2
Unix SMB/CIFS implementation.
4
dcerpc over SMB transport
6
Copyright (C) Tim Potter 2003
7
Copyright (C) Andrew Tridgell 2003
9
This program is free software; you can redistribute it and/or modify
10
it under the terms of the GNU General Public License as published by
11
the Free Software Foundation; either version 3 of the License, or
12
(at your option) any later version.
14
This program is distributed in the hope that it will be useful,
15
but WITHOUT ANY WARRANTY; without even the implied warranty of
16
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
GNU General Public License for more details.
19
You should have received a copy of the GNU General Public License
20
along with this program. If not, see <http://www.gnu.org/licenses/>.
24
#include "libcli/raw/libcliraw.h"
25
#include "libcli/composite/composite.h"
26
#include "librpc/rpc/dcerpc.h"
27
#include "librpc/rpc/dcerpc_proto.h"
29
/* transport private information used by SMB pipe transport */
32
struct smbcli_tree *tree;
33
const char *server_name;
39
tell the dcerpc layer that the transport is dead
41
static void pipe_dead(struct dcerpc_connection *c, NTSTATUS status)
43
struct smb_private *smb = (struct smb_private *)c->transport.private_data;
51
if (NT_STATUS_EQUAL(NT_STATUS_UNSUCCESSFUL, status)) {
52
status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
55
if (NT_STATUS_EQUAL(NT_STATUS_OK, status)) {
56
status = NT_STATUS_END_OF_FILE;
59
if (c->transport.recv_data) {
60
c->transport.recv_data(c, NULL, status);
66
this holds the state of an in-flight call
68
struct smb_read_state {
69
struct dcerpc_connection *c;
70
struct smbcli_request *req;
77
called when a read request has completed
79
static void smb_read_callback(struct smbcli_request *req)
81
struct smb_private *smb;
82
struct smb_read_state *state;
87
state = talloc_get_type(req->async.private_data, struct smb_read_state);
88
smb = talloc_get_type(state->c->transport.private_data, struct smb_private);
91
status = smb_raw_read_recv(state->req, io);
92
if (NT_STATUS_IS_ERR(status)) {
93
pipe_dead(state->c, status);
98
state->received += io->readx.out.nread;
100
if (state->received < 16) {
101
DEBUG(0,("dcerpc_smb: short packet (length %d) in read callback!\n",
102
(int)state->received));
103
pipe_dead(state->c, NT_STATUS_INFO_LENGTH_MISMATCH);
108
frag_length = dcerpc_get_frag_length(&state->data);
110
if (frag_length <= state->received) {
111
DATA_BLOB data = state->data;
112
struct dcerpc_connection *c = state->c;
113
data.length = state->received;
114
talloc_steal(state->c, data.data);
116
c->transport.recv_data(c, &data, NT_STATUS_OK);
120
/* initiate another read request, as we only got part of a fragment */
121
state->data.data = talloc_realloc(state, state->data.data, uint8_t, frag_length);
123
io->readx.in.mincnt = MIN(state->c->srv_max_xmit_frag,
124
frag_length - state->received);
125
io->readx.in.maxcnt = io->readx.in.mincnt;
126
io->readx.out.data = state->data.data + state->received;
128
state->req = smb_raw_read_send(smb->tree, io);
129
if (state->req == NULL) {
130
pipe_dead(state->c, NT_STATUS_NO_MEMORY);
135
state->req->async.fn = smb_read_callback;
136
state->req->async.private_data = state;
140
trigger a read request from the server, possibly with some initial
141
data in the read buffer
143
static NTSTATUS send_read_request_continue(struct dcerpc_connection *c, DATA_BLOB *blob)
145
struct smb_private *smb = (struct smb_private *)c->transport.private_data;
147
struct smb_read_state *state;
148
struct smbcli_request *req;
150
state = talloc(smb, struct smb_read_state);
152
return NT_STATUS_NO_MEMORY;
158
state->data = data_blob_talloc(state, NULL, 0x2000);
160
uint32_t frag_length = blob->length>=16?
161
dcerpc_get_frag_length(blob):0x2000;
162
state->received = blob->length;
163
state->data = data_blob_talloc(state, NULL, frag_length);
164
if (!state->data.data) {
166
return NT_STATUS_NO_MEMORY;
168
memcpy(state->data.data, blob->data, blob->length);
171
state->io = talloc(state, union smb_read);
174
io->generic.level = RAW_READ_READX;
175
io->readx.in.file.fnum = smb->fnum;
176
io->readx.in.mincnt = state->data.length - state->received;
177
io->readx.in.maxcnt = io->readx.in.mincnt;
178
io->readx.in.offset = 0;
179
io->readx.in.remaining = 0;
180
io->readx.in.read_for_execute = false;
181
io->readx.out.data = state->data.data + state->received;
182
req = smb_raw_read_send(smb->tree, io);
184
return NT_STATUS_NO_MEMORY;
187
req->async.fn = smb_read_callback;
188
req->async.private_data = state;
197
trigger a read request from the server
199
static NTSTATUS send_read_request(struct dcerpc_connection *c)
201
struct smb_private *smb = (struct smb_private *)c->transport.private_data;
204
return NT_STATUS_CONNECTION_DISCONNECTED;
207
return send_read_request_continue(c, NULL);
211
this holds the state of an in-flight trans call
213
struct smb_trans_state {
214
struct dcerpc_connection *c;
215
struct smbcli_request *req;
216
struct smb_trans2 *trans;
220
called when a trans request has completed
222
static void smb_trans_callback(struct smbcli_request *req)
224
struct smb_trans_state *state = (struct smb_trans_state *)req->async.private_data;
225
struct dcerpc_connection *c = state->c;
228
status = smb_raw_trans_recv(req, state, state->trans);
230
if (NT_STATUS_IS_ERR(status)) {
231
pipe_dead(c, status);
235
if (!NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
236
DATA_BLOB data = state->trans->out.data;
237
talloc_steal(c, data.data);
239
c->transport.recv_data(c, &data, NT_STATUS_OK);
243
/* there is more to receive - setup a readx */
244
send_read_request_continue(c, &state->trans->out.data);
249
send a SMBtrans style request
251
static NTSTATUS smb_send_trans_request(struct dcerpc_connection *c, DATA_BLOB *blob)
253
struct smb_private *smb = (struct smb_private *)c->transport.private_data;
254
struct smb_trans2 *trans;
256
struct smb_trans_state *state;
259
state = talloc(smb, struct smb_trans_state);
261
return NT_STATUS_NO_MEMORY;
265
state->trans = talloc(state, struct smb_trans2);
266
trans = state->trans;
268
trans->in.data = *blob;
269
trans->in.params = data_blob(NULL, 0);
271
setup[0] = TRANSACT_DCERPCCMD;
272
setup[1] = smb->fnum;
274
if (c->srv_max_xmit_frag > 0) {
275
max_data = MIN(UINT16_MAX, c->srv_max_xmit_frag);
277
max_data = UINT16_MAX;
280
trans->in.max_param = 0;
281
trans->in.max_data = max_data;
282
trans->in.max_setup = 0;
283
trans->in.setup_count = 2;
285
trans->in.timeout = 0;
286
trans->in.setup = setup;
287
trans->in.trans_name = "\\PIPE\\";
289
state->req = smb_raw_trans_send(smb->tree, trans);
290
if (state->req == NULL) {
292
return NT_STATUS_NO_MEMORY;
295
state->req->async.fn = smb_trans_callback;
296
state->req->async.private_data = state;
298
talloc_steal(state, state->req);
304
called when a write request has completed
306
static void smb_write_callback(struct smbcli_request *req)
308
struct dcerpc_connection *c = (struct dcerpc_connection *)req->async.private_data;
310
if (!NT_STATUS_IS_OK(req->status)) {
311
DEBUG(0,("dcerpc_smb: write callback error\n"));
312
pipe_dead(c, req->status);
315
smbcli_request_destroy(req);
319
send a packet to the server
321
static NTSTATUS smb_send_request(struct dcerpc_connection *c, DATA_BLOB *blob,
324
struct smb_private *smb = (struct smb_private *)c->transport.private_data;
326
struct smbcli_request *req;
329
return NT_STATUS_CONNECTION_DISCONNECTED;
333
return smb_send_trans_request(c, blob);
336
io.generic.level = RAW_WRITE_WRITEX;
337
io.writex.in.file.fnum = smb->fnum;
338
io.writex.in.offset = 0;
339
io.writex.in.wmode = PIPE_START_MESSAGE;
340
io.writex.in.remaining = blob->length;
341
io.writex.in.count = blob->length;
342
io.writex.in.data = blob->data;
344
/* we must not timeout at the smb level for rpc requests, as otherwise
345
signing/sealing can be messed up */
346
smb->tree->session->transport->options.request_timeout = 0;
348
req = smb_raw_write_send(smb->tree, &io);
350
return NT_STATUS_NO_MEMORY;
353
req->async.fn = smb_write_callback;
354
req->async.private_data = c;
357
send_read_request(c);
364
shutdown SMB pipe connection
366
static NTSTATUS smb_shutdown_pipe(struct dcerpc_connection *c, NTSTATUS status)
368
struct smb_private *smb = (struct smb_private *)c->transport.private_data;
370
struct smbcli_request *req;
372
/* maybe we're still starting up */
373
if (!smb) return status;
375
io.close.level = RAW_CLOSE_CLOSE;
376
io.close.in.file.fnum = smb->fnum;
377
io.close.in.write_time = 0;
378
req = smb_raw_close_send(smb->tree, &io);
380
/* we don't care if this fails, so just free it if it succeeds */
381
req->async.fn = (void (*)(struct smbcli_request *))talloc_free;
390
return SMB server name (called name)
392
static const char *smb_peer_name(struct dcerpc_connection *c)
394
struct smb_private *smb = (struct smb_private *)c->transport.private_data;
395
return smb->server_name;
399
return remote name we make the actual connection (good for kerberos)
401
static const char *smb_target_hostname(struct dcerpc_connection *c)
403
struct smb_private *smb = talloc_get_type(c->transport.private_data, struct smb_private);
404
return smb->tree->session->transport->socket->hostname;
408
fetch the user session key
410
static NTSTATUS smb_session_key(struct dcerpc_connection *c, DATA_BLOB *session_key)
412
struct smb_private *smb = (struct smb_private *)c->transport.private_data;
414
if (smb->tree->session->user_session_key.data) {
415
*session_key = smb->tree->session->user_session_key;
418
return NT_STATUS_NO_USER_SESSION_KEY;
421
struct pipe_open_smb_state {
422
union smb_open *open;
423
struct dcerpc_connection *c;
424
struct smbcli_tree *tree;
425
struct composite_context *ctx;
428
static void pipe_open_recv(struct smbcli_request *req);
430
struct composite_context *dcerpc_pipe_open_smb_send(struct dcerpc_pipe *p,
431
struct smbcli_tree *tree,
432
const char *pipe_name)
434
struct composite_context *ctx;
435
struct pipe_open_smb_state *state;
436
struct smbcli_request *req;
437
struct dcerpc_connection *c = p->conn;
439
/* if we don't have a binding on this pipe yet, then create one */
440
if (p->binding == NULL) {
443
SMB_ASSERT(tree->session->transport->socket->hostname != NULL);
444
s = talloc_asprintf(p, "ncacn_np:%s", tree->session->transport->socket->hostname);
445
if (s == NULL) return NULL;
446
status = dcerpc_parse_binding(p, s, &p->binding);
448
if (!NT_STATUS_IS_OK(status)) {
453
ctx = composite_create(c, c->event_ctx);
454
if (ctx == NULL) return NULL;
456
state = talloc(ctx, struct pipe_open_smb_state);
457
if (composite_nomem(state, ctx)) return ctx;
458
ctx->private_data = state;
464
state->open = talloc(state, union smb_open);
465
if (composite_nomem(state->open, ctx)) return ctx;
467
state->open->ntcreatex.level = RAW_OPEN_NTCREATEX;
468
state->open->ntcreatex.in.flags = 0;
469
state->open->ntcreatex.in.root_fid = 0;
470
state->open->ntcreatex.in.access_mask =
471
SEC_STD_READ_CONTROL |
472
SEC_FILE_WRITE_ATTRIBUTE |
476
state->open->ntcreatex.in.file_attr = 0;
477
state->open->ntcreatex.in.alloc_size = 0;
478
state->open->ntcreatex.in.share_access =
479
NTCREATEX_SHARE_ACCESS_READ |
480
NTCREATEX_SHARE_ACCESS_WRITE;
481
state->open->ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
482
state->open->ntcreatex.in.create_options = 0;
483
state->open->ntcreatex.in.impersonation =
484
NTCREATEX_IMPERSONATION_IMPERSONATION;
485
state->open->ntcreatex.in.security_flags = 0;
487
if ((strncasecmp(pipe_name, "/pipe/", 6) == 0) ||
488
(strncasecmp(pipe_name, "\\pipe\\", 6) == 0)) {
491
state->open->ntcreatex.in.fname =
492
(pipe_name[0] == '\\') ?
493
talloc_strdup(state->open, pipe_name) :
494
talloc_asprintf(state->open, "\\%s", pipe_name);
495
if (composite_nomem(state->open->ntcreatex.in.fname, ctx)) return ctx;
497
req = smb_raw_open_send(tree, state->open);
498
composite_continue_smb(ctx, req, pipe_open_recv, state);
502
static void pipe_open_recv(struct smbcli_request *req)
504
struct pipe_open_smb_state *state = talloc_get_type(req->async.private_data,
505
struct pipe_open_smb_state);
506
struct composite_context *ctx = state->ctx;
507
struct dcerpc_connection *c = state->c;
508
struct smb_private *smb;
510
ctx->status = smb_raw_open_recv(req, state, state->open);
511
if (!composite_is_ok(ctx)) return;
514
fill in the transport methods
516
c->transport.transport = NCACN_NP;
517
c->transport.private_data = NULL;
518
c->transport.shutdown_pipe = smb_shutdown_pipe;
519
c->transport.peer_name = smb_peer_name;
520
c->transport.target_hostname = smb_target_hostname;
522
c->transport.send_request = smb_send_request;
523
c->transport.send_read = send_read_request;
524
c->transport.recv_data = NULL;
526
/* Over-ride the default session key with the SMB session key */
527
c->security_state.session_key = smb_session_key;
529
smb = talloc(c, struct smb_private);
530
if (composite_nomem(smb, ctx)) return;
532
smb->fnum = state->open->ntcreatex.out.file.fnum;
533
smb->tree = talloc_reference(smb, state->tree);
534
smb->server_name= strupper_talloc(smb,
535
state->tree->session->transport->called.name);
536
if (composite_nomem(smb->server_name, ctx)) return;
539
c->transport.private_data = smb;
544
NTSTATUS dcerpc_pipe_open_smb_recv(struct composite_context *c)
546
NTSTATUS status = composite_wait(c);
551
_PUBLIC_ NTSTATUS dcerpc_pipe_open_smb(struct dcerpc_pipe *p,
552
struct smbcli_tree *tree,
553
const char *pipe_name)
555
struct composite_context *ctx = dcerpc_pipe_open_smb_send(p, tree,
557
return dcerpc_pipe_open_smb_recv(ctx);
561
return the SMB tree used for a dcerpc over SMB pipe
563
_PUBLIC_ struct smbcli_tree *dcerpc_smb_tree(struct dcerpc_connection *c)
565
struct smb_private *smb;
567
if (c->transport.transport != NCACN_NP) return NULL;
569
smb = talloc_get_type(c->transport.private_data, struct smb_private);
570
if (!smb) return NULL;
576
return the SMB fnum used for a dcerpc over SMB pipe (hack for torture operations)
578
_PUBLIC_ uint16_t dcerpc_smb_fnum(struct dcerpc_connection *c)
580
struct smb_private *smb;
582
if (c->transport.transport != NCACN_NP) return 0;
584
smb = talloc_get_type(c->transport.private_data, struct smb_private);