2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998,
5 * Largely re-written : 2005
6 * Copyright (C) Jeremy Allison 1998 - 2005
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #define DBGC_CLASS DBGC_RPC_SRV
28 #define PIPE "\\PIPE\\"
29 #define PIPELEN strlen(PIPE)
31 static smb_np_struct *chain_p;
32 static int pipes_open;
35 * Sometimes I can't decide if I hate Windows printer driver
36 * writers more than I hate the Windows spooler service driver
37 * writers. This gets around a combination of bugs in the spooler
38 * and the HP 8500 PCL driver that causes a spooler spin. JRA.
40 * bumped up from 20 -> 64 after viewing traffic from WordPerfect
41 * 2002 running on NT 4.- SP6
42 * bumped up from 64 -> 256 after viewing traffic from con2prt
43 * for lots of printers on a WinNT 4.x SP6 box.
46 #ifndef MAX_OPEN_SPOOLSS_PIPES
47 #define MAX_OPEN_SPOOLSS_PIPES 256
49 static int current_spoolss_pipes_open;
51 static smb_np_struct *Pipes;
52 static pipes_struct *InternalPipes;
53 static struct bitmap *bmap;
56 * the following prototypes are declared here to avoid
57 * code being moved about too much for a patch to be
58 * disrupted / less obvious.
60 * these functions, and associated functions that they
61 * call, should be moved behind a .so module-loading
62 * system _anyway_. so that's the next step...
65 static ssize_t read_from_internal_pipe(void *np_conn, char *data, size_t n,
66 BOOL *is_data_outstanding);
67 static ssize_t write_to_internal_pipe(void *np_conn, char *data, size_t n);
68 static BOOL close_internal_rpc_pipe_hnd(void *np_conn);
69 static void *make_internal_rpc_pipe_p(char *pipe_name,
70 connection_struct *conn, uint16 vuid);
72 /****************************************************************************
73 Pipe iterator functions.
74 ****************************************************************************/
76 smb_np_struct *get_first_pipe(void)
81 smb_np_struct *get_next_pipe(smb_np_struct *p)
86 /****************************************************************************
87 Internal Pipe iterator functions.
88 ****************************************************************************/
90 pipes_struct *get_first_internal_pipe(void)
95 pipes_struct *get_next_internal_pipe(pipes_struct *p)
100 /* this must be larger than the sum of the open files and directories */
101 static int pipe_handle_offset;
103 /****************************************************************************
104 Set the pipe_handle_offset. Called from smbd/files.c
105 ****************************************************************************/
107 void set_pipe_handle_offset(int max_open_files)
109 if(max_open_files < 0x7000) {
110 pipe_handle_offset = 0x7000;
112 pipe_handle_offset = max_open_files + 10; /* For safety. :-) */
116 /****************************************************************************
117 Reset pipe chain handle number.
118 ****************************************************************************/
120 void reset_chain_p(void)
125 /****************************************************************************
126 Initialise pipe handle states.
127 ****************************************************************************/
129 void init_rpc_pipe_hnd(void)
131 bmap = bitmap_allocate(MAX_OPEN_PIPES);
133 exit_server("out of memory in init_rpc_pipe_hnd");
137 /****************************************************************************
138 Initialise an outgoing packet.
139 ****************************************************************************/
141 static BOOL pipe_init_outgoing_data(pipes_struct *p)
143 output_data *o_data = &p->out_data;
145 /* Reset the offset counters. */
146 o_data->data_sent_length = 0;
147 o_data->current_pdu_len = 0;
148 o_data->current_pdu_sent = 0;
150 memset(o_data->current_pdu, '\0', sizeof(o_data->current_pdu));
152 /* Free any memory in the current return data buffer. */
153 prs_mem_free(&o_data->rdata);
156 * Initialize the outgoing RPC data buffer.
157 * we will use this as the raw data area for replying to rpc requests.
159 if(!prs_init(&o_data->rdata, RPC_MAX_PDU_FRAG_LEN, p->mem_ctx, MARSHALL)) {
160 DEBUG(0,("pipe_init_outgoing_data: malloc fail.\n"));
167 /****************************************************************************
168 Find first available pipe slot.
169 ****************************************************************************/
171 smb_np_struct *open_rpc_pipe_p(char *pipe_name,
172 connection_struct *conn, uint16 vuid)
175 smb_np_struct *p, *p_it;
176 static int next_pipe;
177 BOOL is_spoolss_pipe = False;
179 DEBUG(4,("Open pipe requested %s (pipes_open=%d)\n",
180 pipe_name, pipes_open));
182 if (strstr(pipe_name, "spoolss")) {
183 is_spoolss_pipe = True;
186 if (is_spoolss_pipe && current_spoolss_pipes_open >= MAX_OPEN_SPOOLSS_PIPES) {
187 DEBUG(10,("open_rpc_pipe_p: spooler bug workaround. Denying open on pipe %s\n",
192 /* not repeating pipe numbers makes it easier to track things in
193 log files and prevents client bugs where pipe numbers are reused
194 over connection restarts */
196 if (next_pipe == 0) {
197 next_pipe = (sys_getpid() ^ time(NULL)) % MAX_OPEN_PIPES;
200 i = bitmap_find(bmap, next_pipe);
203 DEBUG(0,("ERROR! Out of pipe structures\n"));
207 next_pipe = (i+1) % MAX_OPEN_PIPES;
209 for (p = Pipes; p; p = p->next) {
210 DEBUG(5,("open_rpc_pipe_p: name %s pnum=%x\n", p->name, p->pnum));
213 p = SMB_MALLOC_P(smb_np_struct);
215 DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
221 /* add a dso mechanism instead of this, here */
223 p->namedpipe_create = make_internal_rpc_pipe_p;
224 p->namedpipe_read = read_from_internal_pipe;
225 p->namedpipe_write = write_to_internal_pipe;
226 p->namedpipe_close = close_internal_rpc_pipe_hnd;
228 p->np_state = p->namedpipe_create(pipe_name, conn, vuid);
230 if (p->np_state == NULL) {
231 DEBUG(0,("open_rpc_pipe_p: make_internal_rpc_pipe_p failed.\n"));
239 * Initialize the incoming RPC data buffer with one PDU worth of memory.
240 * We cheat here and say we're marshalling, as we intend to add incoming
241 * data directly into the prs_struct and we want it to auto grow. We will
242 * change the type to UNMARSALLING before processing the stream.
246 i += pipe_handle_offset;
258 p->max_trans_reply = 0;
260 fstrcpy(p->name, pipe_name);
262 DEBUG(4,("Opened pipe %s with handle %x (pipes_open=%d)\n",
263 pipe_name, i, pipes_open));
267 /* Iterate over p_it as a temp variable, to display all open pipes */
268 for (p_it = Pipes; p_it; p_it = p_it->next) {
269 DEBUG(5,("open pipes: name %s pnum=%x\n", p_it->name, p_it->pnum));
275 /****************************************************************************
276 Make an internal namedpipes structure
277 ****************************************************************************/
279 static void *make_internal_rpc_pipe_p(char *pipe_name,
280 connection_struct *conn, uint16 vuid)
283 user_struct *vuser = get_valid_user_struct(vuid);
285 DEBUG(4,("Create pipe requested %s\n", pipe_name));
287 if (!vuser && vuid != UID_FIELD_INVALID) {
288 DEBUG(0,("ERROR! vuid %d did not map to a valid vuser struct!\n", vuid));
292 p = SMB_MALLOC_P(pipes_struct);
295 DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
301 if ((p->mem_ctx = talloc_init("pipe %s %p", pipe_name, p)) == NULL) {
302 DEBUG(0,("open_rpc_pipe_p: talloc_init failed.\n"));
307 if ((p->pipe_state_mem_ctx = talloc_init("pipe_state %s %p", pipe_name, p)) == NULL) {
308 DEBUG(0,("open_rpc_pipe_p: talloc_init failed.\n"));
309 talloc_destroy(p->mem_ctx);
314 if (!init_pipe_handle_list(p, pipe_name)) {
315 DEBUG(0,("open_rpc_pipe_p: init_pipe_handles failed.\n"));
316 talloc_destroy(p->mem_ctx);
317 talloc_destroy(p->pipe_state_mem_ctx);
323 * Initialize the incoming RPC data buffer with one PDU worth of memory.
324 * We cheat here and say we're marshalling, as we intend to add incoming
325 * data directly into the prs_struct and we want it to auto grow. We will
326 * change the type to UNMARSALLING before processing the stream.
329 if(!prs_init(&p->in_data.data, RPC_MAX_PDU_FRAG_LEN, p->mem_ctx, MARSHALL)) {
330 DEBUG(0,("open_rpc_pipe_p: malloc fail for in_data struct.\n"));
331 talloc_destroy(p->mem_ctx);
332 talloc_destroy(p->pipe_state_mem_ctx);
336 DLIST_ADD(InternalPipes, p);
340 /* Ensure the connection isn't idled whilst this pipe is open. */
341 p->conn->num_files_open++;
345 p->endian = RPC_LITTLE_ENDIAN;
347 ZERO_STRUCT(p->pipe_user);
349 p->pipe_user.uid = (uid_t)-1;
350 p->pipe_user.gid = (gid_t)-1;
352 /* Store the session key and NT_TOKEN */
354 p->session_key = data_blob(vuser->session_key.data, vuser->session_key.length);
355 p->pipe_user.nt_user_token = dup_nt_token(vuser->nt_user_token);
359 * Initialize the outgoing RPC data buffer with no memory.
361 prs_init(&p->out_data.rdata, 0, p->mem_ctx, MARSHALL);
363 fstrcpy(p->name, pipe_name);
365 DEBUG(4,("Created internal pipe %s (pipes_open=%d)\n",
366 pipe_name, pipes_open));
371 /****************************************************************************
372 Sets the fault state on incoming packets.
373 ****************************************************************************/
375 static void set_incoming_fault(pipes_struct *p)
377 prs_mem_free(&p->in_data.data);
378 p->in_data.pdu_needed_len = 0;
379 p->in_data.pdu_received_len = 0;
380 p->fault_state = True;
381 DEBUG(10,("set_incoming_fault: Setting fault state on pipe %s : vuid = 0x%x\n",
385 /****************************************************************************
386 Ensures we have at least RPC_HEADER_LEN amount of data in the incoming buffer.
387 ****************************************************************************/
389 static ssize_t fill_rpc_header(pipes_struct *p, char *data, size_t data_to_copy)
391 size_t len_needed_to_complete_hdr = MIN(data_to_copy, RPC_HEADER_LEN - p->in_data.pdu_received_len);
393 DEBUG(10,("fill_rpc_header: data_to_copy = %u, len_needed_to_complete_hdr = %u, receive_len = %u\n",
394 (unsigned int)data_to_copy, (unsigned int)len_needed_to_complete_hdr,
395 (unsigned int)p->in_data.pdu_received_len ));
397 memcpy((char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, len_needed_to_complete_hdr);
398 p->in_data.pdu_received_len += len_needed_to_complete_hdr;
400 return (ssize_t)len_needed_to_complete_hdr;
403 /****************************************************************************
404 Unmarshalls a new PDU header. Assumes the raw header data is in current_in_pdu.
405 ****************************************************************************/
407 static ssize_t unmarshall_rpc_header(pipes_struct *p)
410 * Unmarshall the header to determine the needed length.
415 if(p->in_data.pdu_received_len != RPC_HEADER_LEN) {
416 DEBUG(0,("unmarshall_rpc_header: assert on rpc header length failed.\n"));
417 set_incoming_fault(p);
421 prs_init( &rpc_in, 0, p->mem_ctx, UNMARSHALL);
422 prs_set_endian_data( &rpc_in, p->endian);
424 prs_give_memory( &rpc_in, (char *)&p->in_data.current_in_pdu[0],
425 p->in_data.pdu_received_len, False);
428 * Unmarshall the header as this will tell us how much
429 * data we need to read to get the complete pdu.
430 * This also sets the endian flag in rpc_in.
433 if(!smb_io_rpc_hdr("", &p->hdr, &rpc_in, 0)) {
434 DEBUG(0,("unmarshall_rpc_header: failed to unmarshall RPC_HDR.\n"));
435 set_incoming_fault(p);
436 prs_mem_free(&rpc_in);
441 * Validate the RPC header.
444 if(p->hdr.major != 5 && p->hdr.minor != 0) {
445 DEBUG(0,("unmarshall_rpc_header: invalid major/minor numbers in RPC_HDR.\n"));
446 set_incoming_fault(p);
447 prs_mem_free(&rpc_in);
452 * If there's not data in the incoming buffer this should be the start of a new RPC.
455 if(prs_offset(&p->in_data.data) == 0) {
458 * AS/U doesn't set FIRST flag in a BIND packet it seems.
461 if ((p->hdr.pkt_type == RPC_REQUEST) && !(p->hdr.flags & RPC_FLG_FIRST)) {
463 * Ensure that the FIRST flag is set. If not then we have
464 * a stream missmatch.
467 DEBUG(0,("unmarshall_rpc_header: FIRST flag not set in first PDU !\n"));
468 set_incoming_fault(p);
469 prs_mem_free(&rpc_in);
474 * If this is the first PDU then set the endianness
475 * flag in the pipe. We will need this when parsing all
479 p->endian = rpc_in.bigendian_data;
481 DEBUG(5,("unmarshall_rpc_header: using %sendian RPC\n",
482 p->endian == RPC_LITTLE_ENDIAN ? "little-" : "big-" ));
487 * If this is *NOT* the first PDU then check the endianness
488 * flag in the pipe is the same as that in the PDU.
491 if (p->endian != rpc_in.bigendian_data) {
492 DEBUG(0,("unmarshall_rpc_header: FIRST endianness flag (%d) different in next PDU !\n", (int)p->endian));
493 set_incoming_fault(p);
494 prs_mem_free(&rpc_in);
500 * Ensure that the pdu length is sane.
503 if((p->hdr.frag_len < RPC_HEADER_LEN) || (p->hdr.frag_len > RPC_MAX_PDU_FRAG_LEN)) {
504 DEBUG(0,("unmarshall_rpc_header: assert on frag length failed.\n"));
505 set_incoming_fault(p);
506 prs_mem_free(&rpc_in);
510 DEBUG(10,("unmarshall_rpc_header: type = %u, flags = %u\n", (unsigned int)p->hdr.pkt_type,
511 (unsigned int)p->hdr.flags ));
513 p->in_data.pdu_needed_len = (uint32)p->hdr.frag_len - RPC_HEADER_LEN;
515 prs_mem_free(&rpc_in);
517 return 0; /* No extra data processed. */
520 /****************************************************************************
521 Call this to free any talloc'ed memory. Do this before and after processing
523 ****************************************************************************/
525 static void free_pipe_context(pipes_struct *p)
528 DEBUG(3,("free_pipe_context: destroying talloc pool of size "
529 "%lu\n", (unsigned long)talloc_total_size(p->mem_ctx) ));
530 talloc_free_children(p->mem_ctx);
532 p->mem_ctx = talloc_init("pipe %s %p", p->name, p);
533 if (p->mem_ctx == NULL) {
534 p->fault_state = True;
539 /****************************************************************************
540 Processes a request pdu. This will do auth processing if needed, and
541 appends the data into the complete stream if the LAST flag is not set.
542 ****************************************************************************/
544 static BOOL process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
546 uint32 ss_padding_len = 0;
547 size_t data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
548 (p->hdr.auth_len ? RPC_HDR_AUTH_LEN : 0) - p->hdr.auth_len;
551 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
552 set_incoming_fault(p);
557 * Check if we need to do authentication processing.
558 * This is only done on requests, not binds.
562 * Read the RPC request header.
565 if(!smb_io_rpc_hdr_req("req", &p->hdr_req, rpc_in_p, 0)) {
566 DEBUG(0,("process_request_pdu: failed to unmarshall RPC_HDR_REQ.\n"));
567 set_incoming_fault(p);
571 switch(p->auth.auth_type) {
572 case PIPE_AUTH_TYPE_NONE:
575 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
576 case PIPE_AUTH_TYPE_NTLMSSP:
579 if(!api_pipe_ntlmssp_auth_process(p, rpc_in_p, &ss_padding_len, &status)) {
580 DEBUG(0,("process_request_pdu: failed to do auth processing.\n"));
581 DEBUG(0,("process_request_pdu: error was %s.\n", nt_errstr(status) ));
582 set_incoming_fault(p);
588 case PIPE_AUTH_TYPE_SCHANNEL:
589 if (!api_pipe_schannel_process(p, rpc_in_p, &ss_padding_len)) {
590 DEBUG(3,("process_request_pdu: failed to do schannel processing.\n"));
591 set_incoming_fault(p);
597 DEBUG(0,("process_request_pdu: unknown auth type %u set.\n", (unsigned int)p->auth.auth_type ));
598 set_incoming_fault(p);
602 /* Now we've done the sign/seal we can remove any padding data. */
603 if (data_len > ss_padding_len) {
604 data_len -= ss_padding_len;
608 * Check the data length doesn't go over the 15Mb limit.
609 * increased after observing a bug in the Windows NT 4.0 SP6a
610 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
611 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
614 if(prs_offset(&p->in_data.data) + data_len > 15*1024*1024) {
615 DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
616 (unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len ));
617 set_incoming_fault(p);
622 * Append the data portion into the buffer and return.
625 if(!prs_append_some_prs_data(&p->in_data.data, rpc_in_p, prs_offset(rpc_in_p), data_len)) {
626 DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n",
627 (unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) ));
628 set_incoming_fault(p);
632 if(p->hdr.flags & RPC_FLG_LAST) {
635 * Ok - we finally have a complete RPC stream.
636 * Call the rpc command to process it.
640 * Ensure the internal prs buffer size is *exactly* the same
641 * size as the current offset.
644 if(!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data))) {
645 DEBUG(0,("process_request_pdu: Call to prs_set_buffer_size failed!\n"));
646 set_incoming_fault(p);
651 * Set the parse offset to the start of the data and set the
652 * prs_struct to UNMARSHALL.
655 prs_set_offset(&p->in_data.data, 0);
656 prs_switch_type(&p->in_data.data, UNMARSHALL);
659 * Process the complete data stream here.
662 free_pipe_context(p);
664 if(pipe_init_outgoing_data(p)) {
665 ret = api_pipe_request(p);
668 free_pipe_context(p);
671 * We have consumed the whole data stream. Set back to
672 * marshalling and set the offset back to the start of
673 * the buffer to re-use it (we could also do a prs_mem_free()
674 * and then re_init on the next start of PDU. Not sure which
675 * is best here.... JRA.
678 prs_switch_type(&p->in_data.data, MARSHALL);
679 prs_set_offset(&p->in_data.data, 0);
686 /****************************************************************************
687 Processes a finished PDU stored in current_in_pdu. The RPC_HEADER has
688 already been parsed and stored in p->hdr.
689 ****************************************************************************/
691 static void process_complete_pdu(pipes_struct *p)
694 size_t data_len = p->in_data.pdu_received_len - RPC_HEADER_LEN;
695 char *data_p = (char *)&p->in_data.current_in_pdu[RPC_HEADER_LEN];
699 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
701 set_incoming_fault(p);
702 setup_fault_pdu(p, NT_STATUS(0x1c010002));
706 prs_init( &rpc_in, 0, p->mem_ctx, UNMARSHALL);
709 * Ensure we're using the corrent endianness for both the
710 * RPC header flags and the raw data we will be reading from.
713 prs_set_endian_data( &rpc_in, p->endian);
714 prs_set_endian_data( &p->in_data.data, p->endian);
716 prs_give_memory( &rpc_in, data_p, (uint32)data_len, False);
718 DEBUG(10,("process_complete_pdu: processing packet type %u\n",
719 (unsigned int)p->hdr.pkt_type ));
721 switch (p->hdr.pkt_type) {
724 * We assume that a pipe bind is only in one pdu.
726 if(pipe_init_outgoing_data(p)) {
727 reply = api_pipe_bind_req(p, &rpc_in);
732 * We assume that a pipe bind is only in one pdu.
734 if(pipe_init_outgoing_data(p)) {
735 reply = api_pipe_alter_context(p, &rpc_in);
740 * The third packet in an NTLMSSP auth exchange.
742 if(pipe_init_outgoing_data(p)) {
743 reply = api_pipe_bind_auth3(p, &rpc_in);
747 reply = process_request_pdu(p, &rpc_in);
750 DEBUG(0,("process_complete_pdu: Unknown rpc type = %u received.\n", (unsigned int)p->hdr.pkt_type ));
754 /* Reset to little endian. Probably don't need this but it won't hurt. */
755 prs_set_endian_data( &p->in_data.data, RPC_LITTLE_ENDIAN);
758 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on pipe %s\n", p->pipe_srv_name));
759 set_incoming_fault(p);
760 setup_fault_pdu(p, NT_STATUS(0x1c010002));
761 prs_mem_free(&rpc_in);
764 * Reset the lengths. We're ready for a new pdu.
766 p->in_data.pdu_needed_len = 0;
767 p->in_data.pdu_received_len = 0;
770 prs_mem_free(&rpc_in);
773 /****************************************************************************
774 Accepts incoming data on an rpc pipe. Processes the data in pdu sized units.
775 ****************************************************************************/
777 static ssize_t process_incoming_data(pipes_struct *p, char *data, size_t n)
779 size_t data_to_copy = MIN(n, RPC_MAX_PDU_FRAG_LEN - p->in_data.pdu_received_len);
781 DEBUG(10,("process_incoming_data: Start: pdu_received_len = %u, pdu_needed_len = %u, incoming data = %u\n",
782 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len,
785 if(data_to_copy == 0) {
787 * This is an error - data is being received and there is no
788 * space in the PDU. Free the received data and go into the fault state.
790 DEBUG(0,("process_incoming_data: No space in incoming pdu buffer. Current size = %u \
791 incoming data size = %u\n", (unsigned int)p->in_data.pdu_received_len, (unsigned int)n ));
792 set_incoming_fault(p);
797 * If we have no data already, wait until we get at least a RPC_HEADER_LEN
798 * number of bytes before we can do anything.
801 if((p->in_data.pdu_needed_len == 0) && (p->in_data.pdu_received_len < RPC_HEADER_LEN)) {
803 * Always return here. If we have more data then the RPC_HEADER
804 * will be processed the next time around the loop.
806 return fill_rpc_header(p, data, data_to_copy);
810 * At this point we know we have at least an RPC_HEADER_LEN amount of data
811 * stored in current_in_pdu.
815 * If pdu_needed_len is zero this is a new pdu.
816 * Unmarshall the header so we know how much more
817 * data we need, then loop again.
820 if(p->in_data.pdu_needed_len == 0) {
821 return unmarshall_rpc_header(p);
825 * Ok - at this point we have a valid RPC_HEADER in p->hdr.
826 * Keep reading until we have a full pdu.
829 data_to_copy = MIN(data_to_copy, p->in_data.pdu_needed_len);
832 * Copy as much of the data as we need into the current_in_pdu buffer.
833 * pdu_needed_len becomes zero when we have a complete pdu.
836 memcpy( (char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, data_to_copy);
837 p->in_data.pdu_received_len += data_to_copy;
838 p->in_data.pdu_needed_len -= data_to_copy;
841 * Do we have a complete PDU ?
842 * (return the number of bytes handled in the call)
845 if(p->in_data.pdu_needed_len == 0) {
846 process_complete_pdu(p);
850 DEBUG(10,("process_incoming_data: not a complete PDU yet. pdu_received_len = %u, pdu_needed_len = %u\n",
851 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len ));
853 return (ssize_t)data_to_copy;
856 /****************************************************************************
857 Accepts incoming data on an rpc pipe.
858 ****************************************************************************/
860 ssize_t write_to_pipe(smb_np_struct *p, char *data, size_t n)
862 DEBUG(6,("write_to_pipe: %x", p->pnum));
864 DEBUG(6,(" name: %s open: %s len: %d\n",
865 p->name, BOOLSTR(p->open), (int)n));
867 dump_data(50, data, n);
869 return p->namedpipe_write(p->np_state, data, n);
872 /****************************************************************************
873 Accepts incoming data on an internal rpc pipe.
874 ****************************************************************************/
876 static ssize_t write_to_internal_pipe(void *np_conn, char *data, size_t n)
878 pipes_struct *p = (pipes_struct*)np_conn;
879 size_t data_left = n;
884 DEBUG(10,("write_to_pipe: data_left = %u\n", (unsigned int)data_left ));
886 data_used = process_incoming_data(p, data, data_left);
888 DEBUG(10,("write_to_pipe: data_used = %d\n", (int)data_used ));
894 data_left -= data_used;
901 /****************************************************************************
902 Replies to a request to read data from a pipe.
904 Headers are interspersed with the data at PDU intervals. By the time
905 this function is called, the start of the data could possibly have been
906 read by an SMBtrans (file_offset != 0).
908 Calling create_rpc_reply() here is a hack. The data should already
909 have been prepared into arrays of headers + data stream sections.
910 ****************************************************************************/
912 ssize_t read_from_pipe(smb_np_struct *p, char *data, size_t n,
913 BOOL *is_data_outstanding)
915 if (!p || !p->open) {
916 DEBUG(0,("read_from_pipe: pipe not open\n"));
920 DEBUG(6,("read_from_pipe: %x", p->pnum));
922 return p->namedpipe_read(p->np_state, data, n, is_data_outstanding);
925 /****************************************************************************
926 Replies to a request to read data from a pipe.
928 Headers are interspersed with the data at PDU intervals. By the time
929 this function is called, the start of the data could possibly have been
930 read by an SMBtrans (file_offset != 0).
932 Calling create_rpc_reply() here is a hack. The data should already
933 have been prepared into arrays of headers + data stream sections.
934 ****************************************************************************/
936 static ssize_t read_from_internal_pipe(void *np_conn, char *data, size_t n,
937 BOOL *is_data_outstanding)
939 pipes_struct *p = (pipes_struct*)np_conn;
940 uint32 pdu_remaining = 0;
941 ssize_t data_returned = 0;
944 DEBUG(0,("read_from_pipe: pipe not open\n"));
948 DEBUG(6,(" name: %s len: %u\n", p->name, (unsigned int)n));
951 * We cannot return more than one PDU length per
956 * This condition should result in the connection being closed.
957 * Netapp filers seem to set it to 0xffff which results in domain
958 * authentications failing. Just ignore it so things work.
961 if(n > RPC_MAX_PDU_FRAG_LEN) {
962 DEBUG(5,("read_from_pipe: too large read (%u) requested on \
963 pipe %s. We can only service %d sized reads.\n", (unsigned int)n, p->name, RPC_MAX_PDU_FRAG_LEN ));
967 * Determine if there is still data to send in the
968 * pipe PDU buffer. Always send this first. Never
969 * send more than is left in the current PDU. The
970 * client should send a new read request for a new
974 if((pdu_remaining = p->out_data.current_pdu_len - p->out_data.current_pdu_sent) > 0) {
975 data_returned = (ssize_t)MIN(n, pdu_remaining);
977 DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, current_pdu_sent = %u \
978 returning %d bytes.\n", p->name, (unsigned int)p->out_data.current_pdu_len,
979 (unsigned int)p->out_data.current_pdu_sent, (int)data_returned));
981 memcpy( data, &p->out_data.current_pdu[p->out_data.current_pdu_sent], (size_t)data_returned);
982 p->out_data.current_pdu_sent += (uint32)data_returned;
987 * At this point p->current_pdu_len == p->current_pdu_sent (which
988 * may of course be zero if this is the first return fragment.
991 DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length \
992 = %u, prs_offset(&p->out_data.rdata) = %u.\n",
993 p->name, (int)p->fault_state, (unsigned int)p->out_data.data_sent_length, (unsigned int)prs_offset(&p->out_data.rdata) ));
995 if(p->out_data.data_sent_length >= prs_offset(&p->out_data.rdata)) {
997 * We have sent all possible data, return 0.
1004 * We need to create a new PDU from the data left in p->rdata.
1005 * Create the header/data/footers. This also sets up the fields
1006 * p->current_pdu_len, p->current_pdu_sent, p->data_sent_length
1007 * and stores the outgoing PDU in p->current_pdu.
1010 if(!create_next_pdu(p)) {
1011 DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n", p->name));
1015 data_returned = MIN(n, p->out_data.current_pdu_len);
1017 memcpy( data, p->out_data.current_pdu, (size_t)data_returned);
1018 p->out_data.current_pdu_sent += (uint32)data_returned;
1022 (*is_data_outstanding) = p->out_data.current_pdu_len > n;
1023 return data_returned;
1026 /****************************************************************************
1027 Wait device state on a pipe. Exactly what this is for is unknown...
1028 ****************************************************************************/
1030 BOOL wait_rpc_pipe_hnd_state(smb_np_struct *p, uint16 priority)
1037 DEBUG(3,("wait_rpc_pipe_hnd_state: Setting pipe wait state priority=%x on pipe (name=%s)\n",
1038 priority, p->name));
1040 p->priority = priority;
1045 DEBUG(3,("wait_rpc_pipe_hnd_state: Error setting pipe wait state priority=%x (name=%s)\n",
1046 priority, p->name));
1051 /****************************************************************************
1052 Set device state on a pipe. Exactly what this is for is unknown...
1053 ****************************************************************************/
1055 BOOL set_rpc_pipe_hnd_state(smb_np_struct *p, uint16 device_state)
1062 DEBUG(3,("set_rpc_pipe_hnd_state: Setting pipe device state=%x on pipe (name=%s)\n",
1063 device_state, p->name));
1065 p->device_state = device_state;
1070 DEBUG(3,("set_rpc_pipe_hnd_state: Error setting pipe device state=%x (name=%s)\n",
1071 device_state, p->name));
1076 /****************************************************************************
1078 ****************************************************************************/
1080 BOOL close_rpc_pipe_hnd(smb_np_struct *p)
1083 DEBUG(0,("Invalid pipe in close_rpc_pipe_hnd\n"));
1087 p->namedpipe_close(p->np_state);
1089 bitmap_clear(bmap, p->pnum - pipe_handle_offset);
1093 DEBUG(4,("closed pipe name %s pnum=%x (pipes_open=%d)\n",
1094 p->name, p->pnum, pipes_open));
1096 DLIST_REMOVE(Pipes, p);
1105 /****************************************************************************
1106 Close all pipes on a connection.
1107 ****************************************************************************/
1109 void pipe_close_conn(connection_struct *conn)
1111 smb_np_struct *p, *next;
1113 for (p=Pipes;p;p=next) {
1115 if (p->conn == conn) {
1116 close_rpc_pipe_hnd(p);
1121 /****************************************************************************
1123 ****************************************************************************/
1125 static BOOL close_internal_rpc_pipe_hnd(void *np_conn)
1127 pipes_struct *p = (pipes_struct *)np_conn;
1129 DEBUG(0,("Invalid pipe in close_internal_rpc_pipe_hnd\n"));
1133 prs_mem_free(&p->out_data.rdata);
1134 prs_mem_free(&p->in_data.data);
1136 if (p->auth.auth_data_free_func) {
1137 (*p->auth.auth_data_free_func)(&p->auth);
1141 talloc_destroy(p->mem_ctx);
1144 if (p->pipe_state_mem_ctx) {
1145 talloc_destroy(p->pipe_state_mem_ctx);
1148 free_pipe_rpc_context( p->contexts );
1150 /* Free the handles database. */
1151 close_policy_by_pipe(p);
1153 delete_nt_token(&p->pipe_user.nt_user_token);
1154 data_blob_free(&p->session_key);
1155 SAFE_FREE(p->pipe_user.groups);
1157 DLIST_REMOVE(InternalPipes, p);
1159 p->conn->num_files_open--;
1168 /****************************************************************************
1169 Find an rpc pipe given a pipe handle in a buffer and an offset.
1170 ****************************************************************************/
1172 smb_np_struct *get_rpc_pipe_p(char *buf, int where)
1174 int pnum = SVAL(buf,where);
1180 return get_rpc_pipe(pnum);
1183 /****************************************************************************
1184 Find an rpc pipe given a pipe handle.
1185 ****************************************************************************/
1187 smb_np_struct *get_rpc_pipe(int pnum)
1191 DEBUG(4,("search for pipe pnum=%x\n", pnum));
1193 for (p=Pipes;p;p=p->next) {
1194 DEBUG(5,("pipe name %s pnum=%x (pipes_open=%d)\n",
1195 p->name, p->pnum, pipes_open));
1198 for (p=Pipes;p;p=p->next) {
1199 if (p->pnum == pnum) {
git.samba.org / samba.git / blob