1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2013 Nexenta Systems, Inc. All rights reserved.
25 */
26
27 /*
28 * Server-side NDR stream (PDU) operations. Stream operations should
29 * return TRUE (non-zero) on success or FALSE (zero or a null pointer)
30 * on failure. When an operation returns FALSE, including ndo_malloc()
31 * returning NULL, it should set the nds->error to indicate what went
32 * wrong.
33 *
34 * When available, the relevant ndr reference is passed to the
35 * operation but keep in mind that it may be a null pointer.
36 *
37 * Functions ndo_get_pdu(), ndo_put_pdu(), and ndo_pad_pdu()
38 * must never grow the PDU data. A request for out-of-bounds data is
39 * an error. The swap_bytes flag is 1 if NDR knows that the byte-
40 * order in the PDU is different from the local system.
41 */
42
43 #include <sys/types.h>
44 #include <stdarg.h>
45 #include <ctype.h>
46 #include <stdio.h>
47 #include <stdlib.h>
48 #include <strings.h>
49 #include <string.h>
50 #include <assert.h>
51
52 #include <smbsrv/libsmb.h>
53 #include <smbsrv/libmlrpc.h>
54
/* Scratch buffer size used by the trace and hex formatters below. */
#define	NDOBUFSZ		128

/* PDU buffers grow in NDR_PDU_BLOCK_SIZE steps and are capped at NDR_PDU_MAX_SIZE. */
#define	NDR_PDU_BLOCK_SIZE	(4*1024)
#define	NDR_PDU_BLOCK_MASK	(NDR_PDU_BLOCK_SIZE - 1)
/*
 * Round N up to a block boundary. Note that a full block is always added,
 * so an N that is already block-aligned still grows by NDR_PDU_BLOCK_SIZE.
 */
#define	NDR_PDU_ALIGN(N) \
	(((N) + NDR_PDU_BLOCK_SIZE) & ~NDR_PDU_BLOCK_MASK)
#define	NDR_PDU_MAX_SIZE	(64*1024*1024)
62
63 static char *ndo_malloc(ndr_stream_t *, unsigned, ndr_ref_t *);
64 static int ndo_free(ndr_stream_t *, char *, ndr_ref_t *);
65 static int ndo_grow_pdu(ndr_stream_t *, unsigned long, ndr_ref_t *);
66 static int ndo_pad_pdu(ndr_stream_t *, unsigned long, unsigned long,
67 ndr_ref_t *);
68 static int ndo_get_pdu(ndr_stream_t *, unsigned long, unsigned long,
69 char *, int, ndr_ref_t *);
70 static int ndo_put_pdu(ndr_stream_t *, unsigned long, unsigned long,
71 char *, int, ndr_ref_t *);
72 static void ndo_tattle(ndr_stream_t *, char *, ndr_ref_t *);
73 static void ndo_tattle_error(ndr_stream_t *, ndr_ref_t *);
74 static int ndo_reset(ndr_stream_t *);
75 static void ndo_destruct(ndr_stream_t *);
76 static void ndo_hexfmt(uint8_t *, int, int, char *, int);
77
78 /*
79 * The ndr stream operations table.
80 */
static ndr_stream_ops_t nds_ops = {
	ndo_malloc,		/* allocate from the stream heap */
	ndo_free,		/* no-op: heap allocations are released with the heap */
	ndo_grow_pdu,		/* the only operation that may change the PDU size */
	ndo_pad_pdu,		/* zero-fill a range of the PDU */
	ndo_get_pdu,		/* copy bytes out of the PDU, byte-swapping if asked */
	ndo_put_pdu,		/* copy bytes into the PDU */
	ndo_tattle,		/* trace a message in stream context */
	ndo_tattle_error,	/* trace the stream's error state */
	ndo_reset,		/* reset offsets and the outer queue */
	ndo_destruct		/* free the PDU buffer and reset the outer queue */
};
93
94 /*
95 * nds_bswap
96 *
97 * Copies len bytes from src to dst such that dst contains the bytes
98 * from src in reverse order.
99 *
100 * We expect to be dealing with bytes, words, dwords etc. So the
101 * length must be non-zero and a power of 2.
102 */
/*
 * Copy len bytes from srcbuf to dstbuf in reverse order, so that dstbuf
 * holds the byte-swapped value of srcbuf. Only widths that are a non-zero
 * power of two (bytes, words, dwords, ...) are handled; any other len
 * leaves dstbuf untouched.
 */
void
nds_bswap(void *srcbuf, void *dstbuf, size_t len)
{
	const uint8_t *in = srcbuf;
	uint8_t *out = dstbuf;
	size_t i;

	if (len == 0 || (len & (len - 1)) != 0)
		return;

	for (i = 0; i < len; i++)
		out[i] = in[len - 1 - i];
}
116
117 /*
118 * nds_initialize
119 *
120 * Initialize a stream. Sets up the PDU parameters and assigns the stream
121 * operations and the reference to the heap. An external heap is provided
122 * to the stream, rather than each stream creating its own heap.
123 */
/*
 * Initialize a stream: zero it, install the operations table and the
 * (externally owned) heap, allocate the initial PDU buffer and set the
 * marshalling mode and direction from composite_op.
 *
 * pdu_size_hint is the initial PDU allocation; 0 selects one block.
 * Returns 0 on success, NDR_DRC_FAULT_RESOURCE_1 if the hint exceeds
 * NDR_PDU_MAX_SIZE, or NDR_DRC_FAULT_OUT_OF_MEMORY if malloc fails.
 * On failure nds->error and nds->error_ref are set and the error traced.
 */
int
nds_initialize(ndr_stream_t *nds, unsigned pdu_size_hint,
    int composite_op, ndr_heap_t *heap)
{
	unsigned pdu_size = pdu_size_hint;

	assert(nds);
	assert(heap);

	bzero(nds, sizeof (*nds));
	nds->ndo = &nds_ops;
	nds->heap = (struct ndr_heap *)heap;

	if (pdu_size_hint > NDR_PDU_MAX_SIZE) {
		nds->error = NDR_ERR_BOUNDS_CHECK;
		nds->error_ref = __LINE__;
		NDS_TATTLE_ERROR(nds, NULL, NULL);
		return (NDR_DRC_FAULT_RESOURCE_1);
	}

	if (pdu_size == 0)
		pdu_size = NDR_PDU_BLOCK_SIZE;

	nds->pdu_base_addr = malloc(pdu_size);
	if (nds->pdu_base_addr == NULL) {
		nds->error = NDR_ERR_MALLOC_FAILED;
		nds->error_ref = __LINE__;
		NDS_TATTLE_ERROR(nds, NULL, NULL);
		return (NDR_DRC_FAULT_OUT_OF_MEMORY);
	}

	nds->pdu_max_size = pdu_size;
	nds->pdu_size = 0;
	/* The integer form of the base address is what the get/put ops index from. */
	nds->pdu_base_offset = (unsigned long)nds->pdu_base_addr;

	nds->m_op = NDR_MODE_TO_M_OP(composite_op);
	nds->dir = NDR_MODE_TO_DIR(composite_op);

	nds->outer_queue_tailp = &nds->outer_queue_head;
	return (0);
}
163
164 /*
165 * nds_destruct
166 *
167 * Destroy a stream. This is an external interface to provide access to
168 * the stream's destruct operation.
169 */
/*
 * External entry point for destroying a stream: dispatches to the
 * stream's destruct operation. A null stream or one with no operations
 * table is ignored.
 */
void
nds_destruct(ndr_stream_t *nds)
{
	if (nds != NULL && nds->ndo != NULL)
		NDS_DESTRUCT(nds);
}
178
179 /*
180 * Print NDR stream state.
181 */
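/*
 * Trace the NDR stream state (base address, size, max size, scan offset).
 * The fields are cast to unsigned long so the conversions match the
 * arguments regardless of the field widths; the old %x/%d conversions
 * were mismatched against pdu_base_offset, which is an unsigned long.
 */
void
nds_show_state(ndr_stream_t *nds)
{
	if (nds == NULL) {
		ndo_printf(NULL, NULL, "nds: <null>");
		return;
	}

	ndo_printf(NULL, NULL, "nds: base=0x%lx, size=%lu, max=%lu, scan=%lu",
	    (unsigned long)nds->pdu_base_offset,
	    (unsigned long)nds->pdu_size,
	    (unsigned long)nds->pdu_max_size,
	    (unsigned long)nds->pdu_scan_offset);
}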
194
195 /*
196 * ndo_malloc
197 *
198 * Allocate memory from the stream heap.
199 */
200 /*ARGSUSED*/
/*
 * Allocate len bytes from the stream's heap. Returns the heap's result,
 * which is NULL on failure. The ref argument is unused.
 */
static char *
ndo_malloc(ndr_stream_t *nds, unsigned len, ndr_ref_t *ref)
{
	ndr_heap_t *heap = (ndr_heap_t *)nds->heap;

	return (ndr_heap_malloc(heap, len));
}
206
207 /*
208 * ndo_free
209 *
210 * Always succeeds: cannot free individual stream allocations.
211 */
212 /*ARGSUSED*/
/*
 * Individual stream allocations cannot be released; they go away with
 * the heap. Always reports success (1). All arguments are unused.
 */
static int
ndo_free(ndr_stream_t *nds, char *p, ndr_ref_t *ref)
{
	const int always_ok = 1;

	return (always_ok);
}
218
219 /*
220 * ndo_grow_pdu
221 *
222 * This is the only place that should change the size of the PDU. If the
223 * desired offset is beyond the current PDU size, we realloc the PDU
224 * buffer to accommodate the request. For efficiency, the PDU is always
225 * extended to a NDR_PDU_BLOCK_SIZE boundary. Requests to grow the PDU
226 * beyond NDR_PDU_MAX_SIZE are rejected.
227 *
228 * Returns 1 to indicate success. Otherwise 0 to indicate failure.
229 */
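/*
 * ndo_grow_pdu
 *
 * This is the only place that should change the size of the PDU. If the
 * desired offset is beyond the current PDU size, we realloc the PDU
 * buffer to accommodate the request. For efficiency, the PDU is always
 * extended to a NDR_PDU_BLOCK_SIZE boundary. Requests to grow the PDU
 * beyond NDR_PDU_MAX_SIZE are rejected.
 *
 * Returns 1 to indicate success. Otherwise 0 to indicate failure, with
 * nds->error and nds->error_ref recording the cause.
 */
static int
ndo_grow_pdu(ndr_stream_t *nds, unsigned long want_end_offset, ndr_ref_t *ref)
{
	unsigned char *pdu_addr;
	unsigned long pdu_max_size;

	ndo_printf(nds, ref, "grow %lu", want_end_offset);

	pdu_max_size = nds->pdu_max_size;

	if (want_end_offset > pdu_max_size) {
		/*
		 * Reject before aligning. The size is kept in unsigned long
		 * here so a large want_end_offset is neither wrapped by
		 * NDR_PDU_ALIGN() nor truncated on the way into the
		 * comparison, which would otherwise let pdu_size run far
		 * past the real allocation.
		 */
		if (want_end_offset > NDR_PDU_MAX_SIZE) {
			nds->error = NDR_ERR_BOUNDS_CHECK;
			nds->error_ref = __LINE__;
			return (0);
		}

		pdu_max_size = NDR_PDU_ALIGN(want_end_offset);

		if (pdu_max_size >= NDR_PDU_MAX_SIZE) {
			nds->error = NDR_ERR_BOUNDS_CHECK;
			nds->error_ref = __LINE__;
			return (0);
		}

		/* Use a temporary so the old buffer survives a failed realloc. */
		pdu_addr = realloc(nds->pdu_base_addr, pdu_max_size);
		if (pdu_addr == NULL) {
			nds->error = NDR_ERR_MALLOC_FAILED;
			nds->error_ref = __LINE__;
			return (0);
		}

		nds->pdu_max_size = pdu_max_size;
		nds->pdu_base_addr = pdu_addr;
		/* The buffer may have moved; the integer base must follow it. */
		nds->pdu_base_offset = (unsigned long)pdu_addr;
	}

	nds->pdu_size = want_end_offset;
	return (1);
}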
258
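/*
 * ndo_pad_pdu
 *
 * Zero-fill n_bytes of the PDU starting at pdu_offset. This must never
 * grow the PDU: a range that does not fit inside the current buffer
 * (pdu_max_size, the allocation size) is rejected.
 *
 * Returns 1 on success or 0 on failure, with nds->error set.
 */
static int
ndo_pad_pdu(ndr_stream_t *nds, unsigned long pdu_offset,
    unsigned long n_bytes, ndr_ref_t *ref)
{
	unsigned char *data;

	/* Two-part test so pdu_offset + n_bytes cannot wrap. */
	if (n_bytes > nds->pdu_max_size ||
	    pdu_offset > nds->pdu_max_size - n_bytes) {
		nds->error = NDR_ERR_BOUNDS_CHECK;
		nds->error_ref = __LINE__;
		return (0);
	}

	data = (unsigned char *)nds->pdu_base_offset + pdu_offset;

	ndo_printf(nds, ref, "pad %lu@%-3lu", n_bytes, pdu_offset);

	bzero(data, n_bytes);
	return (1);
}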
273
274 /*
275 * ndo_get_pdu
276 *
277 * The swap flag is 1 if NDR knows that the byte-order in the PDU
278 * is different from the local system.
279 *
280 * Returns 1 on success or 0 to indicate failure.
281 */
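/*
 * ndo_get_pdu
 *
 * Copy n_bytes out of the PDU at pdu_offset into buf. The swap flag is
 * 1 if NDR knows that the byte-order in the PDU is different from the
 * local system, in which case the bytes are reversed on the way out.
 *
 * The request must lie within pdu_size, the end of the data placed in
 * the PDU (ndo_grow_pdu() maintains it); reading beyond it is an error.
 *
 * Returns 1 on success or 0 to indicate failure, with nds->error set.
 */
static int
ndo_get_pdu(ndr_stream_t *nds, unsigned long pdu_offset,
    unsigned long n_bytes, char *buf, int swap_bytes, ndr_ref_t *ref)
{
	unsigned char *data;
	char hexbuf[NDOBUFSZ];

	/* Two-part test so pdu_offset + n_bytes cannot wrap. */
	if (n_bytes > nds->pdu_size || pdu_offset > nds->pdu_size - n_bytes) {
		nds->error = NDR_ERR_BOUNDS_CHECK;
		nds->error_ref = __LINE__;
		return (0);
	}

	data = (unsigned char *)nds->pdu_base_offset + pdu_offset;

	ndo_hexfmt(data, (int)n_bytes, swap_bytes, hexbuf, NDOBUFSZ);

	ndo_printf(nds, ref, "get %lu@%-3lu = %s",
	    n_bytes, pdu_offset, hexbuf);

	if (swap_bytes)
		nds_bswap(data, (unsigned char *)buf, n_bytes);
	else
		bcopy(data, buf, n_bytes);

	return (1);
}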
304
305 /*
306 * ndo_put_pdu
307 *
308 * This is a receiver makes right protocol. So we do not need
309 * to be concerned about the byte-order of an outgoing PDU.
310 */
311 /*ARGSUSED*/
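/*
 * ndo_put_pdu
 *
 * Copy n_bytes from buf into the PDU at pdu_offset. This is a receiver
 * makes right protocol, so we do not need to be concerned about the
 * byte-order of an outgoing PDU; swap_bytes is unused.
 *
 * This must never grow the PDU: a range that does not fit inside the
 * current buffer (pdu_max_size, the allocation size) is rejected.
 *
 * Returns 1 on success or 0 on failure, with nds->error set.
 */
static int
ndo_put_pdu(ndr_stream_t *nds, unsigned long pdu_offset,
    unsigned long n_bytes, char *buf, int swap_bytes, ndr_ref_t *ref)
{
	unsigned char *data;
	char hexbuf[NDOBUFSZ];

	/* Two-part test so pdu_offset + n_bytes cannot wrap. */
	if (n_bytes > nds->pdu_max_size ||
	    pdu_offset > nds->pdu_max_size - n_bytes) {
		nds->error = NDR_ERR_BOUNDS_CHECK;
		nds->error_ref = __LINE__;
		return (0);
	}

	data = (unsigned char *)nds->pdu_base_offset + pdu_offset;

	ndo_hexfmt((uint8_t *)buf, (int)n_bytes, 0, hexbuf, NDOBUFSZ);

	ndo_printf(nds, ref, "put %lu@%-3lu = %s",
	    n_bytes, pdu_offset, hexbuf);

	bcopy(buf, data, n_bytes);
	return (1);
}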
330
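/*
 * Trace an arbitrary message in stream context. The text is passed as a
 * "%s" argument rather than as the format string, so any '%' sequences
 * in it are printed literally instead of being interpreted by vsnprintf.
 */
static void
ndo_tattle(ndr_stream_t *nds, char *what, ndr_ref_t *ref)
{
	ndo_printf(nds, ref, "%s", (what != NULL) ? what : "");
}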
336
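/*
 * Trace the stream's error state: error code, error reference, scan
 * offset, size/max size, followed by a hex dump of up to 16 bytes at the
 * offending offset (ref->pdu_offset when a ref is given, else the scan
 * offset). The dump is clipped to the PDU buffer so that reporting an
 * out-of-bounds error never itself reads out of bounds.
 */
static void
ndo_tattle_error(ndr_stream_t *nds, ndr_ref_t *ref)
{
	unsigned char *data;
	unsigned long offset;
	unsigned long avail;
	char hexbuf[NDOBUFSZ];

	hexbuf[0] = '\0';

	if (nds->pdu_base_addr != NULL) {
		offset = (ref != NULL) ? ref->pdu_offset : nds->pdu_scan_offset;

		/* Only dump bytes that lie inside the allocation. */
		avail = (offset < nds->pdu_max_size) ?
		    nds->pdu_max_size - offset : 0;
		if (avail > 16)
			avail = 16;

		if (avail != 0) {
			data = (unsigned char *)nds->pdu_base_offset + offset;
			ndo_hexfmt(data, (int)avail, 0, hexbuf, NDOBUFSZ);
		}
	}

	ndo_printf(nds, ref, "ERROR=%d REF=%d OFFSET=%lu SIZE=%lu/%lu",
	    nds->error, nds->error_ref,
	    (unsigned long)nds->pdu_scan_offset,
	    (unsigned long)nds->pdu_size,
	    (unsigned long)nds->pdu_max_size);
	ndo_printf(nds, ref, " %s", hexbuf);
}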
360
361 /*
362 * ndo_reset
363 *
364 * Reset a stream: zap the outer_queue. We don't need to tamper
365 * with the stream heap: it's handled externally to the stream.
366 */
/*
 * Reset a stream for reuse: clear the PDU size and scan offset and empty
 * the outer queue. The stream heap is managed externally and is left
 * alone. Always returns 1.
 */
static int
ndo_reset(ndr_stream_t *nds)
{
	ndo_printf(nds, NULL, "reset");

	nds->pdu_size = 0;
	nds->pdu_scan_offset = 0;

	nds->outer_queue_head = NULL;
	nds->outer_current = NULL;
	/* Tail pointer points at the (now empty) head slot. */
	nds->outer_queue_tailp = &nds->outer_queue_head;

	return (1);
}
380
381 /*
382 * ndo_destruct
383 *
384 * Destruct a stream: zap the outer_queue.
385 * Note: heap management (creation/destruction) is external to the stream.
386 */
/*
 * Destruct a stream: release the PDU buffer and empty the outer queue.
 * Heap management (creation/destruction) is external to the stream.
 * A null stream is traced and ignored.
 */
static void
ndo_destruct(ndr_stream_t *nds)
{
	ndo_printf(nds, NULL, "destruct");

	if (nds == NULL)
		return;

	free(nds->pdu_base_addr);
	nds->pdu_base_addr = NULL;
	nds->pdu_base_offset = 0;

	nds->outer_queue_head = NULL;
	nds->outer_current = NULL;
	nds->outer_queue_tailp = &nds->outer_queue_head;
}
406
407 /*
408 * Printf style formatting for NDR operations.
409 */
/*
 * Printf style formatting for NDR operations. The message is formatted
 * into a bounded NDOBUFSZ buffer (silently truncated if longer) and then
 * either laid out in stream context by ndo_fmt(), or, when there is no
 * stream, handed straight to ndo_trace().
 */
void
ndo_printf(ndr_stream_t *nds, ndr_ref_t *ref, const char *fmt, ...)
{
	char msg[NDOBUFSZ];
	va_list ap;

	va_start(ap, fmt);
	(void) vsnprintf(msg, sizeof (msg), fmt, ap);
	va_end(ap);

	if (nds == NULL) {
		ndo_trace(msg);
		return;
	}

	ndo_fmt(nds, ref, msg);
}
425
426 /*
427 * Main output formatter for NDR operations.
428 *
429 * UI 03 ... rpc_vers get 1@0 = 5 {05}
430 * UI 03 ... rpc_vers_minor get 1@1 = 0 {00}
431 *
432 * U Marshalling flag (M=marshal, U=unmarshal)
433 * I Direction flag (I=in, O=out)
434 * ... Field name
435 * get PDU operation (get or put)
436 * 1@0 Bytes @ offset (i.e. 1 byte at offset 0)
437 * {05} Value
438 */
/*
 * Main output formatter for NDR operations. Produces one trace line of
 * the form "MD ...name note", where M is the marshalling flag (M/U/-/?),
 * D the direction flag (I/O/-/?), the dots indent by the ref's nesting
 * depth, and name is the ref name (or "----" without a ref). An array
 * element ref (name starting with '[') is shown as "parent[idx]" at the
 * parent's depth.
 */
void
ndo_fmt(ndr_stream_t *nds, ndr_ref_t *ref, char *note)
{
	ndr_ref_t *enc;
	int depth = 0;
	int m_op_c;
	int dir_c;
	char ref_name[NDOBUFSZ];
	char line[NDOBUFSZ];

	if (nds->m_op == 0)
		m_op_c = '-';
	else if (nds->m_op == NDR_M_OP_MARSHALL)
		m_op_c = 'M';
	else if (nds->m_op == NDR_M_OP_UNMARSHALL)
		m_op_c = 'U';
	else
		m_op_c = '?';

	if (nds->dir == 0)
		dir_c = '-';
	else if (nds->dir == NDR_DIR_IN)
		dir_c = 'I';
	else if (nds->dir == NDR_DIR_OUT)
		dir_c = 'O';
	else
		dir_c = '?';

	/* Nesting depth is the length of the enclosing chain. */
	for (enc = ref; enc != NULL; enc = enc->enclosing)
		depth++;

	if (ref == NULL || ref->name == NULL) {
		(void) strlcpy(ref_name, "----", NDOBUFSZ);
	} else if (ref->name[0] == '[' && ref->enclosing != NULL) {
		depth--;
		(void) snprintf(ref_name, NDOBUFSZ, "%s%s",
		    ref->enclosing->name, ref->name);
	} else {
		(void) strlcpy(ref_name, ref->name, NDOBUFSZ);
	}

	(void) snprintf(line, NDOBUFSZ, "%c%c %-.*s %-*s %s",
	    m_op_c, dir_c, depth,
	    "....+....+....+....+....+....",
	    20 - depth, ref_name, note);

	ndo_trace(line);
}
484
485 /*ARGSUSED*/
/*
 * Trace sink for formatted NDR messages. Intentionally empty: it exists
 * as a function-boundary probe point for dtrace until user-space sdt is
 * enabled, so the message is discarded here.
 */
void
ndo_trace(const char *s)
{
	(void) s;
}
493
494 /*
495 * Format data as hex bytes (limit is 10 bytes):
496 *
497 * 1188689424 {10 f6 d9 46}
498 *
499 * If the input data is greater than 10 bytes, an ellipsis will
500 * be inserted before the closing brace.
501 */
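/*
 * Append printf-style text to buf (capacity len bytes) at offset *used.
 * The buffer is never overrun and always stays NUL-terminated; once the
 * output is truncated, *used is pinned to len so later appends are no-ops.
 */
static void
ndo_hexfmt_append(char *buf, size_t len, size_t *used, const char *fmt, ...)
{
	va_list ap;
	int rc;

	if (*used >= len)
		return;

	va_start(ap, fmt);
	rc = vsnprintf(buf + *used, len - *used, fmt, ap);
	va_end(ap);

	if (rc < 0 || (size_t)rc >= len - *used)
		*used = len;
	else
		*used += (size_t)rc;
}

/*
 * Format data as hex bytes (limit is 10 bytes):
 *
 *	1188689424 {10 f6 d9 46}
 *
 * If the input data is greater than 10 bytes, an ellipsis will
 * be inserted before the closing brace. For 1, 2 and 4 byte values
 * the integer interpretation precedes the braces (byte-reversed when
 * swap_bytes is set), and for values narrower than 4 bytes a printable
 * character is appended.
 *
 * All output is bounded by len (the old sprintf() calls were not), a
 * size of 0 shows no bytes, and multi-byte loads go through memcpy()
 * so unaligned data is read without a misaligned or aliasing access.
 */
static void
ndo_hexfmt(uint8_t *data, int size, int swap_bytes, char *buf, int len)
{
	size_t used = 0;
	uint32_t c = 0;
	int interp = 1;
	int n;
	int i;

	if (buf == NULL || len <= 0)
		return;
	buf[0] = '\0';

	/* Bytes shown: at most 10, never more than fit in buf, never negative. */
	n = (size > 10) ? 10 : size;
	if (n > len - 1)
		n = len - 1;
	if (n < 0)
		n = 0;

	switch (size) {
	case 1:
		c = data[0];
		break;
	case 2:
		if (swap_bytes == 0) {
			uint16_t v;

			(void) memcpy(&v, data, sizeof (v));
			c = v;
		} else {
			c = ((uint32_t)data[0] << 8) | data[1];
		}
		break;
	case 4:
		if (swap_bytes == 0) {
			(void) memcpy(&c, data, sizeof (c));
		} else {
			/* Widen before shifting: data[0] << 24 overflows int. */
			c = ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16) |
			    ((uint32_t)data[2] << 8) | data[3];
		}
		break;
	default:
		interp = 0;
		break;
	}

	if (interp)
		ndo_hexfmt_append(buf, (size_t)len, &used, "%4u {", c);
	else
		ndo_hexfmt_append(buf, (size_t)len, &used, " {");

	for (i = 0; i < n; i++) {
		if (i == 0)
			ndo_hexfmt_append(buf, (size_t)len, &used, "%02x", data[i]);
		else
			ndo_hexfmt_append(buf, (size_t)len, &used, " %02x", data[i]);
	}

	if (size > 10)
		ndo_hexfmt_append(buf, (size_t)len, &used, " ...}");
	else
		ndo_hexfmt_append(buf, (size_t)len, &used, "}");

	/*
	 * Show c if it's a printable character or wide-char.
	 */
	if (size < 4 && isprint((unsigned char)c))
		ndo_hexfmt_append(buf, (size_t)len, &used, " %c",
		    (int)(unsigned char)c);
}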
558