_locks == 0 && num_ulocks == 0) { + /* Sanity check - ensure a pure oplock break is not a + chained request. */ + if (CVAL(req->vwv+0, 0) != 0xff) { + DEBUG(0,("reply_lockingX: Error : pure oplock " + "break is a chained %d request !\n", + (unsigned int)CVAL(req->vwv+0, 0))); + } + END_PROFILE(SMBlockingX); + return; + } + } + + if (req->buflen < + (num_ulocks + num_locks) * (large_file_format ? 20 : 10)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBlockingX); + return; + } + + if (num_ulocks != 0) { + struct smbd_lock_element *ulocks = NULL; + bool ok; + + ulocks = talloc_array( + req, struct smbd_lock_element, num_ulocks); + if (ulocks == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBlockingX); + return; + } + + /* + * Data now points at the beginning of the list of + * smb_unlkrng structs + */ + for (i = 0; i < num_ulocks; i++) { + ulocks[i].req_guid = smbd_request_guid(req, + UINT16_MAX - i), + ulocks[i].smblctx = get_lock_pid( + data, i, large_file_format); + ulocks[i].count = get_lock_count( + data, i, large_file_format); + ulocks[i].offset = get_lock_offset( + data, i, large_file_format); + ulocks[i].brltype = UNLOCK_LOCK; + ulocks[i].lock_flav = WINDOWS_LOCK; + } + + /* + * Unlock cancels pending locks + */ + + ok = smbd_smb1_brl_finish_by_lock( + fsp, + large_file_format, + ulocks[0], + NT_STATUS_OK); + if (ok) { + reply_smb1_outbuf(req, 2, 0); + SSVAL(req->outbuf, smb_vwv0, 0xff); + SSVAL(req->outbuf, smb_vwv1, 0); + END_PROFILE(SMBlockingX); + return; + } + + status = smbd_do_unlocking( + req, fsp, num_ulocks, ulocks); + TALLOC_FREE(ulocks); + if (!NT_STATUS_IS_OK(status)) { + END_PROFILE(SMBlockingX); + reply_nterror(req, status); + return; + } + } + + /* Now do any requested locks */ + data += ((large_file_format ? 20 : 10)*num_ulocks); + + /* Data now points at the beginning of the list + of smb_lkrng structs */ + + if (locktype & LOCKING_ANDX_SHARED_LOCK) { + brltype = READ_LOCK; + } else { + brltype = WRITE_LOCK; + } + + locks = talloc_array(req, struct smbd_lock_element, num_locks); + if (locks == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBlockingX); + return; + } + + for (i = 0; i < num_locks; i++) { + locks[i].req_guid = smbd_request_guid(req, i), + locks[i].smblctx = get_lock_pid(data, i, large_file_format); + locks[i].count = get_lock_count(data, i, large_file_format); + locks[i].offset = get_lock_offset(data, i, large_file_format); + locks[i].brltype = brltype; + locks[i].lock_flav = WINDOWS_LOCK; + } + + if (locktype & LOCKING_ANDX_CANCEL_LOCK) { + + bool ok; + + if (num_locks == 0) { + /* See smbtorture3 lock11 test */ + reply_smb1_outbuf(req, 2, 0); + /* andx chain ends */ + SSVAL(req->outbuf, smb_vwv0, 0xff); + SSVAL(req->outbuf, smb_vwv1, 0); + END_PROFILE(SMBlockingX); + return; + } + + ok = smbd_smb1_brl_finish_by_lock( + fsp, + large_file_format, + locks[0], /* Windows only cancels the first lock */ + NT_STATUS_FILE_LOCK_CONFLICT); + + if (!ok) { + reply_force_doserror(req, ERRDOS, ERRcancelviolation); + END_PROFILE(SMBlockingX); + return; + } + + reply_smb1_outbuf(req, 2, 0); + SSVAL(req->outbuf, smb_vwv0, 0xff); + SSVAL(req->outbuf, smb_vwv1, 0); + END_PROFILE(SMBlockingX); + return; + } + + subreq = smbd_smb1_do_locks_send( + fsp, + req->sconn->ev_ctx, + &req, + fsp, + lock_timeout, + large_file_format, + num_locks, + locks); + if (subreq == NULL) { + reply_nterror(req, NT_STATUS_NO_MEMORY); + END_PROFILE(SMBlockingX); + return; + } + tevent_req_set_callback(subreq, reply_lockingx_done, NULL); + END_PROFILE(SMBlockingX); +} + +static void reply_lockingx_done(struct tevent_req *subreq) +{ + struct smb_request *req = NULL; + NTSTATUS status; + bool ok; + + START_PROFILE(SMBlockingX); + + ok = smbd_smb1_do_locks_extract_smbreq(subreq, talloc_tos(), &req); + SMB_ASSERT(ok); + + status = smbd_smb1_do_locks_recv(subreq); + TALLOC_FREE(subreq); + + DBG_DEBUG("smbd_smb1_do_locks_recv returned %s\n", nt_errstr(status)); + + if (NT_STATUS_IS_OK(status)) { + reply_smb1_outbuf(req, 2, 0); + SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */ + SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */ + } else { + reply_nterror(req, status); + } + + ok = smb1_srv_send(req->xconn, + (char *)req->outbuf, + true, + req->seqnum + 1, + IS_CONN_ENCRYPTED(req->conn)); + if (!ok) { + exit_server_cleanly("reply_lock_done: smb1_srv_send failed."); + } + TALLOC_FREE(req); + END_PROFILE(SMBlockingX); +} + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_ALL + +/**************************************************************************** + Reply to a SMBreadbmpx (read block multiplex) request. + Always reply with an error, if someone has a platform really needs this, + please contact vl@samba.org +****************************************************************************/ + +void reply_readbmpx(struct smb_request *req) +{ + START_PROFILE(SMBreadBmpx); + reply_force_doserror(req, ERRSRV, ERRuseSTD); + END_PROFILE(SMBreadBmpx); + return; +} + +/**************************************************************************** + Reply to a SMBreadbs (read block multiplex secondary) request. + Always reply with an error, if someone has a platform really needs this, + please contact vl@samba.org +****************************************************************************/ + +void reply_readbs(struct smb_request *req) +{ + START_PROFILE(SMBreadBs); + reply_force_doserror(req, ERRSRV, ERRuseSTD); + END_PROFILE(SMBreadBs); + return; +} + +/**************************************************************************** + Reply to a SMBsetattrE. +****************************************************************************/ + +void reply_setattrE(struct smb_request *req) +{ + connection_struct *conn = req->conn; + struct smb_file_time ft; + files_struct *fsp; + NTSTATUS status; + + START_PROFILE(SMBsetattrE); + init_smb_file_time(&ft); + + if (req->wct < 7) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + goto out; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + if(!fsp || (fsp->conn != conn)) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + goto out; + } + + /* + * Convert the DOS times into unix times. + */ + + ft.atime = time_t_to_full_timespec( + srv_make_unix_date2(req->vwv+3)); + ft.mtime = time_t_to_full_timespec( + srv_make_unix_date2(req->vwv+5)); + ft.create_time = time_t_to_full_timespec( + srv_make_unix_date2(req->vwv+1)); + + reply_smb1_outbuf(req, 0, 0); + + /* + * Patch from Ray Frush + * Sometimes times are sent as zero - ignore them. + */ + + /* Ensure we have a valid stat struct for the source. */ + status = vfs_stat_fsp(fsp); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + status = check_any_access_fsp(fsp, FILE_WRITE_ATTRIBUTES); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + status = smb_set_file_time(conn, fsp, fsp->fsp_name, &ft, true); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + goto out; + } + + if (fsp->fsp_flags.modified) { + trigger_write_time_update_immediate(fsp); + } + + DEBUG( 3, ( "reply_setattrE %s actime=%u modtime=%u " + " createtime=%u\n", + fsp_fnum_dbg(fsp), + (unsigned int)ft.atime.tv_sec, + (unsigned int)ft.mtime.tv_sec, + (unsigned int)ft.create_time.tv_sec + )); + out: + END_PROFILE(SMBsetattrE); + return; +} + + +/* Back from the dead for OS/2..... JRA. */ + +/**************************************************************************** + Reply to a SMBwritebmpx (write block multiplex primary) request. + Always reply with an error, if someone has a platform really needs this, + please contact vl@samba.org +****************************************************************************/ + +void reply_writebmpx(struct smb_request *req) +{ + START_PROFILE(SMBwriteBmpx); + reply_force_doserror(req, ERRSRV, ERRuseSTD); + END_PROFILE(SMBwriteBmpx); + return; +} + +/**************************************************************************** + Reply to a SMBwritebs (write block multiplex secondary) request. + Always reply with an error, if someone has a platform really needs this, + please contact vl@samba.org +****************************************************************************/ + +void reply_writebs(struct smb_request *req) +{ + START_PROFILE(SMBwriteBs); + reply_force_doserror(req, ERRSRV, ERRuseSTD); + END_PROFILE(SMBwriteBs); + return; +} + +/**************************************************************************** + Reply to a SMBgetattrE. +****************************************************************************/ + +void reply_getattrE(struct smb_request *req) +{ + connection_struct *conn = req->conn; + int mode; + files_struct *fsp; + struct timespec create_ts; + NTSTATUS status; + + START_PROFILE(SMBgetattrE); + + if (req->wct < 1) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBgetattrE); + return; + } + + fsp = file_fsp(req, SVAL(req->vwv+0, 0)); + + if(!fsp || (fsp->conn != conn)) { + reply_nterror(req, NT_STATUS_INVALID_HANDLE); + END_PROFILE(SMBgetattrE); + return; + } + + /* Do an fstat on this file */ + status = vfs_stat_fsp(fsp); + if (!NT_STATUS_IS_OK(status)) { + reply_nterror(req, status); + END_PROFILE(SMBgetattrE); + return; + } + + mode = fdos_mode(fsp); + + /* + * Convert the times into dos times. Set create + * date to be last modify date as UNIX doesn't save + * this. + */ + + reply_smb1_outbuf(req, 11, 0); + + create_ts = get_create_timespec(conn, fsp, fsp->fsp_name); + srv_put_dos_date2_ts((char *)req->outbuf, smb_vwv0, create_ts); + srv_put_dos_date2_ts((char *)req->outbuf, + smb_vwv2, + fsp->fsp_name->st.st_ex_atime); + /* Should we check pending modtime here ? JRA */ + srv_put_dos_date2_ts((char *)req->outbuf, + smb_vwv4, + fsp->fsp_name->st.st_ex_mtime); + + if (mode & FILE_ATTRIBUTE_DIRECTORY) { + SIVAL(req->outbuf, smb_vwv6, 0); + SIVAL(req->outbuf, smb_vwv8, 0); + } else { + uint32_t allocation_size = SMB_VFS_GET_ALLOC_SIZE(conn,fsp, &fsp->fsp_name->st); + SIVAL(req->outbuf, smb_vwv6, (uint32_t)fsp->fsp_name->st.st_ex_size); + SIVAL(req->outbuf, smb_vwv8, allocation_size); + } + SSVAL(req->outbuf,smb_vwv10, mode); + + DEBUG( 3, ( "reply_getattrE %s\n", fsp_fnum_dbg(fsp))); + + END_PROFILE(SMBgetattrE); + return; +} + +/**************************************************************************** + Reply to a SMBfindclose (stop trans2 directory search). +****************************************************************************/ + +void reply_findclose(struct smb_request *req) +{ + int dptr_num; + struct smbd_server_connection *sconn = req->sconn; + files_struct *fsp = NULL; + + START_PROFILE(SMBfindclose); + + if (req->wct < 1) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBfindclose); + return; + } + + dptr_num = SVALS(req->vwv+0, 0); + + DEBUG(3,("reply_findclose, dptr_num = %d\n", dptr_num)); + + /* + * OS/2 seems to use -1 to indicate "close all directories" + * This has to mean on this specific connection struct. + */ + if (dptr_num == -1) { + dptr_closecnum(req->conn); + } else { + fsp = dptr_fetch_lanman2_fsp(sconn, dptr_num); + dptr_num = -1; + if (fsp != NULL) { + close_file_free(NULL, &fsp, NORMAL_CLOSE); + } + } + + reply_smb1_outbuf(req, 0, 0); + + DEBUG(3,("SMBfindclose dptr_num = %d\n", dptr_num)); + + END_PROFILE(SMBfindclose); + return; +} + +/**************************************************************************** + Reply to a SMBfindnclose (stop FINDNOTIFYFIRST directory search). +****************************************************************************/ + +void reply_findnclose(struct smb_request *req) +{ + int dptr_num; + + START_PROFILE(SMBfindnclose); + + if (req->wct < 1) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + END_PROFILE(SMBfindnclose); + return; + } + + dptr_num = SVAL(req->vwv+0, 0); + + DEBUG(3,("reply_findnclose, dptr_num = %d\n", dptr_num)); + + /* We never give out valid handles for a + findnotifyfirst - so any dptr_num is ok here. + Just ignore it. */ + + reply_smb1_outbuf(req, 0, 0); + + DEBUG(3,("SMB_findnclose dptr_num = %d\n", dptr_num)); + + END_PROFILE(SMBfindnclose); + return; +} -- cgit v1.2.3