s3: Remove chain_reply

<insert your favourite tombstone ascii art here>

6 files changed, 0 insertions, 289 deletions

diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index b03e0997a2..fc52ee5be4 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -382,8 +382,6 @@ static void do_ntcreate_pipe_open(connection_struct *conn,
 	}
 
 	DEBUG(5,("do_ntcreate_pipe_open: open pipe = %s\n", fname));
-
-	chain_reply(req);
 }
 
 struct case_semantics_state {
@@ -734,7 +732,6 @@ void reply_ntcreate_and_X(struct smb_request *req)
 	DEBUG(5,("reply_ntcreate_and_X: fnum = %d, open name = %s\n",
 		fsp->fnum, smb_fname_str_dbg(smb_fname)));
 
-	chain_reply(req);
  out:
 	END_PROFILE(SMBntcreateX);
 	return;
diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c
index d567537ed6..b39c0f0e59 100644
--- a/source3/smbd/pipes.c
+++ b/source3/smbd/pipes.c
@@ -159,9 +159,6 @@ void reply_open_pipe_and_X(connection_struct *conn, struct smb_request *req)
 	SIVAL(req->outbuf, smb_vwv6, 0);	/* size */
 	SSVAL(req->outbuf, smb_vwv8, 0);	/* rmode */
 	SSVAL(req->outbuf, smb_vwv11, 0x0001);
-
-	chain_reply(req);
-	return;
 }
 
 /****************************************************************************
@@ -366,7 +363,6 @@ static void pipe_write_andx_done(struct tevent_req *subreq)
 	DEBUG(3,("writeX-IPC nwritten=%d\n", (int)nwritten));
 
  done:
-	chain_reply(req);
 	/*
 	 * We must free here as the ownership of req was
 	 * moved to the connection struct in reply_pipe_write_and_X().
@@ -493,7 +489,6 @@ static void pipe_read_andx_done(struct tevent_req *subreq)
 		 state->smb_mincnt, state->smb_maxcnt, (int)nread));
 
  done:
-	chain_reply(req);
 	/*
 	 * We must free here as the ownership of req was
 	 * moved to the connection struct in reply_pipe_read_and_X().
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 6167278fcb..8fb45123ad 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1852,21 +1852,6 @@ size_t req_wct_ofs(struct smb_request *req)
 	return buf_size - 4;
 }
 
-/*
- * Hack around reply_nterror & friends not being aware of chained requests,
- * generating illegal (i.e. wct==0) chain replies.
- */
-
-static void fixup_chain_error_packet(struct smb_request *req)
-{
-	uint8_t *outbuf = req->outbuf;
-	req->outbuf = NULL;
-	reply_outbuf(req, 2, 0);
-	memcpy(req->outbuf, outbuf, smb_wct);
-	TALLOC_FREE(outbuf);
-	SCVAL(req->outbuf, smb_vwv0, 0xff);
-}
-
 /**
  * @brief Find the smb_cmd offset of the last command pushed
  * @param[in] buf	The buffer we're building up
@@ -2248,261 +2233,6 @@ bool smb1_parse_chain(TALLOC_CTX *mem_ctx, const uint8_t *buf,
 }
 
 /****************************************************************************
- Construct a chained reply and add it to the already made reply
-****************************************************************************/
-
-void chain_reply(struct smb_request *req)
-{
-	size_t smblen = smb_len(req->inbuf);
-	size_t already_used, length_needed;
-	uint8_t chain_cmd;
-	uint32_t chain_offset;	/* uint32_t to avoid overflow */
-
-	uint8_t wct;
-	const uint16_t *vwv;
-	uint16_t buflen;
-	const uint8_t *buf;
-
-	return;
-
-	if (IVAL(req->outbuf, smb_rcls) != 0) {
-		fixup_chain_error_packet(req);
-	}
-
-	/*
-	 * Any of the AndX requests and replies have at least a wct of
-	 * 2. vwv[0] is the next command, vwv[1] is the offset from the
-	 * beginning of the SMB header to the next wct field.
-	 *
-	 * None of the AndX requests put anything valuable in vwv[0] and [1],
-	 * so we can overwrite it here to form the chain.
-	 */
-
-	if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
-		if (req->chain_outbuf == NULL) {
-			req->chain_outbuf = talloc_realloc(
-				req, req->outbuf, uint8_t,
-				smb_len(req->outbuf) + 4);
-			if (req->chain_outbuf == NULL) {
-				smb_panic("talloc failed");
-			}
-		}
-		req->outbuf = NULL;
-		goto error;
-	}
-
-	/*
-	 * Here we assume that this is the end of the chain. For that we need
-	 * to set "next command" to 0xff and the offset to 0. If we later find
-	 * more commands in the chain, this will be overwritten again.
-	 */
-
-	SCVAL(req->outbuf, smb_vwv0, 0xff);
-	SCVAL(req->outbuf, smb_vwv0+1, 0);
-	SSVAL(req->outbuf, smb_vwv1, 0);
-
-	if (req->chain_outbuf == NULL) {
-		/*
-		 * In req->chain_outbuf we collect all the replies. Start the
-		 * chain by copying in the first reply.
-		 *
-		 * We do the realloc because later on we depend on
-		 * talloc_get_size to determine the length of
-		 * chain_outbuf. The reply_xxx routines might have
-		 * over-allocated (reply_pipe_read_and_X used to be such an
-		 * example).
-		 */
-		req->chain_outbuf = talloc_realloc(
-			req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
-		if (req->chain_outbuf == NULL) {
-			smb_panic("talloc failed");
-		}
-		req->outbuf = NULL;
-	} else {
-		/*
-		 * Update smb headers where subsequent chained commands
-		 * may have updated them.
-		 */
-		SSVAL(req->chain_outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
-		SSVAL(req->chain_outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
-
-		if (!smb_splice_chain(&req->chain_outbuf, req->outbuf)) {
-			goto error;
-		}
-		TALLOC_FREE(req->outbuf);
-	}
-
-	/*
-	 * We use the old request's vwv field to grab the next chained command
-	 * and offset into the chained fields.
-	 */
-
-	chain_cmd = CVAL(req->vwv+0, 0);
-	chain_offset = SVAL(req->vwv+1, 0);
-
-	if (chain_cmd == 0xff) {
-		/*
-		 * End of chain, no more requests from the client. So ship the
-		 * replies.
-		 */
-		smb_setlen((char *)(req->chain_outbuf),
-			   talloc_get_size(req->chain_outbuf) - 4);
-
-		if (!srv_send_smb(req->sconn, (char *)req->chain_outbuf,
-				  true, req->seqnum+1,
-				  IS_CONN_ENCRYPTED(req->conn)
-				  ||req->encrypted,
-				  &req->pcd)) {
-			exit_server_cleanly("chain_reply: srv_send_smb "
-					    "failed.");
-		}
-		TALLOC_FREE(req->chain_outbuf);
-		req->done = true;
-		return;
-	}
-
-	/* add a new perfcounter for this element of chain */
-	SMB_PERFCOUNT_ADD(&req->pcd);
-	SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
-	SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
-
-	/*
-	 * Check if the client tries to fool us. The chain offset
-	 * needs to point beyond the current request in the chain, it
-	 * needs to strictly grow. Otherwise we might be tricked into
-	 * an endless loop always processing the same request over and
-	 * over again. We used to assume that vwv and the byte buffer
-	 * array in a chain are always attached, but OS/2 the
-	 * Write&X/Read&X chain puts the Read&X vwv array right behind
-	 * the Write&X vwv chain. The Write&X bcc array is put behind
-	 * the Read&X vwv array. So now we check whether the chain
-	 * offset points strictly behind the previous vwv
-	 * array. req->buf points right after the vwv array of the
-	 * previous request. See
-	 * https://bugzilla.samba.org/show_bug.cgi?id=8360 for more
-	 * information.
-	 */
-
-	already_used = PTR_DIFF(req->buf, smb_base(req->inbuf));
-	if (chain_offset <= already_used) {
-		goto error;
-	}
-
-	/*
-	 * Next check: Make sure the chain offset does not point beyond the
-	 * overall smb request length.
-	 */
-
-	length_needed = chain_offset+1;	/* wct */
-	if (length_needed > smblen) {
-		goto error;
-	}
-
-	/*
-	 * Now comes the pointer magic. Goal here is to set up req->vwv and
-	 * req->buf correctly again to be able to call the subsequent
-	 * switch_message(). The chain offset (the former vwv[1]) points at
-	 * the new wct field.
-	 */
-
-	wct = CVAL(smb_base(req->inbuf), chain_offset);
-
-	/*
-	 * Next consistency check: Make the new vwv array fits in the overall
-	 * smb request.
-	 */
-
-	length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
-	if (length_needed > smblen) {
-		goto error;
-	}
-	vwv = (const uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
-
-	/*
-	 * Now grab the new byte buffer....
-	 */
-
-	buflen = SVAL(vwv+wct, 0);
-
-	/*
-	 * .. and check that it fits.
-	 */
-
-	length_needed += buflen;
-	if (length_needed > smblen) {
-		goto error;
-	}
-	buf = (const uint8_t *)(vwv+wct+1);
-
-	req->cmd = chain_cmd;
-	req->wct = wct;
-	req->vwv = discard_const_p(uint16_t, vwv);
-	req->buflen = buflen;
-	req->buf = buf;
-
-	switch_message(chain_cmd, req);
-
-	if (req->outbuf == NULL) {
-		/*
-		 * This happens if the chained command has suspended itself or
-		 * if it has called srv_send_smb() itself.
-		 */
-		return;
-	}
-
-	/*
-	 * We end up here if the chained command was not itself chained or
-	 * suspended, but for example a close() command. We now need to splice
-	 * the chained commands' outbuf into the already built up chain_outbuf
-	 * and ship the result.
-	 */
-	goto done;
-
- error:
-	/*
-	 * We end up here if there's any error in the chain syntax. Report a
-	 * DOS error, just like Windows does.
-	 */
-	reply_force_doserror(req, ERRSRV, ERRerror);
-	fixup_chain_error_packet(req);
-
- done:
-	/*
-	 * This scary statement intends to set the
-	 * FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
-	 * to the value req->outbuf carries
-	 */
-	SSVAL(req->chain_outbuf, smb_flg2,
-	      (SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
-	      | (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
-
-	/*
-	 * Transfer the error codes from the subrequest to the main one
-	 */
-	SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
-	SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
-
-	if (!smb_splice_chain(&req->chain_outbuf, req->outbuf)) {
-		exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
-	}
-	TALLOC_FREE(req->outbuf);
-
-	smb_setlen((char *)(req->chain_outbuf),
-		   talloc_get_size(req->chain_outbuf) - 4);
-
-	show_msg((char *)(req->chain_outbuf));
-
-	if (!srv_send_smb(req->sconn, (char *)req->chain_outbuf,
-			  true, req->seqnum+1,
-			  IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
-			  &req->pcd)) {
-		exit_server_cleanly("chain_reply: srv_send_smb failed.");
-	}
-	TALLOC_FREE(req->chain_outbuf);
-	req->done = true;
-}
-
-/****************************************************************************
  Check if services need reloading.
 ****************************************************************************/
 
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index e5dd762663..f4aa06b061 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -797,7 +797,6 @@ bool smb1_parse_chain(TALLOC_CTX *mem_ctx, const uint8_t *buf,
 		      struct smbd_server_connection *sconn,
 		      bool encrypted, uint32_t seqnum,
 		      struct smb_request ***reqs, unsigned *num_reqs);
-void chain_reply(struct smb_request *req);
 bool req_is_in_chain(struct smb_request *req);
 void smbd_process(struct tevent_context *ev_ctx,
 		  struct smbd_server_connection *sconn);
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 1b156b2acc..8b94396578 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -873,8 +873,6 @@ void reply_tcon_and_X(struct smb_request *req)
 	END_PROFILE(SMBtconX);
 
 	req->tid = conn->cnum;
-	chain_reply(req);
-	return;
 }
 
 /****************************************************************************
@@ -2065,7 +2063,6 @@ void reply_open_and_X(struct smb_request *req)
 		SIVAL(req->outbuf, smb_vwv15, SEC_STD_ALL);
 	}
 
-	chain_reply(req);
  out:
 	TALLOC_FREE(smb_fname);
 	END_PROFILE(SMBopenX);
@@ -2106,7 +2103,6 @@ void reply_ulogoffX(struct smb_request *req)
 
 	END_PROFILE(SMBulogoffX);
 	req->vuid = UID_FIELD_INVALID;
-	chain_reply(req);
 }
 
 /****************************************************************************
@@ -3708,8 +3704,6 @@ nosendfile_read:
 
 	DEBUG( 3, ( "send_file_readX fnum=%d max=%d nread=%d\n",
 		    fsp->fnum, (int)smb_maxcnt, (int)nread ) );
-
-	chain_reply(req);
 	return;
 
  strict_unlock:
@@ -4654,7 +4648,6 @@ void reply_write_and_X(struct smb_request *req)
 	}
 
 	END_PROFILE(SMBwriteX);
-	chain_reply(req);
 	return;
 
 out:
@@ -7853,7 +7846,6 @@ void reply_lockingX(struct smb_request *req)
 		  fsp->fnum, (unsigned int)locktype, num_locks, num_ulocks));
 
 	END_PROFILE(SMBlockingX);
-	chain_reply(req);
 }
 
 #undef DBGC_CLASS
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index cc801364cd..6bc1260770 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -791,6 +791,4 @@ void reply_sesssetup_and_X(struct smb_request *req)
 	sconn->smb1.sessions.done_sesssetup = true;
 
 	END_PROFILE(SMBsesssetupX);
-	chain_reply(req);
-	return;
 }