2 Unix SMB/CIFS implementation.
3 handle unexpected packets
4 Copyright (C) Andrew Tridgell 2000
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "lib/async_req/async_sock.h"
23 #include "libsmb/nmblib.h"
/*
 * Return the directory used for nmbd's unix domain sockets, looked up
 * via lp_parm_const_string() under "nmbd" / "socket dir" with
 * get_dyn_NMBDSOCKETDIR() passed as the default value.
 *
 * Both the listener (nb_packet_server_create) and the readers
 * (nb_packet_reader_send) build their socket path from this directory,
 * so its ownership and mode decide who may create or replace the
 * "unexpected" socket.
 */
25 static const char *nmbd_socket_dir(void)
27 return lp_parm_const_string(-1, "nmbd", "socket dir",
28 get_dyn_NMBDSOCKETDIR());
/*
 * Query header a reader sends to the listener right after connecting.
 * Only part of the member list is visible in this listing; the code
 * below also uses a trn_id member. The struct is copied as raw bytes
 * across the unix socket (see the memcpy calls in
 * nb_packet_client_more and nb_packet_got_query), so both ends must
 * agree on its layout.
 */
31 struct nb_packet_query {
32 enum packet_type type;
33 size_t mailslot_namelen;
37 struct nb_packet_client;
/*
 * Listener-side state: the tevent context and the list of connected
 * clients. The functions below also use listen_sock, max_clients and
 * num_clients; their declarations are not visible in this listing.
 */
39 struct nb_packet_server {
40 struct tevent_context *ev;
44 struct nb_packet_client *clients;
/*
 * One connected reader as seen by the listener. prev/next link it into
 * server->clients. type (together with trn_id and mailslot_name, which
 * are used below but not visible here) is the filter taken from the
 * client's query. read_req is the pending 1-byte read used to notice
 * client exit or unexpected input, and out_queue is the queue handed to
 * writev_send for packets going to this client.
 */
47 struct nb_packet_client {
48 struct nb_packet_client *prev, *next;
49 struct nb_packet_server *server;
51 enum packet_type type;
56 struct tevent_req *read_req;
57 struct tevent_queue *out_queue;
60 static int nb_packet_server_destructor(struct nb_packet_server *s);
61 static void nb_packet_server_listener(struct tevent_context *ev,
62 struct tevent_fd *fde,
/*
 * Create the listener for "unexpected" packets: allocate the server
 * object on mem_ctx, create the listening socket named "unexpected"
 * under nmbd_socket_dir(), and register nb_packet_server_listener for
 * read events on it.
 *
 * In the visible lines status is set to NT_STATUS_NO_MEMORY around the
 * allocation and the tevent_add_fd() call, and to the mapped errno when
 * create_pipe_sock() returns -1. The failure and success exits
 * themselves are not visible in this listing.
 *
 * NOTE(review): what the 0755 argument applies to (socket directory or
 * socket file) is defined by create_pipe_sock(), which is not shown.
 * Which local users can connect and register as packet readers depends
 * on it - confirm against that helper.
 */
66 NTSTATUS nb_packet_server_create(TALLOC_CTX *mem_ctx,
67 struct tevent_context *ev,
69 struct nb_packet_server **presult)
71 struct nb_packet_server *result;
72 struct tevent_fd *fde;
75 result = TALLOC_ZERO_P(mem_ctx, struct nb_packet_server);
77 status = NT_STATUS_NO_MEMORY;
81 result->max_clients = max_clients;
83 result->listen_sock = create_pipe_sock(
84 nmbd_socket_dir(), "unexpected", 0755);
85 if (result->listen_sock == -1) {
86 status = map_nt_error_from_unix(errno);
/* From here on, freeing result also closes the listening socket. */
89 talloc_set_destructor(result, nb_packet_server_destructor);
91 fde = tevent_add_fd(ev, result, result->listen_sock, TEVENT_FD_READ,
92 nb_packet_server_listener, result);
94 status = NT_STATUS_NO_MEMORY;
/*
 * talloc destructor for the server: close the listening socket if one
 * was opened (listen_sock != -1).
 */
105 static int nb_packet_server_destructor(struct nb_packet_server *s)
107 if (s->listen_sock != -1) {
108 close(s->listen_sock);
114 static int nb_packet_client_destructor(struct nb_packet_client *c);
115 static ssize_t nb_packet_client_more(uint8_t *buf, size_t buflen,
117 static void nb_packet_got_query(struct tevent_req *req);
118 static void nb_packet_client_read_done(struct tevent_req *req);
/*
 * fd handler for the listening socket. Accepts one connection,
 * allocates a client as a talloc child of the server, gives it an
 * output queue, starts reading its query and links it into
 * server->clients.
 *
 * The number of simultaneously connected clients is capped: once
 * num_clients exceeds max_clients, server->clients->prev is freed (the
 * debug message calls it the oldest client). Several error exits and
 * the assignment of the accepted fd are on lines not visible in this
 * listing.
 */
120 static void nb_packet_server_listener(struct tevent_context *ev,
121 struct tevent_fd *fde,
125 struct nb_packet_server *server = talloc_get_type_abort(
126 private_data, struct nb_packet_server);
127 struct nb_packet_client *client;
128 struct tevent_req *req;
129 struct sockaddr_un sunaddr;
133 len = sizeof(sunaddr);
135 sock = accept(server->listen_sock, (struct sockaddr *)(void *)&sunaddr,
140 DEBUG(6,("accepted socket %d\n", sock));
142 client = TALLOC_ZERO_P(server, struct nb_packet_client);
143 if (client == NULL) {
144 DEBUG(10, ("talloc failed\n"));
149 client->server = server;
150 talloc_set_destructor(client, nb_packet_client_destructor);
152 client->out_queue = tevent_queue_create(
153 client, "unexpected packet output");
154 if (client->out_queue == NULL) {
155 DEBUG(10, ("tevent_queue_create failed\n"));
/*
 * The first read is sized to the fixed query header;
 * nb_packet_client_more then asks for the mailslot name bytes.
 */
160 req = read_packet_send(client, ev, client->sock,
161 sizeof(struct nb_packet_query),
162 nb_packet_client_more, NULL);
164 DEBUG(10, ("read_packet_send failed\n"));
168 tevent_req_set_callback(req, nb_packet_got_query, client);
170 DLIST_ADD(server->clients, client);
171 server->num_clients += 1;
/*
 * Client cap: the new connection has already been added above, so an
 * existing client is evicted rather than the newcomer refused.
 */
173 if (server->num_clients > server->max_clients) {
174 DEBUG(10, ("Too many clients, dropping oldest\n"));
177 * no TALLOC_FREE here, don't mess with the list structs
179 talloc_free(server->clients->prev);
/*
 * "more" callback passed to read_packet_send for a client's query.
 * Given the bytes received so far it returns the announced
 * mailslot_namelen as the number of further bytes to read.
 *
 * A mailslot_namelen above 1024 is logged as invalid, which bounds how
 * much a single client can make the listener read for one query. The
 * returns taken on that branch and on the buflen > sizeof(...) branch
 * are on lines not visible in this listing.
 */
183 static ssize_t nb_packet_client_more(uint8_t *buf, size_t buflen,
186 struct nb_packet_query q;
187 if (buflen > sizeof(struct nb_packet_query)) {
190 /* Take care of alignment */
191 memcpy(&q, buf, sizeof(q));
/* Length field is client-controlled: sanity-check before using it. */
192 if (q.mailslot_namelen > 1024) {
193 DEBUG(10, ("Got invalid mailslot namelen %d\n",
194 (int)q.mailslot_namelen));
197 return q.mailslot_namelen;
/*
 * talloc destructor for a client: unlink it from the server's client
 * list and decrement the client count. Other cleanup, if any, is on
 * lines not visible in this listing.
 */
200 static int nb_packet_client_destructor(struct nb_packet_client *c)
206 DLIST_REMOVE(c->server->clients, c);
207 c->server->num_clients -= 1;
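/*
 * Completion callback for the initial query read on a new client
 * connection. Validates the received length, stores the client's
 * filter (trn_id, type and optional mailslot name), writes a one-byte
 * success indicator back to the client and then arms a 1-byte read
 * that serves to notice client exit or unexpected input.
 *
 * Everything in the query comes from the connecting process and is
 * treated as untrusted. Several declarations and error exits are on
 * lines not visible in this listing.
 */
211 static void nb_packet_got_query(struct tevent_req *req)
213 struct nb_packet_client *client = tevent_req_callback_data(
214 req, struct nb_packet_client);
215 struct nb_packet_query q;
217 ssize_t nread, nwritten;
221 nread = read_packet_recv(req, talloc_tos(), &buf, &err);
/*
 * Compare as signed. nread is ssize_t; against a bare sizeof (size_t)
 * a -1 error return is converted to a huge unsigned value, so the
 * error case this branch is meant to log would skip it and reach the
 * memcpy from buf below.
 */
223 if (nread < (ssize_t)sizeof(struct nb_packet_query)) {
224 DEBUG(10, ("read_packet_recv returned %d (%s)\n",
226 (nread == -1) ? strerror(err) : "wrong length"));
231 /* Take care of alignment */
232 memcpy(&q, buf, sizeof(q));
/*
 * The total received must be exactly header plus announced name
 * length, which keeps the name copy below inside the received buffer
 * (its length argument is on a line not shown here).
 */
234 if (nread != sizeof(struct nb_packet_query) + q.mailslot_namelen) {
235 DEBUG(10, ("nb_packet_got_query: Invalid mailslot namelength\n"));
240 client->trn_id = q.trn_id;
241 client->type = q.type;
242 if (q.mailslot_namelen > 0) {
243 client->mailslot_name = talloc_strndup(
244 client, (char *)buf + sizeof(q),
246 if (client->mailslot_name == NULL) {
253 * Yes, this is a blocking write of 1 byte into a unix
254 * domain socket that has never been written to. Highly
255 * unlikely that this actually blocks.
/* One byte goes back as the success indicator the reader waits for. */
258 nwritten = sys_write(client->sock, &c, sizeof(c));
259 if (nwritten != sizeof(c)) {
260 DEBUG(10, ("Could not write success indicator to client: %s\n",
/*
 * The client is not expected to send anything further; this 1-byte
 * read exists to notice disconnects and protocol violations.
 */
266 client->read_req = read_packet_send(client, client->server->ev,
267 client->sock, 1, NULL, NULL);
268 if (client->read_req == NULL) {
269 DEBUG(10, ("Could not activate reader for client exit "
274 tevent_req_set_callback(client->read_req, nb_packet_client_read_done,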
/*
 * Completion of the 1-byte watchdog read on a client socket. From the
 * listener's side the socket is write-only after the query, so any
 * byte that arrives is logged as a protocol error. The condition
 * guarding the dereference of buf and the follow-up action on the
 * client are on lines not visible in this listing.
 */
278 static void nb_packet_client_read_done(struct tevent_req *req)
280 struct nb_packet_client *client = tevent_req_callback_data(
281 req, struct nb_packet_client);
286 nread = read_packet_recv(req, talloc_tos(), &buf, &err);
289 DEBUG(10, ("Protocol error, received data on write-only "
290 "unexpected socket: 0x%2.2x\n", (*buf)));
295 static void nb_packet_client_send(struct nb_packet_client *client,
296 struct packet_struct *p);
/*
 * Offer packet p to every connected client whose filter matches.
 *
 * The transaction id is taken from the NMB header's name_trn_id or the
 * datagram header's dgm_id depending on p->packet_type (the case labels
 * are not visible in this listing); other packet types are logged as
 * invalid. For each client:
 *  - the client's type must equal the packet type;
 *  - for NMB packets, a client trn_id other than -1 must equal the
 *    packet's transaction id;
 *  - a non-NULL client mailslot_name must match according to
 *    match_mailslot_name() (whether this test sits in an else branch
 *    is not visible here).
 * Matching clients get the packet via nb_packet_client_send().
 */
298 void nb_packet_dispatch(struct nb_packet_server *server,
299 struct packet_struct *p)
301 struct nb_packet_client *c;
304 switch (p->packet_type) {
306 trn_id = p->packet.nmb.header.name_trn_id;
309 trn_id = p->packet.dgram.header.dgm_id;
312 DEBUG(10, ("Got invalid packet type %d\n",
313 (int)p->packet_type));
316 for (c = server->clients; c != NULL; c = c->next) {
318 if (c->type != p->packet_type) {
319 DEBUG(10, ("client expects packet %d, got %d\n",
320 c->type, p->packet_type));
324 if (p->packet_type == NMB_PACKET) {
326 * See if the client specified transaction
327 * ID. Filter if it did.
329 if ((c->trn_id != -1) &&
330 (c->trn_id != trn_id)) {
331 DEBUG(10, ("client expects trn %d, got %d\n",
337 * See if the client specified a mailslot
338 * name. Filter if it did.
340 if ((c->mailslot_name != NULL) &&
341 !match_mailslot_name(p, c->mailslot_name)) {
345 nb_packet_client_send(c, p);
/*
 * Header that precedes each packet sent from the listener to a client.
 * nb_packet_client_send fills in ip, port, timestamp, type and len
 * (most members are not visible in this listing). The reader copies it
 * as raw bytes and uses len as the number of packet bytes that follow.
 */
349 struct nb_packet_client_header {
351 enum packet_type type;
/*
 * Per-send state for one packet queued to one client: the owning
 * client and the header. The iov and buf members used by
 * nb_packet_client_send are not visible in this listing.
 */
357 struct nb_packet_client_state {
358 struct nb_packet_client *client;
360 struct nb_packet_client_header hdr;
364 static void nb_packet_client_send_done(struct tevent_req *req);
/*
 * Queue one packet for delivery to a client: a nb_packet_client_header
 * followed by the packet as marshalled by build_packet(), sent with
 * writev_send() on the client's out_queue.
 *
 * If more than 10 writes are already queued for this client the packet
 * is not queued (the original comment calls this a form of DoS
 * protection), so a client that stops reading cannot make the listener
 * accumulate unbounded output. The exit taken on that branch is not
 * visible in this listing.
 */
366 static void nb_packet_client_send(struct nb_packet_client *client,
367 struct packet_struct *p)
369 struct nb_packet_client_state *state;
370 struct tevent_req *req;
372 if (tevent_queue_length(client->out_queue) > 10) {
374 * Skip clients that don't listen anyway, some form of DoS
380 state = TALLOC_ZERO_P(client, struct nb_packet_client_state);
382 DEBUG(10, ("talloc failed\n"));
386 state->client = client;
388 state->hdr.ip = p->ip;
389 state->hdr.port = p->port;
390 state->hdr.timestamp = p->timestamp;
391 state->hdr.type = p->packet_type;
/*
 * NOTE(review): build_packet's return value becomes the length of the
 * second iovec with no check visible here - confirm it can neither
 * exceed sizeof(state->buf) nor signal an error.
 */
392 state->hdr.len = build_packet(state->buf, sizeof(state->buf), p);
394 state->iov[0].iov_base = (char *)&state->hdr;
395 state->iov[0].iov_len = sizeof(state->hdr);
396 state->iov[1].iov_base = state->buf;
397 state->iov[1].iov_len = state->hdr.len;
/*
 * Drop the pending watchdog read while output is in flight;
 * nb_packet_client_send_done re-arms it once the queue is empty.
 */
399 TALLOC_FREE(client->read_req);
401 req = writev_send(client, client->server->ev, client->out_queue,
402 client->sock, true, state->iov, 2);
404 DEBUG(10, ("writev_send failed\n"));
407 tevent_req_set_callback(req, nb_packet_client_send_done, state);
/*
 * Completion of one queued write to a client. A writev failure is
 * logged (what then happens to the client is not visible in this
 * listing). Once the client's out_queue is empty the 1-byte watchdog
 * read that nb_packet_client_send cancelled is armed again.
 */
410 static void nb_packet_client_send_done(struct tevent_req *req)
412 struct nb_packet_client_state *state = tevent_req_callback_data(
413 req, struct nb_packet_client_state);
414 struct nb_packet_client *client = state->client;
418 nwritten = writev_recv(req, &err);
423 if (nwritten == -1) {
424 DEBUG(10, ("writev failed: %s\n", strerror(err)));
428 if (tevent_queue_length(client->out_queue) == 0) {
429 client->read_req = read_packet_send(client, client->server->ev,
432 if (client->read_req == NULL) {
433 DEBUG(10, ("Could not activate reader for client exit "
438 tevent_req_set_callback(client->read_req,
439 nb_packet_client_read_done,
/*
 * Reader-side handle for a connection to the "unexpected" socket. The
 * code below uses its sock member; the member list is not visible in
 * this listing.
 */
444 struct nb_packet_reader {
/*
 * State of an nb_packet_reader_send request: event context, socket
 * address, the query to send, the caller's mailslot name pointer and
 * the reader being set up. The iov and c members used below are not
 * visible in this listing.
 */
448 struct nb_packet_reader_state {
449 struct tevent_context *ev;
450 struct sockaddr_un addr;
451 struct nb_packet_query query;
/* Stored by pointer, not copied - see nb_packet_reader_send. */
452 const char *mailslot_name;
455 struct nb_packet_reader *reader;
458 static int nb_packet_reader_destructor(struct nb_packet_reader *r);
459 static void nb_packet_reader_connected(struct tevent_req *subreq);
460 static void nb_packet_reader_sent_query(struct tevent_req *subreq);
461 static void nb_packet_reader_got_ack(struct tevent_req *subreq);
/*
 * Start an asynchronous registration with the "unexpected" listener:
 * fill in the query (trn_id, type and, if mailslot_name is non-NULL,
 * its length), create a unix stream socket and begin connecting to the
 * socket path built from nmbd_socket_dir(). The remaining steps run in
 * nb_packet_reader_connected, _sent_query and _got_ack.
 *
 * mailslot_name is stored by pointer and used later when the query is
 * written, so the caller's string has to stay valid until then. Its
 * length is not limited here; the listener treats names longer than
 * 1024 bytes as invalid (see nb_packet_client_more).
 *
 * Allocation failures finish the request through tevent_req_nomem();
 * a socket() failure finishes it with the mapped errno.
 */
463 struct tevent_req *nb_packet_reader_send(TALLOC_CTX *mem_ctx,
464 struct tevent_context *ev,
465 enum packet_type type,
467 const char *mailslot_name)
469 struct tevent_req *req, *subreq;
470 struct nb_packet_reader_state *state;
473 req = tevent_req_create(mem_ctx, &state,
474 struct nb_packet_reader_state);
479 state->query.trn_id = trn_id;
480 state->query.type = type;
481 state->mailslot_name = mailslot_name;
483 if (mailslot_name != NULL) {
484 state->query.mailslot_namelen = strlen(mailslot_name);
487 state->reader = TALLOC_ZERO_P(state, struct nb_packet_reader);
488 if (tevent_req_nomem(state->reader, req)) {
489 return tevent_req_post(req, ev);
492 path = talloc_asprintf(talloc_tos(), "%s/%s", nmbd_socket_dir(),
494 if (tevent_req_nomem(path, req)) {
495 return tevent_req_post(req, ev);
497 state->addr.sun_family = AF_UNIX;
/*
 * NOTE(review): strlcpy's return value is not checked in the visible
 * lines, so a socket directory too long for sun_path would be
 * truncated silently and the connect would go to a different path -
 * confirm whether that needs an explicit error.
 */
498 strlcpy(state->addr.sun_path, path, sizeof(state->addr.sun_path));
501 state->reader->sock = socket(AF_UNIX, SOCK_STREAM, 0);
502 if (state->reader->sock == -1) {
503 tevent_req_nterror(req, map_nt_error_from_unix(errno));
504 return tevent_req_post(req, ev);
506 talloc_set_destructor(state->reader, nb_packet_reader_destructor);
508 subreq = async_connect_send(state, ev, state->reader->sock,
509 (struct sockaddr *)(void *)&state->addr,
510 sizeof(state->addr));
511 if (tevent_req_nomem(subreq, req)) {
512 return tevent_req_post(req, ev);
514 tevent_req_set_callback(subreq, nb_packet_reader_connected, req);
/*
 * talloc destructor installed on the reader by nb_packet_reader_send.
 * Its body is not visible in this listing.
 */
518 static int nb_packet_reader_destructor(struct nb_packet_reader *r)
/*
 * Connect completion. On failure the request is finished with the
 * mapped errno. Otherwise the query header is sent, followed by the
 * mailslot name bytes as a second iovec when a name was given. How
 * num_iovecs is set is on lines not visible in this listing.
 */
527 static void nb_packet_reader_connected(struct tevent_req *subreq)
529 struct tevent_req *req = tevent_req_callback_data(
530 subreq, struct tevent_req);
531 struct nb_packet_reader_state *state = tevent_req_data(
532 req, struct nb_packet_reader_state);
536 res = async_connect_recv(subreq, &err);
539 DEBUG(10, ("async_connect failed: %s\n", strerror(err)));
540 tevent_req_nterror(req, map_nt_error_from_unix(err));
/* The query struct goes out as raw bytes, not a marshalled format. */
544 state->iov[0].iov_base = (char *)&state->query;
545 state->iov[0].iov_len = sizeof(state->query);
547 if (state->mailslot_name != NULL) {
549 state->iov[1].iov_base = discard_const_p(
550 char, state->mailslot_name);
551 state->iov[1].iov_len = state->query.mailslot_namelen;
554 subreq = writev_send(state, state->ev, NULL, state->reader->sock,
555 true, state->iov, num_iovecs);
556 if (tevent_req_nomem(subreq, req)) {
559 tevent_req_set_callback(subreq, nb_packet_reader_sent_query, req);
/*
 * Write completion for the query. A write error finishes the request
 * with the mapped errno (its condition is on a line not visible here);
 * a byte count other than header plus mailslot name length finishes it
 * with NT_STATUS_UNEXPECTED_IO_ERROR. On success a read of
 * sizeof(state->c) bytes is started to wait for the listener's
 * acknowledgement.
 */
562 static void nb_packet_reader_sent_query(struct tevent_req *subreq)
564 struct tevent_req *req = tevent_req_callback_data(
565 subreq, struct tevent_req);
566 struct nb_packet_reader_state *state = tevent_req_data(
567 req, struct nb_packet_reader_state);
571 written = writev_recv(subreq, &err);
574 tevent_req_nterror(req, map_nt_error_from_unix(err));
577 if (written != sizeof(state->query) + state->query.mailslot_namelen) {
578 tevent_req_nterror(req, NT_STATUS_UNEXPECTED_IO_ERROR);
581 subreq = read_packet_send(state, state->ev, state->reader->sock,
582 sizeof(state->c), NULL, NULL);
583 if (tevent_req_nomem(subreq, req)) {
586 tevent_req_set_callback(subreq, nb_packet_reader_got_ack, req);
/*
 * Read completion for the listener's acknowledgement. A read error
 * finishes the request with the mapped errno (its condition is on a
 * line not visible here); any length other than sizeof(state->c)
 * finishes it with NT_STATUS_UNEXPECTED_IO_ERROR. The value of the
 * received byte is not examined in the visible lines; only its arrival
 * completes the request.
 */
589 static void nb_packet_reader_got_ack(struct tevent_req *subreq)
591 struct tevent_req *req = tevent_req_callback_data(
592 subreq, struct tevent_req);
593 struct nb_packet_reader_state *state = tevent_req_data(
594 req, struct nb_packet_reader_state);
599 nread = read_packet_recv(subreq, state, &buf, &err);
602 DEBUG(10, ("read_packet_recv returned %s\n",
604 tevent_req_nterror(req, map_nt_error_from_unix(err));
607 if (nread != sizeof(state->c)) {
608 DEBUG(10, ("read = %d, expected %d\n", (int)nread,
609 (int)sizeof(state->c)));
610 tevent_req_nterror(req, NT_STATUS_UNEXPECTED_IO_ERROR);
613 tevent_req_done(req);
/*
 * Collect the result of nb_packet_reader_send. If the request ended in
 * an error, the status is picked up by tevent_req_is_nterror() (the
 * return on that branch is not visible in this listing). Otherwise
 * ownership of the reader is moved to mem_ctx with talloc_move() and
 * it is handed back through *preader.
 */
616 NTSTATUS nb_packet_reader_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
617 struct nb_packet_reader **preader)
619 struct nb_packet_reader_state *state = tevent_req_data(
620 req, struct nb_packet_reader_state);
623 if (tevent_req_is_nterror(req, &status)) {
626 *preader = talloc_move(mem_ctx, &state->reader);
/*
 * State of one nb_packet_read_send request: the header copied out of
 * the stream by nb_packet_read_more. The buf and buflen members used
 * below are not visible in this listing.
 */
630 struct nb_packet_read_state {
631 struct nb_packet_client_header hdr;
636 static ssize_t nb_packet_read_more(uint8_t *buf, size_t buflen, void *p);
637 static void nb_packet_read_done(struct tevent_req *subreq);
/*
 * Start reading one packet from the reader's socket: first the fixed
 * size nb_packet_client_header, then as many further bytes as
 * nb_packet_read_more asks for. Completion is handled in
 * nb_packet_read_done and the result collected with
 * nb_packet_read_recv.
 */
639 struct tevent_req *nb_packet_read_send(TALLOC_CTX *mem_ctx,
640 struct tevent_context *ev,
641 struct nb_packet_reader *reader)
643 struct tevent_req *req, *subreq;
644 struct nb_packet_read_state *state;
646 req = tevent_req_create(mem_ctx, &state, struct nb_packet_read_state);
650 subreq = read_packet_send(state, ev, reader->sock,
651 sizeof(struct nb_packet_client_header),
652 nb_packet_read_more, state);
653 if (tevent_req_nomem(subreq, req)) {
654 return tevent_req_post(req, ev);
656 tevent_req_set_callback(subreq, nb_packet_read_done, req);
/*
 * "more" callback for nb_packet_read_send: copy the header out of the
 * bytes received so far and return hdr.len as the number of additional
 * bytes to read. The return taken when buflen already exceeds the
 * header size is on a line not visible in this listing.
 *
 * NOTE(review): hdr.len is taken straight from the socket and returned
 * with no upper bound visible here, whereas the listener caps the
 * equivalent field of the query at 1024. The peer is whichever process
 * is listening on the socket path, so a cap matching the sender's
 * buffer size would be a cheap sanity check - confirm the sender's
 * maximum before adding one. The value also passes from the type of
 * hdr.len to ssize_t on return.
 */
660 static ssize_t nb_packet_read_more(uint8_t *buf, size_t buflen, void *p)
662 struct nb_packet_read_state *state = talloc_get_type_abort(
663 p, struct nb_packet_read_state);
665 if (buflen > sizeof(struct nb_packet_client_header)) {
671 memcpy(&state->hdr, buf, sizeof(struct nb_packet_client_header));
672 return state->hdr.len;
/*
 * Read completion for one packet. The received bytes are placed in
 * state->buf (allocated on state) and their count in state->buflen. A
 * read error finishes the request with the mapped errno; the condition
 * guarding that call is on a line not visible in this listing.
 */
675 static void nb_packet_read_done(struct tevent_req *subreq)
677 struct tevent_req *req = tevent_req_callback_data(
678 subreq, struct tevent_req);
679 struct nb_packet_read_state *state = tevent_req_data(
680 req, struct nb_packet_read_state);
684 nread = read_packet_recv(subreq, state, &state->buf, &err);
686 tevent_req_nterror(req, map_nt_error_from_unix(err));
689 state->buflen = nread;
690 tevent_req_done(req);
693 NTSTATUS nb_packet_read_recv(struct tevent_req *req,
694 struct packet_struct **ppacket)
696 struct nb_packet_read_state *state = tevent_req_data(
697 req, struct nb_packet_read_state);
698 struct nb_packet_client_header hdr;
699 struct packet_struct *packet;
702 if (tevent_req_is_nterror(req, &status)) {
706 memcpy(&hdr, state->buf, sizeof(hdr));
708 packet = parse_packet(
709 (char *)state->buf + sizeof(struct nb_packet_client_header),
710 state->buflen - sizeof(struct nb_packet_client_header),
711 state->hdr.type, state->hdr.ip, state->hdr.port);
712 if (packet == NULL) {
713 return NT_STATUS_INVALID_NETWORK_RESPONSE;