mirror of
https://github.com/samba-team/samba.git
synced 2025-01-21 18:04:06 +03:00
3cc0f1eeda
An empty UDP packet put the nbt server into a busy loop that consumes 100% of a cpu. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Autobuild-User(master): Karolin Seeger <kseeger@samba.org> Autobuild-Date(master): Thu Jul 2 10:26:24 UTC 2020 on sn-devel-184
565 lines
14 KiB
C
565 lines
14 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
|
|
low level socket handling for nbt requests
|
|
|
|
Copyright (C) Andrew Tridgell 2005
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "lib/events/events.h"
|
|
#include "../lib/util/dlinklist.h"
|
|
#include "../libcli/nbt/libnbt.h"
|
|
#include "../libcli/nbt/nbt_proto.h"
|
|
#include "lib/socket/socket.h"
|
|
#include "librpc/gen_ndr/ndr_nbt.h"
|
|
#include "param/param.h"
|
|
|
|
#define NBT_MAX_REPLIES 1000
|
|
|
|
/*
|
|
destroy a pending request
|
|
*/
|
|
static int nbt_name_request_destructor(struct nbt_name_request *req)
|
|
{
|
|
if (req->state == NBT_REQUEST_SEND) {
|
|
DLIST_REMOVE(req->nbtsock->send_queue, req);
|
|
}
|
|
if (req->state == NBT_REQUEST_WAIT) {
|
|
req->nbtsock->num_pending--;
|
|
}
|
|
if (req->name_trn_id != 0 && !req->is_reply) {
|
|
idr_remove(req->nbtsock->idr, req->name_trn_id);
|
|
req->name_trn_id = 0;
|
|
}
|
|
TALLOC_FREE(req->te);
|
|
if (req->nbtsock->send_queue == NULL) {
|
|
TEVENT_FD_NOT_WRITEABLE(req->nbtsock->fde);
|
|
}
|
|
if (req->nbtsock->num_pending == 0 &&
|
|
req->nbtsock->incoming.handler == NULL) {
|
|
TEVENT_FD_NOT_READABLE(req->nbtsock->fde);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
handle send events on a nbt name socket
|
|
*/
|
|
static void nbt_name_socket_send(struct nbt_name_socket *nbtsock)
|
|
{
|
|
struct nbt_name_request *req;
|
|
TALLOC_CTX *tmp_ctx = talloc_new(nbtsock);
|
|
NTSTATUS status;
|
|
|
|
while ((req = nbtsock->send_queue)) {
|
|
size_t len;
|
|
|
|
len = req->encoded.length;
|
|
status = socket_sendto(nbtsock->sock, &req->encoded, &len,
|
|
req->dest);
|
|
if (NT_STATUS_IS_ERR(status)) goto failed;
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
talloc_free(tmp_ctx);
|
|
return;
|
|
}
|
|
|
|
DLIST_REMOVE(nbtsock->send_queue, req);
|
|
req->state = NBT_REQUEST_WAIT;
|
|
if (req->is_reply) {
|
|
talloc_free(req);
|
|
} else {
|
|
TEVENT_FD_READABLE(nbtsock->fde);
|
|
nbtsock->num_pending++;
|
|
}
|
|
}
|
|
|
|
TEVENT_FD_NOT_WRITEABLE(nbtsock->fde);
|
|
talloc_free(tmp_ctx);
|
|
return;
|
|
|
|
failed:
|
|
DLIST_REMOVE(nbtsock->send_queue, req);
|
|
nbt_name_request_destructor(req);
|
|
req->status = status;
|
|
req->state = NBT_REQUEST_ERROR;
|
|
talloc_free(tmp_ctx);
|
|
if (req->async.fn) {
|
|
req->async.fn(req);
|
|
} else if (req->is_reply) {
|
|
talloc_free(req);
|
|
}
|
|
return;
|
|
}
|
|
|
|
|
|
/*
|
|
handle a request timeout
|
|
*/
|
|
static void nbt_name_socket_timeout(struct tevent_context *ev, struct tevent_timer *te,
|
|
struct timeval t, void *private_data)
|
|
{
|
|
struct nbt_name_request *req = talloc_get_type(private_data,
|
|
struct nbt_name_request);
|
|
|
|
if (req->num_retries != 0) {
|
|
req->num_retries--;
|
|
req->te = tevent_add_timer(req->nbtsock->event_ctx, req,
|
|
timeval_add(&t, req->timeout, 0),
|
|
nbt_name_socket_timeout, req);
|
|
if (req->state != NBT_REQUEST_SEND) {
|
|
req->state = NBT_REQUEST_SEND;
|
|
DLIST_ADD_END(req->nbtsock->send_queue, req);
|
|
}
|
|
TEVENT_FD_WRITEABLE(req->nbtsock->fde);
|
|
return;
|
|
}
|
|
|
|
nbt_name_request_destructor(req);
|
|
if (req->num_replies == 0) {
|
|
req->state = NBT_REQUEST_TIMEOUT;
|
|
req->status = NT_STATUS_IO_TIMEOUT;
|
|
} else {
|
|
req->state = NBT_REQUEST_DONE;
|
|
req->status = NT_STATUS_OK;
|
|
}
|
|
if (req->async.fn) {
|
|
req->async.fn(req);
|
|
} else if (req->is_reply) {
|
|
talloc_free(req);
|
|
}
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
handle recv events on a nbt name socket
|
|
*/
|
|
static void nbt_name_socket_recv(struct nbt_name_socket *nbtsock)
|
|
{
|
|
TALLOC_CTX *tmp_ctx = talloc_new(nbtsock);
|
|
NTSTATUS status;
|
|
enum ndr_err_code ndr_err;
|
|
struct socket_address *src;
|
|
DATA_BLOB blob;
|
|
size_t nread, dsize;
|
|
struct nbt_name_packet *packet;
|
|
struct nbt_name_request *req;
|
|
|
|
status = socket_pending(nbtsock->sock, &dsize);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
talloc_free(tmp_ctx);
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* Given a zero length, data_blob_talloc() returns the
|
|
* NULL blob {NULL, 0}.
|
|
*
|
|
* We only want to error return here on a real out of memory condition
|
|
* (i.e. dsize != 0, so the UDP packet has data, but the return of the
|
|
* allocation failed, so blob.data==NULL).
|
|
*
|
|
* Given an actual zero length UDP packet having blob.data == NULL
|
|
* isn't an out of memory error condition, that's the defined semantics
|
|
* of data_blob_talloc() when asked for zero bytes.
|
|
*
|
|
* We still need to continue to do the zero-length socket_recvfrom()
|
|
* read in order to clear the "read pending" condition on the socket.
|
|
*/
|
|
blob = data_blob_talloc(tmp_ctx, NULL, dsize);
|
|
if (blob.data == NULL && dsize != 0) {
|
|
talloc_free(tmp_ctx);
|
|
return;
|
|
}
|
|
|
|
status = socket_recvfrom(nbtsock->sock, blob.data, blob.length, &nread,
|
|
tmp_ctx, &src);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
talloc_free(tmp_ctx);
|
|
return;
|
|
}
|
|
|
|
packet = talloc(tmp_ctx, struct nbt_name_packet);
|
|
if (packet == NULL) {
|
|
talloc_free(tmp_ctx);
|
|
return;
|
|
}
|
|
|
|
/* parse the request */
|
|
ndr_err = ndr_pull_struct_blob(&blob, packet, packet,
|
|
(ndr_pull_flags_fn_t)ndr_pull_nbt_name_packet);
|
|
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
status = ndr_map_error2ntstatus(ndr_err);
|
|
DEBUG(2,("Failed to parse incoming NBT name packet - %s\n",
|
|
nt_errstr(status)));
|
|
talloc_free(tmp_ctx);
|
|
return;
|
|
}
|
|
|
|
if (DEBUGLVL(10)) {
|
|
DEBUG(10,("Received nbt packet of length %d from %s:%d\n",
|
|
(int)blob.length, src->addr, src->port));
|
|
NDR_PRINT_DEBUG(nbt_name_packet, packet);
|
|
}
|
|
|
|
/* if its not a reply then pass it off to the incoming request
|
|
handler, if any */
|
|
if (!(packet->operation & NBT_FLAG_REPLY)) {
|
|
if (nbtsock->incoming.handler) {
|
|
nbtsock->incoming.handler(nbtsock, packet, src);
|
|
}
|
|
talloc_free(tmp_ctx);
|
|
return;
|
|
}
|
|
|
|
/* find the matching request */
|
|
req = (struct nbt_name_request *)idr_find(nbtsock->idr,
|
|
packet->name_trn_id);
|
|
if (req == NULL) {
|
|
if (nbtsock->unexpected.handler) {
|
|
nbtsock->unexpected.handler(nbtsock, packet, src);
|
|
} else {
|
|
DEBUG(10,("Failed to match request for incoming name packet id 0x%04x on %p\n",
|
|
packet->name_trn_id, nbtsock));
|
|
}
|
|
talloc_free(tmp_ctx);
|
|
return;
|
|
}
|
|
|
|
talloc_steal(req, packet);
|
|
talloc_steal(req, src);
|
|
talloc_free(tmp_ctx);
|
|
nbt_name_socket_handle_response_packet(req, packet, src);
|
|
}
|
|
|
|
void nbt_name_socket_handle_response_packet(struct nbt_name_request *req,
|
|
struct nbt_name_packet *packet,
|
|
struct socket_address *src)
|
|
{
|
|
/* if this is a WACK response, this we need to go back to waiting,
|
|
but perhaps increase the timeout */
|
|
if ((packet->operation & NBT_OPCODE) == NBT_OPCODE_WACK) {
|
|
uint32_t ttl;
|
|
if (req->received_wack || packet->ancount < 1) {
|
|
nbt_name_request_destructor(req);
|
|
req->status = NT_STATUS_INVALID_NETWORK_RESPONSE;
|
|
req->state = NBT_REQUEST_ERROR;
|
|
goto done;
|
|
}
|
|
talloc_free(req->te);
|
|
/* we know we won't need any more retries - the server
|
|
has received our request */
|
|
req->num_retries = 0;
|
|
req->received_wack = true;
|
|
/*
|
|
* there is a timeout in the packet,
|
|
* it is 5 + 4 * num_old_addresses
|
|
*
|
|
* although w2k3 screws it up
|
|
* and uses num_old_addresses = 0
|
|
*
|
|
* so we better fallback to the maximum
|
|
* of num_old_addresses = 25 if we got
|
|
* a timeout of less than 9s (5 + 4*1)
|
|
* or more than 105s (5 + 4*25).
|
|
*/
|
|
ttl = packet->answers[0].ttl;
|
|
if ((ttl < (5 + 4*1)) || (ttl > (5 + 4*25))) {
|
|
ttl = 5 + 4*25;
|
|
}
|
|
req->timeout = ttl;
|
|
req->te = tevent_add_timer(req->nbtsock->event_ctx, req,
|
|
timeval_current_ofs(req->timeout, 0),
|
|
nbt_name_socket_timeout, req);
|
|
return;
|
|
}
|
|
|
|
|
|
req->replies = talloc_realloc(req, req->replies, struct nbt_name_reply, req->num_replies+1);
|
|
if (req->replies == NULL) {
|
|
nbt_name_request_destructor(req);
|
|
req->state = NBT_REQUEST_ERROR;
|
|
req->status = NT_STATUS_NO_MEMORY;
|
|
goto done;
|
|
}
|
|
|
|
talloc_steal(req, src);
|
|
req->replies[req->num_replies].dest = src;
|
|
talloc_steal(req, packet);
|
|
req->replies[req->num_replies].packet = packet;
|
|
req->num_replies++;
|
|
|
|
/* if we don't want multiple replies then we are done */
|
|
if (req->allow_multiple_replies &&
|
|
req->num_replies < NBT_MAX_REPLIES) {
|
|
return;
|
|
}
|
|
|
|
nbt_name_request_destructor(req);
|
|
req->state = NBT_REQUEST_DONE;
|
|
req->status = NT_STATUS_OK;
|
|
|
|
done:
|
|
if (req->async.fn) {
|
|
req->async.fn(req);
|
|
}
|
|
}
|
|
|
|
/*
|
|
handle fd events on a nbt_name_socket
|
|
*/
|
|
static void nbt_name_socket_handler(struct tevent_context *ev, struct tevent_fd *fde,
|
|
uint16_t flags, void *private_data)
|
|
{
|
|
struct nbt_name_socket *nbtsock = talloc_get_type(private_data,
|
|
struct nbt_name_socket);
|
|
if (flags & TEVENT_FD_WRITE) {
|
|
nbt_name_socket_send(nbtsock);
|
|
}
|
|
if (flags & TEVENT_FD_READ) {
|
|
nbt_name_socket_recv(nbtsock);
|
|
}
|
|
}
|
|
|
|
|
|
/*
|
|
initialise a nbt_name_socket. The event_ctx is optional, if provided
|
|
then operations will use that event context
|
|
*/
|
|
_PUBLIC_ struct nbt_name_socket *nbt_name_socket_init(TALLOC_CTX *mem_ctx,
|
|
struct tevent_context *event_ctx)
|
|
{
|
|
struct nbt_name_socket *nbtsock;
|
|
NTSTATUS status;
|
|
|
|
nbtsock = talloc(mem_ctx, struct nbt_name_socket);
|
|
if (nbtsock == NULL) goto failed;
|
|
|
|
nbtsock->event_ctx = event_ctx;
|
|
if (nbtsock->event_ctx == NULL) goto failed;
|
|
|
|
status = socket_create(nbtsock, "ip", SOCKET_TYPE_DGRAM,
|
|
&nbtsock->sock, 0);
|
|
if (!NT_STATUS_IS_OK(status)) goto failed;
|
|
|
|
socket_set_option(nbtsock->sock, "SO_BROADCAST", "1");
|
|
|
|
nbtsock->idr = idr_init(nbtsock);
|
|
if (nbtsock->idr == NULL) goto failed;
|
|
|
|
nbtsock->send_queue = NULL;
|
|
nbtsock->num_pending = 0;
|
|
nbtsock->incoming.handler = NULL;
|
|
nbtsock->unexpected.handler = NULL;
|
|
|
|
nbtsock->fde = tevent_add_fd(nbtsock->event_ctx, nbtsock,
|
|
socket_get_fd(nbtsock->sock), 0,
|
|
nbt_name_socket_handler, nbtsock);
|
|
|
|
return nbtsock;
|
|
|
|
failed:
|
|
talloc_free(nbtsock);
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
send off a nbt name request
|
|
*/
|
|
struct nbt_name_request *nbt_name_request_send(TALLOC_CTX *mem_ctx,
|
|
struct nbt_name_socket *nbtsock,
|
|
struct socket_address *dest,
|
|
struct nbt_name_packet *request,
|
|
int timeout, int retries,
|
|
bool allow_multiple_replies)
|
|
{
|
|
struct nbt_name_request *req;
|
|
int id;
|
|
enum ndr_err_code ndr_err;
|
|
|
|
req = talloc_zero(mem_ctx, struct nbt_name_request);
|
|
if (req == NULL) goto failed;
|
|
|
|
req->nbtsock = nbtsock;
|
|
req->allow_multiple_replies = allow_multiple_replies;
|
|
req->state = NBT_REQUEST_SEND;
|
|
req->is_reply = false;
|
|
req->timeout = timeout;
|
|
req->num_retries = retries;
|
|
req->dest = socket_address_copy(req, dest);
|
|
if (req->dest == NULL) goto failed;
|
|
|
|
/* we select a random transaction id unless the user supplied one */
|
|
if (request->name_trn_id == 0) {
|
|
id = idr_get_new_random(req->nbtsock->idr, req, UINT16_MAX);
|
|
} else {
|
|
if (idr_find(req->nbtsock->idr, request->name_trn_id)) goto failed;
|
|
id = idr_get_new_above(req->nbtsock->idr, req, request->name_trn_id,
|
|
UINT16_MAX);
|
|
}
|
|
if (id == -1) goto failed;
|
|
|
|
request->name_trn_id = id;
|
|
req->name_trn_id = id;
|
|
|
|
req->te = tevent_add_timer(nbtsock->event_ctx, req,
|
|
timeval_current_ofs(req->timeout, 0),
|
|
nbt_name_socket_timeout, req);
|
|
|
|
talloc_set_destructor(req, nbt_name_request_destructor);
|
|
|
|
ndr_err = ndr_push_struct_blob(&req->encoded, req,
|
|
request,
|
|
(ndr_push_flags_fn_t)ndr_push_nbt_name_packet);
|
|
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) goto failed;
|
|
|
|
DLIST_ADD_END(nbtsock->send_queue, req);
|
|
|
|
if (DEBUGLVL(10)) {
|
|
DEBUG(10,("Queueing nbt packet to %s:%d\n",
|
|
req->dest->addr, req->dest->port));
|
|
NDR_PRINT_DEBUG(nbt_name_packet, request);
|
|
}
|
|
|
|
TEVENT_FD_WRITEABLE(nbtsock->fde);
|
|
|
|
return req;
|
|
|
|
failed:
|
|
talloc_free(req);
|
|
return NULL;
|
|
}
|
|
|
|
|
|
/*
|
|
send off a nbt name reply
|
|
*/
|
|
_PUBLIC_ NTSTATUS nbt_name_reply_send(struct nbt_name_socket *nbtsock,
|
|
struct socket_address *dest,
|
|
struct nbt_name_packet *request)
|
|
{
|
|
struct nbt_name_request *req;
|
|
enum ndr_err_code ndr_err;
|
|
|
|
req = talloc_zero(nbtsock, struct nbt_name_request);
|
|
NT_STATUS_HAVE_NO_MEMORY(req);
|
|
|
|
req->nbtsock = nbtsock;
|
|
req->dest = socket_address_copy(req, dest);
|
|
if (req->dest == NULL) goto failed;
|
|
req->state = NBT_REQUEST_SEND;
|
|
req->is_reply = true;
|
|
|
|
talloc_set_destructor(req, nbt_name_request_destructor);
|
|
|
|
if (DEBUGLVL(10)) {
|
|
NDR_PRINT_DEBUG(nbt_name_packet, request);
|
|
}
|
|
|
|
ndr_err = ndr_push_struct_blob(&req->encoded, req,
|
|
request,
|
|
(ndr_push_flags_fn_t)ndr_push_nbt_name_packet);
|
|
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
talloc_free(req);
|
|
return ndr_map_error2ntstatus(ndr_err);
|
|
}
|
|
|
|
DLIST_ADD_END(nbtsock->send_queue, req);
|
|
|
|
TEVENT_FD_WRITEABLE(nbtsock->fde);
|
|
|
|
return NT_STATUS_OK;
|
|
|
|
failed:
|
|
talloc_free(req);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
/*
|
|
wait for a nbt request to complete
|
|
*/
|
|
NTSTATUS nbt_name_request_recv(struct nbt_name_request *req)
|
|
{
|
|
if (!req) return NT_STATUS_NO_MEMORY;
|
|
|
|
while (req->state < NBT_REQUEST_DONE) {
|
|
if (tevent_loop_once(req->nbtsock->event_ctx) != 0) {
|
|
req->state = NBT_REQUEST_ERROR;
|
|
req->status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
|
|
break;
|
|
}
|
|
}
|
|
return req->status;
|
|
}
|
|
|
|
|
|
/*
|
|
setup a handler for incoming requests
|
|
*/
|
|
_PUBLIC_ NTSTATUS nbt_set_incoming_handler(struct nbt_name_socket *nbtsock,
|
|
void (*handler)(struct nbt_name_socket *, struct nbt_name_packet *,
|
|
struct socket_address *),
|
|
void *private_data)
|
|
{
|
|
nbtsock->incoming.handler = handler;
|
|
nbtsock->incoming.private_data = private_data;
|
|
TEVENT_FD_READABLE(nbtsock->fde);
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
/*
|
|
setup a handler for unexpected requests
|
|
*/
|
|
NTSTATUS nbt_set_unexpected_handler(struct nbt_name_socket *nbtsock,
|
|
void (*handler)(struct nbt_name_socket *, struct nbt_name_packet *,
|
|
struct socket_address *),
|
|
void *private_data)
|
|
{
|
|
nbtsock->unexpected.handler = handler;
|
|
nbtsock->unexpected.private_data = private_data;
|
|
TEVENT_FD_READABLE(nbtsock->fde);
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
/*
|
|
turn a NBT rcode into a NTSTATUS
|
|
*/
|
|
_PUBLIC_ NTSTATUS nbt_rcode_to_ntstatus(uint8_t rcode)
|
|
{
|
|
size_t i;
|
|
struct {
|
|
enum nbt_rcode rcode;
|
|
NTSTATUS status;
|
|
} map[] = {
|
|
{ NBT_RCODE_FMT, NT_STATUS_INVALID_PARAMETER },
|
|
{ NBT_RCODE_SVR, NT_STATUS_SERVER_DISABLED },
|
|
{ NBT_RCODE_NAM, NT_STATUS_OBJECT_NAME_NOT_FOUND },
|
|
{ NBT_RCODE_IMP, NT_STATUS_NOT_SUPPORTED },
|
|
{ NBT_RCODE_RFS, NT_STATUS_ACCESS_DENIED },
|
|
{ NBT_RCODE_ACT, NT_STATUS_ADDRESS_ALREADY_EXISTS },
|
|
{ NBT_RCODE_CFT, NT_STATUS_CONFLICTING_ADDRESSES }
|
|
};
|
|
for (i=0;i<ARRAY_SIZE(map);i++) {
|
|
if (map[i].rcode == rcode) {
|
|
return map[i].status;
|
|
}
|
|
}
|
|
return NT_STATUS_UNSUCCESSFUL;
|
|
}
|