static bool api_pipe_bind_req(struct pipes_struct *p,
struct ncacn_packet *pkt)
{
struct dcerpc_auth auth_info = {0};
uint16_t assoc_gid;
unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
NTSTATUS status;
struct ndr_syntax_id id;
uint8_t pfc_flags = 0;
union dcerpc_payload u;
struct dcerpc_ack_ctx bind_ack_ctx;
DATA_BLOB auth_resp = data_blob_null;
DATA_BLOB auth_blob = data_blob_null;
const struct ndr_interface_table *table;
/* No rebinds on a bound pipe - use alter context. */
if (p->pipe_bound) {
DEBUG(2,("Rejecting bind request on bound rpc connection\n"));
return setup_bind_nak(p, pkt);
}
if (pkt->u.bind.num_contexts == 0) {
DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
goto err_exit;
}
/*
* Try and find the correct pipe name to ensure
* that this is a pipe name we support.
*/
id = pkt->u.bind.ctx_list[0].abstract_syntax;
table = ndr_table_by_uuid(&id.uuid);
if (table == NULL) {
DEBUG(0,("unknown interface\n"));
return false;
}
if (rpc_srv_pipe_exists_by_id(&id)) {
DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
rpc_srv_get_pipe_cli_name(&id),
rpc_srv_get_pipe_srv_name(&id)));
} else {
status = smb_probe_module(
"rpc", dcerpc_default_transport_endpoint(pkt,
NCACN_NP, table));
if (NT_STATUS_IS_ERR(status)) {
DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
"%s in bind request.\n",
ndr_interface_name(&id.uuid,
id.if_version)));
return setup_bind_nak(p, pkt);
}
if (rpc_srv_get_pipe_interface_by_cli_name(
dcerpc_default_transport_endpoint(pkt,
NCACN_NP, table),
&id)) {
DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
rpc_srv_get_pipe_cli_name(&id),
rpc_srv_get_pipe_srv_name(&id)));
} else {
DEBUG(0, ("module %s doesn't provide functions for "
"pipe %s!\n",
ndr_interface_name(&id.uuid,
id.if_version),
ndr_interface_name(&id.uuid,
id.if_version)));
return setup_bind_nak(p, pkt);
}
}
DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
if (pkt->u.bind.assoc_group_id != 0) {
assoc_gid = pkt->u.bind.assoc_group_id;
} else {
assoc_gid = 0x53f0;
}
/*
* Create the bind response struct.
*/
/* If the requested abstract synt uuid doesn't match our client pipe,
reject the bind_ack & set the transfer interface synt to all 0's,
ver 0 (observed when NT5 attempts to bind to abstract interfaces
unknown to NT4)
Needed when adding entries to a DACL from NT5 - SK */
if (check_bind_req(p,
&pkt->u.bind.ctx_list[0].abstract_syntax,
&pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
pkt->u.bind.ctx_list[0].context_id)) {
bind_ack_ctx.result = 0;
bind_ack_ctx.reason.value = 0;
bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
} else {
p->pipe_bound = False;
/* Rejection reason: abstract syntax not supported */
bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
bind_ack_ctx.reason.value = DCERPC_BIND_REASON_ASYNTAX;
bind_ack_ctx.syntax = ndr_syntax_id_null;
}
/*
* Check if this is an authenticated bind request.
*/
if (pkt->auth_length) {
/* Quick length check. Won't catch a bad auth footer,
* prevents overrun. */
if (pkt->frag_length < RPC_HEADER_LEN +
DCERPC_AUTH_TRAILER_LENGTH +
pkt->auth_length) {
DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
"too long for fragment %u.\n",
(unsigned int)pkt->auth_length,
(unsigned int)pkt->frag_length));
goto err_exit;
}
/*
* Decode the authentication verifier.
*/
status = dcerpc_pull_dcerpc_auth(pkt,
&pkt->u.bind.auth_info,
&auth_info, p->endian);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
goto err_exit;
}
auth_type = auth_info.auth_type;
/* Work out if we have to sign or seal etc. */
switch (auth_info.auth_level) {
case DCERPC_AUTH_LEVEL_INTEGRITY:
p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
break;
case DCERPC_AUTH_LEVEL_PRIVACY:
p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
break;
case DCERPC_AUTH_LEVEL_CONNECT:
p->auth.auth_level = DCERPC_AUTH_LEVEL_CONNECT;
break;
default:
DEBUG(0, ("Unexpected auth level (%u).\n",
(unsigned int)auth_info.auth_level ));
goto err_exit;
}
switch (auth_type) {
case DCERPC_AUTH_TYPE_NONE:
break;
default:
if (!pipe_auth_generic_bind(p, pkt,
&auth_info, &auth_resp)) {
goto err_exit;
}
break;
}
}
if (auth_type == DCERPC_AUTH_TYPE_NONE) {
/* Unauthenticated bind request. */
/* We're finished - no more packets. */
p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
/* We must set the pipe auth_level here also. */
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
p->pipe_bound = True;
/* The session key was initialized from the SMB
* session in make_internal_rpc_pipe_p */
}
ZERO_STRUCT(u.bind_ack);
u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
u.bind_ack.assoc_group_id = assoc_gid;
/* name has to be \PIPE\xxxxx */
u.bind_ack.secondary_address =
talloc_asprintf(pkt, "\\PIPE\\%s",
rpc_srv_get_pipe_srv_name(&id));
if (!u.bind_ack.secondary_address) {
DEBUG(0, ("Out of memory!\n"));
goto err_exit;
}
u.bind_ack.secondary_address_size =
strlen(u.bind_ack.secondary_address) + 1;
u.bind_ack.num_results = 1;
u.bind_ack.ctx_list = &bind_ack_ctx;
/* NOTE: We leave the auth_info empty so we can calculate the padding
* later and then append the auth_info --simo */
/*
* Marshall directly into the outgoing PDU space. We
* must do this as we need to set to the bind response
* header and are never sending more than one PDU here.
*/
pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
if (p->auth.hdr_signing) {
pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
}
status = dcerpc_push_ncacn_packet(p->mem_ctx,
DCERPC_PKT_BIND_ACK,
pfc_flags,
auth_resp.length,
pkt->call_id,
&u,
&p->out_data.frag);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
nt_errstr(status)));
}
if (auth_resp.length) {
status = dcerpc_push_dcerpc_auth(pkt,
auth_type,
auth_info.auth_level,
0,
1, /* auth_context_id */
&auth_resp,
&auth_blob);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
goto err_exit;
}
}
/* Now that we have the auth len store it into the right place in
* the dcerpc header */
dcerpc_set_frag_length(&p->out_data.frag,
p->out_data.frag.length + auth_blob.length);
if (auth_blob.length) {
if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
auth_blob.data, auth_blob.length)) {
DEBUG(0, ("Append of auth info failed.\n"));
goto err_exit;
}
}
/*
* Setup the lengths for the initial reply.
*/
p->out_data.data_sent_length = 0;
p->out_data.current_pdu_sent = 0;
TALLOC_FREE(auth_blob.data);
return True;
err_exit:
data_blob_free(&p->out_data.frag);
TALLOC_FREE(auth_blob.data);
return setup_bind_nak(p, pkt);
}
struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
const struct ndr_syntax_id *syntax,
const struct tsocket_address *remote_address,
const struct tsocket_address *local_address,
const struct auth_session_info *session_info,
struct messaging_context *msg_ctx)
{
struct pipes_struct *p;
struct pipe_rpc_fns *context_fns;
const char *pipe_name;
int ret;
const struct ndr_interface_table *table;
table = ndr_table_by_uuid(&syntax->uuid);
if (table == NULL) {
DEBUG(0,("unknown interface\n"));
return NULL;
}
pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
DEBUG(4,("Create pipe requested %s\n", pipe_name));
ret = make_base_pipes_struct(mem_ctx, msg_ctx, pipe_name,
NCALRPC, RPC_LITTLE_ENDIAN,
remote_address, local_address, &p);
if (ret) {
DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
return NULL;
}
if (!init_pipe_handles(p, syntax)) {
DEBUG(0,("open_rpc_pipe_p: init_pipe_handles failed.\n"));
TALLOC_FREE(p);
return NULL;
}
p->session_info = copy_session_info(p, session_info);
if (p->session_info == NULL) {
DEBUG(0, ("open_rpc_pipe_p: copy_serverinfo failed\n"));
close_policy_by_pipe(p);
TALLOC_FREE(p);
return NULL;
}
context_fns = talloc_zero(p, struct pipe_rpc_fns);
if (context_fns == NULL) {
DEBUG(0,("talloc() failed!\n"));
TALLOC_FREE(p);
return NULL;
}
context_fns->next = context_fns->prev = NULL;
context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(syntax);
context_fns->cmds = rpc_srv_get_pipe_cmds(syntax);
context_fns->context_id = 0;
context_fns->syntax = *syntax;
/* add to the list of open contexts */
DLIST_ADD(p->contexts, context_fns);
DEBUG(4,("Created internal pipe %s\n", pipe_name));
return p;
}
static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
const struct api_struct *api_rpc_cmds, int n_cmds,
const struct ndr_syntax_id *syntax)
{
int fn_num;
uint32_t offset1;
const struct ndr_interface_table *table;
/* interpret the command */
DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
ndr_interface_name(&syntax->uuid, syntax->if_version),
pkt->u.request.opnum));
table = ndr_table_by_uuid(&syntax->uuid);
if (table == NULL) {
DEBUG(0,("unknown interface\n"));
return false;
}
if (DEBUGLEVEL >= 50) {
fstring name;
slprintf(name, sizeof(name)-1, "in_%s",
dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
dump_pdu_region(name, pkt->u.request.opnum,
&p->in_data.data, 0,
p->in_data.data.length);
}
for (fn_num = 0; fn_num < n_cmds; fn_num++) {
if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
api_rpc_cmds[fn_num].fn != NULL) {
DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
api_rpc_cmds[fn_num].name));
break;
}
}
if (fn_num == n_cmds) {
/*
* For an unknown RPC just return a fault PDU but
* return True to allow RPC's on the pipe to continue
* and not put the pipe into fault state. JRA.
*/
DEBUG(4, ("unknown\n"));
setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
return True;
}
offset1 = p->out_data.rdata.length;
DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
fn_num, api_rpc_cmds[fn_num].fn));
/* do the actual command */
if(!api_rpc_cmds[fn_num].fn(p)) {
DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
ndr_interface_name(&syntax->uuid, syntax->if_version),
api_rpc_cmds[fn_num].name));
data_blob_free(&p->out_data.rdata);
return False;
}
if (p->fault_state) {
DEBUG(4,("api_rpcTNP: fault(%d) return.\n", p->fault_state));
setup_fault_pdu(p, NT_STATUS(p->fault_state));
p->fault_state = 0;
return true;
}
if (DEBUGLEVEL >= 50) {
fstring name;
slprintf(name, sizeof(name)-1, "out_%s",
dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
dump_pdu_region(name, pkt->u.request.opnum,
&p->out_data.rdata, offset1,
p->out_data.rdata.length);
}
DEBUG(5,("api_rpcTNP: called %s successfully\n",
ndr_interface_name(&syntax->uuid, syntax->if_version)));
/* Check for buffer underflow in rpc parsing */
if ((DEBUGLEVEL >= 10) &&
(pkt->frag_length < p->in_data.data.length)) {
DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
dump_data(10, p->in_data.data.data + pkt->frag_length,
p->in_data.data.length - pkt->frag_length);
}
return True;
}