/* Unix SMB/Netbios implementation. Version 1.9. Inter-process communication and named pipe handling Copyright (C) Andrew Tridgell 1992-1998 SMB Version handling Copyright (C) John H Terpstra 1995-1998 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ /* This file handles the named pipe and mailslot calls in the SMBtrans protocol */ #include "includes.h" #include "nterr.h" extern int DEBUGLEVEL; extern int max_send; extern fstring local_machine; #define NERR_notsupported 50 extern int Client; extern int smb_read_error; extern uint32 global_client_caps; /******************************************************************* copies parameters and data, as needed, into the smb buffer *both* the data and params sections should be aligned. this is fudged in the rpc pipes by at present, only the data section is. this may be a possible cause of some of the ipc problems being experienced. lkcl26dec97 ******************************************************************/ static void copy_trans_params_and_data(char *outbuf, int align, prs_struct *rparam, prs_struct *rdata, int param_offset, int data_offset, int param_len, int data_len) { char *copy_into = smb_buf(outbuf) + 1; DEBUG(5, ("copy_trans_params_and_data: params[%d..%d] data[%d..%d]\n", param_offset, param_offset + param_len, data_offset, data_offset + data_len)); if (param_len) prs_buf_copy(copy_into, rparam, param_offset, param_len); copy_into += param_len + align; if (data_len) prs_buf_copy(copy_into, rdata, data_offset, data_len); } /**************************************************************************** send a trans reply ****************************************************************************/ void send_trans_reply(char *outbuf, prs_struct *rdata, prs_struct *rparam, uint16 *setup, int lsetup, int max_data_ret, BOOL pipe_data_outstanding) { int i; int this_ldata, this_lparam; int tot_data = 0, tot_param = 0; int align; int ldata = rdata ? prs_buf_len(rdata) : 0; int lparam = rparam ? prs_buf_len(rparam) : 0; BOOL buffer_too_large = max_data_ret ? ldata > max_data_ret : False; DEBUG(10, ("send_trans_reply: max_data_ret: %d datalen: %d plen: %d\n", max_data_ret, ldata, lparam)); if (buffer_too_large) { DEBUG(5, ("send_trans_reply: buffer %d too large %d\n", ldata, max_data_ret)); ldata = max_data_ret; } this_lparam = MIN(lparam, max_send - (500 + lsetup * SIZEOFWORD)); /* hack */ this_ldata = MIN(ldata, max_send - (500 + lsetup * SIZEOFWORD + this_lparam)); align = ((this_lparam) % 4); set_message(outbuf, 10 + lsetup, 1 + align + this_ldata + this_lparam, True); if (buffer_too_large || pipe_data_outstanding) { if (global_client_caps & CAP_STATUS32) { /* issue a buffer size warning. on a DCE/RPC pipe, expect an SMBreadX... */ SIVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); SIVAL(outbuf, smb_rcls, 0x80000005); /* STATUS_BUFFER_OVERFLOW */ } else { SCVAL(outbuf, smb_rcls, ERRDOS); SSVAL(outbuf, smb_err, ERRmoredata); } } copy_trans_params_and_data(outbuf, align, rparam, rdata, tot_param, tot_data, this_lparam, this_ldata); SSVAL(outbuf, smb_vwv0, lparam); SSVAL(outbuf, smb_vwv1, ldata); SSVAL(outbuf, smb_vwv3, this_lparam); SSVAL(outbuf, smb_vwv4, smb_offset(smb_buf(outbuf) + 1, outbuf)); SSVAL(outbuf, smb_vwv5, 0); SSVAL(outbuf, smb_vwv6, this_ldata); SSVAL(outbuf, smb_vwv7, smb_offset(smb_buf(outbuf) + 1 + this_lparam + align, outbuf)); SSVAL(outbuf, smb_vwv8, 0); SSVAL(outbuf, smb_vwv9, lsetup); for (i = 0; i < lsetup; i++) { SSVAL(outbuf, smb_vwv10 + i * SIZEOFWORD, setup[i]); } show_msg(outbuf); send_smb(Client, outbuf); tot_data = this_ldata; tot_param = this_lparam; while (tot_data < ldata || tot_param < lparam) { this_lparam = MIN(lparam - tot_param, max_send - 500); /* hack */ this_ldata = MIN(ldata - tot_data, max_send - (500 + this_lparam)); align = (this_lparam % 4); set_message(outbuf, 10, 1 + this_ldata + this_lparam + align, False); copy_trans_params_and_data(outbuf, align, rparam, rdata, tot_param, tot_data, this_lparam, this_ldata); SSVAL(outbuf, smb_vwv3, this_lparam); SSVAL(outbuf, smb_vwv4, smb_offset(smb_buf(outbuf) + 1, outbuf)); SSVAL(outbuf, smb_vwv5, tot_param); SSVAL(outbuf, smb_vwv6, this_ldata); SSVAL(outbuf, smb_vwv7, smb_offset(smb_buf(outbuf) + 1 + this_lparam + align, outbuf)); SSVAL(outbuf, smb_vwv8, tot_data); SSVAL(outbuf, smb_vwv9, 0); show_msg(outbuf); send_smb(Client, outbuf); tot_data += this_ldata; tot_param += this_lparam; } } static void api_rpc_trans_reply(char *outbuf, char *rdata, int rlen, BOOL pipe_data_outstanding) { prs_struct ps; prs_create(&ps, rdata, rlen, 0, False); prs_debug_out(&ps, "api_rpc_trans_reply", 200); send_trans_reply(outbuf, &ps, NULL, NULL, 0, rlen, pipe_data_outstanding); } /**************************************************************************** WaitNamedPipeHandleState ****************************************************************************/ static BOOL api_WNPHS(char *outbuf, pipes_struct * p, char *param, int mdrcnt) { uint16 priority; if (!param) return False; priority = param[0] + (param[1] << 8); DEBUG(4, ("WaitNamedPipeHandleState priority %x\n", priority)); if (wait_rpc_pipe_hnd_state(p, priority)) { /* now send the reply */ send_trans_reply(outbuf, NULL, NULL, NULL, 0, mdrcnt, False); return True; } return False; } /**************************************************************************** SetNamedPipeHandleState ****************************************************************************/ static BOOL api_SNPHS(char *outbuf, pipes_struct * p, char *param, int mdrcnt) { uint16 id; if (!param) return False; id = param[0] + (param[1] << 8); DEBUG(4, ("SetNamedPipeHandleState to code %x\n", id)); if (set_rpc_pipe_hnd_state(p, id)) { /* now send the reply */ send_trans_reply(outbuf, NULL, NULL, NULL, 0, mdrcnt, False); return True; } return False; } /**************************************************************************** when no reply is generated, indicate unsupported. ****************************************************************************/ static BOOL api_no_reply(char *outbuf, int max_rdata_len) { prs_struct rparam; prs_init(&rparam, 4, 0, False); rparam.start = 0; rparam.end = 4; /* unsupported */ SSVAL(rparam.data, 0, NERR_notsupported); SSVAL(rparam.data, 2, 0); /* converter word */ DEBUG(3, ("Unsupported API fd command\n")); /* now send the reply */ send_trans_reply(outbuf, NULL, &rparam, NULL, 0, max_rdata_len, False); prs_free_data(&rparam); return (-1); } /**************************************************************************** handle remote api calls delivered to a named pipe already opened. ****************************************************************************/ static int api_fd_reply(connection_struct * conn, uint16 vuid, char *outbuf, uint16 *setup, char *data, char *params, int suwcnt, int tdscnt, int tpscnt, int mdrcnt, int mprcnt) { BOOL reply = False; uint16 pnum; uint16 subcommand; pipes_struct *p = NULL; DEBUG(5, ("api_fd_reply\n")); /* First find out the name of this file. */ if (suwcnt != 2) { DEBUG(0, ("Unexpected named pipe transaction.\n")); return (-1); } /* Get the file handle and hence the file name. */ pnum = setup[1]; subcommand = setup[0]; p = get_rpc_pipe(pnum); if (p != NULL) { DEBUG(3, ("Got API command 0x%x on pipe \"%s\" (pnum %x)", subcommand, p->name, pnum)); /* record maximum data length that can be transmitted in an SMBtrans */ DEBUG(10, ("api_fd_reply: p:%p mdrcnt: %d\n", p, mdrcnt)); switch (subcommand) { case 0x26: { BOOL pipe_outstanding = False; char *rdata = NULL; int rlen = mdrcnt; reply = readwrite_pipe(p, data, tdscnt, &rdata, &rlen, &pipe_outstanding); if (reply) { api_rpc_trans_reply(outbuf, rdata, rlen, pipe_outstanding); } break; } case 0x53: { /* Wait Named Pipe Handle state */ reply = api_WNPHS(outbuf, p, params, mdrcnt); break; } case 0x01: { /* Set Named Pipe Handle state */ reply = api_SNPHS(outbuf, p, params, mdrcnt); break; } } } else { DEBUG(1, ("api_fd_reply: INVALID PIPE HANDLE: %x\n", pnum)); } if (!reply) { return api_no_reply(outbuf, mdrcnt); } return -1; } /**************************************************************************** handle named pipe commands ****************************************************************************/ static int named_pipe(connection_struct * conn, uint16 vuid, char *outbuf, char *name, uint16 *setup, char *data, char *params, int suwcnt, int tdscnt, int tpscnt, int msrcnt, int mdrcnt, int mprcnt) { DEBUG(3, ("named pipe command on <%s> name\n", name)); if (strequal(name, "LANMAN")) { return api_reply(conn, vuid, outbuf, data, params, tdscnt, tpscnt, mdrcnt, mprcnt); } if (strequal(name, "WKSSVC") || strequal(name, "SRVSVC") || strequal(name, "WINREG") || strequal(name, "SAMR") || strequal(name, "LSARPC")) { DEBUG(4, ("named pipe command from Win95 (wow!)\n")); return api_fd_reply(conn, vuid, outbuf, setup, data, params, suwcnt, tdscnt, tpscnt, mdrcnt, mprcnt); } if (strlen(name) < 1) { return api_fd_reply(conn, vuid, outbuf, setup, data, params, suwcnt, tdscnt, tpscnt, mdrcnt, mprcnt); } if (setup) { DEBUG(3, ("unknown named pipe: setup 0x%X setup1=%d\n", (int)setup[0], (int)setup[1])); } return 0; } /**************************************************************************** reply to a SMBtrans ****************************************************************************/ int reply_trans(connection_struct * conn, char *inbuf, char *outbuf, int size, int bufsize) { fstring name; int name_offset = 0; char *data = NULL, *params = NULL; uint16 *setup = NULL; int outsize = 0; uint16 vuid = SVAL(inbuf, smb_uid); int tpscnt = SVAL(inbuf, smb_vwv0); int tdscnt = SVAL(inbuf, smb_vwv1); int mprcnt = SVAL(inbuf, smb_vwv2); int mdrcnt = SVAL(inbuf, smb_vwv3); int msrcnt = CVAL(inbuf, smb_vwv4); BOOL close_on_completion = BITSETW(inbuf + smb_vwv5, 0); BOOL one_way = BITSETW(inbuf + smb_vwv5, 1); int pscnt = SVAL(inbuf, smb_vwv9); int psoff = SVAL(inbuf, smb_vwv10); int dscnt = SVAL(inbuf, smb_vwv11); int dsoff = SVAL(inbuf, smb_vwv12); int suwcnt = CVAL(inbuf, smb_vwv13); ZERO_STRUCT(name); fstrcpy(name, smb_buf(inbuf)); if (dscnt > tdscnt || pscnt > tpscnt) { exit_server("invalid trans parameters\n"); } if (tdscnt) { if ((data = (char *)malloc(tdscnt)) == NULL) { DEBUG(0, ("reply_trans: data malloc fail for %d bytes !\n", tdscnt)); return (ERROR(ERRDOS, ERRnomem)); } memcpy(data, smb_base(inbuf) + dsoff, dscnt); } if (tpscnt) { if ((params = (char *)malloc(tpscnt)) == NULL) { DEBUG(0, ("reply_trans: param malloc fail for %d bytes !\n", tpscnt)); return (ERROR(ERRDOS, ERRnomem)); } memcpy(params, smb_base(inbuf) + psoff, pscnt); } if (suwcnt) { int i; if ((setup = (uint16 *)malloc(suwcnt * sizeof(uint16))) == NULL) { DEBUG(0, ("reply_trans: setup malloc fail for %d bytes !\n", suwcnt * sizeof(uint16))); return (ERROR(ERRDOS, ERRnomem)); } for (i = 0; i < suwcnt; i++) setup[i] = SVAL(inbuf, smb_vwv14 + i * SIZEOFWORD); } if (pscnt < tpscnt || dscnt < tdscnt) { /* We need to send an interim response then receive the rest of the parameter/data bytes */ outsize = set_message(outbuf, 0, 0, True); show_msg(outbuf); send_smb(Client, outbuf); } /* receive the rest of the trans packet */ while (pscnt < tpscnt || dscnt < tdscnt) { BOOL ret; int pcnt, poff, dcnt, doff, pdisp, ddisp; ret = receive_next_smb(inbuf, bufsize, SMB_SECONDARY_WAIT); show_msg(inbuf); if ((ret && (CVAL(inbuf, smb_com) != SMBtrans && CVAL(inbuf, smb_com) != SMBtranss)) || !ret) { if (ret) { DEBUG(0, ("reply_trans: Invalid secondary trans packet\n")); } else { DEBUG(0, ("reply_trans: %s in getting secondary trans response.\n", (smb_read_error == READ_ERROR) ? "error" : "timeout")); } if (params) free(params); if (data) free(data); if (setup) free(setup); return (ERROR(ERRSRV, ERRerror)); } tpscnt = SVAL(inbuf, smb_vwv0); tdscnt = SVAL(inbuf, smb_vwv1); pcnt = SVAL(inbuf, smb_vwv2); poff = SVAL(inbuf, smb_vwv3); pdisp = SVAL(inbuf, smb_vwv4); dcnt = SVAL(inbuf, smb_vwv5); doff = SVAL(inbuf, smb_vwv6); ddisp = SVAL(inbuf, smb_vwv7); pscnt += pcnt; dscnt += dcnt; if (dscnt > tdscnt || pscnt > tpscnt) { exit_server("invalid trans parameters\n"); } if (pcnt) memcpy(params + pdisp, smb_base(inbuf) + poff, pcnt); if (dcnt) memcpy(data + ddisp, smb_base(inbuf) + doff, dcnt); } DEBUG(3, ("trans <%s> data=%d params=%d setup=%d\n", name, tdscnt, tpscnt, suwcnt)); /* * WinCE wierdness.... */ if (name[0] == '\\' && (StrnCaseCmp(&name[1], local_machine, strlen(local_machine)) == 0)) { name_offset = strlen(local_machine) + 1; } if (strncmp(&name[name_offset], "\\PIPE\\", strlen("\\PIPE\\")) == 0) { DEBUG(5, ("calling named_pipe\n")); outsize = named_pipe(conn, vuid, outbuf, name + name_offset + strlen("\\PIPE\\"), setup, data, params, suwcnt, tdscnt, tpscnt, msrcnt, mdrcnt, mprcnt); } else { DEBUG(3, ("invalid pipe name\n")); outsize = 0; } if (data) free(data); if (params) free(params); if (setup) free(setup); if (close_on_completion) close_cnum(conn, vuid); if (one_way) return (-1); if (outsize == 0) return (ERROR(ERRSRV, ERRnosupport)); return (outsize); }