samba-mirror/libcli/smb/reparse.c

/*
 * Unix SMB/CIFS implementation.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

#include "replace.h"
#include "libcli/smb/reparse.h"
#include "lib/util/iov_buf.h"
#include "libcli/smb/smb_constants.h"
#include "libcli/util/error.h"
#include "lib/util/debug.h"
#include "lib/util/bytearray.h"
#include "lib/util/talloc_stack.h"
#include "lib/util/charset/charset.h"
#include "smb_util.h"

NTSTATUS reparse_buffer_check(const uint8_t *in_data,
			      size_t in_len,
			      uint32_t *reparse_tag,
			      const uint8_t **_reparse_data,
			      size_t *_reparse_data_length)
{
	uint16_t reparse_data_length;

	if (in_len == 0) {
		DBG_DEBUG("in_len=0\n");
		return NT_STATUS_INVALID_BUFFER_SIZE;
	}
	if (in_len < 8) {
		DBG_DEBUG("in_len=%zu\n", in_len);
		return NT_STATUS_IO_REPARSE_DATA_INVALID;
	}

	reparse_data_length = PULL_LE_U16(in_data, 4);

	if (reparse_data_length != (in_len - 8)) {
		DBG_DEBUG("in_len=%zu, reparse_data_length=%" PRIu16 "\n",
			  in_len,
			  reparse_data_length);
		return NT_STATUS_IO_REPARSE_DATA_INVALID;
	}

	*reparse_tag = PULL_LE_U32(in_data, 0);
	*_reparse_data = in_data + 8;
	*_reparse_data_length = reparse_data_length;

	return NT_STATUS_OK;
}

static int nfs_reparse_buffer_parse(TALLOC_CTX *mem_ctx,
				    struct nfs_reparse_data_buffer *dst,
				    const uint8_t *src,
				    size_t srclen)
{
	uint64_t type;

	if (srclen < 8) {
		DBG_DEBUG("srclen=%zu too short\n", srclen);
		return EINVAL;
	}

	type = PULL_LE_U64(src, 0);

	switch (type) {
	case NFS_SPECFILE_CHR:
		FALL_THROUGH;
	case NFS_SPECFILE_BLK:
		if (srclen < 16) {
			DBG_DEBUG("srclen %zu too short for type %" PRIx64 "\n",
				  srclen,
				  type);
			return EINVAL;
		}
		dst->data.dev.major = PULL_LE_U32(src, 8);
		dst->data.dev.minor = PULL_LE_U32(src, 12);
		break;
	case NFS_SPECFILE_LNK: {
		bool ok;

		ok = convert_string_talloc(mem_ctx,
					   CH_UTF16,
					   CH_UNIX,
					   src + 8,
					   srclen - 8,
					   &dst->data.lnk_target,
					   NULL);
		if (!ok) {
			return errno;
		}
		break;
	}
	case NFS_SPECFILE_FIFO:
		break; /* empty, no data */
	case NFS_SPECFILE_SOCK:
		break; /* empty, no data */
	default:
		DBG_DEBUG("Unknown NFS reparse type %" PRIx64 "\n", type);
		return EINVAL;
	}

	dst->type = type;

	return 0;
}

static int symlink_reparse_buffer_parse(TALLOC_CTX *mem_ctx,
					struct symlink_reparse_struct *dst,
					const uint8_t *src,
					size_t srclen)
{
	uint16_t reparse_data_length;
	uint16_t substitute_name_offset, substitute_name_length;
	uint16_t print_name_offset, print_name_length;
	bool ok;

	if (srclen < 20) {
		DBG_DEBUG("srclen = %zu, expected >= 20\n", srclen);
		return EINVAL;
	}
	if (PULL_LE_U32(src, 0) != IO_REPARSE_TAG_SYMLINK) {
		DBG_DEBUG("Got ReparseTag %8.8x, expected %8.8x\n",
			  PULL_LE_U32(src, 0),
			  IO_REPARSE_TAG_SYMLINK);
		return EINVAL;
	}

	reparse_data_length	= PULL_LE_U16(src, 4);
	substitute_name_offset	= PULL_LE_U16(src, 8);
	substitute_name_length	= PULL_LE_U16(src, 10);
	print_name_offset	= PULL_LE_U16(src, 12);
	print_name_length	= PULL_LE_U16(src, 14);

	if (reparse_data_length < 12) {
		DBG_DEBUG("reparse_data_length = %"PRIu16", expected >= 12\n",
			  reparse_data_length);
		return EINVAL;
	}
	if (smb_buffer_oob(srclen - 8, reparse_data_length, 0)) {
		DBG_DEBUG("reparse_data_length (%"PRIu16") too large for "
			   "src_len (%zu)\n",
			  reparse_data_length,
			  srclen);
		return EINVAL;
	}
	if (smb_buffer_oob(reparse_data_length - 12, substitute_name_offset,
			   substitute_name_length)) {
		DBG_DEBUG("substitute_name (%"PRIu16"/%"PRIu16") does not fit "
			  "in reparse_data_length (%"PRIu16")\n",
			  substitute_name_offset,
			  substitute_name_length,
			  reparse_data_length - 12);
		return EINVAL;
	}
	if (smb_buffer_oob(reparse_data_length - 12, print_name_offset,
			   print_name_length)) {
		DBG_DEBUG("print_name (%"PRIu16"/%"PRIu16") does not fit in "
			  "reparse_data_length (%"PRIu16")\n",
			  print_name_offset,
			  print_name_length,
			  reparse_data_length - 12);
		return EINVAL;
	}

	*dst = (struct symlink_reparse_struct) {
		.unparsed_path_length = PULL_LE_U16(src, 6),
		.flags = PULL_LE_U32(src, 16),
	};

	ok = convert_string_talloc(mem_ctx,
				   CH_UTF16,
				   CH_UNIX,
				   src + 20 + substitute_name_offset,
				   substitute_name_length,
				   &dst->substitute_name,
				   NULL);
	if (!ok) {
		int ret = errno;
		DBG_DEBUG("convert_string_talloc for substitute_name "
			  "failed\n");
		return ret;
	}

	ok = convert_string_talloc(mem_ctx,
				   CH_UTF16,
				   CH_UNIX,
				   src + 20 + print_name_offset,
				   print_name_length,
				   &dst->print_name,
				   NULL);
	if (!ok) {
		int ret = errno;
		DBG_DEBUG("convert_string_talloc for print_name failed\n");
		TALLOC_FREE(dst->substitute_name);
		return ret;
	}

	return 0;
}

NTSTATUS reparse_data_buffer_parse(TALLOC_CTX *mem_ctx,
				   struct reparse_data_buffer *dst,
				   const uint8_t *buf,
				   size_t buflen)
{
	const uint8_t *reparse_data;
	size_t reparse_data_length;
	NTSTATUS status;
	int ret;

	status = reparse_buffer_check(buf,
				      buflen,
				      &dst->tag,
				      &reparse_data,
				      &reparse_data_length);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	switch (dst->tag) {
	case IO_REPARSE_TAG_SYMLINK:
		ret = symlink_reparse_buffer_parse(mem_ctx,
						   &dst->parsed.lnk,
						   buf,
						   buflen);
		if (ret != 0) {
			return map_nt_error_from_unix_common(ret);
		}
		break;
	case IO_REPARSE_TAG_NFS:
		ret = nfs_reparse_buffer_parse(mem_ctx,
					       &dst->parsed.nfs,
					       reparse_data,
					       reparse_data_length);
		if (ret != 0) {
			return map_nt_error_from_unix_common(ret);
		}
		break;
	default:
		dst->parsed.raw.data = talloc_memdup(mem_ctx,
						     reparse_data,
						     reparse_data_length);
		if (dst->parsed.raw.data == NULL) {
			return NT_STATUS_NO_MEMORY;
		}
		dst->parsed.raw.length = reparse_data_length;
		dst->parsed.raw.reserved = PULL_LE_U16(buf, 6);
		break;
	}

	return NT_STATUS_OK;
}

char *reparse_data_buffer_str(TALLOC_CTX *mem_ctx,
			      const struct reparse_data_buffer *dst)
{
	char *s = talloc_strdup(mem_ctx, "");

	switch (dst->tag) {
	case IO_REPARSE_TAG_SYMLINK: {
		const struct symlink_reparse_struct *lnk = &dst->parsed.lnk;
		talloc_asprintf_addbuf(&s,
				       "0x%" PRIx32
				       " (IO_REPARSE_TAG_SYMLINK)\n",
				       dst->tag);
		talloc_asprintf_addbuf(&s,
				       "unparsed=%" PRIu16 "\n",
				       lnk->unparsed_path_length);
		talloc_asprintf_addbuf(&s,
				       "substitute_name=%s\n",
				       lnk->substitute_name);
		talloc_asprintf_addbuf(&s, "print_name=%s\n", lnk->print_name);
		talloc_asprintf_addbuf(&s, "flags=%" PRIu32 "\n", lnk->flags);
		break;
	}
	case IO_REPARSE_TAG_NFS: {
		const struct nfs_reparse_data_buffer *nfs = &dst->parsed.nfs;

		talloc_asprintf_addbuf(&s,
				       "0x%" PRIx32 " (IO_REPARSE_TAG_NFS)\n",
				       dst->tag);

		switch (nfs->type) {
		case NFS_SPECFILE_FIFO:
			talloc_asprintf_addbuf(&s,
					       " 0x%" PRIx64
					       " (NFS_SPECFILE_FIFO)\n",
					       nfs->type);
			break;
		case NFS_SPECFILE_SOCK:
			talloc_asprintf_addbuf(&s,
					       " 0x%" PRIx64
					       " (NFS_SPECFILE_SOCK)\n",
					       nfs->type);
			break;
		case NFS_SPECFILE_LNK:
			talloc_asprintf_addbuf(&s,
					       " 0x%" PRIx64
					       " (NFS_SPECFILE_LNK)\n",
					       nfs->type);
			talloc_asprintf_addbuf(&s,
					       " -> %s\n ",
					       nfs->data.lnk_target);
			break;
		case NFS_SPECFILE_BLK:
			talloc_asprintf_addbuf(&s,
					       " 0x%" PRIx64
					       " (NFS_SPECFILE_BLK)\n",
					       nfs->type);
			talloc_asprintf_addbuf(&s,
					       " %" PRIu32 "/%" PRIu32 "\n",
					       nfs->data.dev.major,
					       nfs->data.dev.minor);
			break;
		case NFS_SPECFILE_CHR:
			talloc_asprintf_addbuf(&s,
					       " 0x%" PRIx64
					       " (NFS_SPECFILE_CHR)\n",
					       nfs->type);
			talloc_asprintf_addbuf(&s,
					       " %" PRIu32 "/%" PRIu32 "\n",
					       nfs->data.dev.major,
					       nfs->data.dev.minor);
			break;
		default:
			talloc_asprintf_addbuf(&s,
					       " 0x%" PRIu64
					       " (Unknown type)\n",
					       nfs->type);
			break;
		}
		break;
	}
	default:
		talloc_asprintf_addbuf(&s, "%" PRIu32 "\n", dst->tag);
		break;
	}
	return s;
}

static ssize_t reparse_buffer_marshall(uint32_t reparse_tag,
				       uint16_t reserved,
				       const struct iovec *iov,
				       int iovlen,
				       uint8_t *buf,
				       size_t buflen)
{
	ssize_t reparse_data_length = iov_buflen(iov, iovlen);
	size_t needed;

	if (reparse_data_length == -1) {
		return -1;
	}
	if (reparse_data_length > UINT16_MAX) {
		return -1;
	}

	needed = reparse_data_length + 8;
	if (needed < reparse_data_length) {
		return -1;
	}

	if (buflen >= needed) {
		PUSH_LE_U32(buf, 0, reparse_tag);
		PUSH_LE_U16(buf, 4, reparse_data_length);
		PUSH_LE_U16(buf, 6, reserved);
		iov_buf(iov, iovlen, buf + 8, buflen - 8);
	}

	return needed;
}

static ssize_t
reparse_data_buffer_marshall_syml(const struct symlink_reparse_struct *src,
				  uint8_t *buf,
				  size_t buflen)
{
	uint8_t sbuf[12];
	struct iovec iov[3];
	const char *print_name = src->print_name;
	uint8_t *subst_utf16 = NULL;
	uint8_t *print_utf16 = NULL;
	size_t subst_len = 0;
	size_t print_len = 0;
	ssize_t ret = -1;
	bool ok;

	if (src->substitute_name == NULL) {
		return -1;
	}
	if (src->print_name == NULL) {
		print_name = src->substitute_name;
	}

	iov[0] = (struct iovec){
		.iov_base = sbuf,
		.iov_len = sizeof(sbuf),
	};

	ok = convert_string_talloc(talloc_tos(),
				   CH_UNIX,
				   CH_UTF16,
				   src->substitute_name,
				   strlen(src->substitute_name),
				   &subst_utf16,
				   &subst_len);
	if (!ok) {
		goto fail;
	}
	if (subst_len > UINT16_MAX) {
		goto fail;
	}
	iov[1] = (struct iovec){
		.iov_base = subst_utf16,
		.iov_len = subst_len,
	};

	ok = convert_string_talloc(talloc_tos(),
				   CH_UNIX,
				   CH_UTF16,
				   print_name,
				   strlen(print_name),
				   &print_utf16,
				   &print_len);
	if (!ok) {
		goto fail;
	}
	if (print_len > UINT16_MAX) {
		goto fail;
	}
	iov[2] = (struct iovec){
		.iov_base = print_utf16,
		.iov_len = print_len,
	};

	PUSH_LE_U16(sbuf, 0, 0);	  /* SubstituteNameOffset */
	PUSH_LE_U16(sbuf, 2, subst_len);  /* SubstituteNameLength */
	PUSH_LE_U16(sbuf, 4, subst_len);  /* PrintNameOffset */
	PUSH_LE_U16(sbuf, 6, print_len);  /* PrintNameLength */
	PUSH_LE_U32(sbuf, 8, src->flags); /* Flags */

	ret = reparse_buffer_marshall(IO_REPARSE_TAG_SYMLINK,
				      src->unparsed_path_length,
				      iov,
				      ARRAY_SIZE(iov),
				      buf,
				      buflen);

fail:
	TALLOC_FREE(subst_utf16);
	TALLOC_FREE(print_utf16);
	return ret;
}

static ssize_t
reparse_data_buffer_marshall_nfs(const struct nfs_reparse_data_buffer *src,
				 uint8_t *buf,
				 size_t buflen)
{
	uint8_t typebuf[8];
	uint8_t devbuf[8];
	struct iovec iov[2] = {};
	size_t iovlen;
	uint8_t *lnk_utf16 = NULL;
	size_t lnk_len = 0;
	ssize_t ret;

	PUSH_LE_U64(typebuf, 0, src->type);
	iov[0] = (struct iovec){
		.iov_base = typebuf,
		.iov_len = sizeof(typebuf),
	};
	iovlen = 1;

	switch (src->type) {
	case NFS_SPECFILE_LNK: {
		bool ok = convert_string_talloc(talloc_tos(),
						CH_UNIX,
						CH_UTF16,
						src->data.lnk_target,
						strlen(src->data.lnk_target),
						&lnk_utf16,
						&lnk_len);
		if (!ok) {
			return -1;
		}
		iov[1] = (struct iovec){
			.iov_base = lnk_utf16,
			.iov_len = lnk_len,
		};
		iovlen = 2;
		break;
	}
	case NFS_SPECFILE_CHR:
		FALL_THROUGH;
	case NFS_SPECFILE_BLK:
		PUSH_LE_U32(devbuf, 0, src->data.dev.major);
		PUSH_LE_U32(devbuf, 4, src->data.dev.minor);
		iov[1] = (struct iovec){
			.iov_base = devbuf,
			.iov_len = sizeof(devbuf),
		};
		iovlen = 2;
		break;
	default:
		break;
		/* Nothing to do for NFS_SPECFILE_FIFO and _SOCK */
	}

	ret = reparse_buffer_marshall(IO_REPARSE_TAG_NFS,
				      0,
				      iov,
				      iovlen,
				      buf,
				      buflen);
	TALLOC_FREE(lnk_utf16);
	return ret;
}

ssize_t reparse_data_buffer_marshall(const struct reparse_data_buffer *src,
				     uint8_t *buf,
				     size_t buflen)
{
	ssize_t ret = -1;

	switch (src->tag) {
	case IO_REPARSE_TAG_SYMLINK:

		ret = reparse_data_buffer_marshall_syml(&src->parsed.lnk,
							buf,
							buflen);
		break;

	case IO_REPARSE_TAG_NFS:

		ret = reparse_data_buffer_marshall_nfs(&src->parsed.nfs,
						       buf,
						       buflen);
		break;

	default: {
		struct iovec iov = {
			.iov_base = src->parsed.raw.data,
			.iov_len = src->parsed.raw.length,
		};
		ret = reparse_buffer_marshall(src->tag,
					      src->parsed.raw.reserved,
					      &iov,
					      1,
					      buf,
					      buflen);
	}
	}

	return ret;
}

/*
 * Implement [MS-SMB2] 2.2.2.2.1.1 Handling the Symbolic Link Error Response
 */

int symlink_target_path(TALLOC_CTX *ctx,
			const char *_name_in,
			size_t num_unparsed,
			const char *substitute,
			bool relative,
			char separator,
			char **_target)
{
	size_t name_in_len = strlen(_name_in);
	size_t num_parsed;
	char name_in[name_in_len + 1];
	char *unparsed = NULL;
	char *syml = NULL;
	char *target = NULL;

	if (num_unparsed > name_in_len) {
		return EINVAL;
	}
	num_parsed = name_in_len - num_unparsed;

	/*
	 * We need to NULL out separators in name_in. Make a copy of
	 * _name_in, which is a const char *.
	 */
	memcpy(name_in, _name_in, sizeof(name_in));

	unparsed = name_in + num_parsed;

	if ((num_unparsed != 0) && (unparsed[0] != separator)) {
		/*
		 * Symlinks in the middle of name_in must end in a separator
		 */
		return EINVAL;
	}

	if (!relative) {
		/*
		 * From [MS-SMB2] 2.2.2.2.1.1:
		 *
		 * If the SYMLINK_FLAG_RELATIVE flag is not set in the Flags
		 * field of the symbolic link error response, the unparsed
		 * portion of the file name MUST be appended to the substitute
		 * name to create the new target path name.
		 */
		target = talloc_asprintf(ctx, "%s%s", substitute, unparsed);
		goto done;
	}

	/*
	 * From [MS-SMB2] 2.2.2.2.1.1:
	 *
	 * If the SYMLINK_FLAG_RELATIVE flag is set in the Flags field
	 * of the symbolic link error response, the symbolic link name
	 * MUST be identified by backing up one path name element from
	 * the unparsed portion of the path name. The symbolic link
	 * MUST be replaced with the substitute name to create the new
	 * target path name.
	 */

	{
		char symlink_end_char = unparsed[0]; /* '\0' or a separator */

		unparsed[0] = '\0';
		syml = strrchr_m(name_in, separator);
		unparsed[0] = symlink_end_char;
	}

	if (syml == NULL) {
		/*
		 * Nothing to back up to, the symlink was the first
		 * path component.
		 */
		name_in[0] = '\0';
	} else {
		/*
		 * Make "name_in" up to the symlink usable for asprintf
		 */
		syml[1] = '\0';
	}

	target = talloc_asprintf(ctx, "%s%s%s", name_in, substitute, unparsed);

done:
	if (target == NULL) {
		return ENOMEM;
	}
	*_target = target;
	return 0;
}