static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
size_t n, bool *is_data_outstanding)
{
uint32 pdu_remaining = 0;
ssize_t data_returned = 0;
if (!p) {
DEBUG(0,("read_from_pipe: pipe not open\n"));
return -1;
}
DEBUG(6,(" name: %s len: %u\n",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
(unsigned int)n));
/*
* We cannot return more than one PDU length per
* read request.
*/
/*
* This condition should result in the connection being closed.
* Netapp filers seem to set it to 0xffff which results in domain
* authentications failing. Just ignore it so things work.
*/
if(n > RPC_MAX_PDU_FRAG_LEN) {
DEBUG(5,("read_from_pipe: too large read (%u) requested on "
"pipe %s. We can only service %d sized reads.\n",
(unsigned int)n,
get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
RPC_MAX_PDU_FRAG_LEN ));
n = RPC_MAX_PDU_FRAG_LEN;
}
/*
* Determine if there is still data to send in the
* pipe PDU buffer. Always send this first. Never
* send more than is left in the current PDU. The
* client should send a new read request for a new
* PDU.
*/
pdu_remaining = p->out_data.frag.length
- p->out_data.current_pdu_sent;
if (pdu_remaining > 0) {
data_returned = (ssize_t)MIN(n, pdu_remaining);
DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, "
"current_pdu_sent = %u returning %d bytes.\n",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
(unsigned int)p->out_data.frag.length,
(unsigned int)p->out_data.current_pdu_sent,
(int)data_returned));
memcpy(data,
p->out_data.frag.data
+ p->out_data.current_pdu_sent,
data_returned);
p->out_data.current_pdu_sent += (uint32)data_returned;
goto out;
}
/*
* At this point p->current_pdu_len == p->current_pdu_sent (which
* may of course be zero if this is the first return fragment.
*/
DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length "
"= %u, p->out_data.rdata.length = %u.\n",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
(int)p->fault_state,
(unsigned int)p->out_data.data_sent_length,
(unsigned int)p->out_data.rdata.length));
if (p->out_data.data_sent_length >= p->out_data.rdata.length) {
/*
* We have sent all possible data, return 0.
*/
data_returned = 0;
goto out;
}
/*
* We need to create a new PDU from the data left in p->rdata.
* Create the header/data/footers. This also sets up the fields
* p->current_pdu_len, p->current_pdu_sent, p->data_sent_length
* and stores the outgoing PDU in p->current_pdu.
*/
if(!create_next_pdu(p)) {
DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n",
get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
return -1;
}
data_returned = MIN(n, p->out_data.frag.length);
memcpy(data, p->out_data.frag.data, (size_t)data_returned);
p->out_data.current_pdu_sent += (uint32)data_returned;
out:
(*is_data_outstanding) = p->out_data.frag.length > n;
if (p->out_data.current_pdu_sent == p->out_data.frag.length) {
/* We've returned everything in the out_data.frag
* so we're done with this pdu. Free it and reset
* current_pdu_sent. */
p->out_data.current_pdu_sent = 0;
data_blob_free(&p->out_data.frag);
if (p->out_data.data_sent_length >= p->out_data.rdata.length) {
/*
* We're completely finished with both outgoing and
* incoming data streams. It's safe to free all
* temporary data from this request.
*/
free_pipe_context(p);
}
}
return data_returned;
}
static bool process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
{
uint32 ss_padding_len = 0;
size_t data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
(p->hdr.auth_len ? RPC_HDR_AUTH_LEN : 0) - p->hdr.auth_len;
if(!p->pipe_bound) {
DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
set_incoming_fault(p);
return False;
}
/*
* Check if we need to do authentication processing.
* This is only done on requests, not binds.
*/
/*
* Read the RPC request header.
*/
if(!smb_io_rpc_hdr_req("req", &p->hdr_req, rpc_in_p, 0)) {
DEBUG(0,("process_request_pdu: failed to unmarshall RPC_HDR_REQ.\n"));
set_incoming_fault(p);
return False;
}
switch(p->auth.auth_type) {
case PIPE_AUTH_TYPE_NONE:
break;
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
case PIPE_AUTH_TYPE_NTLMSSP:
{
NTSTATUS status;
if(!api_pipe_ntlmssp_auth_process(p, rpc_in_p, &ss_padding_len, &status)) {
DEBUG(0,("process_request_pdu: failed to do auth processing.\n"));
DEBUG(0,("process_request_pdu: error was %s.\n", nt_errstr(status) ));
set_incoming_fault(p);
return False;
}
break;
}
case PIPE_AUTH_TYPE_SCHANNEL:
if (!api_pipe_schannel_process(p, rpc_in_p, &ss_padding_len)) {
DEBUG(3,("process_request_pdu: failed to do schannel processing.\n"));
set_incoming_fault(p);
return False;
}
break;
default:
DEBUG(0,("process_request_pdu: unknown auth type %u set.\n", (unsigned int)p->auth.auth_type ));
set_incoming_fault(p);
return False;
}
/* Now we've done the sign/seal we can remove any padding data. */
if (data_len > ss_padding_len) {
data_len -= ss_padding_len;
}
/*
* Check the data length doesn't go over the 15Mb limit.
* increased after observing a bug in the Windows NT 4.0 SP6a
* spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
* will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
*/
if(prs_offset(&p->in_data.data) + data_len > MAX_RPC_DATA_SIZE) {
DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
(unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len ));
set_incoming_fault(p);
return False;
}
/*
* Append the data portion into the buffer and return.
*/
if(!prs_append_some_prs_data(&p->in_data.data, rpc_in_p, prs_offset(rpc_in_p), data_len)) {
DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n",
(unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) ));
set_incoming_fault(p);
return False;
}
if(p->hdr.flags & RPC_FLG_LAST) {
bool ret = False;
/*
* Ok - we finally have a complete RPC stream.
* Call the rpc command to process it.
*/
/*
* Ensure the internal prs buffer size is *exactly* the same
* size as the current offset.
*/
if(!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data))) {
DEBUG(0,("process_request_pdu: Call to prs_set_buffer_size failed!\n"));
set_incoming_fault(p);
return False;
}
/*
* Set the parse offset to the start of the data and set the
* prs_struct to UNMARSHALL.
*/
prs_set_offset(&p->in_data.data, 0);
prs_switch_type(&p->in_data.data, UNMARSHALL);
/*
* Process the complete data stream here.
*/
free_pipe_context(p);
if(pipe_init_outgoing_data(p)) {
ret = api_pipe_request(p);
}
free_pipe_context(p);
/*
* We have consumed the whole data stream. Set back to
* marshalling and set the offset back to the start of
* the buffer to re-use it (we could also do a prs_mem_free()
* and then re_init on the next start of PDU. Not sure which
* is best here.... JRA.
*/
prs_switch_type(&p->in_data.data, MARSHALL);
prs_set_offset(&p->in_data.data, 0);
return ret;
}
return True;
}
static BOOL process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
{
BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
size_t data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
(auth_verify ? RPC_HDR_AUTH_LEN : 0) - p->hdr.auth_len;
if(!p->pipe_bound) {
DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
set_incoming_fault(p);
return False;
}
/*
* Check if we need to do authentication processing.
* This is only done on requests, not binds.
*/
/*
* Read the RPC request header.
*/
if(!smb_io_rpc_hdr_req("req", &p->hdr_req, rpc_in_p, 0)) {
DEBUG(0,("process_request_pdu: failed to unmarshall RPC_HDR_REQ.\n"));
set_incoming_fault(p);
return False;
}
if(p->ntlmssp_auth_validated && !api_pipe_auth_process(p, rpc_in_p)) {
DEBUG(0,("process_request_pdu: failed to do auth processing.\n"));
set_incoming_fault(p);
return False;
}
if (p->ntlmssp_auth_requested && !p->ntlmssp_auth_validated) {
/*
* Authentication _was_ requested and it already failed.
*/
DEBUG(0,("process_request_pdu: RPC request received on pipe %s "
"where authentication failed. Denying the request.\n",
p->name));
set_incoming_fault(p);
return False;
}
if (p->netsec_auth_validated && !api_pipe_netsec_process(p, rpc_in_p)) {
DEBUG(3,("process_request_pdu: failed to do schannel processing.\n"));
set_incoming_fault(p);
return False;
}
/*
* Check the data length doesn't go over the 15Mb limit.
* increased after observing a bug in the Windows NT 4.0 SP6a
* spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
* will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
*/
if(prs_offset(&p->in_data.data) + data_len > 15*1024*1024) {
DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
(unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len ));
set_incoming_fault(p);
return False;
}
/*
* Append the data portion into the buffer and return.
*/
if(!prs_append_some_prs_data(&p->in_data.data, rpc_in_p, prs_offset(rpc_in_p), data_len)) {
DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n",
(unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) ));
set_incoming_fault(p);
return False;
}
if(p->hdr.flags & RPC_FLG_LAST) {
BOOL ret = False;
/*
* Ok - we finally have a complete RPC stream.
* Call the rpc command to process it.
*/
/*
* Ensure the internal prs buffer size is *exactly* the same
* size as the current offset.
*/
if(!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data)))
{
DEBUG(0,("process_request_pdu: Call to prs_set_buffer_size failed!\n"));
set_incoming_fault(p);
return False;
}
/*
* Set the parse offset to the start of the data and set the
* prs_struct to UNMARSHALL.
*/
prs_set_offset(&p->in_data.data, 0);
prs_switch_type(&p->in_data.data, UNMARSHALL);
/*
* Process the complete data stream here.
*/
free_pipe_context(p);
if(pipe_init_outgoing_data(p))
ret = api_pipe_request(p);
free_pipe_context(p);
/*
* We have consumed the whole data stream. Set back to
* marshalling and set the offset back to the start of
* the buffer to re-use it (we could also do a prs_mem_free()
* and then re_init on the next start of PDU. Not sure which
* is best here.... JRA.
*/
prs_switch_type(&p->in_data.data, MARSHALL);
prs_set_offset(&p->in_data.data, 0);
return ret;
}
return True;
}
