2 Unix SMB/CIFS implementation.
5 Copyright (C) Stefan Metzmacher 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25 #include "../lib/util/tevent_ntstatus.h"
26 #include "rpc_server/srv_pipe_hnd.h"
27 #include "include/ntioctl.h"
28 #include "../librpc/ndr/libndr.h"
30 static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx,
31 struct tevent_context *ev,
32 struct smbd_smb2_request *smb2req,
34 uint64_t in_file_id_volatile,
36 uint32_t in_max_output,
38 static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req,
40 DATA_BLOB *out_output,
43 static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq);
44 NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
47 const uint8_t *inbody;
48 int i = req->current_idx;
50 uint64_t in_file_id_persistent;
51 uint64_t in_file_id_volatile;
52 uint32_t in_input_offset;
53 uint32_t in_input_length;
54 DATA_BLOB in_input_buffer;
55 uint32_t in_max_output_length;
57 struct tevent_req *subreq;
59 status = smbd_smb2_request_verify_sizes(req, 0x39);
60 if (!NT_STATUS_IS_OK(status)) {
61 return smbd_smb2_request_error(req, status);
63 inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
65 in_ctl_code = IVAL(inbody, 0x04);
66 in_file_id_persistent = BVAL(inbody, 0x08);
67 in_file_id_volatile = BVAL(inbody, 0x10);
68 in_input_offset = IVAL(inbody, 0x18);
69 in_input_length = IVAL(inbody, 0x1C);
70 in_max_output_length = IVAL(inbody, 0x2C);
71 in_flags = IVAL(inbody, 0x30);
74 * InputOffset (4 bytes): The offset, in bytes, from the beginning of
75 * the SMB2 header to the input data buffer. If no input data is
76 * required for the FSCTL/IOCTL command being issued, the client SHOULD
77 * set this value to 0.<49>
78 * <49> If no input data is required for the FSCTL/IOCTL command being
79 * issued, Windows-based clients set this field to any value.
81 if ((in_input_length > 0)
82 && (in_input_offset != (SMB2_HDR_BODY + req->in.vector[i+1].iov_len))) {
83 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
86 if (in_input_length > req->in.vector[i+2].iov_len) {
87 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
90 in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
91 in_input_buffer.length = in_input_length;
93 if (req->compat_chain_fsp) {
95 } else if (in_file_id_persistent == UINT64_MAX &&
96 in_file_id_volatile == UINT64_MAX) {
97 /* without a handle */
98 } else if (in_file_id_persistent != in_file_id_volatile) {
99 return smbd_smb2_request_error(req, NT_STATUS_FILE_CLOSED);
102 subreq = smbd_smb2_ioctl_send(req,
108 in_max_output_length,
110 if (subreq == NULL) {
111 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
113 tevent_req_set_callback(subreq, smbd_smb2_request_ioctl_done, req);
115 return smbd_smb2_request_pending_queue(req, subreq, 1000);
118 static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq)
120 struct smbd_smb2_request *req = tevent_req_callback_data(subreq,
121 struct smbd_smb2_request);
122 const uint8_t *inbody;
123 int i = req->current_idx;
126 uint32_t in_ctl_code;
127 uint64_t in_file_id_persistent;
128 uint64_t in_file_id_volatile;
129 uint32_t out_input_offset;
130 uint32_t out_output_offset;
131 DATA_BLOB out_output_buffer = data_blob_null;
133 NTSTATUS error; /* transport error */
134 bool disconnect = false;
136 status = smbd_smb2_ioctl_recv(subreq, req,
140 DEBUG(10,("smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned "
142 (unsigned int)out_output_buffer.length,
143 nt_errstr(status) ));
148 smbd_server_connection_terminate(req->sconn,
153 if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
155 } else if (!NT_STATUS_IS_OK(status)) {
156 error = smbd_smb2_request_error(req, status);
157 if (!NT_STATUS_IS_OK(error)) {
158 smbd_server_connection_terminate(req->sconn,
165 out_input_offset = SMB2_HDR_BODY + 0x30;
166 out_output_offset = SMB2_HDR_BODY + 0x30;
168 inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
170 in_ctl_code = IVAL(inbody, 0x04);
171 in_file_id_persistent = BVAL(inbody, 0x08);
172 in_file_id_volatile = BVAL(inbody, 0x10);
174 outbody = data_blob_talloc(req->out.vector, NULL, 0x30);
175 if (outbody.data == NULL) {
176 error = smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
177 if (!NT_STATUS_IS_OK(error)) {
178 smbd_server_connection_terminate(req->sconn,
185 SSVAL(outbody.data, 0x00, 0x30 + 1); /* struct size */
186 SSVAL(outbody.data, 0x02, 0); /* reserved */
187 SIVAL(outbody.data, 0x04,
188 in_ctl_code); /* ctl code */
189 SBVAL(outbody.data, 0x08,
190 in_file_id_persistent); /* file id (persistent) */
191 SBVAL(outbody.data, 0x10,
192 in_file_id_volatile); /* file id (volatile) */
193 SIVAL(outbody.data, 0x18,
194 out_input_offset); /* input offset */
195 SIVAL(outbody.data, 0x1C, 0); /* input count */
196 SIVAL(outbody.data, 0x20,
197 out_output_offset); /* output offset */
198 SIVAL(outbody.data, 0x24,
199 out_output_buffer.length); /* output count */
200 SIVAL(outbody.data, 0x28, 0); /* flags */
201 SIVAL(outbody.data, 0x2C, 0); /* reserved */
204 * Note: Windows Vista and 2008 send back also the
205 * input from the request. But it was fixed in
208 outdyn = out_output_buffer;
210 error = smbd_smb2_request_done_ex(req, status, outbody, &outdyn,
212 if (!NT_STATUS_IS_OK(error)) {
213 smbd_server_connection_terminate(req->sconn,
219 struct smbd_smb2_ioctl_state {
220 struct smbd_smb2_request *smb2req;
221 struct smb_request *smbreq;
224 uint32_t in_max_output;
225 DATA_BLOB out_output;
229 static void smbd_smb2_ioctl_pipe_write_done(struct tevent_req *subreq);
230 static void smbd_smb2_ioctl_pipe_read_done(struct tevent_req *subreq);
232 static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx,
233 struct tevent_context *ev,
234 struct smbd_smb2_request *smb2req,
235 uint32_t in_ctl_code,
236 uint64_t in_file_id_volatile,
238 uint32_t in_max_output,
241 struct tevent_req *req;
242 struct smbd_smb2_ioctl_state *state;
243 struct smb_request *smbreq;
244 files_struct *fsp = NULL;
245 struct tevent_req *subreq;
247 req = tevent_req_create(mem_ctx, &state,
248 struct smbd_smb2_ioctl_state);
252 state->smb2req = smb2req;
253 state->smbreq = NULL;
255 state->in_input = in_input;
256 state->in_max_output = in_max_output;
257 state->out_output = data_blob_null;
259 DEBUG(10, ("smbd_smb2_ioctl: ctl_code[0x%08x] file_id[0x%016llX]\n",
260 (unsigned)in_ctl_code,
261 (unsigned long long)in_file_id_volatile));
263 smbreq = smbd_smb2_fake_smb_request(smb2req);
264 if (tevent_req_nomem(smbreq, req)) {
265 return tevent_req_post(req, ev);
267 state->smbreq = smbreq;
269 if (in_file_id_volatile != UINT64_MAX) {
270 fsp = file_fsp(smbreq, (uint16_t)in_file_id_volatile);
272 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
273 return tevent_req_post(req, ev);
275 if (smbreq->conn != fsp->conn) {
276 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
277 return tevent_req_post(req, ev);
279 if (smb2req->session->vuid != fsp->vuid) {
280 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
281 return tevent_req_post(req, ev);
286 switch (in_ctl_code) {
287 case 0x00060194: /* FSCTL_DFS_GET_REFERRALS */
289 uint16_t in_max_referral_level;
290 DATA_BLOB in_file_name_buffer;
291 char *in_file_name_string;
292 size_t in_file_name_string_size;
294 bool overflow = false;
297 char *dfs_data = NULL;
299 if (!IS_IPC(smbreq->conn)) {
300 tevent_req_nterror(req, NT_STATUS_INVALID_DEVICE_REQUEST);
301 return tevent_req_post(req, ev);
304 if (!lp_host_msdfs()) {
305 tevent_req_nterror(req, NT_STATUS_FS_DRIVER_REQUIRED);
306 return tevent_req_post(req, ev);
309 if (in_input.length < (2 + 2)) {
310 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
311 return tevent_req_post(req, ev);
314 in_max_referral_level = SVAL(in_input.data, 0);
315 in_file_name_buffer.data = in_input.data + 2;
316 in_file_name_buffer.length = in_input.length - 2;
318 ok = convert_string_talloc(state, CH_UTF16, CH_UNIX,
319 in_file_name_buffer.data,
320 in_file_name_buffer.length,
321 &in_file_name_string,
322 &in_file_name_string_size);
324 tevent_req_nterror(req, NT_STATUS_ILLEGAL_CHARACTER);
325 return tevent_req_post(req, ev);
328 dfs_size = setup_dfs_referral(smbreq->conn,
330 in_max_referral_level,
333 tevent_req_nterror(req, status);
334 return tevent_req_post(req, ev);
337 if (dfs_size > in_max_output) {
339 * TODO: we need a testsuite for this
342 dfs_size = in_max_output;
345 state->out_output = data_blob_talloc(state,
350 tevent_req_nomem(state->out_output.data, req)) {
351 return tevent_req_post(req, ev);
355 tevent_req_nterror(req, STATUS_BUFFER_OVERFLOW);
357 tevent_req_done(req);
359 return tevent_req_post(req, ev);
361 case 0x0011C017: /* FSCTL_PIPE_TRANSCEIVE */
363 if (!IS_IPC(smbreq->conn)) {
364 tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
365 return tevent_req_post(req, ev);
369 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
370 return tevent_req_post(req, ev);
373 if (!fsp_is_np(fsp)) {
374 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
375 return tevent_req_post(req, ev);
378 DEBUG(10,("smbd_smb2_ioctl_send: np_write_send of size %u\n",
379 (unsigned int)in_input.length ));
381 subreq = np_write_send(state, ev,
382 fsp->fake_file_handle,
385 if (tevent_req_nomem(subreq, req)) {
386 return tevent_req_post(req, ev);
388 tevent_req_set_callback(subreq,
389 smbd_smb2_ioctl_pipe_write_done,
393 case FSCTL_VALIDATE_NEGOTIATE_INFO_224:
395 struct smbXsrv_connection *conn = smbreq->sconn->conn;
396 uint32_t in_capabilities;
397 DATA_BLOB in_guid_blob;
399 uint16_t in_security_mode;
400 uint16_t in_max_dialect;
401 uint16_t max_dialect;
402 DATA_BLOB out_guid_blob;
405 if (in_input.length != 0x18) {
406 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
407 return tevent_req_post(req, ev);
410 if (in_max_output < 0x18) {
411 tevent_req_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
412 return tevent_req_post(req, ev);
415 in_capabilities = IVAL(in_input.data, 0x00);
416 in_guid_blob = data_blob_const(in_input.data + 0x04, 16);
417 in_security_mode = SVAL(in_input.data, 0x14);
418 in_max_dialect = SVAL(in_input.data, 0x16);
420 status = GUID_from_ndr_blob(&in_guid_blob, &in_guid);
421 if (tevent_req_nterror(req, status)) {
422 return tevent_req_post(req, ev);
425 max_dialect = conn->smb2.client.dialects[conn->smb2.client.num_dialects-1];
426 if (in_max_dialect != max_dialect) {
427 state->disconnect = true;
428 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
429 return tevent_req_post(req, ev);
432 if (!GUID_compare(&in_guid, &conn->smb2.client.guid)) {
433 state->disconnect = true;
434 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
435 return tevent_req_post(req, ev);
438 if (in_security_mode != conn->smb2.client.security_mode) {
439 state->disconnect = true;
440 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
441 return tevent_req_post(req, ev);
444 if (in_capabilities != conn->smb2.client.capabilities) {
445 state->disconnect = true;
446 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
447 return tevent_req_post(req, ev);
450 status = GUID_to_ndr_blob(&conn->smb2.server.guid, state,
452 if (tevent_req_nterror(req, status)) {
453 return tevent_req_post(req, ev);
456 state->out_output = data_blob_talloc(state, NULL, 0x18);
457 if (tevent_req_nomem(state->out_output.data, req)) {
458 return tevent_req_post(req, ev);
461 SIVAL(state->out_output.data, 0x00, conn->smb2.server.capabilities);
462 memcpy(state->out_output.data+0x04, out_guid_blob.data, 16);
463 SIVAL(state->out_output.data, 0x14, conn->smb2.server.security_mode);
464 SIVAL(state->out_output.data, 0x16, conn->smb2.server.dialect);
466 tevent_req_done(req);
467 return tevent_req_post(req, ev);
470 case FSCTL_VALIDATE_NEGOTIATE_INFO:
472 struct smbXsrv_connection *conn = smbreq->sconn->conn;
473 uint32_t in_capabilities;
474 DATA_BLOB in_guid_blob;
476 uint16_t in_security_mode;
477 uint16_t in_num_dialects;
479 DATA_BLOB out_guid_blob;
482 if (in_input.length < 0x18) {
483 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
484 return tevent_req_post(req, ev);
487 in_capabilities = IVAL(in_input.data, 0x00);
488 in_guid_blob = data_blob_const(in_input.data + 0x04, 16);
489 in_security_mode = SVAL(in_input.data, 0x14);
490 in_num_dialects = SVAL(in_input.data, 0x16);
492 if (in_input.length != (0x18 + in_num_dialects*2)) {
493 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
494 return tevent_req_post(req, ev);
497 if (in_max_output < 0x18) {
498 tevent_req_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
499 return tevent_req_post(req, ev);
502 status = GUID_from_ndr_blob(&in_guid_blob, &in_guid);
503 if (tevent_req_nterror(req, status)) {
504 return tevent_req_post(req, ev);
507 if (in_num_dialects != conn->smb2.client.num_dialects) {
508 state->disconnect = true;
509 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
510 return tevent_req_post(req, ev);
513 for (i=0; i < in_num_dialects; i++) {
514 uint16_t v = SVAL(in_input.data, 0x18 + i*2);
516 if (conn->smb2.client.dialects[i] != v) {
517 state->disconnect = true;
518 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
519 return tevent_req_post(req, ev);
523 if (!GUID_compare(&in_guid, &conn->smb2.client.guid)) {
524 state->disconnect = true;
525 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
526 return tevent_req_post(req, ev);
529 if (in_security_mode != conn->smb2.client.security_mode) {
530 state->disconnect = true;
531 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
532 return tevent_req_post(req, ev);
535 if (in_capabilities != conn->smb2.client.capabilities) {
536 state->disconnect = true;
537 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
538 return tevent_req_post(req, ev);
541 status = GUID_to_ndr_blob(&conn->smb2.server.guid, state,
543 if (tevent_req_nterror(req, status)) {
544 return tevent_req_post(req, ev);
547 state->out_output = data_blob_talloc(state, NULL, 0x18);
548 if (tevent_req_nomem(state->out_output.data, req)) {
549 return tevent_req_post(req, ev);
552 SIVAL(state->out_output.data, 0x00, conn->smb2.server.capabilities);
553 memcpy(state->out_output.data+0x04, out_guid_blob.data, 16);
554 SIVAL(state->out_output.data, 0x14, conn->smb2.server.security_mode);
555 SIVAL(state->out_output.data, 0x16, conn->smb2.server.dialect);
557 tevent_req_done(req);
558 return tevent_req_post(req, ev);
562 uint8_t *out_data = NULL;
563 uint32_t out_data_len = 0;
567 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
568 return tevent_req_post(req, ev);
571 status = SMB_VFS_FSCTL(fsp,
580 state->out_output = data_blob_const(out_data, out_data_len);
581 if (NT_STATUS_IS_OK(status)) {
582 tevent_req_done(req);
583 return tevent_req_post(req, ev);
586 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
587 if (IS_IPC(smbreq->conn)) {
588 status = NT_STATUS_FS_DRIVER_REQUIRED;
590 status = NT_STATUS_INVALID_DEVICE_REQUEST;
594 tevent_req_nterror(req, status);
595 return tevent_req_post(req, ev);
599 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
600 return tevent_req_post(req, ev);
603 static void smbd_smb2_ioctl_pipe_write_done(struct tevent_req *subreq)
605 struct tevent_req *req = tevent_req_callback_data(subreq,
607 struct smbd_smb2_ioctl_state *state = tevent_req_data(req,
608 struct smbd_smb2_ioctl_state);
610 ssize_t nwritten = -1;
612 status = np_write_recv(subreq, &nwritten);
614 DEBUG(10,("smbd_smb2_ioctl_pipe_write_done: received %ld\n",
615 (long int)nwritten ));
618 if (!NT_STATUS_IS_OK(status)) {
619 tevent_req_nterror(req, status);
623 if (nwritten != state->in_input.length) {
624 tevent_req_nterror(req, NT_STATUS_PIPE_NOT_AVAILABLE);
628 state->out_output = data_blob_talloc(state, NULL, state->in_max_output);
629 if (state->in_max_output > 0 &&
630 tevent_req_nomem(state->out_output.data, req)) {
634 DEBUG(10,("smbd_smb2_ioctl_pipe_write_done: issuing np_read_send "
636 (unsigned int)state->out_output.length ));
639 subreq = np_read_send(state->smbreq->conn,
640 state->smb2req->sconn->ev_ctx,
641 state->fsp->fake_file_handle,
642 state->out_output.data,
643 state->out_output.length);
644 if (tevent_req_nomem(subreq, req)) {
647 tevent_req_set_callback(subreq, smbd_smb2_ioctl_pipe_read_done, req);
650 static void smbd_smb2_ioctl_pipe_read_done(struct tevent_req *subreq)
652 struct tevent_req *req = tevent_req_callback_data(subreq,
654 struct smbd_smb2_ioctl_state *state = tevent_req_data(req,
655 struct smbd_smb2_ioctl_state);
658 bool is_data_outstanding = false;
660 status = np_read_recv(subreq, &nread, &is_data_outstanding);
662 DEBUG(10,("smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = %d "
663 "is_data_outstanding = %d, status = %s\n",
665 (int)is_data_outstanding,
666 nt_errstr(status) ));
669 if (!NT_STATUS_IS_OK(status)) {
670 tevent_req_nterror(req, status);
674 state->out_output.length = nread;
676 if (is_data_outstanding) {
677 tevent_req_nterror(req, STATUS_BUFFER_OVERFLOW);
681 tevent_req_done(req);
684 static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req,
686 DATA_BLOB *out_output,
689 NTSTATUS status = NT_STATUS_OK;
690 struct smbd_smb2_ioctl_state *state = tevent_req_data(req,
691 struct smbd_smb2_ioctl_state);
693 *disconnect = state->disconnect;
695 if (tevent_req_is_nterror(req, &status)) {
696 if (!NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
697 tevent_req_received(req);
702 *out_output = state->out_output;
703 talloc_steal(mem_ctx, out_output->data);
705 tevent_req_received(req);
git.samba.org / samba.git / blob