summaryrefslogtreecommitdiff
path: root/source4/libcli
diff options
context:
space:
mode:
Diffstat (limited to 'source4/libcli')
-rw-r--r--source4/libcli/smb2/request.c34
-rw-r--r--source4/libcli/smb2/smb2.h65
-rw-r--r--source4/libcli/smb2/transport.c156
3 files changed, 205 insertions, 50 deletions
diff --git a/source4/libcli/smb2/request.c b/source4/libcli/smb2/request.c
index 649a1db8d5..c351fd2fcb 100644
--- a/source4/libcli/smb2/request.c
+++ b/source4/libcli/smb2/request.c
@@ -63,6 +63,8 @@ struct smb2_request *smb2_request_init(struct smb2_transport *transport, uint16_
{
struct smb2_request *req;
uint64_t seqnum;
+ uint32_t hdr_offset;
+ uint32_t flags = 0;
if (body_dynamic_present) {
if (body_dynamic_size == 0) {
@@ -92,16 +94,34 @@ struct smb2_request *smb2_request_init(struct smb2_transport *transport, uint16_
ZERO_STRUCT(req->cancel);
ZERO_STRUCT(req->in);
- req->out.size = SMB2_HDR_BODY+NBT_HDR_SIZE+body_fixed_size;
+ if (transport->compound.missing > 0) {
+ transport->compound.missing -= 1;
+ req->out = transport->compound.buffer;
+ ZERO_STRUCT(transport->compound.buffer);
+ if (transport->compound.related) {
+ flags |= SMB2_HDR_FLAG_CHAINED;
+ }
+ } else {
+ ZERO_STRUCT(req->out);
+ }
+ if (req->out.size > 0) {
+ hdr_offset = req->out.size;
+ } else {
+ hdr_offset = NBT_HDR_SIZE;
+ }
+
+ req->out.size = hdr_offset + SMB2_HDR_BODY + body_fixed_size;
req->out.allocated = req->out.size + body_dynamic_size;
- req->out.buffer = talloc_array(req, uint8_t, req->out.allocated);
+
+ req->out.buffer = talloc_realloc(req, req->out.buffer,
+ uint8_t, req->out.allocated);
if (req->out.buffer == NULL) {
talloc_free(req);
return NULL;
}
- req->out.hdr = req->out.buffer + NBT_HDR_SIZE;
+ req->out.hdr = req->out.buffer + hdr_offset;
req->out.body = req->out.hdr + SMB2_HDR_BODY;
req->out.body_fixed= body_fixed_size;
req->out.body_size = body_fixed_size;
@@ -113,7 +133,7 @@ struct smb2_request *smb2_request_init(struct smb2_transport *transport, uint16_
SIVAL(req->out.hdr, SMB2_HDR_STATUS, 0);
SSVAL(req->out.hdr, SMB2_HDR_OPCODE, opcode);
SSVAL(req->out.hdr, SMB2_HDR_CREDIT, 0);
- SIVAL(req->out.hdr, SMB2_HDR_FLAGS, 0);
+ SIVAL(req->out.hdr, SMB2_HDR_FLAGS, flags);
SIVAL(req->out.hdr, SMB2_HDR_NEXT_COMMAND, 0);
SBVAL(req->out.hdr, SMB2_HDR_MESSAGE_ID, req->seqnum);
SIVAL(req->out.hdr, SMB2_HDR_PID, 0);
@@ -245,8 +265,9 @@ static size_t smb2_padding_fix(struct smb2_request_buffer *buf)
/*
grow a SMB2 buffer by the specified amount
*/
-static NTSTATUS smb2_grow_buffer(struct smb2_request_buffer *buf, size_t increase)
+NTSTATUS smb2_grow_buffer(struct smb2_request_buffer *buf, size_t increase)
{
+ size_t hdr_ofs;
size_t dynamic_ofs;
uint8_t *buffer_ptr;
uint32_t newsize = buf->size + increase;
@@ -256,13 +277,14 @@ static NTSTATUS smb2_grow_buffer(struct smb2_request_buffer *buf, size_t increas
if (newsize <= buf->allocated) return NT_STATUS_OK;
+ hdr_ofs = buf->hdr - buf->buffer;
dynamic_ofs = buf->dynamic - buf->buffer;
buffer_ptr = talloc_realloc(buf, buf->buffer, uint8_t, newsize);
NT_STATUS_HAVE_NO_MEMORY(buffer_ptr);
buf->buffer = buffer_ptr;
- buf->hdr = buf->buffer + NBT_HDR_SIZE;
+ buf->hdr = buf->buffer + hdr_ofs;
buf->body = buf->hdr + SMB2_HDR_BODY;
buf->dynamic = buf->buffer + dynamic_ofs;
buf->allocated = newsize;
diff --git a/source4/libcli/smb2/smb2.h b/source4/libcli/smb2/smb2.h
index f1c83215c7..39d6aaacba 100644
--- a/source4/libcli/smb2/smb2.h
+++ b/source4/libcli/smb2/smb2.h
@@ -40,6 +40,35 @@ struct smb2_negotiate {
uint16_t dialect_revision;
};
+struct smb2_request_buffer {
+ /* the raw SMB2 buffer, including the 4 byte length header */
+ uint8_t *buffer;
+
+ /* the size of the raw buffer, including 4 byte header */
+ size_t size;
+
+ /* how much has been allocated - on reply the buffer is over-allocated to
+ prevent too many realloc() calls
+ */
+ size_t allocated;
+
+ /* the start of the SMB2 header - this is always buffer+4 */
+ uint8_t *hdr;
+
+ /* the packet body */
+ uint8_t *body;
+ size_t body_fixed;
+ size_t body_size;
+
+ /* this point to the next dynamic byte that can be used
+ * this will be moved when some dynamic data is pushed
+ */
+ uint8_t *dynamic;
+
+ /* this is used to range check and align strings and buffers */
+ struct request_bufinfo bufinfo;
+};
+
/* this is the context for the smb2 transport layer */
struct smb2_transport {
/* socket level info */
@@ -50,6 +79,13 @@ struct smb2_transport {
/* next seqnum to allocate */
uint64_t seqnum;
+ /* the details for coumpounded requests */
+ struct {
+ uint32_t missing;
+ bool related;
+ struct smb2_request_buffer buffer;
+ } compound;
+
/* a list of requests that are pending for receive on this
connection */
struct smb2_request *pending_recv;
@@ -110,35 +146,6 @@ struct smb2_session {
};
-struct smb2_request_buffer {
- /* the raw SMB2 buffer, including the 4 byte length header */
- uint8_t *buffer;
-
- /* the size of the raw buffer, including 4 byte header */
- size_t size;
-
- /* how much has been allocated - on reply the buffer is over-allocated to
- prevent too many realloc() calls
- */
- size_t allocated;
-
- /* the start of the SMB2 header - this is always buffer+4 */
- uint8_t *hdr;
-
- /* the packet body */
- uint8_t *body;
- size_t body_fixed;
- size_t body_size;
-
- /* this point to the next dynamic byte that can be used
- * this will be moved when some dynamic data is pushed
- */
- uint8_t *dynamic;
-
- /* this is used to range check and align strings and buffers */
- struct request_bufinfo bufinfo;
-};
-
/*
a client request moves between the following 4 states.
diff --git a/source4/libcli/smb2/transport.c b/source4/libcli/smb2/transport.c
index 6a87d124d9..49b72a4545 100644
--- a/source4/libcli/smb2/transport.c
+++ b/source4/libcli/smb2/transport.c
@@ -208,6 +208,28 @@ static NTSTATUS smb2_handle_oplock_break(struct smb2_transport *transport,
return NT_STATUS_OK;
}
+struct smb2_transport_compount_response_state {
+ struct smb2_transport *transport;
+ DATA_BLOB blob;
+};
+
+static void smb2_transport_compound_response_handler(struct tevent_context *ctx,
+ struct tevent_immediate *im,
+ void *private_data)
+{
+ struct smb2_transport_compount_response_state *state =
+ talloc_get_type_abort(private_data,
+ struct smb2_transport_compount_response_state);
+ struct smb2_transport *transport = state->transport;
+ NTSTATUS status;
+
+ status = smb2_transport_finish_recv(transport, state->blob);
+ TALLOC_FREE(state);
+ if (!NT_STATUS_IS_OK(status)) {
+ smb2_transport_error(transport, status);
+ }
+}
+
/*
we have a full request in our receive buffer - match it to a pending request
and process
@@ -226,6 +248,7 @@ static NTSTATUS smb2_transport_finish_recv(void *private_data, DATA_BLOB blob)
uint32_t i;
uint16_t opcode;
NTSTATUS status;
+ uint32_t next_ofs;
buffer = blob.data;
len = blob.length;
@@ -285,6 +308,18 @@ static NTSTATUS smb2_transport_finish_recv(void *private_data, DATA_BLOB blob)
return NT_STATUS_OK;
}
+ next_ofs = IVAL(req->in.hdr, SMB2_HDR_NEXT_COMMAND);
+ if (next_ofs > 0) {
+ if (smb2_oob(&req->in, req->in.hdr + next_ofs, SMB2_HDR_BODY + 2)) {
+ DEBUG(1,("SMB2 request invalid next offset 0x%x\n",
+ next_ofs));
+ goto error;
+ }
+
+ req->in.size = NBT_HDR_SIZE + next_ofs;
+ req->in.body_size = req->in.size - (SMB2_HDR_BODY+NBT_HDR_SIZE);
+ }
+
if (req->session && req->session->signing_active) {
status = smb2_check_signature(&req->in,
req->session->session_key);
@@ -313,6 +348,36 @@ static NTSTATUS smb2_transport_finish_recv(void *private_data, DATA_BLOB blob)
DEBUG(2, ("SMB2 RECV seqnum=0x%llx\n", (long long)req->seqnum));
dump_data(5, req->in.body, req->in.body_size);
+ if (next_ofs > 0) {
+ struct tevent_immediate *im;
+ struct smb2_transport_compount_response_state *state;
+
+ state = talloc(transport,
+ struct smb2_transport_compount_response_state);
+ if (!state) {
+ goto error;
+ }
+ state->transport = transport;
+
+ state->blob = data_blob_talloc(state, NULL,
+ blob.length - next_ofs);
+ if (!state->blob.data) {
+ goto error;
+ }
+ im = tevent_create_immediate(state);
+ if (!im) {
+ TALLOC_FREE(state);
+ goto error;
+ }
+ _smb2_setlen(state->blob.data, state->blob.length - NBT_HDR_SIZE);
+ memcpy(state->blob.data + NBT_HDR_SIZE,
+ req->in.hdr + next_ofs,
+ req->in.allocated - req->in.size);
+ tevent_schedule_immediate(im, transport->socket->event.ctx,
+ smb2_transport_compound_response_handler,
+ state);
+ }
+
/* if this request has an async handler then call that to
notify that the reply has been received. This might destroy
the request so it must happen last */
@@ -367,25 +432,67 @@ static int smb2_request_destructor(struct smb2_request *req)
return 0;
}
+static NTSTATUS smb2_transport_raw_send(struct smb2_transport *transport,
+ struct smb2_request_buffer *buffer)
+{
+ DATA_BLOB blob;
+ NTSTATUS status;
+
+ /* check if the transport is dead */
+ if (transport->socket->sock == NULL) {
+ return NT_STATUS_NET_WRITE_FAULT;
+ }
+
+ _smb2_setlen(buffer->buffer, buffer->size - NBT_HDR_SIZE);
+ blob = data_blob_const(buffer->buffer, buffer->size);
+ status = packet_send(transport->packet, blob);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
/*
put a request into the send queue
*/
void smb2_transport_send(struct smb2_request *req)
{
- DATA_BLOB blob;
NTSTATUS status;
- _smb2_setlen(req->out.buffer, req->out.size - NBT_HDR_SIZE);
-
DEBUG(2, ("SMB2 send seqnum=0x%llx\n", (long long)req->seqnum));
dump_data(5, req->out.body, req->out.body_size);
- /* check if the transport is dead */
- if (req->transport->socket->sock == NULL) {
- req->state = SMB2_REQUEST_ERROR;
- req->status = NT_STATUS_NET_WRITE_FAULT;
- return;
+ if (req->transport->compound.missing > 0) {
+ off_t next_ofs;
+ size_t pad = 0;
+ uint8_t *end;
+
+ end = req->out.buffer + req->out.size;
+
+ /*
+ * we need to set dynamic otherwise
+ * smb2_grow_buffer segfaults
+ */
+ if (req->out.dynamic == NULL) {
+ req->out.dynamic = end;
+ }
+
+ next_ofs = end - req->out.hdr;
+ if ((next_ofs % 8) > 0) {
+ pad = 8 - (next_ofs % 8);
+ }
+ next_ofs += pad;
+
+ status = smb2_grow_buffer(&req->out, pad);
+ if (!NT_STATUS_IS_OK(status)) {
+ req->state = SMB2_REQUEST_ERROR;
+ req->status = status;
+ return;
+ }
+ req->out.size += pad;
+
+ SIVAL(req->out.hdr, SMB2_HDR_NEXT_COMMAND, next_ofs);
}
/* possibly sign the message */
@@ -397,14 +504,19 @@ void smb2_transport_send(struct smb2_request *req)
return;
}
}
-
- blob = data_blob_const(req->out.buffer, req->out.size);
- status = packet_send(req->transport->packet, blob);
- if (!NT_STATUS_IS_OK(status)) {
- req->state = SMB2_REQUEST_ERROR;
- req->status = status;
- return;
+
+ if (req->transport->compound.missing > 0) {
+ req->transport->compound.buffer = req->out;
+ } else {
+ status = smb2_transport_raw_send(req->transport,
+ &req->out);
+ if (!NT_STATUS_IS_OK(status)) {
+ req->state = SMB2_REQUEST_ERROR;
+ req->status = status;
+ return;
+ }
}
+ ZERO_STRUCT(req->out);
req->state = SMB2_REQUEST_RECV;
DLIST_ADD(req->transport->pending_recv, req);
@@ -419,6 +531,20 @@ void smb2_transport_send(struct smb2_request *req)
talloc_set_destructor(req, smb2_request_destructor);
}
+NTSTATUS smb2_transport_compound_start(struct smb2_transport *transport,
+ uint32_t num)
+{
+ ZERO_STRUCT(transport->compound);
+ transport->compound.missing = num;
+ return NT_STATUS_OK;
+}
+
+void smb2_transport_compound_set_related(struct smb2_transport *transport,
+ bool related)
+{
+ transport->compound.related = related;
+}
+
static void idle_handler(struct tevent_context *ev,
struct tevent_timer *te, struct timeval t, void *private_data)
{