NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req) { const uint8_t *inbody; int i = smb2req->current_idx; size_t expected_body_size = 0x39; size_t body_size; uint8_t in_oplock_level; uint32_t in_impersonation_level; uint32_t in_desired_access; uint32_t in_file_attributes; uint32_t in_share_access; uint32_t in_create_disposition; uint32_t in_create_options; uint16_t in_name_offset; uint16_t in_name_length; DATA_BLOB in_name_buffer; char *in_name_string; size_t in_name_string_size; uint32_t name_offset = 0; uint32_t name_available_length = 0; uint32_t in_context_offset; uint32_t in_context_length; DATA_BLOB in_context_buffer; struct smb2_create_blobs in_context_blobs; uint32_t context_offset = 0; uint32_t context_available_length = 0; uint32_t dyn_offset; NTSTATUS status; bool ok; struct tevent_req *tsubreq; if (smb2req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } inbody = (const uint8_t *)smb2req->in.vector[i+1].iov_base; body_size = SVAL(inbody, 0x00); if (body_size != expected_body_size) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } in_oplock_level = CVAL(inbody, 0x03); in_impersonation_level = IVAL(inbody, 0x04); in_desired_access = IVAL(inbody, 0x18); in_file_attributes = IVAL(inbody, 0x1C); in_share_access = IVAL(inbody, 0x20); in_create_disposition = IVAL(inbody, 0x24); in_create_options = IVAL(inbody, 0x28); in_name_offset = SVAL(inbody, 0x2C); in_name_length = SVAL(inbody, 0x2E); in_context_offset = IVAL(inbody, 0x30); in_context_length = IVAL(inbody, 0x34); /* * First check if the dynamic name and context buffers * are correctly specified. * * Note: That we don't check if the name and context buffers * overlap */ dyn_offset = SMB2_HDR_BODY + (body_size & 0xFFFFFFFE); if (in_name_offset == 0 && in_name_length == 0) { /* This is ok */ name_offset = 0; } else if (in_name_offset < dyn_offset) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } else { name_offset = in_name_offset - dyn_offset; } if (name_offset > smb2req->in.vector[i+2].iov_len) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } name_available_length = smb2req->in.vector[i+2].iov_len - name_offset; if (in_name_length > name_available_length) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } in_name_buffer.data = (uint8_t *)smb2req->in.vector[i+2].iov_base + name_offset; in_name_buffer.length = in_name_length; if (in_context_offset == 0 && in_context_length == 0) { /* This is ok */ context_offset = 0; } else if (in_context_offset < dyn_offset) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } else { context_offset = in_context_offset - dyn_offset; } if (context_offset > smb2req->in.vector[i+2].iov_len) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } context_available_length = smb2req->in.vector[i+2].iov_len - context_offset; if (in_context_length > context_available_length) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } in_context_buffer.data = (uint8_t *)smb2req->in.vector[i+2].iov_base + context_offset; in_context_buffer.length = in_context_length; /* * Now interpret the name and context buffers */ ok = convert_string_talloc(smb2req, CH_UTF16, CH_UNIX, in_name_buffer.data, in_name_buffer.length, &in_name_string, &in_name_string_size); if (!ok) { return smbd_smb2_request_error(smb2req, NT_STATUS_ILLEGAL_CHARACTER); } ZERO_STRUCT(in_context_blobs); status = smb2_create_blob_parse(smb2req, in_context_buffer, &in_context_blobs); if (!NT_STATUS_IS_OK(status)) { return smbd_smb2_request_error(smb2req, status); } tsubreq = smbd_smb2_create_send(smb2req, smb2req->sconn->smb2.event_ctx, smb2req, in_oplock_level, in_impersonation_level, in_desired_access, in_file_attributes, in_share_access, in_create_disposition, in_create_options, in_name_string, in_context_blobs); if (tsubreq == NULL) { smb2req->subreq = NULL; return smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY); } tevent_req_set_callback(tsubreq, smbd_smb2_request_create_done, smb2req); return smbd_smb2_request_pending_queue(smb2req, tsubreq); }
void smb2srv_create_recv(struct smb2srv_request *req) { union smb_open *io; DATA_BLOB blob; int i; SMB2SRV_CHECK_BODY_SIZE(req, 0x38, true); SMB2SRV_TALLOC_IO_PTR(io, union smb_open); SMB2SRV_SETUP_NTVFS_REQUEST(smb2srv_create_send, NTVFS_ASYNC_STATE_MAY_ASYNC); ZERO_STRUCT(io->smb2.in); io->smb2.level = RAW_OPEN_SMB2; io->smb2.in.security_flags = CVAL(req->in.body, 0x02); io->smb2.in.oplock_level = CVAL(req->in.body, 0x03); io->smb2.in.impersonation_level = IVAL(req->in.body, 0x04); io->smb2.in.create_flags = BVAL(req->in.body, 0x08); io->smb2.in.reserved = BVAL(req->in.body, 0x10); io->smb2.in.desired_access = IVAL(req->in.body, 0x18); io->smb2.in.file_attributes = IVAL(req->in.body, 0x1C); io->smb2.in.share_access = IVAL(req->in.body, 0x20); io->smb2.in.create_disposition = IVAL(req->in.body, 0x24); io->smb2.in.create_options = IVAL(req->in.body, 0x28); SMB2SRV_CHECK(smb2_pull_o16s16_string(&req->in, io, req->in.body+0x2C, &io->smb2.in.fname)); SMB2SRV_CHECK(smb2_pull_o32s32_blob(&req->in, io, req->in.body+0x30, &blob)); SMB2SRV_CHECK(smb2_create_blob_parse(io, blob, &io->smb2.in.blobs)); /* interpret the parsed tags that a server needs to respond to */ for (i=0;i<io->smb2.in.blobs.num_blobs;i++) { if (strcmp(io->smb2.in.blobs.blobs[i].tag, SMB2_CREATE_TAG_EXTA) == 0) { SMB2SRV_CHECK(ea_pull_list_chained(&io->smb2.in.blobs.blobs[i].data, io, &io->smb2.in.eas.num_eas, &io->smb2.in.eas.eas)); } if (strcmp(io->smb2.in.blobs.blobs[i].tag, SMB2_CREATE_TAG_SECD) == 0) { enum ndr_err_code ndr_err; io->smb2.in.sec_desc = talloc(io, struct security_descriptor); if (io->smb2.in.sec_desc == NULL) { smb2srv_send_error(req, NT_STATUS_NO_MEMORY); return; } ndr_err = ndr_pull_struct_blob(&io->smb2.in.blobs.blobs[i].data, io, NULL, io->smb2.in.sec_desc, (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { smb2srv_send_error(req, ndr_map_error2ntstatus(ndr_err)); return; } } if (strcmp(io->smb2.in.blobs.blobs[i].tag, SMB2_CREATE_TAG_DHNQ) == 0) { io->smb2.in.durable_open = true; } if (strcmp(io->smb2.in.blobs.blobs[i].tag, SMB2_CREATE_TAG_DHNC) == 0) { if (io->smb2.in.blobs.blobs[i].data.length != 16) { smb2srv_send_error(req, NT_STATUS_INVALID_PARAMETER); return; } io->smb2.in.durable_handle = talloc(io, struct smb2_handle); if (io->smb2.in.durable_handle == NULL) { smb2srv_send_error(req, NT_STATUS_NO_MEMORY); return; } smb2_pull_handle(io->smb2.in.blobs.blobs[i].data.data, io->smb2.in.durable_handle); } if (strcmp(io->smb2.in.blobs.blobs[i].tag, SMB2_CREATE_TAG_ALSI) == 0) { if (io->smb2.in.blobs.blobs[i].data.length != 8) { smb2srv_send_error(req, NT_STATUS_INVALID_PARAMETER); return; } io->smb2.in.alloc_size = BVAL(io->smb2.in.blobs.blobs[i].data.data, 0); } if (strcmp(io->smb2.in.blobs.blobs[i].tag, SMB2_CREATE_TAG_MXAC) == 0) { io->smb2.in.query_maximal_access = true; } if (strcmp(io->smb2.in.blobs.blobs[i].tag, SMB2_CREATE_TAG_TWRP) == 0) { if (io->smb2.in.blobs.blobs[i].data.length != 8) { smb2srv_send_error(req, NT_STATUS_INVALID_PARAMETER); return; } io->smb2.in.timewarp = BVAL(io->smb2.in.blobs.blobs[i].data.data, 0); } if (strcmp(io->smb2.in.blobs.blobs[i].tag, SMB2_CREATE_TAG_QFID) == 0) { io->smb2.in.query_on_disk_id = true; } } /* the VFS backend does not yet handle NULL filenames */ if (io->smb2.in.fname == NULL) { io->smb2.in.fname = ""; } SMB2SRV_CALL_NTVFS_BACKEND(ntvfs_open(req->ntvfs, io)); }
/* recv a create reply */ NTSTATUS smb2_create_recv(struct smb2_request *req, TALLOC_CTX *mem_ctx, struct smb2_create *io) { NTSTATUS status; DATA_BLOB blob; int i; if (!smb2_request_receive(req) || !smb2_request_is_ok(req)) { return smb2_request_destroy(req); } SMB2_CHECK_PACKET_RECV(req, 0x58, true); ZERO_STRUCT(io->out); io->out.oplock_level = CVAL(req->in.body, 0x02); io->out.reserved = CVAL(req->in.body, 0x03); io->out.create_action = IVAL(req->in.body, 0x04); io->out.create_time = smbcli_pull_nttime(req->in.body, 0x08); io->out.access_time = smbcli_pull_nttime(req->in.body, 0x10); io->out.write_time = smbcli_pull_nttime(req->in.body, 0x18); io->out.change_time = smbcli_pull_nttime(req->in.body, 0x20); io->out.alloc_size = BVAL(req->in.body, 0x28); io->out.size = BVAL(req->in.body, 0x30); io->out.file_attr = IVAL(req->in.body, 0x38); io->out.reserved2 = IVAL(req->in.body, 0x3C); smb2_pull_handle(req->in.body+0x40, &io->out.file.handle); status = smb2_pull_o32s32_blob(&req->in, mem_ctx, req->in.body+0x50, &blob); if (!NT_STATUS_IS_OK(status)) { smb2_request_destroy(req); return status; } status = smb2_create_blob_parse(mem_ctx, blob, &io->out.blobs); if (!NT_STATUS_IS_OK(status)) { smb2_request_destroy(req); return status; } /* pull out the parsed blobs */ for (i=0;i<io->out.blobs.num_blobs;i++) { if (strcmp(io->out.blobs.blobs[i].tag, SMB2_CREATE_TAG_MXAC) == 0) { /* TODO: this also contains a status field in first 4 bytes */ if (io->out.blobs.blobs[i].data.length != 8) { smb2_request_destroy(req); return NT_STATUS_INVALID_NETWORK_RESPONSE; } io->out.maximal_access = IVAL(io->out.blobs.blobs[i].data.data, 4); } if (strcmp(io->out.blobs.blobs[i].tag, SMB2_CREATE_TAG_QFID) == 0) { if (io->out.blobs.blobs[i].data.length != 32) { smb2_request_destroy(req); return NT_STATUS_INVALID_NETWORK_RESPONSE; } memcpy(io->out.on_disk_id, io->out.blobs.blobs[i].data.data, 32); } if (strcmp(io->out.blobs.blobs[i].tag, SMB2_CREATE_TAG_RQLS) == 0) { uint8_t *data; if (io->out.blobs.blobs[i].data.length != 32) { smb2_request_destroy(req); return NT_STATUS_INVALID_NETWORK_RESPONSE; } data = io->out.blobs.blobs[i].data.data; memcpy(&io->out.lease_response.lease_key, data, 16); io->out.lease_response.lease_state = IVAL(data, 16); io->out.lease_response.lease_flags = IVAL(data, 20); io->out.lease_response.lease_duration = BVAL(data, 24); } } data_blob_free(&blob); return smb2_request_destroy(req); }
NTSTATUS smbd_smb2_request_process_create(struct smbd_smb2_request *smb2req) { const uint8_t *inbody; const struct iovec *indyniov; uint8_t in_oplock_level; uint32_t in_impersonation_level; uint32_t in_desired_access; uint32_t in_file_attributes; uint32_t in_share_access; uint32_t in_create_disposition; uint32_t in_create_options; uint16_t in_name_offset; uint16_t in_name_length; DATA_BLOB in_name_buffer; char *in_name_string; size_t in_name_string_size; uint32_t name_offset = 0; uint32_t name_available_length = 0; uint32_t in_context_offset; uint32_t in_context_length; DATA_BLOB in_context_buffer; struct smb2_create_blobs in_context_blobs; uint32_t context_offset = 0; uint32_t context_available_length = 0; uint32_t dyn_offset; NTSTATUS status; bool ok; struct tevent_req *tsubreq; status = smbd_smb2_request_verify_sizes(smb2req, 0x39); if (!NT_STATUS_IS_OK(status)) { return smbd_smb2_request_error(smb2req, status); } inbody = SMBD_SMB2_IN_BODY_PTR(smb2req); in_oplock_level = CVAL(inbody, 0x03); in_impersonation_level = IVAL(inbody, 0x04); in_desired_access = IVAL(inbody, 0x18); in_file_attributes = IVAL(inbody, 0x1C); in_share_access = IVAL(inbody, 0x20); in_create_disposition = IVAL(inbody, 0x24); in_create_options = IVAL(inbody, 0x28); in_name_offset = SVAL(inbody, 0x2C); in_name_length = SVAL(inbody, 0x2E); in_context_offset = IVAL(inbody, 0x30); in_context_length = IVAL(inbody, 0x34); /* * First check if the dynamic name and context buffers * are correctly specified. * * Note: That we don't check if the name and context buffers * overlap */ dyn_offset = SMB2_HDR_BODY + SMBD_SMB2_IN_BODY_LEN(smb2req); if (in_name_offset == 0 && in_name_length == 0) { /* This is ok */ name_offset = 0; } else if (in_name_offset < dyn_offset) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } else { name_offset = in_name_offset - dyn_offset; } indyniov = SMBD_SMB2_IN_DYN_IOV(smb2req); if (name_offset > indyniov->iov_len) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } name_available_length = indyniov->iov_len - name_offset; if (in_name_length > name_available_length) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } in_name_buffer.data = (uint8_t *)indyniov->iov_base + name_offset; in_name_buffer.length = in_name_length; if (in_context_offset == 0 && in_context_length == 0) { /* This is ok */ context_offset = 0; } else if (in_context_offset < dyn_offset) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } else { context_offset = in_context_offset - dyn_offset; } if (context_offset > indyniov->iov_len) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } context_available_length = indyniov->iov_len - context_offset; if (in_context_length > context_available_length) { return smbd_smb2_request_error(smb2req, NT_STATUS_INVALID_PARAMETER); } in_context_buffer.data = (uint8_t *)indyniov->iov_base + context_offset; in_context_buffer.length = in_context_length; /* * Now interpret the name and context buffers */ ok = convert_string_talloc(smb2req, CH_UTF16, CH_UNIX, in_name_buffer.data, in_name_buffer.length, &in_name_string, &in_name_string_size); if (!ok) { return smbd_smb2_request_error(smb2req, NT_STATUS_ILLEGAL_CHARACTER); } if (in_name_buffer.length == 0) { in_name_string_size = 0; } if (strlen(in_name_string) != in_name_string_size) { return smbd_smb2_request_error(smb2req, NT_STATUS_OBJECT_NAME_INVALID); } ZERO_STRUCT(in_context_blobs); status = smb2_create_blob_parse(smb2req, in_context_buffer, &in_context_blobs); if (!NT_STATUS_IS_OK(status)) { return smbd_smb2_request_error(smb2req, status); } tsubreq = smbd_smb2_create_send(smb2req, smb2req->sconn->ev_ctx, smb2req, in_oplock_level, in_impersonation_level, in_desired_access, in_file_attributes, in_share_access, in_create_disposition, in_create_options, in_name_string, in_context_blobs); if (tsubreq == NULL) { smb2req->subreq = NULL; return smbd_smb2_request_error(smb2req, NT_STATUS_NO_MEMORY); } tevent_req_set_callback(tsubreq, smbd_smb2_request_create_done, smb2req); /* * For now we keep the logic that we do not send STATUS_PENDING * for sharing violations, so we just wait 2 seconds. * * TODO: we need more tests for this. */ return smbd_smb2_request_pending_queue(smb2req, tsubreq, 2000000); }