From 8dc2a028d3ca0115d3173df435d926d7b6a4d5d5 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 14 Feb 2005 09:15:24 +0000 Subject: [PATCH] r5392: added "secure" WINS server processing. Send a WACK on name registrations from anyone who isn't a current owner, then query the owner addresses to see if they still want it. --- source/lib/util_strlist.c | 51 +++++++++ source/libcli/nbt/namequery.c | 3 +- source/nbt_server/config.mk | 3 +- source/nbt_server/packet.c | 43 +++++++ source/nbt_server/winsdb.c | 2 +- source/nbt_server/winsdb.h | 3 +- source/nbt_server/winsserver.c | 77 ++++++------- source/nbt_server/winswack.c | 199 +++++++++++++++++++++++++++++++++ 8 files changed, 333 insertions(+), 48 deletions(-) create mode 100644 source/nbt_server/winswack.c diff --git a/source/lib/util_strlist.c b/source/lib/util_strlist.c index 71f634f71ae..0b78e9f69e8 100644 --- a/source/lib/util_strlist.c +++ b/source/lib/util_strlist.c @@ -122,3 +122,54 @@ BOOL str_list_equal(const char **list1, const char **list2) } return True; } + + +/* + add an entry to a string list +*/ +const char **str_list_add(const char **list, const char *s) +{ + size_t len = str_list_length(list); + const char **ret; + + ret = talloc_realloc(NULL, list, const char *, len+2); + if (ret == NULL) return NULL; + + ret[len] = talloc_strdup(ret, s); + if (ret[len] == NULL) return NULL; + + ret[len+1] = NULL; + + return ret; +} + +/* + remove an entry from a string list +*/ +void str_list_remove(const char **list, const char *s) +{ + int i; + + for (i=0;list[i];i++) { + if (strcmp(list[i], s) == 0) break; + } + if (!list[i]) return; + + for (;list[i];i++) { + list[i] = list[i+1]; + } +} + + +/* + return True if a string is in a list +*/ +BOOL str_list_check(const char **list, const char *s) +{ + int i; + + for (i=0;list[i];i++) { + if (strcmp(list[i], s) == 0) return True; + } + return False; +} 
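Review bot: str_list_check() and str_list_remove() index `list[i]` without first testing `list` itself, so a NULL list is a crash instead of "not found". The lists this commit passes in come from WINS records and from name-query replies, so I would add `if (list == NULL) return False;` at the top of str_list_check() and `if (list == NULL) return;` at the top of str_list_remove(). Separately, when talloc_strdup() fails in str_list_add() the function returns NULL after talloc_realloc() has already succeeded, so a caller written as `x = str_list_add(x, s)` loses its only pointer to the list. The header comment should at least say that the input list must not be used after a NULL return.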
diff --git a/source/libcli/nbt/namequery.c b/source/libcli/nbt/namequery.c index a9748c7bd25..f222148f4d6 100644 --- a/source/libcli/nbt/namequery.c +++ b/source/libcli/nbt/namequery.c @@ -98,7 +98,7 @@ NTSTATUS nbt_name_query_recv(struct nbt_name_request *req, io->out.name = packet->answers[0].name; io->out.num_addrs = packet->answers[0].rdata.netbios.length / 6; - io->out.reply_addrs = talloc_array(mem_ctx, const char *, io->out.num_addrs); + io->out.reply_addrs = talloc_array(mem_ctx, const char *, io->out.num_addrs+1); if (io->out.reply_addrs == NULL) { talloc_free(req); return NT_STATUS_NO_MEMORY; @@ -108,6 +108,7 @@ NTSTATUS nbt_name_query_recv(struct nbt_name_request *req, io->out.reply_addrs[i] = talloc_steal(mem_ctx, packet->answers[0].rdata.netbios.addresses[i].ipaddr); } + io->out.reply_addrs[i] = NULL; talloc_steal(mem_ctx, io->out.name.name); talloc_steal(mem_ctx, io->out.name.scope); diff --git a/source/nbt_server/config.mk b/source/nbt_server/config.mk index 12d0a09b6bc..144a12e9e26 100644 --- a/source/nbt_server/config.mk +++ b/source/nbt_server/config.mk @@ -14,7 +14,8 @@ ADD_OBJ_FILES = \ nbt_server/defense.o \ nbt_server/packet.o \ nbt_server/winsserver.o \ - nbt_server/winsdb.o + nbt_server/winsdb.o \ + nbt_server/winswack.o REQUIRED_SUBSYSTEMS = \ LIBCLI_NBT # End SUBSYSTEM SMB diff --git a/source/nbt_server/packet.c b/source/nbt_server/packet.c index 63839091496..6e14fef06c6 100644 --- a/source/nbt_server/packet.c +++ b/source/nbt_server/packet.c 
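Review bot: The terminator added in the second namequery.c hunk is written as `io->out.reply_addrs[i] = NULL;`, which is only correct while `i` equals `num_addrs` when the loop (whose tail is visible in the context) exits. `io->out.reply_addrs[io->out.num_addrs] = NULL;` states the invariant directly and survives a later early exit from that loop. Because str_list_check() in the new WACK handler walks this array until it reaches NULL, the terminator is now a memory-safety requirement. A comment next to the allocation in the first hunk, such as `/* NULL-terminated so it can be passed to the str_list_*() helpers */`, would record that. nbt_name_query_recv() starts and ends outside both hunks, so whether `num_addrs` is checked against the number of address entries actually parsed is not visible here.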
@@ -261,3 +261,46 @@ void nbtd_name_release_reply(struct nbt_name_socket *nbtsock, failed: talloc_free(packet); } + + +/* + send a WACK reply +*/ +void nbtd_wack_reply(struct nbt_name_socket *nbtsock, + struct nbt_name_packet *request_packet, + const char *src_address, int src_port, + uint32_t ttl) +{ + struct nbt_name_packet *packet; + struct nbt_name *name = &request_packet->questions[0].name; + + packet = talloc_zero(nbtsock, struct nbt_name_packet); + if (packet == NULL) return; + + packet->name_trn_id = request_packet->name_trn_id; + packet->ancount = 1; + packet->operation = + NBT_FLAG_REPLY | + NBT_OPCODE_WACK | + NBT_FLAG_AUTHORITIVE; + + packet->answers = talloc_array(packet, struct nbt_res_rec, 1); + if (packet->answers == NULL) goto failed; + + packet->answers[0].name = *name; + packet->answers[0].rr_type = NBT_QTYPE_NETBIOS; + packet->answers[0].rr_class = NBT_QCLASS_IP; + packet->answers[0].ttl = ttl; + packet->answers[0].rdata.data.length = 2; + packet->answers[0].rdata.data.data = talloc_size(packet, 2); + if (packet->answers[0].rdata.data.data == NULL) goto failed; + RSSVAL(packet->answers[0].rdata.data.data, 0, request_packet->operation); + + DEBUG(7,("Sending WACK reply for %s to %s:%d\n", + nbt_name_string(packet, name), src_address, src_port)); + + nbt_name_reply_send(nbtsock, src_address, src_port, packet); + +failed: + talloc_free(packet); +} diff --git a/source/nbt_server/winsdb.c b/source/nbt_server/winsdb.c index f452e58e70c..4eff12901fd 100644 --- a/source/nbt_server/winsdb.c +++ b/source/nbt_server/winsdb.c @@ -78,7 +78,7 @@ struct winsdb_record *winsdb_load(struct wins_server *winssrv, rec->expire_time <= time(NULL)) { DEBUG(5,("WINS: expiring name %s (expired at %s)\n", nbt_name_string(tmp_ctx, rec->name), timestring(tmp_ctx, rec->expire_time))); - rec->state = WINS_REC_EXPIRED; + rec->state = WINS_REC_RELEASED; } talloc_steal(mem_ctx, rec); 
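Review bot: nbtd_wack_reply() takes `&request_packet->questions[0].name` on entry without testing that the request carried a question section, and the request is a packet received from the network. If the callers do not already guarantee that, `if (request_packet->qdcount < 1) return;` before the dereference would make the helper safe on its own. If they do, a line in the header comment saying so would help the next reader. The header comment could also state that `ttl` is the time (presumably in seconds) the client is asked to wait and that the two RDATA bytes echo the request's `operation` field.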
diff --git a/source/nbt_server/winsdb.h b/source/nbt_server/winsdb.h index fd0fe4af70a..0774757ef99 100644 --- a/source/nbt_server/winsdb.h +++ b/source/nbt_server/winsdb.h @@ -22,8 +22,7 @@ enum wins_record_state { WINS_REC_RELEASED =0, - WINS_REC_ACTIVE =1, - WINS_REC_EXPIRED =2 + WINS_REC_ACTIVE =1 }; /* diff --git a/source/nbt_server/winsserver.c b/source/nbt_server/winsserver.c index ad5ccdc16ec..38f874a196c 100644 --- a/source/nbt_server/winsserver.c +++ b/source/nbt_server/winsserver.c @@ -25,6 +25,16 @@ #include "nbt_server/winsdb.h" #include "system/time.h" +/* + work out the ttl we will use given a client requested ttl +*/ +uint32_t wins_server_ttl(struct wins_server *winssrv, uint32_t ttl) +{ + ttl = MIN(ttl, winssrv->max_ttl); + ttl = MAX(ttl, winssrv->min_ttl); + return ttl; +} + /* register a new name with WINS */ @@ -36,14 +46,11 @@ static uint8_t wins_register_new(struct nbt_name_socket *nbtsock, struct nbtd_interface); struct wins_server *winssrv = iface->nbtsrv->winssrv; struct nbt_name *name = &packet->questions[0].name; - uint32_t ttl = packet->additional[0].ttl; + uint32_t ttl = wins_server_ttl(winssrv, packet->additional[0].ttl); uint16_t nb_flags = packet->additional[0].rdata.netbios.addresses[0].nb_flags; const char *address = packet->additional[0].rdata.netbios.addresses[0].ipaddr; struct winsdb_record rec; - ttl = MIN(ttl, winssrv->max_ttl); - ttl = MAX(ttl, winssrv->min_ttl); - rec.name = name; rec.nb_flags = nb_flags; rec.state = WINS_REC_ACTIVE; 
@@ -74,13 +81,10 @@ static uint8_t wins_update_ttl(struct nbt_name_socket *nbtsock, struct nbtd_interface *iface = talloc_get_type(nbtsock->incoming.private, struct nbtd_interface); struct wins_server *winssrv = iface->nbtsrv->winssrv; - uint32_t ttl = packet->additional[0].ttl; + uint32_t ttl = wins_server_ttl(winssrv, packet->additional[0].ttl); const char *address = packet->additional[0].rdata.netbios.addresses[0].ipaddr; time_t now = time(NULL); - ttl = MIN(ttl, winssrv->max_ttl); - ttl = MAX(ttl, winssrv->min_ttl); - if (now + ttl > rec->expire_time) { rec->expire_time = now + ttl; } @@ -92,28 +96,6 @@ static uint8_t wins_update_ttl(struct nbt_name_socket *nbtsock, return winsdb_modify(winssrv, rec); } - -/* - send a WACK reply, then check if the current owners want to keep the name -*/ -static uint8_t wins_register_wack(struct nbt_name_socket *nbtsock, - struct nbt_name_packet *packet, - struct winsdb_record *rec, - const char *src_address, int src_port) -{ - struct nbtd_interface *iface = talloc_get_type(nbtsock->incoming.private, - struct nbtd_interface); - struct wins_server *winssrv = iface->nbtsrv->winssrv; - uint32_t ttl = packet->additional[0].ttl; - const char *address = packet->additional[0].rdata.netbios.addresses[0].ipaddr; - time_t now = time(NULL); - - DEBUG(0,("TODO: WACK\n")); - - return NBT_RCODE_SVR; -} - - /* register a name */ @@ -129,7 +111,6 @@ static void nbtd_winsserver_register(struct nbt_name_socket *nbtsock, uint8_t rcode = NBT_RCODE_OK; uint16_t nb_flags = packet->additional[0].rdata.netbios.addresses[0].nb_flags; const char *address = packet->additional[0].rdata.netbios.addresses[0].ipaddr; - int i; rec = winsdb_load(winssrv, name, packet); if (rec == NULL) { 
@@ -165,15 +146,13 @@ static void nbtd_winsserver_register(struct nbt_name_socket *nbtsock, /* if the registration is for an address that is currently active, then just update the expiry time */ - for (i=0;rec->addresses[i];i++) { - if (strcmp(address, rec->addresses[i]) == 0) { - wins_update_ttl(nbtsock, packet, rec, src_address, src_port); - goto done; - } + if (str_list_check(rec->addresses, address)) { + wins_update_ttl(nbtsock, packet, rec, src_address, src_port); + goto done; } - /* we have to do a WACK to see if the current owners are willing to give - up their claim */ + /* we have to do a WACK to see if the current owner is willing + to give up its claim */ wins_register_wack(nbtsock, packet, rec, src_address, src_port); return; @@ -220,14 +199,26 @@ static void nbtd_winsserver_release(struct nbt_name_socket *nbtsock, struct winsdb_record *rec; rec = winsdb_load(winssrv, name, packet); - if (rec != NULL && - rec->state == WINS_REC_ACTIVE && - !(rec->nb_flags & NBT_NM_GROUP)) { - /* should we release all, or only some of the addresses? */ - rec->state = WINS_REC_RELEASED; + if (rec == NULL || + rec->state != WINS_REC_ACTIVE || + (rec->nb_flags & NBT_NM_GROUP)) { + goto done; + } + + /* we only allow releases from an owner - other releases are + silently ignored */ + if (str_list_check(rec->addresses, src_address)) { + const char *address = packet->additional[0].rdata.netbios.addresses[0].ipaddr; + + DEBUG(4,("WINS: released name %s at %s\n", nbt_name_string(rec, rec->name), address)); + str_list_remove(rec->addresses, address); + if (rec->addresses[0] == NULL) { + rec->state = WINS_REC_RELEASED; + } winsdb_modify(winssrv, rec); } +done: /* we match w2k3 by always giving a positive reply to name releases. */ nbtd_name_release_reply(nbtsock, packet, src_address, src_port, NBT_RCODE_OK); } diff --git a/source/nbt_server/winswack.c b/source/nbt_server/winswack.c new file mode 100644 index 00000000000..a15f0a7d06f --- /dev/null +++ b/source/nbt_server/winswack.c 
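Review bot: In the nbtd_winsserver_release hunk the ownership test is made on `src_address`, but the entry removed is `address`, which is read from `packet->additional[0]` and is therefore chosen by the sender. Any host whose source address is listed for the name can thus withdraw a different owner's address, and since the source of a UDP datagram is not authenticated the check is only as strong as the network's anti-spoofing. If the intent is that a host may only withdraw itself, `str_list_remove(rec->addresses, src_address);` (or ignoring the release when `strcmp(address, src_address) != 0`) closes the first gap. The hunk also reads `packet->additional[0]` with no visible check that the release carried an additional record; the function begins outside the hunk, so that may be validated earlier.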
@@ -0,0 +1,199 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ "secure" wins server WACK processing
+
+ Copyright (C) Andrew Tridgell 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "nbt_server/nbt_server.h"
+#include "nbt_server/winsdb.h"
+#include "system/time.h"
+
+struct wack_state {
+ struct wins_server *winssrv;
+ struct nbt_name_socket *nbtsock;
+ struct nbt_name_packet *request_packet;
+ struct winsdb_record *rec;
+ const char *src_address;
+ int src_port;
+ const char **owner_addresses;
+ const char *reg_address;
+ struct nbt_name_query query;
+};
+
+
+/*
+ deny a registration request
+*/
+static void wins_wack_deny(struct wack_state *state)
+{
+ nbtd_name_registration_reply(state->nbtsock, state->request_packet,
+ state->src_address, state->src_port, NBT_RCODE_ACT);
+ DEBUG(4,("WINS: denied name registration request for %s from %s\n",
+ nbt_name_string(state, state->rec->name), state->src_address));
+ talloc_free(state);
+}
+
+/*
+ allow a registration request
+*/
+static void wins_wack_allow(struct wack_state *state)
+{
+ uint32_t ttl;
+ time_t now = time(NULL);
+ struct winsdb_record *rec = state->rec;
+
+ nbtd_name_registration_reply(state->nbtsock, state->request_packet,
+ state->src_address, state->src_port, NBT_RCODE_OK);
+
+ rec->addresses = str_list_add(rec->addresses, state->reg_address);
+ if (rec->addresses == NULL) goto failed;
+
+ ttl = wins_server_ttl(state->winssrv, state->request_packet->additional[0].ttl);
+ if (now + ttl > rec->expire_time) {
+ rec->expire_time = now + ttl;
+ }
+ rec->registered_by = state->src_address;
+
+ winsdb_modify(state->winssrv, rec);
+
+ DEBUG(4,("WINS: accepted registration of %s with address %s\n",
+ nbt_name_string(state, rec->name), state->reg_address));
+
+failed:
+ talloc_free(state);
+}
+
+/*
+ called when a name query to a current owner completes
+*/
+static void wins_wack_handler(struct nbt_name_request *req)
+{
+ struct wack_state *state = talloc_get_type(req->async.private, struct wack_state);
+ NTSTATUS status;
+ int i;
+ struct winsdb_record *rec = state->rec;
+
+ status = nbt_name_query_recv(req, state, &state->query);
+
+ /* if we timed out then try the next owner address, if any */
+ if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
+ state->owner_addresses++;
+ if (state->owner_addresses[0] == NULL) {
+ wins_wack_allow(state);
+ return;
+ }
+ state->query.in.dest_addr = state->owner_addresses[0];
+
+ req = nbt_name_query_send(state->nbtsock, &state->query);
+ if (req == NULL) goto failed;
+
+ req->async.fn = wins_wack_handler;
+ req->async.private = state;
+ return;
+ }
+
+ /* if the owner denies it holds the name, then allow
+ the registration */
+ if (!NT_STATUS_IS_OK(status)) {
+ wins_wack_allow(state);
+ return;
+ }
+
+ /* if the owner still wants the name and doesn't reply
+ with the address trying to be registered, then deny
+ the registration */
+ if (!str_list_check(state->query.out.reply_addrs, state->reg_address)) {
+ wins_wack_deny(state);
+ return;
+ }
+
+ /* we are going to allow the registration, but first remove any addresses
+ from the record that aren't in the reply from the client */
+ for (i=0;rec->addresses[i];) {
+ if (!str_list_check(state->query.out.reply_addrs, rec->addresses[i])) {
+ str_list_remove(rec->addresses, rec->addresses[i]);
+ } else {
+ i++;
+ }
+ }
+
+ wins_wack_allow(state);
+ return;
+
+failed:
+ talloc_free(state);
+}
+
+
+/*
+ a client has asked to register a unique name that someone else owns. We
+ need to ask each of the current owners if they still want it. If they do
+ then reject the registration, otherwise allow it
+*/
+void wins_register_wack(struct nbt_name_socket *nbtsock,
+ struct nbt_name_packet *packet,
+ struct winsdb_record *rec,
+ const char *src_address, int src_port)
+{
+ struct nbtd_interface *iface = talloc_get_type(nbtsock->incoming.private,
+ struct nbtd_interface);
+ struct wins_server *winssrv = iface->nbtsrv->winssrv;
+ struct wack_state *state;
+ struct nbt_name_request *req;
+ uint32_t ttl;
+
+ state = talloc(nbtsock, struct wack_state);
+ if (state == NULL) goto failed;
+
+ /* package up the state variables for this wack request */
+ state->winssrv = winssrv;
+ state->nbtsock = nbtsock;
+ state->request_packet = talloc_steal(state, packet);
+ state->rec = talloc_steal(state, rec);
+ state->src_port = src_port;
+ state->owner_addresses = rec->addresses;
+ state->reg_address = packet->additional[0].rdata.netbios.addresses[0].ipaddr;
+ state->src_address = talloc_strdup(state, src_address);
+ if (state->src_address == NULL) goto failed;
+
+ /* send a WACK to the client, specifying the maximum time it could
+ take to check with the owner, plus some slack */
+ ttl = 5 + 4 * str_list_length(rec->addresses);
+ nbtd_wack_reply(nbtsock, packet, src_address, src_port, ttl);
+
+ /* setup a name query to the first address */
+ state->query.in.name = *rec->name;
+ state->query.in.dest_addr = state->owner_addresses[0];
+ state->query.in.broadcast = False;
+ state->query.in.wins_lookup = True;
+ state->query.in.timeout = 1;
+ state->query.in.retries = 2;
+
+ req = nbt_name_query_send(nbtsock, &state->query);
+ if (req == NULL) goto failed;
+
+ req->async.fn = wins_wack_handler;
+ req->async.private = state;
+ return;
+
+failed:
+ talloc_free(state);
+ nbtd_name_registration_reply(nbtsock, packet, src_address, src_port, NBT_RCODE_SVR);
+}
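Review bot: On the `failed:` path of wins_register_wack(), `talloc_free(state)` runs before `nbtd_name_registration_reply(nbtsock, packet, ...)`, but by then `packet` has been re-parented with `talloc_steal(state, packet)`, so the error reply is built from freed memory whenever talloc_strdup() or nbt_name_query_send() fails. Sending the reply first fixes it: `nbtd_name_registration_reply(nbtsock, packet, src_address, src_port, NBT_RCODE_SVR);` followed by `talloc_free(state);`. The `failed:` path in wins_wack_handler() has the opposite gap: it frees the state without answering a client that has already been sent a WACK. A comment above wins_wack_handler() should also note that when every owner times out or denies the name, wins_wack_allow() appends the new address but leaves the unresponsive owners in `rec->addresses`, so they still pass the owner checks in winsserver.c.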