/*
- Unix SMB/Netbios implementation.
- Version 1.9.
+ Unix SMB/CIFS implementation.
Pipe SMB reply routines
- Copyright (C) Andrew Tridgell 1992-1997,
- Copyright (C) Luke Kenneth Casson Leighton 1996-1997.
- Copyright (C) Paul Ashton 1997.
+ Copyright (C) Andrew Tridgell 1992-1998
+ Copyright (C) Luke Kenneth Casson Leighton 1996-1998
+ Copyright (C) Paul Ashton 1997-1998.
+ Copyright (C) Jeremy Allison 2005.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
This file handles reply_ calls on named pipes that the server
#include "includes.h"
-#include "trans2.h"
#define PIPE "\\PIPE\\"
#define PIPELEN strlen(PIPE)
-#define REALLOC(ptr,size) Realloc(ptr,MAX((size),4*1024))
+#define MAX_PIPE_NAME_LEN 24
-/* look in server.c for some explanation of these variables */
-extern int Protocol;
-extern int DEBUGLEVEL;
-extern char magic_char;
-static int chain_pnum = -1;
-extern BOOL case_sensitive;
-extern pstring sesssetup_user;
-extern int Client;
-extern fstring myworkgroup;
+/* PIPE/<name>/<pid>/<pnum> */
+#define PIPEDB_KEY_FORMAT "PIPE/%s/%u/%d"
-#ifndef MAX_OPEN_PIPES
-#define MAX_OPEN_PIPES 50
-#endif
+struct pipe_dbrec {
+ struct server_id pid;
+ int pnum;
+ uid_t uid;
-static struct
-{
- int cnum;
- BOOL open;
- fstring name;
+ char name[MAX_PIPE_NAME_LEN];
+ fstring user;
+};
-} Pipes[MAX_OPEN_PIPES];
-#define VALID_PNUM(pnum) (((pnum) >= 0) && ((pnum) < MAX_OPEN_PIPES))
-#define OPEN_PNUM(pnum) (VALID_PNUM(pnum) && Pipes[pnum].open)
-#define PNUM_OK(pnum,c) (OPEN_PNUM(pnum) && (c)==Pipes[pnum].cnum)
+extern struct pipe_id_info pipe_names[];
-#define CHECK_PNUM(pnum,c) if (!PNUM_OK(pnum,c)) \
- return(ERROR(ERRDOS,ERRbadfid))
-/* this macro should always be used to extract an pnum (smb_fid) from
- a packet to ensure chaining works correctly */
-#define GETPNUM(buf,where) (chain_pnum!= -1?chain_pnum:SVAL(buf,where))
+/****************************************************************************
+ Reply to an open and X on a named pipe.
+ This code is basically stolen from reply_open_and_X with some
+ wrinkles to handle pipes.
+****************************************************************************/
-char * known_pipes [] =
+void reply_open_pipe_and_X(connection_struct *conn, struct smb_request *req)
{
- "lsarpc",
-#if NTDOMAIN
- "NETLOGON",
- "srvsvc",
+ const char *fname = NULL;
+ char *pipe_name = NULL;
+ smb_np_struct *p;
+ int size=0,fmode=0,mtime=0,rmode=0;
+ int i;
+ TALLOC_CTX *ctx = talloc_tos();
+
+ /* XXXX we need to handle passed times, sattr and flags */
+ srvstr_pull_buf_talloc(ctx, req->inbuf, req->flags2, &pipe_name,
+ smb_buf(req->inbuf), STR_TERMINATE);
+ if (!pipe_name) {
+ reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
+ ERRDOS, ERRbadpipe);
+ return;
+ }
+
+ /* If the name doesn't start \PIPE\ then this is directed */
+ /* at a mailslot or something we really, really don't understand, */
+ /* not just something we really don't understand. */
+ if ( strncmp(pipe_name,PIPE,PIPELEN) != 0 ) {
+ reply_doserror(req, ERRSRV, ERRaccess);
+ return;
+ }
+
+ DEBUG(4,("Opening pipe %s.\n", pipe_name));
+
+ /* See if it is one we want to handle. */
+ for( i = 0; pipe_names[i].client_pipe ; i++ ) {
+ if( strequal(pipe_name,pipe_names[i].client_pipe)) {
+ break;
+ }
+ }
+
+ if (pipe_names[i].client_pipe == NULL) {
+ reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
+ ERRDOS, ERRbadpipe);
+ return;
+ }
+
+ /* Strip \PIPE\ off the name. */
+ fname = pipe_name + PIPELEN;
+
+#if 0
+ /*
+ * Hack for NT printers... JRA.
+ */
+ if(should_fail_next_srvsvc_open(fname)) {
+ reply_doserror(req, ERRSRV, ERRaccess);
+ return;
+ }
#endif
- NULL
-};
-/****************************************************************************
- find first available file slot
-****************************************************************************/
-static int find_free_pipe(void )
-{
- int i;
- /* we start at 1 here for an obscure reason I can't now remember,
- but I think is important :-) */
- for (i = 1; i < MAX_OPEN_PIPES; i++)
- if (!Pipes[i].open)
- return(i);
+ /* Known pipes arrive with DIR attribs. Remove it so a regular file */
+ /* can be opened and add it in after the open. */
+ DEBUG(3,("Known pipe %s opening.\n",fname));
+
+ p = open_rpc_pipe_p(fname, conn, req->vuid);
+ if (!p) {
+ reply_doserror(req, ERRSRV, ERRnofids);
+ return;
+ }
+
+ /* Prepare the reply */
+ reply_outbuf(req, 15, 0);
- DEBUG(1,("ERROR! Out of pipe structures - perhaps increase MAX_OPEN_PIPES?\n"));
+ /* Mark the opened file as an existing named pipe in message mode. */
+ SSVAL(req->outbuf,smb_vwv9,2);
+ SSVAL(req->outbuf,smb_vwv10,0xc700);
- return(-1);
+ if (rmode == 2) {
+ DEBUG(4,("Resetting open result to open from create.\n"));
+ rmode = 1;
+ }
+
+ SSVAL(req->outbuf,smb_vwv2, p->pnum);
+ SSVAL(req->outbuf,smb_vwv3,fmode);
+ srv_put_dos_date3((char *)req->outbuf,smb_vwv4,mtime);
+ SIVAL(req->outbuf,smb_vwv6,size);
+ SSVAL(req->outbuf,smb_vwv8,rmode);
+ SSVAL(req->outbuf,smb_vwv11,0x0001);
+
+ chain_reply(req);
+ return;
}
/****************************************************************************
- gets the name of a pipe
+ Reply to a write on a pipe.
****************************************************************************/
-char *get_pipe_name(int pnum)
+
+void reply_pipe_write(struct smb_request *req)
{
- DEBUG(6,("get_pipe_name: "));
-
- if (VALID_PNUM(pnum - 0x800))
- {
- DEBUG(6,("name: %s cnum: %d open: %s ",
- Pipes[pnum - 0x800].name,
- Pipes[pnum - 0x800].cnum,
- BOOLSTR(Pipes[pnum - 0x800].open)));
+ smb_np_struct *p = get_rpc_pipe_p(SVAL(req->inbuf,smb_vwv0));
+ size_t numtowrite = SVAL(req->inbuf,smb_vwv1);
+ int nwritten;
+ char *data;
+
+ if (!p) {
+ reply_doserror(req, ERRDOS, ERRbadfid);
+ return;
}
- if (OPEN_PNUM(pnum - 0x800))
- {
- DEBUG(6,("OK\n"));
- return Pipes[pnum - 0x800].name;
+
+ if (p->vuid != req->vuid) {
+ reply_nterror(req, NT_STATUS_INVALID_HANDLE);
+ return;
}
- else
- {
- DEBUG(6,("NOT\n"));
- return NULL;
+
+ data = smb_buf(req->inbuf) + 3;
+
+ if (numtowrite == 0) {
+ nwritten = 0;
+ } else {
+ nwritten = write_to_pipe(p, data, numtowrite);
}
-}
-/****************************************************************************
- reply to an open and X on a named pipe
+ if ((nwritten == 0 && numtowrite != 0) || (nwritten < 0)) {
+ reply_unixerror(req, ERRDOS, ERRnoaccess);
+ return;
+ }
- This code is basically stolen from reply_open_and_X with some
- wrinkles to handle pipes.
-****************************************************************************/
-int reply_open_pipe_and_X(char *inbuf,char *outbuf,int length,int bufsize)
-{
- pstring fname;
- int cnum = SVAL(inbuf,smb_tid);
- int pnum = -1;
- int smb_ofun = SVAL(inbuf,smb_vwv8);
- int size=0,fmode=0,mtime=0,rmode=0;
- int i;
-
- /* XXXX we need to handle passed times, sattr and flags */
- pstrcpy(fname,smb_buf(inbuf));
-
- /* If the name doesn't start \PIPE\ then this is directed */
- /* at a mailslot or something we really, really don't understand, */
- /* not just something we really don't understand. */
- if ( strncmp(fname,PIPE,PIPELEN) != 0 )
- return(ERROR(ERRSRV,ERRaccess));
-
- DEBUG(4,("Opening pipe %s.\n", fname));
-
- /* Strip \PIPE\ off the name. */
- pstrcpy(fname,smb_buf(inbuf) + PIPELEN);
-
- /* See if it is one we want to handle. */
- for( i = 0; known_pipes[i] ; i++ )
- if( strcmp(fname,known_pipes[i]) == 0 )
- break;
-
- if ( known_pipes[i] == NULL )
- return(ERROR(ERRSRV,ERRaccess));
-
- /* Known pipes arrive with DIR attribs. Remove it so a regular file */
- /* can be opened and add it in after the open. */
- DEBUG(3,("Known pipe %s opening.\n",fname));
- smb_ofun |= 0x10; /* Add Create it not exists flag */
-
- pnum = find_free_pipe();
- if (pnum < 0) return(ERROR(ERRSRV,ERRnofids));
-
- Pipes[pnum].open = True;
- Pipes[pnum].cnum = cnum;
- fstrcpy(Pipes[pnum].name, fname);
-
- /* Prepare the reply */
- set_message(outbuf,15,0,True);
-
- /* Mark the opened file as an existing named pipe in message mode. */
- SSVAL(outbuf,smb_vwv9,2);
- SSVAL(outbuf,smb_vwv10,0xc700);
-
- if (rmode == 2)
- {
- DEBUG(4,("Resetting open result to open from create.\n"));
- rmode = 1;
- }
-
- SSVAL(outbuf,smb_vwv2, pnum + 0x800); /* mark file handle up into high range */
- SSVAL(outbuf,smb_vwv3,fmode);
- put_dos_date3(outbuf,smb_vwv4,mtime);
- SIVAL(outbuf,smb_vwv6,size);
- SSVAL(outbuf,smb_vwv8,rmode);
- SSVAL(outbuf,smb_vwv11,0);
-
- DEBUG(4,("Opened pipe %s with handle %x name %s.\n",
- fname, pnum + 0x800, Pipes[pnum].name));
+ reply_outbuf(req, 1, 0);
+
+ SSVAL(req->outbuf,smb_vwv0,nwritten);
- chain_pnum = pnum;
+ DEBUG(3,("write-IPC pnum=%04x nwritten=%d\n", p->pnum, nwritten));
- return chain_reply(inbuf,outbuf,length,bufsize);
+ return;
}
-
/****************************************************************************
- reply to a close
+ Reply to a write and X.
+
+ This code is basically stolen from reply_write_and_X with some
+ wrinkles to handle pipes.
****************************************************************************/
-int reply_pipe_close(char *inbuf,char *outbuf)
+
+void reply_pipe_write_and_X(struct smb_request *req)
{
- int pnum = GETPNUM(inbuf,smb_vwv0);
- int cnum = SVAL(inbuf,smb_tid);
- int outsize = set_message(outbuf,0,0,True);
+ smb_np_struct *p = get_rpc_pipe_p(SVAL(req->inbuf,smb_vwv2));
+ size_t numtowrite = SVAL(req->inbuf,smb_vwv10);
+ int nwritten = -1;
+ int smb_doff = SVAL(req->inbuf, smb_vwv11);
+ BOOL pipe_start_message_raw =
+ ((SVAL(req->inbuf, smb_vwv7)
+ & (PIPE_START_MESSAGE|PIPE_RAW_MODE))
+ == (PIPE_START_MESSAGE|PIPE_RAW_MODE));
+ char *data;
+
+ if (!p) {
+ reply_doserror(req, ERRDOS, ERRbadfid);
+ return;
+ }
+
+ if (p->vuid != req->vuid) {
+ reply_nterror(req, NT_STATUS_INVALID_HANDLE);
+ return;
+ }
+
+ data = smb_base(req->inbuf) + smb_doff;
+
+ if (numtowrite == 0) {
+ nwritten = 0;
+ } else {
+ if(pipe_start_message_raw) {
+ /*
+ * For the start of a message in named pipe byte mode,
+ * the first two bytes are a length-of-pdu field. Ignore
+ * them (we don't trust the client). JRA.
+ */
+ if(numtowrite < 2) {
+ DEBUG(0,("reply_pipe_write_and_X: start of "
+ "message set and not enough data "
+ "sent.(%u)\n",
+ (unsigned int)numtowrite ));
+ reply_unixerror(req, ERRDOS, ERRnoaccess);
+ return;
+ }
+
+ data += 2;
+ numtowrite -= 2;
+ }
+ nwritten = write_to_pipe(p, data, numtowrite);
+ }
- /* mapping is 0x800 up... */
+ if ((nwritten == 0 && numtowrite != 0) || (nwritten < 0)) {
+ reply_unixerror(req, ERRDOS,ERRnoaccess);
+ return;
+ }
- CHECK_PNUM(pnum-0x800,cnum);
+ reply_outbuf(req, 6, 0);
- DEBUG(3,("%s Closed pipe name %s pnum=%d cnum=%d\n",
- timestring(),Pipes[pnum-0x800].name, pnum,cnum));
+ nwritten = (pipe_start_message_raw ? nwritten + 2 : nwritten);
+ SSVAL(req->outbuf,smb_vwv2,nwritten);
- Pipes[pnum-0x800].open = False;
+ DEBUG(3,("writeX-IPC pnum=%04x nwritten=%d\n", p->pnum, nwritten));
- return(outsize);
+ chain_reply(req);
}
-
/****************************************************************************
- api_LsarpcSNPHS
-
- SetNamedPipeHandleState on \PIPE\lsarpc. We can't really do much here,
- so just blithely return True. This is really only for NT domain stuff,
- we we're only handling that - don't assume Samba now does complete
- named pipe handling.
+ Reply to a read and X.
+ This code is basically stolen from reply_read_and_X with some
+ wrinkles to handle pipes.
****************************************************************************/
-BOOL api_LsarpcSNPHS(int cnum,int uid, char *param,char *data,
- int mdrcnt,int mprcnt,
- char **rdata,char **rparam,
- int *rdata_len,int *rparam_len)
+
+void reply_pipe_read_and_X(struct smb_request *req)
{
- uint16 id;
+ smb_np_struct *p = get_rpc_pipe_p(SVAL(req->inbuf,smb_vwv2));
+ int smb_maxcnt = SVAL(req->inbuf,smb_vwv5);
+ int smb_mincnt = SVAL(req->inbuf,smb_vwv6);
+ int nread = -1;
+ char *data;
+ BOOL unused;
+
+ /* we don't use the offset given to use for pipe reads. This
+ is deliberate, instead we always return the next lump of
+ data on the pipe */
+#if 0
+ uint32 smb_offs = IVAL(req->inbuf,smb_vwv3);
+#endif
- id = param[0] + (param[1] << 8);
- DEBUG(4,("lsarpc SetNamedPipeHandleState to code %x\n",id));
- return(True);
-}
+ if (!p) {
+ reply_doserror(req, ERRDOS, ERRbadfid);
+ return;
+ }
+ reply_outbuf(req, 12, smb_maxcnt);
-/****************************************************************************
- api_LsarpcTNP
+ data = smb_buf(req->outbuf);
- TransactNamedPipe on \PIPE\lsarpc.
-****************************************************************************/
-static void LsarpcTNP1(char *data,char **rdata, int *rdata_len)
-{
- uint32 dword1, dword2;
- char pname[] = "\\PIPE\\lsass";
-
- /* All kinds of mysterious numbers here */
- *rdata_len = 68;
- *rdata = REALLOC(*rdata,*rdata_len);
+ nread = read_from_pipe(p, data, smb_maxcnt, &unused);
- dword1 = IVAL(data,0xC);
- dword2 = IVAL(data,0x10);
+ if (nread < 0) {
+ reply_doserror(req, ERRDOS, ERRnoaccess);
+ return;
+ }
- SIVAL(*rdata,0,0xc0005);
- SIVAL(*rdata,4,0x10);
- SIVAL(*rdata,8,0x44);
- SIVAL(*rdata,0xC,dword1);
+ set_message((char *)req->outbuf, 12, nread, False);
- SIVAL(*rdata,0x10,dword2);
- SIVAL(*rdata,0x14,0x15);
- SSVAL(*rdata,0x18,sizeof(pname));
- strcpy(*rdata + 0x1a,pname);
- SIVAL(*rdata,0x28,1);
- memcpy(*rdata + 0x30, data + 0x34, 0x14);
-}
+ SSVAL(req->outbuf,smb_vwv5,nread);
+ SSVAL(req->outbuf,smb_vwv6,smb_offset(data,req->outbuf));
+ SSVAL(smb_buf(req->outbuf),-2,nread);
+
+ DEBUG(3,("readX-IPC pnum=%04x min=%d max=%d nread=%d\n",
+ p->pnum, smb_mincnt, smb_maxcnt, nread));
-static void LsarpcTNP2(char *data,char **rdata, int *rdata_len)
-{
- uint32 dword1;
-
- /* All kinds of mysterious numbers here */
- *rdata_len = 48;
- *rdata = REALLOC(*rdata,*rdata_len);
-
- dword1 = IVAL(data,0xC);
-
- SIVAL(*rdata,0,0x03020005);
- SIVAL(*rdata,4,0x10);
- SIVAL(*rdata,8,0x30);
- SIVAL(*rdata,0xC,dword1);
- SIVAL(*rdata,0x10,0x18);
- SIVAL(*rdata,0x1c,0x44332211);
- SIVAL(*rdata,0x20,0x88776655);
- SIVAL(*rdata,0x24,0xCCBBAA99);
- SIVAL(*rdata,0x28,0x11FFEEDD);
+ chain_reply(req);
}
-static void LsarpcTNP3(char *data,char **rdata, int *rdata_len)
-{
- uint32 dword1;
- uint16 word1;
- char * workgroup = myworkgroup;
- int wglen = strlen(workgroup);
- int i;
-
- /* All kinds of mysterious numbers here */
- *rdata_len = 90 + 2 * wglen;
- *rdata = REALLOC(*rdata,*rdata_len);
-
- dword1 = IVAL(data,0xC);
- word1 = SVAL(data,0x2C);
-
- SIVAL(*rdata,0,0x03020005);
- SIVAL(*rdata,4,0x10);
- SIVAL(*rdata,8,0x60);
- SIVAL(*rdata,0xC,dword1);
- SIVAL(*rdata,0x10,0x48);
- SSVAL(*rdata,0x18,0x5988); /* This changes */
- SSVAL(*rdata,0x1A,0x15);
- SSVAL(*rdata,0x1C,word1);
- SSVAL(*rdata,0x20,6);
- SSVAL(*rdata,0x22,8);
- SSVAL(*rdata,0x24,0x8E8); /* So does this */
- SSVAL(*rdata,0x26,0x15);
- SSVAL(*rdata,0x28,0x4D48); /* And this */
- SSVAL(*rdata,0x2A,0x15);
- SIVAL(*rdata,0x2C,4);
- SIVAL(*rdata,0x34,wglen);
- for ( i = 0 ; i < wglen ; i++ )
- (*rdata)[0x38 + i * 2] = workgroup[i];
-
- /* Now fill in the rest */
- i = 0x38 + wglen * 2;
- SSVAL(*rdata,i,0x648);
- SIVAL(*rdata,i+2,4);
- SIVAL(*rdata,i+6,0x401);
- SSVAL(*rdata,i+0xC,0x500);
- SIVAL(*rdata,i+0xE,0x15);
- SIVAL(*rdata,i+0x12,0x2372FE1);
- SIVAL(*rdata,i+0x16,0x7E831BEF);
- SIVAL(*rdata,i+0x1A,0x4B454B2);
-}
+/****************************************************************************
+ Reply to a close.
+****************************************************************************/
-static void LsarpcTNP4(char *data,char **rdata, int *rdata_len)
+void reply_pipe_close(connection_struct *conn, struct smb_request *req)
{
- uint32 dword1;
+ smb_np_struct *p = get_rpc_pipe_p(SVAL(req->inbuf,smb_vwv0));
- /* All kinds of mysterious numbers here */
- *rdata_len = 48;
- *rdata = REALLOC(*rdata,*rdata_len);
-
- dword1 = IVAL(data,0xC);
+ if (!p) {
+ reply_doserror(req, ERRDOS, ERRbadfid);
+ return;
+ }
- SIVAL(*rdata,0,0x03020005);
- SIVAL(*rdata,4,0x10);
- SIVAL(*rdata,8,0x30);
- SIVAL(*rdata,0xC,dword1);
- SIVAL(*rdata,0x10,0x18);
-}
+ DEBUG(5,("reply_pipe_close: pnum:%x\n", p->pnum));
+ if (!close_rpc_pipe_hnd(p)) {
+ reply_doserror(req, ERRDOS, ERRbadfid);
+ return;
+ }
+
+ /* TODO: REMOVE PIPE FROM DB */
-BOOL api_LsarpcTNP(int cnum,int uid, char *param,char *data,
- int mdrcnt,int mprcnt,
- char **rdata,char **rparam,
- int *rdata_len,int *rparam_len)
-{
- uint32 id,id2;
-
- id = IVAL(data,0);
-
- DEBUG(4,("lsarpc TransactNamedPipe id %lx\n",id));
- switch (id)
- {
- case 0xb0005:
- LsarpcTNP1(data,rdata,rdata_len);
- break;
-
- case 0x03000005:
- id2 = IVAL(data,8);
- DEBUG(4,("\t- Suboperation %lx\n",id2));
- switch (id2 & 0xF)
- {
- case 8:
- LsarpcTNP2(data,rdata,rdata_len);
- break;
-
- case 0xC:
- LsarpcTNP4(data,rdata,rdata_len);
- break;
-
- case 0xE:
- LsarpcTNP3(data,rdata,rdata_len);
- break;
- }
- break;
- }
- return(True);
+ reply_outbuf(req, 0, 0);
+ return;
}
-
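Review bot: reply_pipe_read_and_X and reply_pipe_close resolve the client-supplied fid with get_rpc_pipe_p but, unlike reply_pipe_write and reply_pipe_write_and_X, never compare p->vuid with req->vuid, so a pipe handle opened under one session can be read from or closed by a different session on the same connection. The same guard the write paths use belongs right after the `if (!p)` check in both functions: `if (p->vuid != req->vuid) { reply_nterror(req, NT_STATUS_INVALID_HANDLE); return; }`. Separately, numtowrite in reply_pipe_write (addressed from smb_buf(req->inbuf) + 3) and smb_doff/numtowrite in reply_pipe_write_and_X (addressed from smb_base(req->inbuf) + smb_doff) are taken straight from the request and used to index req->inbuf without any comparison against the received packet length; unless the dispatcher validates them before these handlers run, which is not visible here, a bound such as `if (smb_doff + numtowrite > smb_len(req->inbuf)) { reply_doserror(req, ERRDOS, ERRnoaccess); return; }` before the write_to_pipe call is needed to keep the read within the buffer. The `/* TODO: REMOVE PIPE FROM DB */` in reply_pipe_close should say what record the close currently leaves behind, e.g. `/* TODO: the pipe_dbrec keyed by PIPEDB_KEY_FORMAT is not yet deleted here */`, so the gap is findable.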