/* Unix SMB/CIFS implementation. low level socket handling for nbt requests Copyright (C) Andrew Tridgell 2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #include "includes.h" #include "lib/events/events.h" #include "../lib/util/dlinklist.h" #include "../libcli/nbt/libnbt.h" #include "../libcli/nbt/nbt_proto.h" #include "lib/socket/socket.h" #include "librpc/gen_ndr/ndr_nbt.h" #include "param/param.h" #define NBT_MAX_REPLIES 1000 /* destroy a pending request */ static int nbt_name_request_destructor(struct nbt_name_request *req) { if (req->state == NBT_REQUEST_SEND) { DLIST_REMOVE(req->nbtsock->send_queue, req); } if (req->state == NBT_REQUEST_WAIT) { req->nbtsock->num_pending--; } if (req->name_trn_id != 0 && !req->is_reply) { idr_remove(req->nbtsock->idr, req->name_trn_id); req->name_trn_id = 0; } TALLOC_FREE(req->te); if (req->nbtsock->send_queue == NULL) { TEVENT_FD_NOT_WRITEABLE(req->nbtsock->fde); } if (req->nbtsock->num_pending == 0 && req->nbtsock->incoming.handler == NULL) { TEVENT_FD_NOT_READABLE(req->nbtsock->fde); } return 0; } /* handle send events on a nbt name socket */ static void nbt_name_socket_send(struct nbt_name_socket *nbtsock) { struct nbt_name_request *req; TALLOC_CTX *tmp_ctx = talloc_new(nbtsock); NTSTATUS status; while ((req = nbtsock->send_queue)) { size_t len; len = req->encoded.length; status = socket_sendto(nbtsock->sock, &req->encoded, &len, req->dest); if (NT_STATUS_IS_ERR(status)) goto failed; if (!NT_STATUS_IS_OK(status)) { talloc_free(tmp_ctx); return; } DLIST_REMOVE(nbtsock->send_queue, req); req->state = NBT_REQUEST_WAIT; if (req->is_reply) { talloc_free(req); } else { TEVENT_FD_READABLE(nbtsock->fde); nbtsock->num_pending++; } } TEVENT_FD_NOT_WRITEABLE(nbtsock->fde); talloc_free(tmp_ctx); return; failed: DLIST_REMOVE(nbtsock->send_queue, req); nbt_name_request_destructor(req); req->status = status; req->state = NBT_REQUEST_ERROR; talloc_free(tmp_ctx); if (req->async.fn) { req->async.fn(req); } else if (req->is_reply) { talloc_free(req); } return; } /* handle a request timeout */ static void nbt_name_socket_timeout(struct tevent_context *ev, struct tevent_timer *te, struct timeval t, void *private_data) { struct nbt_name_request *req = talloc_get_type(private_data, struct nbt_name_request); if (req->num_retries != 0) { req->num_retries--; req->te = tevent_add_timer(req->nbtsock->event_ctx, req, timeval_add(&t, req->timeout, 0), nbt_name_socket_timeout, req); if (req->state != NBT_REQUEST_SEND) { req->state = NBT_REQUEST_SEND; DLIST_ADD_END(req->nbtsock->send_queue, req); } TEVENT_FD_WRITEABLE(req->nbtsock->fde); return; } nbt_name_request_destructor(req); if (req->num_replies == 0) { req->state = NBT_REQUEST_TIMEOUT; req->status = NT_STATUS_IO_TIMEOUT; } else { req->state = NBT_REQUEST_DONE; req->status = NT_STATUS_OK; } if (req->async.fn) { req->async.fn(req); } else if (req->is_reply) { talloc_free(req); } } /** handle recv events on a nbt name socket */ static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock) { TALLOC_CTX *tmp_ctx = talloc_new(nbtsock); NTSTATUS status; enum ndr_err_code ndr_err; struct socket_address *src; DATA_BLOB blob; size_t nread, dsize; struct nbt_name_packet *packet; struct nbt_name_request *req; status = socket_pending(nbtsock->sock, &dsize); if (!NT_STATUS_IS_OK(status)) { talloc_free(tmp_ctx); return; } /* * Given a zero length, data_blob_talloc() returns the * NULL blob {NULL, 0}. * * We only want to error return here on a real out of memory condition * (i.e. dsize != 0, so the UDP packet has data, but the return of the * allocation failed, so blob.data==NULL). * * Given an actual zero length UDP packet having blob.data == NULL * isn't an out of memory error condition, that's the defined semantics * of data_blob_talloc() when asked for zero bytes. * * We still need to continue to do the zero-length socket_recvfrom() * read in order to clear the "read pending" condition on the socket. */ blob = data_blob_talloc(tmp_ctx, NULL, dsize); if (blob.data == NULL && dsize != 0) { talloc_free(tmp_ctx); return; } status = socket_recvfrom(nbtsock->sock, blob.data, blob.length, &nread, tmp_ctx, &src); if (!NT_STATUS_IS_OK(status)) { talloc_free(tmp_ctx); return; } packet = talloc(tmp_ctx, struct nbt_name_packet); if (packet == NULL) { talloc_free(tmp_ctx); return; } /* parse the request */ ndr_err = ndr_pull_struct_blob(&blob, packet, packet, (ndr_pull_flags_fn_t)ndr_pull_nbt_name_packet); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { status = ndr_map_error2ntstatus(ndr_err); DEBUG(2,("Failed to parse incoming NBT name packet - %s\n", nt_errstr(status))); talloc_free(tmp_ctx); return; } if (DEBUGLVL(10)) { DEBUG(10,("Received nbt packet of length %d from %s:%d\n", (int)blob.length, src->addr, src->port)); NDR_PRINT_DEBUG(nbt_name_packet, packet); } /* if its not a reply then pass it off to the incoming request handler, if any */ if (!(packet->operation & NBT_FLAG_REPLY)) { if (nbtsock->incoming.handler) { nbtsock->incoming.handler(nbtsock, packet, src); } talloc_free(tmp_ctx); return; } /* find the matching request */ req = (struct nbt_name_request *)idr_find(nbtsock->idr, packet->name_trn_id); if (req == NULL) { if (nbtsock->unexpected.handler) { nbtsock->unexpected.handler(nbtsock, packet, src); } else { DEBUG(10,("Failed to match request for incoming name packet id 0x%04x on %p\n", packet->name_trn_id, nbtsock)); } talloc_free(tmp_ctx); return; } talloc_steal(req, packet); talloc_steal(req, src); talloc_free(tmp_ctx); nbt_name_socket_handle_response_packet(req, packet, src); } void nbt_name_socket_handle_response_packet(struct nbt_name_request *req, struct nbt_name_packet *packet, struct socket_address *src) { /* if this is a WACK response, this we need to go back to waiting, but perhaps increase the timeout */ if ((packet->operation & NBT_OPCODE) == NBT_OPCODE_WACK) { uint32_t ttl; if (req->received_wack || packet->ancount < 1) { nbt_name_request_destructor(req); req->status = NT_STATUS_INVALID_NETWORK_RESPONSE; req->state = NBT_REQUEST_ERROR; goto done; } talloc_free(req->te); /* we know we won't need any more retries - the server has received our request */ req->num_retries = 0; req->received_wack = true; /* * there is a timeout in the packet, * it is 5 + 4 * num_old_addresses * * although w2k3 screws it up * and uses num_old_addresses = 0 * * so we better fallback to the maximum * of num_old_addresses = 25 if we got * a timeout of less than 9s (5 + 4*1) * or more than 105s (5 + 4*25). */ ttl = packet->answers[0].ttl; if ((ttl < (5 + 4*1)) || (ttl > (5 + 4*25))) { ttl = 5 + 4*25; } req->timeout = ttl; req->te = tevent_add_timer(req->nbtsock->event_ctx, req, timeval_current_ofs(req->timeout, 0), nbt_name_socket_timeout, req); return; } req->replies = talloc_realloc(req, req->replies, struct nbt_name_reply, req->num_replies+1); if (req->replies == NULL) { nbt_name_request_destructor(req); req->state = NBT_REQUEST_ERROR; req->status = NT_STATUS_NO_MEMORY; goto done; } talloc_steal(req, src); req->replies[req->num_replies].dest = src; talloc_steal(req, packet); req->replies[req->num_replies].packet = packet; req->num_replies++; /* if we don't want multiple replies then we are done */ if (req->allow_multiple_replies && req->num_replies < NBT_MAX_REPLIES) { return; } nbt_name_request_destructor(req); req->state = NBT_REQUEST_DONE; req->status = NT_STATUS_OK; done: if (req->async.fn) { req->async.fn(req); } } /* handle fd events on a nbt_name_socket */ static void nbt_name_socket_handler(struct tevent_context *ev, struct tevent_fd *fde, uint16_t flags, void *private_data) { struct nbt_name_socket *nbtsock = talloc_get_type(private_data, struct nbt_name_socket); if (flags & TEVENT_FD_WRITE) { nbt_name_socket_send(nbtsock); } if (flags & TEVENT_FD_READ) { nbt_name_socket_recv(nbtsock); } } /* initialise a nbt_name_socket. The event_ctx is optional, if provided then operations will use that event context */ _PUBLIC_ struct nbt_name_socket *nbt_name_socket_init(TALLOC_CTX *mem_ctx, struct tevent_context *event_ctx) { struct nbt_name_socket *nbtsock; NTSTATUS status; nbtsock = talloc(mem_ctx, struct nbt_name_socket); if (nbtsock == NULL) goto failed; nbtsock->event_ctx = event_ctx; if (nbtsock->event_ctx == NULL) goto failed; status = socket_create(nbtsock, "ip", SOCKET_TYPE_DGRAM, &nbtsock->sock, 0); if (!NT_STATUS_IS_OK(status)) goto failed; socket_set_option(nbtsock->sock, "SO_BROADCAST", "1"); nbtsock->idr = idr_init(nbtsock); if (nbtsock->idr == NULL) goto failed; nbtsock->send_queue = NULL; nbtsock->num_pending = 0; nbtsock->incoming.handler = NULL; nbtsock->unexpected.handler = NULL; nbtsock->fde = tevent_add_fd(nbtsock->event_ctx, nbtsock, socket_get_fd(nbtsock->sock), 0, nbt_name_socket_handler, nbtsock); return nbtsock; failed: talloc_free(nbtsock); return NULL; } /* send off a nbt name request */ struct nbt_name_request *nbt_name_request_send(TALLOC_CTX *mem_ctx, struct nbt_name_socket *nbtsock, struct socket_address *dest, struct nbt_name_packet *request, int timeout, int retries, bool allow_multiple_replies) { struct nbt_name_request *req; int id; enum ndr_err_code ndr_err; req = talloc_zero(mem_ctx, struct nbt_name_request); if (req == NULL) goto failed; req->nbtsock = nbtsock; req->allow_multiple_replies = allow_multiple_replies; req->state = NBT_REQUEST_SEND; req->is_reply = false; req->timeout = timeout; req->num_retries = retries; req->dest = socket_address_copy(req, dest); if (req->dest == NULL) goto failed; /* we select a random transaction id unless the user supplied one */ if (request->name_trn_id == 0) { id = idr_get_new_random(req->nbtsock->idr, req, UINT16_MAX); } else { if (idr_find(req->nbtsock->idr, request->name_trn_id)) goto failed; id = idr_get_new_above(req->nbtsock->idr, req, request->name_trn_id, UINT16_MAX); } if (id == -1) goto failed; request->name_trn_id = id; req->name_trn_id = id; req->te = tevent_add_timer(nbtsock->event_ctx, req, timeval_current_ofs(req->timeout, 0), nbt_name_socket_timeout, req); talloc_set_destructor(req, nbt_name_request_destructor); ndr_err = ndr_push_struct_blob(&req->encoded, req, request, (ndr_push_flags_fn_t)ndr_push_nbt_name_packet); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) goto failed; DLIST_ADD_END(nbtsock->send_queue, req); if (DEBUGLVL(10)) { DEBUG(10,("Queueing nbt packet to %s:%d\n", req->dest->addr, req->dest->port)); NDR_PRINT_DEBUG(nbt_name_packet, request); } TEVENT_FD_WRITEABLE(nbtsock->fde); return req; failed: talloc_free(req); return NULL; } /* send off a nbt name reply */ _PUBLIC_ NTSTATUS nbt_name_reply_send(struct nbt_name_socket *nbtsock, struct socket_address *dest, struct nbt_name_packet *request) { struct nbt_name_request *req; enum ndr_err_code ndr_err; req = talloc_zero(nbtsock, struct nbt_name_request); NT_STATUS_HAVE_NO_MEMORY(req); req->nbtsock = nbtsock; req->dest = socket_address_copy(req, dest); if (req->dest == NULL) goto failed; req->state = NBT_REQUEST_SEND; req->is_reply = true; talloc_set_destructor(req, nbt_name_request_destructor); if (DEBUGLVL(10)) { NDR_PRINT_DEBUG(nbt_name_packet, request); } ndr_err = ndr_push_struct_blob(&req->encoded, req, request, (ndr_push_flags_fn_t)ndr_push_nbt_name_packet); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { talloc_free(req); return ndr_map_error2ntstatus(ndr_err); } DLIST_ADD_END(nbtsock->send_queue, req); TEVENT_FD_WRITEABLE(nbtsock->fde); return NT_STATUS_OK; failed: talloc_free(req); return NT_STATUS_NO_MEMORY; } /* wait for a nbt request to complete */ NTSTATUS nbt_name_request_recv(struct nbt_name_request *req) { if (!req) return NT_STATUS_NO_MEMORY; while (req->state < NBT_REQUEST_DONE) { if (tevent_loop_once(req->nbtsock->event_ctx) != 0) { req->state = NBT_REQUEST_ERROR; req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR; break; } } return req->status; } /* setup a handler for incoming requests */ _PUBLIC_ NTSTATUS nbt_set_incoming_handler(struct nbt_name_socket *nbtsock, void (*handler)(struct nbt_name_socket *, struct nbt_name_packet *, struct socket_address *), void *private_data) { nbtsock->incoming.handler = handler; nbtsock->incoming.private_data = private_data; TEVENT_FD_READABLE(nbtsock->fde); return NT_STATUS_OK; } /* setup a handler for unexpected requests */ NTSTATUS nbt_set_unexpected_handler(struct nbt_name_socket *nbtsock, void (*handler)(struct nbt_name_socket *, struct nbt_name_packet *, struct socket_address *), void *private_data) { nbtsock->unexpected.handler = handler; nbtsock->unexpected.private_data = private_data; TEVENT_FD_READABLE(nbtsock->fde); return NT_STATUS_OK; } /* turn a NBT rcode into a NTSTATUS */ _PUBLIC_ NTSTATUS nbt_rcode_to_ntstatus(uint8_t rcode) { size_t i; struct { enum nbt_rcode rcode; NTSTATUS status; } map[] = { { NBT_RCODE_FMT, NT_STATUS_INVALID_PARAMETER }, { NBT_RCODE_SVR, NT_STATUS_SERVER_DISABLED }, { NBT_RCODE_NAM, NT_STATUS_OBJECT_NAME_NOT_FOUND }, { NBT_RCODE_IMP, NT_STATUS_NOT_SUPPORTED }, { NBT_RCODE_RFS, NT_STATUS_ACCESS_DENIED }, { NBT_RCODE_ACT, NT_STATUS_ADDRESS_ALREADY_EXISTS }, { NBT_RCODE_CFT, NT_STATUS_CONFLICTING_ADDRESSES } }; for (i=0;i