2011-12-21 14:04:43 +04:00
/*
Unix SMB / CIFS implementation .
smb2 lib
Copyright ( C ) Stefan Metzmacher 2011
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
# include "includes.h"
2012-05-15 14:24:38 +04:00
# include "system/network.h"
2011-12-21 14:04:43 +04:00
# include "lib/util/tevent_ntstatus.h"
2012-05-15 14:24:38 +04:00
# include "smb_common.h"
# include "smbXcli_base.h"
2011-12-21 14:04:43 +04:00
struct smb2cli_ioctl_state {
uint8_t fixed [ 0x38 ] ;
uint8_t dyn_pad [ 1 ] ;
uint32_t max_input_length ;
uint32_t max_output_length ;
struct iovec * recv_iov ;
2015-11-27 19:31:04 +03:00
bool out_valid ;
2011-12-21 14:04:43 +04:00
DATA_BLOB out_input_buffer ;
DATA_BLOB out_output_buffer ;
2015-05-28 01:13:15 +03:00
uint32_t ctl_code ;
2011-12-21 14:04:43 +04:00
} ;
static void smb2cli_ioctl_done ( struct tevent_req * subreq ) ;
struct tevent_req * smb2cli_ioctl_send ( TALLOC_CTX * mem_ctx ,
struct tevent_context * ev ,
2012-05-10 20:36:47 +04:00
struct smbXcli_conn * conn ,
uint32_t timeout_msec ,
struct smbXcli_session * session ,
2012-07-24 00:32:49 +04:00
struct smbXcli_tcon * tcon ,
2011-12-21 14:04:43 +04:00
uint64_t in_fid_persistent ,
uint64_t in_fid_volatile ,
uint32_t in_ctl_code ,
uint32_t in_max_input_length ,
const DATA_BLOB * in_input_buffer ,
uint32_t in_max_output_length ,
const DATA_BLOB * in_output_buffer ,
uint32_t in_flags )
{
struct tevent_req * req , * subreq ;
struct smb2cli_ioctl_state * state ;
uint8_t * fixed ;
uint8_t * dyn ;
size_t dyn_len ;
uint32_t input_buffer_offset = 0 ;
uint32_t input_buffer_length = 0 ;
uint32_t output_buffer_offset = 0 ;
uint32_t output_buffer_length = 0 ;
uint32_t pad_length = 0 ;
2013-08-13 12:25:52 +04:00
uint64_t tmp64 ;
uint32_t max_dyn_len = 0 ;
2011-12-21 14:04:43 +04:00
req = tevent_req_create ( mem_ctx , & state ,
struct smb2cli_ioctl_state ) ;
if ( req = = NULL ) {
return NULL ;
}
2015-05-28 01:13:15 +03:00
state - > ctl_code = in_ctl_code ;
2011-12-21 14:04:43 +04:00
state - > max_input_length = in_max_input_length ;
state - > max_output_length = in_max_output_length ;
2013-08-13 12:25:52 +04:00
tmp64 = in_max_input_length ;
tmp64 + = in_max_output_length ;
if ( tmp64 > UINT32_MAX ) {
max_dyn_len = UINT32_MAX ;
} else {
max_dyn_len = tmp64 ;
}
2011-12-21 14:04:43 +04:00
if ( in_input_buffer ) {
input_buffer_offset = SMB2_HDR_BODY + 0x38 ;
input_buffer_length = in_input_buffer - > length ;
}
if ( in_output_buffer ) {
output_buffer_offset = SMB2_HDR_BODY + 0x38 ;
2012-12-17 18:17:45 +04:00
output_buffer_length = in_output_buffer - > length ;
2012-05-29 09:27:14 +04:00
if ( input_buffer_length > 0 & & output_buffer_length > 0 ) {
2011-12-21 14:04:43 +04:00
uint32_t tmp ;
output_buffer_offset + = input_buffer_length ;
tmp = output_buffer_offset ;
output_buffer_offset = NDR_ROUND ( output_buffer_offset , 8 ) ;
pad_length = output_buffer_offset - tmp ;
}
}
fixed = state - > fixed ;
SSVAL ( fixed , 0x00 , 0x39 ) ;
SSVAL ( fixed , 0x02 , 0 ) ; /* reserved */
SIVAL ( fixed , 0x04 , in_ctl_code ) ;
SBVAL ( fixed , 0x08 , in_fid_persistent ) ;
SBVAL ( fixed , 0x10 , in_fid_volatile ) ;
SIVAL ( fixed , 0x18 , input_buffer_offset ) ;
SIVAL ( fixed , 0x1C , input_buffer_length ) ;
SIVAL ( fixed , 0x20 , in_max_input_length ) ;
SIVAL ( fixed , 0x24 , output_buffer_offset ) ;
SIVAL ( fixed , 0x28 , output_buffer_length ) ;
SIVAL ( fixed , 0x2C , in_max_output_length ) ;
SIVAL ( fixed , 0x30 , in_flags ) ;
SIVAL ( fixed , 0x34 , 0 ) ; /* reserved */
if ( input_buffer_length > 0 & & output_buffer_length > 0 ) {
size_t avail = UINT32_MAX - ( input_buffer_length + pad_length ) ;
size_t ofs = output_buffer_offset - input_buffer_offset ;
if ( avail < output_buffer_length ) {
tevent_req_nterror ( req , NT_STATUS_INVALID_PARAMETER_MIX ) ;
return tevent_req_post ( req , ev ) ;
}
dyn_len = input_buffer_length + output_buffer_length + pad_length ;
dyn = talloc_zero_array ( state , uint8_t , dyn_len ) ;
if ( tevent_req_nomem ( dyn , req ) ) {
return tevent_req_post ( req , ev ) ;
}
memcpy ( dyn , in_input_buffer - > data ,
in_input_buffer - > length ) ;
memcpy ( dyn + ofs , in_output_buffer - > data ,
in_output_buffer - > length ) ;
} else if ( input_buffer_length > 0 ) {
dyn = in_input_buffer - > data ;
dyn_len = in_input_buffer - > length ;
} else if ( output_buffer_length > 0 ) {
dyn = in_output_buffer - > data ;
dyn_len = in_output_buffer - > length ;
} else {
dyn = state - > dyn_pad ;
dyn_len = sizeof ( state - > dyn_pad ) ;
}
2012-05-10 20:36:47 +04:00
subreq = smb2cli_req_send ( state , ev , conn , SMB2_OP_IOCTL ,
2011-12-21 14:04:43 +04:00
0 , 0 , /* flags */
2012-05-10 20:36:47 +04:00
timeout_msec ,
2012-07-25 12:36:27 +04:00
tcon ,
2012-05-10 20:36:47 +04:00
session ,
2011-12-21 14:04:43 +04:00
state - > fixed , sizeof ( state - > fixed ) ,
2013-08-13 12:25:52 +04:00
dyn , dyn_len ,
max_dyn_len ) ;
2011-12-21 14:04:43 +04:00
if ( tevent_req_nomem ( subreq , req ) ) {
return tevent_req_post ( req , ev ) ;
}
tevent_req_set_callback ( subreq , smb2cli_ioctl_done , req ) ;
return req ;
}
2021-01-14 19:27:21 +03:00
static NTSTATUS smb2cli_ioctl_parse_buffer ( uint32_t dyn_offset ,
const DATA_BLOB dyn_buffer ,
uint32_t min_offset ,
uint32_t buffer_offset ,
uint32_t buffer_length ,
uint32_t max_length ,
uint32_t * next_offset ,
DATA_BLOB * buffer )
{
uint32_t offset ;
bool oob ;
* buffer = data_blob_null ;
* next_offset = dyn_offset ;
if ( buffer_offset = = 0 ) {
/*
* If the offset is 0 , we better ignore
* the buffer_length field .
*/
return NT_STATUS_OK ;
}
if ( buffer_length = = 0 ) {
/*
* If the length is 0 , we better ignore
* the buffer_offset field .
*/
return NT_STATUS_OK ;
}
2021-01-14 19:32:15 +03:00
if ( ( buffer_offset % 8 ) ! = 0 ) {
/*
* The offset needs to be 8 byte aligned .
*/
return NT_STATUS_INVALID_NETWORK_RESPONSE ;
}
/*
* We used to enforce buffer_offset to be
* an exact match of the expected minimum ,
* but the NetApp Ontap 7.3 .7 SMB server
* gets the padding wrong and aligns the
* input_buffer_offset by a value of 8.
*
* So we just enforce that the offset is
* not lower than the expected value .
*/
2021-01-14 19:27:21 +03:00
SMB_ASSERT ( min_offset > = dyn_offset ) ;
2021-01-14 19:32:15 +03:00
if ( buffer_offset < min_offset ) {
2021-01-14 19:27:21 +03:00
return NT_STATUS_INVALID_NETWORK_RESPONSE ;
}
/*
* Make [ input | output ] _buffer_offset relative to " dyn_buffer "
*/
offset = buffer_offset - dyn_offset ;
oob = smb_buffer_oob ( dyn_buffer . length , offset , buffer_length ) ;
if ( oob ) {
return NT_STATUS_INVALID_NETWORK_RESPONSE ;
}
/*
* Give the caller a hint what we consumed ,
* the caller may need to add possible padding .
*/
* next_offset = buffer_offset + buffer_length ;
if ( max_length = = 0 ) {
/*
* If max_input_length is 0 we ignore the
* input_buffer_length , because Windows 2008 echos the
* DCERPC request from the requested input_buffer to
* the response input_buffer .
*
* We just use the same logic also for max_output_length . . .
*/
buffer_length = 0 ;
}
if ( buffer_length > max_length ) {
return NT_STATUS_INVALID_NETWORK_RESPONSE ;
}
* buffer = ( DATA_BLOB ) {
. data = dyn_buffer . data + offset ,
. length = buffer_length ,
} ;
return NT_STATUS_OK ;
}
2011-12-21 14:04:43 +04:00
static void smb2cli_ioctl_done ( struct tevent_req * subreq )
{
struct tevent_req * req =
tevent_req_callback_data ( subreq ,
struct tevent_req ) ;
struct smb2cli_ioctl_state * state =
tevent_req_data ( req ,
struct smb2cli_ioctl_state ) ;
NTSTATUS status ;
2021-01-14 19:27:21 +03:00
NTSTATUS error ;
2011-12-21 14:04:43 +04:00
struct iovec * iov ;
uint8_t * fixed ;
2021-01-14 19:27:21 +03:00
DATA_BLOB dyn_buffer = data_blob_null ;
2011-12-21 14:04:43 +04:00
uint32_t dyn_ofs = SMB2_HDR_BODY + 0x30 ;
2021-01-14 19:27:21 +03:00
uint32_t input_min_offset ;
2011-12-21 14:04:43 +04:00
uint32_t input_buffer_offset ;
uint32_t input_buffer_length ;
2021-01-14 19:27:21 +03:00
uint32_t input_next_offset ;
uint32_t output_min_offset ;
2011-12-21 14:04:43 +04:00
uint32_t output_buffer_offset ;
uint32_t output_buffer_length ;
2021-01-14 19:27:21 +03:00
uint32_t output_next_offset ;
2011-12-21 14:04:43 +04:00
static const struct smb2cli_req_expected_response expected [ ] = {
{
. status = NT_STATUS_OK ,
. body_size = 0x31
} ,
{
. status = STATUS_BUFFER_OVERFLOW ,
. body_size = 0x31
2014-09-30 12:02:01 +04:00
} ,
{
/*
* We need to make sure that
* a response with NT_STATUS_FILE_CLOSED
* without signing generates NT_STATUS_ACCESS_DENIED
* if the request was signed .
*/
. status = NT_STATUS_FILE_CLOSED ,
. body_size = 0x09 ,
} ,
2015-05-28 01:13:15 +03:00
{
2015-11-27 19:31:04 +03:00
/*
* a normal error
*/
. status = NT_STATUS_INVALID_PARAMETER ,
. body_size = 0x09
} ,
{
/*
* a special case for FSCTL_SRV_COPYCHUNK_ *
*/
2015-05-28 01:13:15 +03:00
. status = NT_STATUS_INVALID_PARAMETER ,
. body_size = 0x31
} ,
2011-12-21 14:04:43 +04:00
} ;
2012-05-03 14:05:13 +04:00
status = smb2cli_req_recv ( subreq , state , & iov ,
2011-12-21 14:04:43 +04:00
expected , ARRAY_SIZE ( expected ) ) ;
2012-09-28 21:48:26 +04:00
TALLOC_FREE ( subreq ) ;
2015-11-27 19:31:04 +03:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_INVALID_PARAMETER ) ) {
switch ( state - > ctl_code ) {
case FSCTL_SRV_COPYCHUNK :
case FSCTL_SRV_COPYCHUNK_WRITE :
break ;
default :
tevent_req_nterror ( req , status ) ;
return ;
}
if ( iov [ 1 ] . iov_len ! = 0x30 ) {
tevent_req_nterror ( req ,
NT_STATUS_INVALID_NETWORK_RESPONSE ) ;
return ;
}
} else if ( NT_STATUS_EQUAL ( status , STATUS_BUFFER_OVERFLOW ) ) {
/* no error */
} else {
if ( tevent_req_nterror ( req , status ) ) {
return ;
}
2011-12-21 14:04:43 +04:00
}
2015-11-27 19:31:04 +03:00
/*
* At this stage we ' re sure that got a body size of 0x31 ,
* either with NT_STATUS_OK , STATUS_BUFFER_OVERFLOW or
* NT_STATUS_INVALID_PARAMETER .
*/
2011-12-21 14:04:43 +04:00
state - > recv_iov = iov ;
fixed = ( uint8_t * ) iov [ 1 ] . iov_base ;
2021-01-14 19:27:21 +03:00
dyn_buffer = data_blob_const ( ( uint8_t * ) iov [ 2 ] . iov_base ,
iov [ 2 ] . iov_len ) ;
2011-12-21 14:04:43 +04:00
input_buffer_offset = IVAL ( fixed , 0x18 ) ;
input_buffer_length = IVAL ( fixed , 0x1C ) ;
output_buffer_offset = IVAL ( fixed , 0x20 ) ;
output_buffer_length = IVAL ( fixed , 0x24 ) ;
2021-01-14 19:27:21 +03:00
input_min_offset = dyn_ofs ;
input_next_offset = dyn_ofs ;
error = smb2cli_ioctl_parse_buffer ( dyn_ofs ,
dyn_buffer ,
input_min_offset ,
input_buffer_offset ,
input_buffer_length ,
state - > max_input_length ,
& input_next_offset ,
& state - > out_input_buffer ) ;
if ( tevent_req_nterror ( req , error ) ) {
return ;
2011-12-21 14:04:43 +04:00
}
2021-01-14 19:27:21 +03:00
/*
* If output data is returned , the output offset MUST be set to
* InputOffset + InputCount rounded up to a multiple of 8.
*/
output_min_offset = NDR_ROUND ( input_next_offset , 8 ) ;
output_next_offset = 0 ; /* this variable is completely ignored */
error = smb2cli_ioctl_parse_buffer ( dyn_ofs ,
dyn_buffer ,
output_min_offset ,
output_buffer_offset ,
output_buffer_length ,
state - > max_output_length ,
& output_next_offset ,
& state - > out_output_buffer ) ;
if ( tevent_req_nterror ( req , error ) ) {
return ;
2011-12-21 14:04:43 +04:00
}
2015-11-27 19:31:04 +03:00
state - > out_valid = true ;
2015-05-28 01:13:15 +03:00
if ( tevent_req_nterror ( req , status ) ) {
return ;
}
2011-12-21 14:04:43 +04:00
tevent_req_done ( req ) ;
}
NTSTATUS smb2cli_ioctl_recv ( struct tevent_req * req ,
TALLOC_CTX * mem_ctx ,
DATA_BLOB * out_input_buffer ,
DATA_BLOB * out_output_buffer )
{
struct smb2cli_ioctl_state * state =
tevent_req_data ( req ,
struct smb2cli_ioctl_state ) ;
2015-05-28 01:13:15 +03:00
NTSTATUS status = NT_STATUS_OK ;
2011-12-21 14:04:43 +04:00
2015-11-27 19:31:04 +03:00
if ( tevent_req_is_nterror ( req , & status ) & & ! state - > out_valid ) {
if ( out_input_buffer ) {
* out_input_buffer = data_blob_null ;
}
if ( out_output_buffer ) {
* out_output_buffer = data_blob_null ;
}
2011-12-21 14:04:43 +04:00
tevent_req_received ( req ) ;
return status ;
}
talloc_steal ( mem_ctx , state - > recv_iov ) ;
if ( out_input_buffer ) {
* out_input_buffer = state - > out_input_buffer ;
}
if ( out_output_buffer ) {
* out_output_buffer = state - > out_output_buffer ;
}
tevent_req_received ( req ) ;
2015-05-28 01:13:15 +03:00
return status ;
2011-12-21 14:04:43 +04:00
}
2012-05-10 20:36:47 +04:00
NTSTATUS smb2cli_ioctl ( struct smbXcli_conn * conn ,
uint32_t timeout_msec ,
struct smbXcli_session * session ,
2012-07-24 00:32:49 +04:00
struct smbXcli_tcon * tcon ,
2011-12-21 14:04:43 +04:00
uint64_t in_fid_persistent ,
uint64_t in_fid_volatile ,
uint32_t in_ctl_code ,
uint32_t in_max_input_length ,
const DATA_BLOB * in_input_buffer ,
uint32_t in_max_output_length ,
const DATA_BLOB * in_output_buffer ,
uint32_t in_flags ,
TALLOC_CTX * mem_ctx ,
DATA_BLOB * out_input_buffer ,
DATA_BLOB * out_output_buffer )
{
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2012-05-14 11:56:47 +04:00
struct tevent_context * ev ;
2011-12-21 14:04:43 +04:00
struct tevent_req * req ;
NTSTATUS status = NT_STATUS_NO_MEMORY ;
2012-05-10 20:36:47 +04:00
if ( smbXcli_conn_has_async_calls ( conn ) ) {
2011-12-21 14:04:43 +04:00
/*
* Can ' t use sync call while an async call is in flight
*/
status = NT_STATUS_INVALID_PARAMETER_MIX ;
goto fail ;
}
2013-02-18 12:07:11 +04:00
ev = samba_tevent_context_init ( frame ) ;
2011-12-21 14:04:43 +04:00
if ( ev = = NULL ) {
goto fail ;
}
2012-05-10 20:36:47 +04:00
req = smb2cli_ioctl_send ( frame , ev , conn , timeout_msec ,
2012-07-24 00:32:49 +04:00
session , tcon ,
2011-12-21 14:04:43 +04:00
in_fid_persistent ,
in_fid_volatile ,
in_ctl_code ,
in_max_input_length ,
in_input_buffer ,
in_max_output_length ,
in_output_buffer ,
in_flags ) ;
if ( req = = NULL ) {
goto fail ;
}
if ( ! tevent_req_poll_ntstatus ( req , ev , & status ) ) {
goto fail ;
}
status = smb2cli_ioctl_recv ( req , mem_ctx ,
out_input_buffer ,
out_output_buffer ) ;
fail :
TALLOC_FREE ( frame ) ;
return status ;
}