2
Unix SMB/CIFS implementation.
4
dcerpc over SMB2 transport
6
Copyright (C) Andrew Tridgell 2005
8
This program is free software; you can redistribute it and/or modify
9
it under the terms of the GNU General Public License as published by
10
the Free Software Foundation; either version 3 of the License, or
11
(at your option) any later version.
13
This program is distributed in the hope that it will be useful,
14
but WITHOUT ANY WARRANTY; without even the implied warranty of
15
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
GNU General Public License for more details.
18
You should have received a copy of the GNU General Public License
19
along with this program. If not, see <http://www.gnu.org/licenses/>.
23
#include "libcli/raw/libcliraw.h"
24
#include "libcli/composite/composite.h"
25
#include "libcli/smb2/smb2.h"
26
#include "libcli/smb2/smb2_calls.h"
27
#include "libcli/raw/ioctl.h"
28
#include "librpc/rpc/dcerpc.h"
29
#include "librpc/rpc/dcerpc_proto.h"
31
/* transport private information used by SMB2 pipe transport */
33
struct smb2_handle handle;
34
struct smb2_tree *tree;
35
const char *server_name;
41
tell the dcerpc layer that the transport is dead
43
static void pipe_dead(struct dcerpc_connection *c, NTSTATUS status)
45
struct smb2_private *smb = (struct smb2_private *)c->transport.private_data;
53
if (NT_STATUS_EQUAL(NT_STATUS_UNSUCCESSFUL, status)) {
54
status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
57
if (NT_STATUS_EQUAL(NT_STATUS_OK, status)) {
58
status = NT_STATUS_END_OF_FILE;
61
if (c->transport.recv_data) {
62
c->transport.recv_data(c, NULL, status);
68
this holds the state of an in-flight call
70
struct smb2_read_state {
71
struct dcerpc_connection *c;
76
called when a read request has completed
78
static void smb2_read_callback(struct smb2_request *req)
80
struct smb2_private *smb;
81
struct smb2_read_state *state;
86
state = talloc_get_type(req->async.private_data, struct smb2_read_state);
87
smb = talloc_get_type(state->c->transport.private_data, struct smb2_private);
89
status = smb2_read_recv(req, state, &io);
90
if (NT_STATUS_IS_ERR(status)) {
91
pipe_dead(state->c, status);
96
if (!data_blob_append(state, &state->data,
97
io.out.data.data, io.out.data.length)) {
98
pipe_dead(state->c, NT_STATUS_NO_MEMORY);
103
if (state->data.length < 16) {
104
DEBUG(0,("dcerpc_smb2: short packet (length %d) in read callback!\n",
105
(int)state->data.length));
106
pipe_dead(state->c, NT_STATUS_INFO_LENGTH_MISMATCH);
111
frag_length = dcerpc_get_frag_length(&state->data);
113
if (frag_length <= state->data.length) {
114
DATA_BLOB data = state->data;
115
struct dcerpc_connection *c = state->c;
116
talloc_steal(c, data.data);
118
c->transport.recv_data(c, &data, NT_STATUS_OK);
122
/* initiate another read request, as we only got part of a fragment */
124
io.in.file.handle = smb->handle;
125
io.in.length = MIN(state->c->srv_max_xmit_frag,
126
frag_length - state->data.length);
127
if (io.in.length < 16) {
131
req = smb2_read_send(smb->tree, &io);
133
pipe_dead(state->c, NT_STATUS_NO_MEMORY);
138
req->async.fn = smb2_read_callback;
139
req->async.private_data = state;
144
trigger a read request from the server, possibly with some initial
145
data in the read buffer
147
static NTSTATUS send_read_request_continue(struct dcerpc_connection *c, DATA_BLOB *blob)
149
struct smb2_private *smb = (struct smb2_private *)c->transport.private_data;
151
struct smb2_read_state *state;
152
struct smb2_request *req;
154
state = talloc(smb, struct smb2_read_state);
156
return NT_STATUS_NO_MEMORY;
161
state->data = data_blob(NULL, 0);
164
talloc_steal(state, state->data.data);
168
io.in.file.handle = smb->handle;
170
if (state->data.length >= 16) {
171
uint16_t frag_length = dcerpc_get_frag_length(&state->data);
172
io.in.length = frag_length - state->data.length;
174
io.in.length = 0x2000;
177
req = smb2_read_send(smb->tree, &io);
179
return NT_STATUS_NO_MEMORY;
182
req->async.fn = smb2_read_callback;
183
req->async.private_data = state;
190
trigger a read request from the server
192
static NTSTATUS send_read_request(struct dcerpc_connection *c)
194
struct smb2_private *smb = (struct smb2_private *)c->transport.private_data;
197
return NT_STATUS_CONNECTION_DISCONNECTED;
200
return send_read_request_continue(c, NULL);
204
this holds the state of an in-flight trans call
206
struct smb2_trans_state {
207
struct dcerpc_connection *c;
211
called when a trans request has completed
213
static void smb2_trans_callback(struct smb2_request *req)
215
struct smb2_trans_state *state = talloc_get_type(req->async.private_data,
216
struct smb2_trans_state);
217
struct dcerpc_connection *c = state->c;
219
struct smb2_ioctl io;
221
status = smb2_ioctl_recv(req, state, &io);
222
if (NT_STATUS_IS_ERR(status)) {
223
pipe_dead(c, status);
227
if (!NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
228
DATA_BLOB data = io.out.out;
229
talloc_steal(c, data.data);
231
c->transport.recv_data(c, &data, NT_STATUS_OK);
235
/* there is more to receive - setup a read */
236
send_read_request_continue(c, &io.out.out);
241
send a SMBtrans style request, using a named pipe read_write fsctl
243
static NTSTATUS smb2_send_trans_request(struct dcerpc_connection *c, DATA_BLOB *blob)
245
struct smb2_private *smb = talloc_get_type(c->transport.private_data,
246
struct smb2_private);
247
struct smb2_ioctl io;
248
struct smb2_trans_state *state;
249
struct smb2_request *req;
251
state = talloc(smb, struct smb2_trans_state);
253
return NT_STATUS_NO_MEMORY;
259
io.in.file.handle = smb->handle;
260
io.in.function = FSCTL_NAMED_PIPE_READ_WRITE;
261
io.in.max_response_size = 0x1000;
265
req = smb2_ioctl_send(smb->tree, &io);
268
return NT_STATUS_NO_MEMORY;
271
req->async.fn = smb2_trans_callback;
272
req->async.private_data = state;
274
talloc_steal(state, req);
280
called when a write request has completed
282
static void smb2_write_callback(struct smb2_request *req)
284
struct dcerpc_connection *c = (struct dcerpc_connection *)req->async.private_data;
286
if (!NT_STATUS_IS_OK(req->status)) {
287
DEBUG(0,("dcerpc_smb2: write callback error\n"));
288
pipe_dead(c, req->status);
291
smb2_request_destroy(req);
295
send a packet to the server
297
static NTSTATUS smb2_send_request(struct dcerpc_connection *c, DATA_BLOB *blob,
300
struct smb2_private *smb = (struct smb2_private *)c->transport.private_data;
301
struct smb2_write io;
302
struct smb2_request *req;
305
return NT_STATUS_CONNECTION_DISCONNECTED;
309
return smb2_send_trans_request(c, blob);
313
io.in.file.handle = smb->handle;
316
req = smb2_write_send(smb->tree, &io);
318
return NT_STATUS_NO_MEMORY;
321
req->async.fn = smb2_write_callback;
322
req->async.private_data = c;
328
shutdown SMB pipe connection
330
static NTSTATUS smb2_shutdown_pipe(struct dcerpc_connection *c, NTSTATUS status)
332
struct smb2_private *smb = (struct smb2_private *)c->transport.private_data;
333
struct smb2_close io;
334
struct smb2_request *req;
336
/* maybe we're still starting up */
337
if (!smb) return status;
340
io.in.file.handle = smb->handle;
341
req = smb2_close_send(smb->tree, &io);
343
/* we don't care if this fails, so just free it if it succeeds */
344
req->async.fn = (void (*)(struct smb2_request *))talloc_free;
353
return SMB server name
355
static const char *smb2_peer_name(struct dcerpc_connection *c)
357
struct smb2_private *smb = talloc_get_type(c->transport.private_data,
358
struct smb2_private);
359
return smb->server_name;
363
return remote name we make the actual connection (good for kerberos)
365
static const char *smb2_target_hostname(struct dcerpc_connection *c)
367
struct smb2_private *smb = talloc_get_type(c->transport.private_data,
368
struct smb2_private);
369
return smb->tree->session->transport->socket->hostname;
373
fetch the user session key
375
static NTSTATUS smb2_session_key(struct dcerpc_connection *c, DATA_BLOB *session_key)
377
struct smb2_private *smb = talloc_get_type(c->transport.private_data,
378
struct smb2_private);
379
*session_key = smb->tree->session->session_key;
380
if (session_key->data == NULL) {
381
return NT_STATUS_NO_USER_SESSION_KEY;
386
struct pipe_open_smb2_state {
387
struct dcerpc_connection *c;
388
struct composite_context *ctx;
391
static void pipe_open_recv(struct smb2_request *req);
393
struct composite_context *dcerpc_pipe_open_smb2_send(struct dcerpc_pipe *p,
394
struct smb2_tree *tree,
395
const char *pipe_name)
397
struct composite_context *ctx;
398
struct pipe_open_smb2_state *state;
399
struct smb2_create io;
400
struct smb2_request *req;
401
struct dcerpc_connection *c = p->conn;
403
ctx = composite_create(c, c->event_ctx);
404
if (ctx == NULL) return NULL;
406
state = talloc(ctx, struct pipe_open_smb2_state);
407
if (composite_nomem(state, ctx)) return ctx;
408
ctx->private_data = state;
414
io.in.desired_access =
415
SEC_STD_READ_CONTROL |
416
SEC_FILE_READ_ATTRIBUTE |
417
SEC_FILE_WRITE_ATTRIBUTE |
418
SEC_STD_SYNCHRONIZE |
422
SEC_FILE_WRITE_DATA |
423
SEC_FILE_APPEND_DATA;
425
NTCREATEX_SHARE_ACCESS_READ |
426
NTCREATEX_SHARE_ACCESS_WRITE;
427
io.in.create_disposition = NTCREATEX_DISP_OPEN;
428
io.in.create_options =
429
NTCREATEX_OPTIONS_NON_DIRECTORY_FILE |
430
NTCREATEX_OPTIONS_NO_RECALL;
431
io.in.impersonation_level = NTCREATEX_IMPERSONATION_IMPERSONATION;
433
if ((strncasecmp(pipe_name, "/pipe/", 6) == 0) ||
434
(strncasecmp(pipe_name, "\\pipe\\", 6) == 0)) {
437
io.in.fname = pipe_name;
439
req = smb2_create_send(tree, &io);
440
composite_continue_smb2(ctx, req, pipe_open_recv, state);
444
static void pipe_open_recv(struct smb2_request *req)
446
struct pipe_open_smb2_state *state =
447
talloc_get_type(req->async.private_data,
448
struct pipe_open_smb2_state);
449
struct composite_context *ctx = state->ctx;
450
struct dcerpc_connection *c = state->c;
451
struct smb2_tree *tree = req->tree;
452
struct smb2_private *smb;
453
struct smb2_create io;
455
ctx->status = smb2_create_recv(req, state, &io);
456
if (!composite_is_ok(ctx)) return;
459
fill in the transport methods
461
c->transport.transport = NCACN_NP;
462
c->transport.private_data = NULL;
463
c->transport.shutdown_pipe = smb2_shutdown_pipe;
464
c->transport.peer_name = smb2_peer_name;
465
c->transport.target_hostname = smb2_target_hostname;
467
c->transport.send_request = smb2_send_request;
468
c->transport.send_read = send_read_request;
469
c->transport.recv_data = NULL;
471
/* Over-ride the default session key with the SMB session key */
472
c->security_state.session_key = smb2_session_key;
474
smb = talloc(c, struct smb2_private);
475
if (composite_nomem(smb, ctx)) return;
477
smb->handle = io.out.file.handle;
478
smb->tree = talloc_reference(smb, tree);
479
smb->server_name= strupper_talloc(smb,
480
tree->session->transport->socket->hostname);
481
if (composite_nomem(smb->server_name, ctx)) return;
484
c->transport.private_data = smb;
489
NTSTATUS dcerpc_pipe_open_smb2_recv(struct composite_context *c)
491
NTSTATUS status = composite_wait(c);
496
NTSTATUS dcerpc_pipe_open_smb2(struct dcerpc_pipe *p,
497
struct smb2_tree *tree,
498
const char *pipe_name)
500
struct composite_context *ctx = dcerpc_pipe_open_smb2_send(p, tree, pipe_name);
501
return dcerpc_pipe_open_smb2_recv(ctx);
505
return the SMB2 tree used for a dcerpc over SMB2 pipe
507
struct smb2_tree *dcerpc_smb2_tree(struct dcerpc_connection *c)
509
struct smb2_private *smb = talloc_get_type(c->transport.private_data,
510
struct smb2_private);