static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data, size_t n, bool *is_data_outstanding) { uint32 pdu_remaining = 0; ssize_t data_returned = 0; if (!p) { DEBUG(0,("read_from_pipe: pipe not open\n")); return -1; } DEBUG(6,(" name: %s len: %u\n", get_pipe_name_from_syntax(talloc_tos(), &p->syntax), (unsigned int)n)); /* * We cannot return more than one PDU length per * read request. */ /* * This condition should result in the connection being closed. * Netapp filers seem to set it to 0xffff which results in domain * authentications failing. Just ignore it so things work. */ if(n > RPC_MAX_PDU_FRAG_LEN) { DEBUG(5,("read_from_pipe: too large read (%u) requested on " "pipe %s. We can only service %d sized reads.\n", (unsigned int)n, get_pipe_name_from_syntax(talloc_tos(), &p->syntax), RPC_MAX_PDU_FRAG_LEN )); n = RPC_MAX_PDU_FRAG_LEN; } /* * Determine if there is still data to send in the * pipe PDU buffer. Always send this first. Never * send more than is left in the current PDU. The * client should send a new read request for a new * PDU. */ pdu_remaining = p->out_data.frag.length - p->out_data.current_pdu_sent; if (pdu_remaining > 0) { data_returned = (ssize_t)MIN(n, pdu_remaining); DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, " "current_pdu_sent = %u returning %d bytes.\n", get_pipe_name_from_syntax(talloc_tos(), &p->syntax), (unsigned int)p->out_data.frag.length, (unsigned int)p->out_data.current_pdu_sent, (int)data_returned)); memcpy(data, p->out_data.frag.data + p->out_data.current_pdu_sent, data_returned); p->out_data.current_pdu_sent += (uint32)data_returned; goto out; } /* * At this point p->current_pdu_len == p->current_pdu_sent (which * may of course be zero if this is the first return fragment. */ DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length " "= %u, p->out_data.rdata.length = %u.\n", get_pipe_name_from_syntax(talloc_tos(), &p->syntax), (int)p->fault_state, (unsigned int)p->out_data.data_sent_length, (unsigned int)p->out_data.rdata.length)); if (p->out_data.data_sent_length >= p->out_data.rdata.length) { /* * We have sent all possible data, return 0. */ data_returned = 0; goto out; } /* * We need to create a new PDU from the data left in p->rdata. * Create the header/data/footers. This also sets up the fields * p->current_pdu_len, p->current_pdu_sent, p->data_sent_length * and stores the outgoing PDU in p->current_pdu. */ if(!create_next_pdu(p)) { DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n", get_pipe_name_from_syntax(talloc_tos(), &p->syntax))); return -1; } data_returned = MIN(n, p->out_data.frag.length); memcpy(data, p->out_data.frag.data, (size_t)data_returned); p->out_data.current_pdu_sent += (uint32)data_returned; out: (*is_data_outstanding) = p->out_data.frag.length > n; if (p->out_data.current_pdu_sent == p->out_data.frag.length) { /* We've returned everything in the out_data.frag * so we're done with this pdu. Free it and reset * current_pdu_sent. */ p->out_data.current_pdu_sent = 0; data_blob_free(&p->out_data.frag); if (p->out_data.data_sent_length >= p->out_data.rdata.length) { /* * We're completely finished with both outgoing and * incoming data streams. It's safe to free all * temporary data from this request. */ free_pipe_context(p); } } return data_returned; }
static bool process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p) { uint32 ss_padding_len = 0; size_t data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - (p->hdr.auth_len ? RPC_HDR_AUTH_LEN : 0) - p->hdr.auth_len; if(!p->pipe_bound) { DEBUG(0,("process_request_pdu: rpc request with no bind.\n")); set_incoming_fault(p); return False; } /* * Check if we need to do authentication processing. * This is only done on requests, not binds. */ /* * Read the RPC request header. */ if(!smb_io_rpc_hdr_req("req", &p->hdr_req, rpc_in_p, 0)) { DEBUG(0,("process_request_pdu: failed to unmarshall RPC_HDR_REQ.\n")); set_incoming_fault(p); return False; } switch(p->auth.auth_type) { case PIPE_AUTH_TYPE_NONE: break; case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP: case PIPE_AUTH_TYPE_NTLMSSP: { NTSTATUS status; if(!api_pipe_ntlmssp_auth_process(p, rpc_in_p, &ss_padding_len, &status)) { DEBUG(0,("process_request_pdu: failed to do auth processing.\n")); DEBUG(0,("process_request_pdu: error was %s.\n", nt_errstr(status) )); set_incoming_fault(p); return False; } break; } case PIPE_AUTH_TYPE_SCHANNEL: if (!api_pipe_schannel_process(p, rpc_in_p, &ss_padding_len)) { DEBUG(3,("process_request_pdu: failed to do schannel processing.\n")); set_incoming_fault(p); return False; } break; default: DEBUG(0,("process_request_pdu: unknown auth type %u set.\n", (unsigned int)p->auth.auth_type )); set_incoming_fault(p); return False; } /* Now we've done the sign/seal we can remove any padding data. */ if (data_len > ss_padding_len) { data_len -= ss_padding_len; } /* * Check the data length doesn't go over the 15Mb limit. * increased after observing a bug in the Windows NT 4.0 SP6a * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002 */ if(prs_offset(&p->in_data.data) + data_len > MAX_RPC_DATA_SIZE) { DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n", (unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len )); set_incoming_fault(p); return False; } /* * Append the data portion into the buffer and return. */ if(!prs_append_some_prs_data(&p->in_data.data, rpc_in_p, prs_offset(rpc_in_p), data_len)) { DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n", (unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) )); set_incoming_fault(p); return False; } if(p->hdr.flags & RPC_FLG_LAST) { bool ret = False; /* * Ok - we finally have a complete RPC stream. * Call the rpc command to process it. */ /* * Ensure the internal prs buffer size is *exactly* the same * size as the current offset. */ if(!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data))) { DEBUG(0,("process_request_pdu: Call to prs_set_buffer_size failed!\n")); set_incoming_fault(p); return False; } /* * Set the parse offset to the start of the data and set the * prs_struct to UNMARSHALL. */ prs_set_offset(&p->in_data.data, 0); prs_switch_type(&p->in_data.data, UNMARSHALL); /* * Process the complete data stream here. */ free_pipe_context(p); if(pipe_init_outgoing_data(p)) { ret = api_pipe_request(p); } free_pipe_context(p); /* * We have consumed the whole data stream. Set back to * marshalling and set the offset back to the start of * the buffer to re-use it (we could also do a prs_mem_free() * and then re_init on the next start of PDU. Not sure which * is best here.... JRA. */ prs_switch_type(&p->in_data.data, MARSHALL); prs_set_offset(&p->in_data.data, 0); return ret; } return True; }
static BOOL process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p) { BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0); size_t data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN - (auth_verify ? RPC_HDR_AUTH_LEN : 0) - p->hdr.auth_len; if(!p->pipe_bound) { DEBUG(0,("process_request_pdu: rpc request with no bind.\n")); set_incoming_fault(p); return False; } /* * Check if we need to do authentication processing. * This is only done on requests, not binds. */ /* * Read the RPC request header. */ if(!smb_io_rpc_hdr_req("req", &p->hdr_req, rpc_in_p, 0)) { DEBUG(0,("process_request_pdu: failed to unmarshall RPC_HDR_REQ.\n")); set_incoming_fault(p); return False; } if(p->ntlmssp_auth_validated && !api_pipe_auth_process(p, rpc_in_p)) { DEBUG(0,("process_request_pdu: failed to do auth processing.\n")); set_incoming_fault(p); return False; } if (p->ntlmssp_auth_requested && !p->ntlmssp_auth_validated) { /* * Authentication _was_ requested and it already failed. */ DEBUG(0,("process_request_pdu: RPC request received on pipe %s " "where authentication failed. Denying the request.\n", p->name)); set_incoming_fault(p); return False; } if (p->netsec_auth_validated && !api_pipe_netsec_process(p, rpc_in_p)) { DEBUG(3,("process_request_pdu: failed to do schannel processing.\n")); set_incoming_fault(p); return False; } /* * Check the data length doesn't go over the 15Mb limit. * increased after observing a bug in the Windows NT 4.0 SP6a * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002 */ if(prs_offset(&p->in_data.data) + data_len > 15*1024*1024) { DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n", (unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len )); set_incoming_fault(p); return False; } /* * Append the data portion into the buffer and return. */ if(!prs_append_some_prs_data(&p->in_data.data, rpc_in_p, prs_offset(rpc_in_p), data_len)) { DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n", (unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) )); set_incoming_fault(p); return False; } if(p->hdr.flags & RPC_FLG_LAST) { BOOL ret = False; /* * Ok - we finally have a complete RPC stream. * Call the rpc command to process it. */ /* * Ensure the internal prs buffer size is *exactly* the same * size as the current offset. */ if(!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data))) { DEBUG(0,("process_request_pdu: Call to prs_set_buffer_size failed!\n")); set_incoming_fault(p); return False; } /* * Set the parse offset to the start of the data and set the * prs_struct to UNMARSHALL. */ prs_set_offset(&p->in_data.data, 0); prs_switch_type(&p->in_data.data, UNMARSHALL); /* * Process the complete data stream here. */ free_pipe_context(p); if(pipe_init_outgoing_data(p)) ret = api_pipe_request(p); free_pipe_context(p); /* * We have consumed the whole data stream. Set back to * marshalling and set the offset back to the start of * the buffer to re-use it (we could also do a prs_mem_free() * and then re_init on the next start of PDU. Not sure which * is best here.... JRA. */ prs_switch_type(&p->in_data.data, MARSHALL); prs_set_offset(&p->in_data.data, 0); return ret; } return True; }