r11786: move all SMB protocol specific stuff to smb_server/smb/

metze
(This used to be commit 5fea278cb65076cea71bb6c921e51c4feffc37d7)

1 files changed, 675 insertions, 0 deletions

diff --git a/source4/smb_server/smb/request.c b/source4/smb_server/smb/request.c
new file mode 100644
index 0000000000..5491089c8e
--- /dev/null
+++ b/source4/smb_server/smb/request.c
@@ -0,0 +1,675 @@
+/* 
+   Unix SMB/CIFS implementation.
+   
+   Copyright (C) Andrew Tridgell              2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+/*
+  this file implements functions for manipulating the 'struct smbsrv_request' structure in smbd
+*/
+
+#include "includes.h"
+#include "lib/events/events.h"
+#include "dlinklist.h"
+#include "smb_server/smb_server.h"
+#include "smbd/service_stream.h"
+#include "lib/stream/packet.h"
+
+
+/* we over allocate the data buffer to prevent too many realloc calls */
+#define REQ_OVER_ALLOCATION 0
+
+/* destroy a request structure */
+void req_destroy(struct smbsrv_request *req)
+{
+	/* ahh, its so nice to destroy a complex structure in such a
+	 * simple way! */
+	talloc_free(req);
+}
+
+/****************************************************************************
+construct a basic request packet, mostly used to construct async packets
+such as change notify and oplock break requests
+****************************************************************************/
+struct smbsrv_request *init_smb_request(struct smbsrv_connection *smb_conn)
+{
+	struct smbsrv_request *req;
+
+	req = talloc(smb_conn, struct smbsrv_request);
+	if (!req) {
+		return NULL;
+	}
+
+	ZERO_STRUCTP(req);
+
+	/* setup the request context */
+	req->smb_conn = smb_conn;
+
+	req->async_states = talloc(req, struct ntvfs_async_state);
+	if (!req->async_states) {
+		talloc_free(req);
+		return NULL;
+	}
+	req->async_states->state = 0;
+
+	return req;
+}
+
+
+/*
+  setup a chained reply in req->out with the given word count and initial data buffer size. 
+*/
+static void req_setup_chain_reply(struct smbsrv_request *req, uint_t wct, uint_t buflen)
+{
+	uint32_t chain_base_size = req->out.size;
+
+	/* we need room for the wct value, the words, the buffer length and the buffer */
+	req->out.size += 1 + VWV(wct) + 2 + buflen;
+
+	/* over allocate by a small amount */
+	req->out.allocated = req->out.size + REQ_OVER_ALLOCATION; 
+
+	req->out.buffer = talloc_realloc(req, req->out.buffer, 
+					 uint8_t, req->out.allocated);
+	if (!req->out.buffer) {
+		smbsrv_terminate_connection(req->smb_conn, "allocation failed");
+		return;
+	}
+
+	req->out.hdr = req->out.buffer + NBT_HDR_SIZE;
+	req->out.vwv = req->out.buffer + chain_base_size + 1;
+	req->out.wct = wct;
+	req->out.data = req->out.vwv + VWV(wct) + 2;
+	req->out.data_size = buflen;
+	req->out.ptr = req->out.data;
+
+	SCVAL(req->out.buffer, chain_base_size, wct);
+	SSVAL(req->out.vwv, VWV(wct), buflen);
+}
+
+
+/*
+  setup a reply in req->out with the given word count and initial data buffer size. 
+  the caller will then fill in the command words and data before calling req_send_reply() to 
+  send the reply on its way
+*/
+void req_setup_reply(struct smbsrv_request *req, uint_t wct, uint_t buflen)
+{
+	uint16_t flags2;
+
+	if (req->chain_count != 0) {
+		req_setup_chain_reply(req, wct, buflen);
+		return;
+	}
+
+	req->out.size = NBT_HDR_SIZE + MIN_SMB_SIZE + wct*2 + buflen;
+
+	/* over allocate by a small amount */
+	req->out.allocated = req->out.size + REQ_OVER_ALLOCATION; 
+
+	req->out.buffer = talloc_size(req, req->out.allocated);
+	if (!req->out.buffer) {
+		smbsrv_terminate_connection(req->smb_conn, "allocation failed");
+		return;
+	}
+
+	flags2 = FLAGS2_LONG_PATH_COMPONENTS | 
+		FLAGS2_EXTENDED_ATTRIBUTES | 
+		FLAGS2_IS_LONG_NAME;
+	flags2 |= (req->flags2 & (FLAGS2_UNICODE_STRINGS|FLAGS2_EXTENDED_SECURITY));
+	if (req->smb_conn->negotiate.client_caps & CAP_STATUS32) {
+		flags2 |= FLAGS2_32_BIT_ERROR_CODES;
+	}
+
+	req->out.hdr = req->out.buffer + NBT_HDR_SIZE;
+	req->out.vwv = req->out.hdr + HDR_VWV;
+	req->out.wct = wct;
+	req->out.data = req->out.vwv + VWV(wct) + 2;
+	req->out.data_size = buflen;
+	req->out.ptr = req->out.data;
+
+	SIVAL(req->out.hdr, HDR_RCLS, 0);
+
+	SCVAL(req->out.hdr, HDR_WCT, wct);
+	SSVAL(req->out.vwv, VWV(wct), buflen);
+
+	memcpy(req->out.hdr, "\377SMB", 4);
+	SCVAL(req->out.hdr,HDR_FLG, FLAG_REPLY | FLAG_CASELESS_PATHNAMES); 
+	SSVAL(req->out.hdr,HDR_FLG2, flags2);
+	SSVAL(req->out.hdr,HDR_PIDHIGH,0);
+	memset(req->out.hdr + HDR_SS_FIELD, 0, 10);
+
+	if (req->in.hdr) {
+		/* copy the cmd, tid, pid, uid and mid from the request */
+		SCVAL(req->out.hdr,HDR_COM,CVAL(req->in.hdr,HDR_COM));	
+		SSVAL(req->out.hdr,HDR_TID,SVAL(req->in.hdr,HDR_TID));
+		SSVAL(req->out.hdr,HDR_PID,SVAL(req->in.hdr,HDR_PID));
+		SSVAL(req->out.hdr,HDR_UID,SVAL(req->in.hdr,HDR_UID));
+		SSVAL(req->out.hdr,HDR_MID,SVAL(req->in.hdr,HDR_MID));
+	} else {
+		SSVAL(req->out.hdr,HDR_TID,0);
+		SSVAL(req->out.hdr,HDR_PID,0);
+		SSVAL(req->out.hdr,HDR_UID,0);
+		SSVAL(req->out.hdr,HDR_MID,0);
+	}
+}
+
+
+/*
+  setup a copy of a request, used when the server needs to send
+  more than one reply for a single request packet
+*/
+struct smbsrv_request *req_setup_secondary(struct smbsrv_request *old_req)
+{
+	struct smbsrv_request *req;
+	ptrdiff_t diff;
+
+	req = talloc_memdup(old_req, old_req, sizeof(struct smbsrv_request));
+	if (req == NULL) {
+		return NULL;
+	}
+
+	req->out.buffer = talloc_memdup(req, req->out.buffer, req->out.allocated);
+	if (req->out.buffer == NULL) {
+		talloc_free(req);
+		return NULL;
+	}
+
+	diff = req->out.buffer - old_req->out.buffer;
+
+	req->out.hdr  += diff;
+	req->out.vwv  += diff;
+	req->out.data += diff;
+	req->out.ptr  += diff;
+
+	return req;
+}
+
+/*
+  work out the maximum data size we will allow for this reply, given
+  the negotiated max_xmit. The basic reply packet must be setup before
+  this call
+
+  note that this is deliberately a signed integer reply
+*/
+int req_max_data(struct smbsrv_request *req)
+{
+	int ret;
+	ret = req->smb_conn->negotiate.max_send;
+	ret -= PTR_DIFF(req->out.data, req->out.hdr);
+	if (ret < 0) ret = 0;
+	return ret;
+}
+
+
+/*
+  grow the allocation of the data buffer portion of a reply
+  packet. Note that as this can reallocate the packet buffer this
+  invalidates any local pointers into the packet.
+
+  To cope with this req->out.ptr is supplied. This will be updated to
+  point at the same offset into the packet as before this call
+*/
+static void req_grow_allocation(struct smbsrv_request *req, uint_t new_size)
+{
+	int delta;
+	uint8_t *buf2;
+
+	delta = new_size - req->out.data_size;
+	if (delta + req->out.size <= req->out.allocated) {
+		/* it fits in the preallocation */
+		return;
+	}
+
+	/* we need to realloc */
+	req->out.allocated = req->out.size + delta + REQ_OVER_ALLOCATION;
+	buf2 = talloc_realloc(req, req->out.buffer, uint8_t, req->out.allocated);
+	if (buf2 == NULL) {
+		smb_panic("out of memory in req_grow_allocation");
+	}
+
+	if (buf2 == req->out.buffer) {
+		/* the malloc library gave us the same pointer */
+		return;
+	}
+	
+	/* update the pointers into the packet */
+	req->out.data = buf2 + PTR_DIFF(req->out.data, req->out.buffer);
+	req->out.ptr  = buf2 + PTR_DIFF(req->out.ptr,  req->out.buffer);
+	req->out.vwv  = buf2 + PTR_DIFF(req->out.vwv,  req->out.buffer);
+	req->out.hdr  = buf2 + PTR_DIFF(req->out.hdr,  req->out.buffer);
+
+	req->out.buffer = buf2;
+}
+
+
+/*
+  grow the data buffer portion of a reply packet. Note that as this
+  can reallocate the packet buffer this invalidates any local pointers
+  into the packet. 
+
+  To cope with this req->out.ptr is supplied. This will be updated to
+  point at the same offset into the packet as before this call
+*/
+void req_grow_data(struct smbsrv_request *req, uint_t new_size)
+{
+	int delta;
+
+	if (!(req->control_flags & REQ_CONTROL_LARGE) && new_size > req_max_data(req)) {
+		smb_panic("reply buffer too large!");
+	}
+
+	req_grow_allocation(req, new_size);
+
+	delta = new_size - req->out.data_size;
+
+	req->out.size += delta;
+	req->out.data_size += delta;
+
+	/* set the BCC to the new data size */
+	SSVAL(req->out.vwv, VWV(req->out.wct), new_size);
+}
+
+/*
+  send a reply and destroy the request buffer
+
+  note that this only looks at req->out.buffer and req->out.size, allowing manually 
+  constructed packets to be sent
+*/
+void req_send_reply_nosign(struct smbsrv_request *req)
+{
+	DATA_BLOB blob;
+	NTSTATUS status;
+
+	if (req->out.size > NBT_HDR_SIZE) {
+		_smb_setlen(req->out.buffer, req->out.size - NBT_HDR_SIZE);
+	}
+
+	blob = data_blob_const(req->out.buffer, req->out.size);
+	status = packet_send(req->smb_conn->packet, blob);
+	if (!NT_STATUS_IS_OK(status)) {
+		smbsrv_terminate_connection(req->smb_conn, nt_errstr(status));
+	}
+	req_destroy(req);
+}
+
+/*
+  possibly sign a message then send a reply and destroy the request buffer
+
+  note that this only looks at req->out.buffer and req->out.size, allowing manually 
+  constructed packets to be sent
+*/
+void req_send_reply(struct smbsrv_request *req)
+{
+	req_sign_packet(req);
+
+	req_send_reply_nosign(req);
+}
+
+
+
+/* 
+   construct and send an error packet with a forced DOS error code
+   this is needed to match win2000 behaviour for some parts of the protocol
+*/
+void req_reply_dos_error(struct smbsrv_request *req, uint8_t eclass, uint16_t ecode)
+{
+	/* if the basic packet hasn't been setup yet then do it now */
+	if (req->out.buffer == NULL) {
+		req_setup_reply(req, 0, 0);
+	}
+
+	SCVAL(req->out.hdr, HDR_RCLS, eclass);
+	SSVAL(req->out.hdr, HDR_ERR, ecode);
+	SSVAL(req->out.hdr, HDR_FLG2, SVAL(req->out.hdr, HDR_FLG2) & ~FLAGS2_32_BIT_ERROR_CODES);	
+	req_send_reply(req);
+}
+
+/* 
+   setup the header of a reply to include an NTSTATUS code
+*/
+void req_setup_error(struct smbsrv_request *req, NTSTATUS status)
+{
+	if (!req->smb_conn->config.nt_status_support || !(req->smb_conn->negotiate.client_caps & CAP_STATUS32)) {
+		/* convert to DOS error codes */
+		uint8_t eclass;
+		uint32_t ecode;
+		ntstatus_to_dos(status, &eclass, &ecode);
+		SCVAL(req->out.hdr, HDR_RCLS, eclass);
+		SSVAL(req->out.hdr, HDR_ERR, ecode);
+		SSVAL(req->out.hdr, HDR_FLG2, SVAL(req->out.hdr, HDR_FLG2) & ~FLAGS2_32_BIT_ERROR_CODES);
+		return;
+	}
+
+	if (NT_STATUS_IS_DOS(status)) {
+		/* its a encoded DOS error, using the reserved range */
+		SSVAL(req->out.hdr, HDR_RCLS, NT_STATUS_DOS_CLASS(status));
+		SSVAL(req->out.hdr, HDR_ERR,  NT_STATUS_DOS_CODE(status));
+		SSVAL(req->out.hdr, HDR_FLG2, SVAL(req->out.hdr, HDR_FLG2) & ~FLAGS2_32_BIT_ERROR_CODES);
+	} else {
+		SIVAL(req->out.hdr, HDR_RCLS, NT_STATUS_V(status));
+		SSVAL(req->out.hdr, HDR_FLG2, SVAL(req->out.hdr, HDR_FLG2) | FLAGS2_32_BIT_ERROR_CODES);
+	}
+}
+
+/* 
+   construct and send an error packet, then destroy the request 
+   auto-converts to DOS error format when appropriate
+*/
+void req_reply_error(struct smbsrv_request *req, NTSTATUS status)
+{
+	if (req->smb_conn->connection->event.fde == NULL) {
+		/* the socket has been destroyed - no point trying to send an error! */
+		talloc_free(req);
+		return;
+	}
+	req_setup_reply(req, 0, 0);
+
+	/* error returns never have any data */
+	req_grow_data(req, 0);
+
+	req_setup_error(req, status);
+	req_send_reply(req);
+}
+
+
+/*
+  push a string into the data portion of the request packet, growing it if necessary
+  this gets quite tricky - please be very careful to cover all cases when modifying this
+
+  if dest is NULL, then put the string at the end of the data portion of the packet
+
+  if dest_len is -1 then no limit applies
+*/
+size_t req_push_str(struct smbsrv_request *req, uint8_t *dest, const char *str, int dest_len, uint_t flags)
+{
+	size_t len;
+	uint_t grow_size;
+	uint8_t *buf0;
+	const int max_bytes_per_char = 3;
+
+	if (!(flags & (STR_ASCII|STR_UNICODE))) {
+		flags |= (req->flags2 & FLAGS2_UNICODE_STRINGS) ? STR_UNICODE : STR_ASCII;
+	}
+
+	if (dest == NULL) {
+		dest = req->out.data + req->out.data_size;
+	}
+
+	if (dest_len != -1) {
+		len = dest_len;
+	} else {
+		len = (strlen(str)+2) * max_bytes_per_char;
+	}
+
+	grow_size = len + PTR_DIFF(dest, req->out.data);
+	buf0 = req->out.buffer;
+
+	req_grow_allocation(req, grow_size);
+
+	if (buf0 != req->out.buffer) {
+		dest = req->out.buffer + PTR_DIFF(dest, buf0);
+	}
+
+	len = push_string(dest, str, len, flags);
+
+	grow_size = len + PTR_DIFF(dest, req->out.data);
+
+	if (grow_size > req->out.data_size) {
+		req_grow_data(req, grow_size);
+	}
+
+	return len;
+}
+
+/*
+  append raw bytes into the data portion of the request packet
+  return the number of bytes added
+*/
+size_t req_append_bytes(struct smbsrv_request *req, 
+			const uint8_t *bytes, size_t byte_len)
+{
+	req_grow_allocation(req, byte_len + req->out.data_size);
+	memcpy(req->out.data + req->out.data_size, bytes, byte_len);
+	req_grow_data(req, byte_len + req->out.data_size);
+	return byte_len;
+}
+/*
+  append variable block (type 5 buffer) into the data portion of the request packet
+  return the number of bytes added
+*/
+size_t req_append_var_block(struct smbsrv_request *req, 
+		const uint8_t *bytes, uint16_t byte_len)
+{
+	req_grow_allocation(req, byte_len + 3 + req->out.data_size);
+	SCVAL(req->out.data + req->out.data_size, 0, 5);
+	SSVAL(req->out.data + req->out.data_size, 1, byte_len);		/* add field length */
+	if (byte_len > 0) {
+		memcpy(req->out.data + req->out.data_size + 3, bytes, byte_len);
+	}
+	req_grow_data(req, byte_len + 3 + req->out.data_size);
+	return byte_len + 3;
+}
+/*
+  pull a UCS2 string from a request packet, returning a talloced unix string
+
+  the string length is limited by the 3 things:
+   - the data size in the request (end of packet)
+   - the passed 'byte_len' if it is not -1
+   - the end of string (null termination)
+
+  Note that 'byte_len' is the number of bytes in the packet
+
+  on failure zero is returned and *dest is set to NULL, otherwise the number
+  of bytes consumed in the packet is returned
+*/
+static size_t req_pull_ucs2(struct smbsrv_request *req, const char **dest, const uint8_t *src, int byte_len, uint_t flags)
+{
+	int src_len, src_len2, alignment=0;
+	ssize_t ret;
+	char *dest2;
+
+	if (!(flags & STR_NOALIGN) && ucs2_align(req->in.buffer, src, flags)) {
+		src++;
+		alignment=1;
+		if (byte_len != -1) {
+			byte_len--;
+		}
+	}
+
+	if (flags & STR_NO_RANGE_CHECK) {
+		src_len = byte_len;
+	} else {
+		src_len = req->in.data_size - PTR_DIFF(src, req->in.data);
+		if (byte_len != -1 && src_len > byte_len) {
+			src_len = byte_len;
+		}
+	}
+
+	if (src_len < 0) {
+		*dest = NULL;
+		return 0;
+	}
+	
+	src_len2 = utf16_len_n(src, src_len);
+	if (src_len2 == 0) {
+		*dest = talloc_strdup(req, "");
+		return src_len2 + alignment;
+	}
+
+	ret = convert_string_talloc(req, CH_UTF16, CH_UNIX, src, src_len2, (void **)&dest2);
+
+	if (ret == -1) {
+		*dest = NULL;
+		return 0;
+	}
+	*dest = dest2;
+
+	return src_len2 + alignment;
+}
+
+/*
+  pull a ascii string from a request packet, returning a talloced string
+
+  the string length is limited by the 3 things:
+   - the data size in the request (end of packet)
+   - the passed 'byte_len' if it is not -1
+   - the end of string (null termination)
+
+  Note that 'byte_len' is the number of bytes in the packet
+
+  on failure zero is returned and *dest is set to NULL, otherwise the number
+  of bytes consumed in the packet is returned
+*/
+static size_t req_pull_ascii(struct smbsrv_request *req, const char **dest, const uint8_t *src, int byte_len, uint_t flags)
+{
+	int src_len, src_len2;
+	ssize_t ret;
+	char *dest2;
+
+	if (flags & STR_NO_RANGE_CHECK) {
+		src_len = byte_len;
+	} else {
+		src_len = req->in.data_size - PTR_DIFF(src, req->in.data);
+		if (src_len < 0) {
+			*dest = NULL;
+			return 0;
+		}
+		if (byte_len != -1 && src_len > byte_len) {
+			src_len = byte_len;
+		}
+	}
+
+	src_len2 = strnlen((const char *)src, src_len);
+	if (src_len2 <= src_len - 1) {
+		/* include the termination if we didn't reach the end of the packet */
+		src_len2++;
+	}
+
+	ret = convert_string_talloc(req, CH_DOS, CH_UNIX, src, src_len2, (void **)&dest2);
+
+	if (ret == -1) {
+		*dest = NULL;
+		return 0;
+	}
+	*dest = dest2;
+
+	return src_len2;
+}
+
+/*
+  pull a string from a request packet, returning a talloced string
+
+  the string length is limited by the 3 things:
+   - the data size in the request (end of packet)
+   - the passed 'byte_len' if it is not -1
+   - the end of string (null termination)
+
+  Note that 'byte_len' is the number of bytes in the packet
+
+  on failure zero is returned and *dest is set to NULL, otherwise the number
+  of bytes consumed in the packet is returned
+*/
+size_t req_pull_string(struct smbsrv_request *req, const char **dest, const uint8_t *src, int byte_len, uint_t flags)
+{
+	if (!(flags & STR_ASCII) && 
+	    (((flags & STR_UNICODE) || (req->flags2 & FLAGS2_UNICODE_STRINGS)))) {
+		return req_pull_ucs2(req, dest, src, byte_len, flags);
+	}
+
+	return req_pull_ascii(req, dest, src, byte_len, flags);
+}
+
+
+/*
+  pull a ASCII4 string buffer from a request packet, returning a talloced string
+  
+  an ASCII4 buffer is a null terminated string that has a prefix
+  of the character 0x4. It tends to be used in older parts of the protocol.
+
+  on failure *dest is set to the zero length string. This seems to
+  match win2000 behaviour
+*/
+size_t req_pull_ascii4(struct smbsrv_request *req, const char **dest, const uint8_t *src, uint_t flags)
+{
+	ssize_t ret;
+
+	if (PTR_DIFF(src, req->in.data) + 1 > req->in.data_size) {
+		/* win2000 treats this as the NULL string! */
+		(*dest) = talloc_strdup(req, "");
+		return 0;
+	}
+
+	/* this consumes the 0x4 byte. We don't check whether the byte
+	   is actually 0x4 or not. This matches win2000 server
+	   behaviour */
+	src++;
+
+	ret = req_pull_string(req, dest, src, -1, flags);
+	if (ret == -1) {
+		(*dest) = talloc_strdup(req, "");
+		return 1;
+	}
+	
+	return ret + 1;
+}
+
+/*
+  pull a DATA_BLOB from a request packet, returning a talloced blob
+
+  return False if any part is outside the data portion of the packet
+*/
+BOOL req_pull_blob(struct smbsrv_request *req, const uint8_t *src, int len, DATA_BLOB *blob)
+{
+	if (len != 0 && req_data_oob(req, src, len)) {
+		return False;
+	}
+
+	(*blob) = data_blob_talloc(req, src, len);
+
+	return True;
+}
+
+/* check that a lump of data in a request is within the bounds of the data section of
+   the packet */
+BOOL req_data_oob(struct smbsrv_request *req, const uint8_t *ptr, uint32_t count)
+{
+	if (count == 0) {
+		return False;
+	}
+	
+	/* be careful with wraparound! */
+	if (ptr < req->in.data ||
+	    ptr >= req->in.data + req->in.data_size ||
+	    count > req->in.data_size ||
+	    ptr + count > req->in.data + req->in.data_size) {
+		return True;
+	}
+	return False;
+}
+
+
+/* 
+   pull an open file handle from a packet, taking account of the chained_fnum
+*/
+uint16_t req_fnum(struct smbsrv_request *req, const uint8_t *base, uint_t offset)
+{
+	if (req->chained_fnum != -1) {
+		return req->chained_fnum;
+	}
+	return SVAL(base, offset);
+}