xref: /freebsd/sys/netsmb/smb_rq.c (revision 6c6c03be2ddb04c54e455122799923deaefa4114)
1 /*-
2  * Copyright (c) 2000-2001, Boris Popov
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *    This product includes software developed by Boris Popov.
16  * 4. Neither the name of the author nor the names of any co-contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
35 
36 #include <sys/param.h>
37 #include <sys/systm.h>
38 #include <sys/endian.h>
39 #include <sys/kernel.h>
40 #include <sys/malloc.h>
41 #include <sys/module.h>
42 #include <sys/proc.h>
43 #include <sys/lock.h>
44 #include <sys/sysctl.h>
45 #include <sys/socket.h>
46 #include <sys/socketvar.h>
47 #include <sys/mbuf.h>
48 
49 #include <netsmb/smb.h>
50 #include <netsmb/smb_conn.h>
51 #include <netsmb/smb_rq.h>
52 #include <netsmb/smb_subr.h>
53 #include <netsmb/smb_tran.h>
54 
55 MALLOC_DEFINE(M_SMBRQ, "SMBRQ", "SMB request");
56 
57 MODULE_DEPEND(netsmb, libmchain, 1, 1, 1);
58 
59 static int  smb_rq_reply(struct smb_rq *rqp);
60 static int  smb_rq_enqueue(struct smb_rq *rqp);
61 static int  smb_rq_getenv(struct smb_connobj *layer,
62 		struct smb_vc **vcpp, struct smb_share **sspp);
63 static int  smb_rq_new(struct smb_rq *rqp, u_char cmd);
64 static int  smb_t2_reply(struct smb_t2rq *t2p);
65 
66 int
67 smb_rq_alloc(struct smb_connobj *layer, u_char cmd, struct smb_cred *scred,
68 	struct smb_rq **rqpp)
69 {
70 	struct smb_rq *rqp;
71 	int error;
72 
73 	rqp = malloc(sizeof(*rqp), M_SMBRQ, M_WAITOK);
74 	if (rqp == NULL)
75 		return ENOMEM;
76 	error = smb_rq_init(rqp, layer, cmd, scred);
77 	rqp->sr_flags |= SMBR_ALLOCED;
78 	if (error) {
79 		smb_rq_done(rqp);
80 		return error;
81 	}
82 	*rqpp = rqp;
83 	return 0;
84 }
85 
86 static char tzero[12];
87 
88 int
89 smb_rq_init(struct smb_rq *rqp, struct smb_connobj *layer, u_char cmd,
90 	struct smb_cred *scred)
91 {
92 	int error;
93 
94 	bzero(rqp, sizeof(*rqp));
95 	smb_sl_init(&rqp->sr_slock, "srslock");
96 	error = smb_rq_getenv(layer, &rqp->sr_vc, &rqp->sr_share);
97 	if (error)
98 		return error;
99 	error = smb_vc_access(rqp->sr_vc, scred, SMBM_EXEC);
100 	if (error)
101 		return error;
102 	if (rqp->sr_share) {
103 		error = smb_share_access(rqp->sr_share, scred, SMBM_EXEC);
104 		if (error)
105 			return error;
106 	}
107 	rqp->sr_cred = scred;
108 	rqp->sr_mid = smb_vc_nextmid(rqp->sr_vc);
109 	return smb_rq_new(rqp, cmd);
110 }
111 
112 static int
113 smb_rq_new(struct smb_rq *rqp, u_char cmd)
114 {
115 	struct smb_vc *vcp = rqp->sr_vc;
116 	struct mbchain *mbp = &rqp->sr_rq;
117 	int error;
118 	u_int16_t flags2;
119 
120 	rqp->sr_sendcnt = 0;
121 	mb_done(mbp);
122 	md_done(&rqp->sr_rp);
123 	error = mb_init(mbp);
124 	if (error)
125 		return error;
126 	mb_put_mem(mbp, SMB_SIGNATURE, SMB_SIGLEN, MB_MSYSTEM);
127 	mb_put_uint8(mbp, cmd);
128 	mb_put_uint32le(mbp, 0);		/* DosError */
129 	mb_put_uint8(mbp, vcp->vc_hflags);
130 	flags2 = vcp->vc_hflags2;
131 	if (cmd == SMB_COM_TRANSACTION || cmd == SMB_COM_TRANSACTION_SECONDARY)
132 		flags2 &= ~SMB_FLAGS2_UNICODE;
133 	if (cmd == SMB_COM_NEGOTIATE)
134 		flags2 &= ~SMB_FLAGS2_SECURITY_SIGNATURE;
135 	mb_put_uint16le(mbp, flags2);
136 	if ((flags2 & SMB_FLAGS2_SECURITY_SIGNATURE) == 0) {
137 		mb_put_mem(mbp, tzero, 12, MB_MSYSTEM);
138 		rqp->sr_rqsig = NULL;
139 	} else {
140 		mb_put_uint16le(mbp, 0 /*scred->sc_p->p_pid >> 16*/);
141 		rqp->sr_rqsig = (u_int8_t *)mb_reserve(mbp, 8);
142 		mb_put_uint16le(mbp, 0);
143 	}
144 	rqp->sr_rqtid = mb_reserve(mbp, sizeof(u_int16_t));
145 	mb_put_uint16le(mbp, 1 /*scred->sc_p->p_pid & 0xffff*/);
146 	rqp->sr_rquid = mb_reserve(mbp, sizeof(u_int16_t));
147 	mb_put_uint16le(mbp, rqp->sr_mid);
148 	return 0;
149 }
150 
151 void
152 smb_rq_done(struct smb_rq *rqp)
153 {
154 	mb_done(&rqp->sr_rq);
155 	md_done(&rqp->sr_rp);
156 	smb_sl_destroy(&rqp->sr_slock);
157 	if (rqp->sr_flags & SMBR_ALLOCED)
158 		free(rqp, M_SMBRQ);
159 }
160 
161 /*
162  * Simple request-reply exchange
163  */
164 int
165 smb_rq_simple(struct smb_rq *rqp)
166 {
167 	struct smb_vc *vcp = rqp->sr_vc;
168 	int error = EINVAL, i;
169 
170 	for (i = 0; i < SMB_MAXRCN; i++) {
171 		rqp->sr_flags &= ~SMBR_RESTART;
172 		rqp->sr_timo = vcp->vc_timo;
173 		rqp->sr_state = SMBRQ_NOTSENT;
174 		error = smb_rq_enqueue(rqp);
175 		if (error)
176 			return error;
177 		error = smb_rq_reply(rqp);
178 		if (error == 0)
179 			break;
180 		if ((rqp->sr_flags & (SMBR_RESTART | SMBR_NORESTART)) != SMBR_RESTART)
181 			break;
182 	}
183 	return error;
184 }
185 
186 static int
187 smb_rq_enqueue(struct smb_rq *rqp)
188 {
189 	struct smb_share *ssp = rqp->sr_share;
190 	int error;
191 
192 	if (ssp == NULL || rqp->sr_cred == &rqp->sr_vc->vc_iod->iod_scred) {
193 		return smb_iod_addrq(rqp);
194 	}
195 	for (;;) {
196 		SMBS_ST_LOCK(ssp);
197 		if (ssp->ss_flags & SMBS_RECONNECTING) {
198 			msleep(&ssp->ss_vcgenid, SMBS_ST_LOCKPTR(ssp),
199 			    PWAIT | PDROP, "90trcn", hz);
200 			if (smb_td_intr(rqp->sr_cred->scr_td))
201 				return EINTR;
202 			continue;
203 		}
204 		if (smb_share_valid(ssp) || (ssp->ss_flags & SMBS_CONNECTED) == 0) {
205 			SMBS_ST_UNLOCK(ssp);
206 		} else {
207 			SMBS_ST_UNLOCK(ssp);
208 			error = smb_iod_request(rqp->sr_vc->vc_iod,
209 			    SMBIOD_EV_TREECONNECT | SMBIOD_EV_SYNC, ssp);
210 			if (error)
211 				return error;
212 		}
213 		error = smb_iod_addrq(rqp);
214 		if (error != EXDEV)
215 			break;
216 	}
217 	return error;
218 }
219 
220 void
221 smb_rq_wstart(struct smb_rq *rqp)
222 {
223 	rqp->sr_wcount = mb_reserve(&rqp->sr_rq, sizeof(u_int8_t));
224 	rqp->sr_rq.mb_count = 0;
225 }
226 
227 void
228 smb_rq_wend(struct smb_rq *rqp)
229 {
230 	if (rqp->sr_wcount == NULL) {
231 		SMBERROR("no wcount\n");	/* actually panic */
232 		return;
233 	}
234 	if (rqp->sr_rq.mb_count & 1)
235 		SMBERROR("odd word count\n");
236 	*rqp->sr_wcount = rqp->sr_rq.mb_count / 2;
237 }
238 
239 void
240 smb_rq_bstart(struct smb_rq *rqp)
241 {
242 	rqp->sr_bcount = mb_reserve(&rqp->sr_rq, sizeof(u_short));
243 	rqp->sr_rq.mb_count = 0;
244 }
245 
246 void
247 smb_rq_bend(struct smb_rq *rqp)
248 {
249 	int bcnt;
250 
251 	if (rqp->sr_bcount == NULL) {
252 		SMBERROR("no bcount\n");	/* actually panic */
253 		return;
254 	}
255 	bcnt = rqp->sr_rq.mb_count;
256 	if (bcnt > 0xffff)
257 		SMBERROR("byte count too large (%d)\n", bcnt);
258 	le16enc(rqp->sr_bcount, bcnt);
259 }
260 
261 int
262 smb_rq_intr(struct smb_rq *rqp)
263 {
264 	if (rqp->sr_flags & SMBR_INTR)
265 		return EINTR;
266 	return smb_td_intr(rqp->sr_cred->scr_td);
267 }
268 
269 int
270 smb_rq_getrequest(struct smb_rq *rqp, struct mbchain **mbpp)
271 {
272 	*mbpp = &rqp->sr_rq;
273 	return 0;
274 }
275 
276 int
277 smb_rq_getreply(struct smb_rq *rqp, struct mdchain **mbpp)
278 {
279 	*mbpp = &rqp->sr_rp;
280 	return 0;
281 }
282 
283 static int
284 smb_rq_getenv(struct smb_connobj *layer,
285 	struct smb_vc **vcpp, struct smb_share **sspp)
286 {
287 	struct smb_vc *vcp = NULL;
288 	struct smb_share *ssp = NULL;
289 	struct smb_connobj *cp;
290 	int error = 0;
291 
292 	switch (layer->co_level) {
293 	    case SMBL_VC:
294 		vcp = CPTOVC(layer);
295 		if (layer->co_parent == NULL) {
296 			SMBERROR("zombie VC %s\n", vcp->vc_srvname);
297 			error = EINVAL;
298 			break;
299 		}
300 		break;
301 	    case SMBL_SHARE:
302 		ssp = CPTOSS(layer);
303 		cp = layer->co_parent;
304 		if (cp == NULL) {
305 			SMBERROR("zombie share %s\n", ssp->ss_name);
306 			error = EINVAL;
307 			break;
308 		}
309 		error = smb_rq_getenv(cp, &vcp, NULL);
310 		if (error)
311 			break;
312 		break;
313 	    default:
314 		SMBERROR("invalid layer %d passed\n", layer->co_level);
315 		error = EINVAL;
316 	}
317 	if (vcpp)
318 		*vcpp = vcp;
319 	if (sspp)
320 		*sspp = ssp;
321 	return error;
322 }
323 
324 /*
325  * Wait for reply on the request
326  */
327 static int
328 smb_rq_reply(struct smb_rq *rqp)
329 {
330 	struct mdchain *mdp = &rqp->sr_rp;
331 	u_int32_t tdw;
332 	u_int8_t tb;
333 	int error, rperror = 0;
334 
335 	error = smb_iod_waitrq(rqp);
336 	if (error)
337 		return error;
338 	error = md_get_uint32(mdp, &tdw);
339 	if (error)
340 		return error;
341 	error = md_get_uint8(mdp, &tb);
342 	if (rqp->sr_vc->vc_hflags2 & SMB_FLAGS2_ERR_STATUS) {
343 		error = md_get_uint32le(mdp, &rqp->sr_error);
344 	} else {
345 		error = md_get_uint8(mdp, &rqp->sr_errclass);
346 		error = md_get_uint8(mdp, &tb);
347 		error = md_get_uint16le(mdp, &rqp->sr_serror);
348 		if (!error)
349 			rperror = smb_maperror(rqp->sr_errclass, rqp->sr_serror);
350 	}
351 	error = md_get_uint8(mdp, &rqp->sr_rpflags);
352 	error = md_get_uint16le(mdp, &rqp->sr_rpflags2);
353 
354 	error = md_get_uint32(mdp, &tdw);
355 	error = md_get_uint32(mdp, &tdw);
356 	error = md_get_uint32(mdp, &tdw);
357 
358 	error = md_get_uint16le(mdp, &rqp->sr_rptid);
359 	error = md_get_uint16le(mdp, &rqp->sr_rppid);
360 	error = md_get_uint16le(mdp, &rqp->sr_rpuid);
361 	error = md_get_uint16le(mdp, &rqp->sr_rpmid);
362 
363 	if (error == 0 &&
364 	    (rqp->sr_vc->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE))
365 		error = smb_rq_verify(rqp);
366 
367 	SMBSDEBUG("M:%04x, P:%04x, U:%04x, T:%04x, E: %d:%d\n",
368 	    rqp->sr_rpmid, rqp->sr_rppid, rqp->sr_rpuid, rqp->sr_rptid,
369 	    rqp->sr_errclass, rqp->sr_serror);
370 	return error ? error : rperror;
371 }
372 
373 
374 #define ALIGN4(a)	(((a) + 3) & ~3)
375 
376 /*
377  * TRANS2 request implementation
378  */
379 int
380 smb_t2_alloc(struct smb_connobj *layer, u_short setup, struct smb_cred *scred,
381 	struct smb_t2rq **t2pp)
382 {
383 	struct smb_t2rq *t2p;
384 	int error;
385 
386 	t2p = malloc(sizeof(*t2p), M_SMBRQ, M_WAITOK);
387 	if (t2p == NULL)
388 		return ENOMEM;
389 	error = smb_t2_init(t2p, layer, setup, scred);
390 	t2p->t2_flags |= SMBT2_ALLOCED;
391 	if (error) {
392 		smb_t2_done(t2p);
393 		return error;
394 	}
395 	*t2pp = t2p;
396 	return 0;
397 }
398 
399 int
400 smb_t2_init(struct smb_t2rq *t2p, struct smb_connobj *source, u_short setup,
401 	struct smb_cred *scred)
402 {
403 	int error;
404 
405 	bzero(t2p, sizeof(*t2p));
406 	t2p->t2_source = source;
407 	t2p->t2_setupcount = 1;
408 	t2p->t2_setupdata = t2p->t2_setup;
409 	t2p->t2_setup[0] = setup;
410 	t2p->t2_fid = 0xffff;
411 	t2p->t2_cred = scred;
412 	error = smb_rq_getenv(source, &t2p->t2_vc, NULL);
413 	if (error)
414 		return error;
415 	return 0;
416 }
417 
418 void
419 smb_t2_done(struct smb_t2rq *t2p)
420 {
421 	mb_done(&t2p->t2_tparam);
422 	mb_done(&t2p->t2_tdata);
423 	md_done(&t2p->t2_rparam);
424 	md_done(&t2p->t2_rdata);
425 	if (t2p->t2_flags & SMBT2_ALLOCED)
426 		free(t2p, M_SMBRQ);
427 }
428 
429 static int
430 smb_t2_placedata(struct mbuf *mtop, u_int16_t offset, u_int16_t count,
431 	struct mdchain *mdp)
432 {
433 	struct mbuf *m, *m0;
434 	int len;
435 
436 	m0 = m_split(mtop, offset, M_WAIT);
437 	len = m_length(m0, &m);
438 	m->m_len -= len - count;
439 	if (mdp->md_top == NULL) {
440 		md_initm(mdp, m0);
441 	} else
442 		m_cat(mdp->md_top, m0);
443 	return 0;
444 }
445 
446 static int
447 smb_t2_reply(struct smb_t2rq *t2p)
448 {
449 	struct mdchain *mdp;
450 	struct smb_rq *rqp = t2p->t2_rq;
451 	int error, totpgot, totdgot;
452 	u_int16_t totpcount, totdcount, pcount, poff, doff, pdisp, ddisp;
453 	u_int16_t tmp, bc, dcount;
454 	u_int8_t wc;
455 
456 	error = smb_rq_reply(rqp);
457 	if (error)
458 		return error;
459 	if ((t2p->t2_flags & SMBT2_ALLSENT) == 0) {
460 		/*
461 		 * this is an interim response, ignore it.
462 		 */
463 		SMBRQ_SLOCK(rqp);
464 		md_next_record(&rqp->sr_rp);
465 		SMBRQ_SUNLOCK(rqp);
466 		return 0;
467 	}
468 	/*
469 	 * Now we have to get all subsequent responses. The CIFS specification
470 	 * says that they can be disordered which is weird.
471 	 * TODO: timo
472 	 */
473 	totpgot = totdgot = 0;
474 	totpcount = totdcount = 0xffff;
475 	mdp = &rqp->sr_rp;
476 	for (;;) {
477 		m_dumpm(mdp->md_top);
478 		if ((error = md_get_uint8(mdp, &wc)) != 0)
479 			break;
480 		if (wc < 10) {
481 			error = ENOENT;
482 			break;
483 		}
484 		if ((error = md_get_uint16le(mdp, &tmp)) != 0)
485 			break;
486 		if (totpcount > tmp)
487 			totpcount = tmp;
488 		md_get_uint16le(mdp, &tmp);
489 		if (totdcount > tmp)
490 			totdcount = tmp;
491 		if ((error = md_get_uint16le(mdp, &tmp)) != 0 || /* reserved */
492 		    (error = md_get_uint16le(mdp, &pcount)) != 0 ||
493 		    (error = md_get_uint16le(mdp, &poff)) != 0 ||
494 		    (error = md_get_uint16le(mdp, &pdisp)) != 0)
495 			break;
496 		if (pcount != 0 && pdisp != totpgot) {
497 			SMBERROR("Can't handle disordered parameters %d:%d\n",
498 			    pdisp, totpgot);
499 			error = EINVAL;
500 			break;
501 		}
502 		if ((error = md_get_uint16le(mdp, &dcount)) != 0 ||
503 		    (error = md_get_uint16le(mdp, &doff)) != 0 ||
504 		    (error = md_get_uint16le(mdp, &ddisp)) != 0)
505 			break;
506 		if (dcount != 0 && ddisp != totdgot) {
507 			SMBERROR("Can't handle disordered data\n");
508 			error = EINVAL;
509 			break;
510 		}
511 		md_get_uint8(mdp, &wc);
512 		md_get_uint8(mdp, NULL);
513 		tmp = wc;
514 		while (tmp--)
515 			md_get_uint16(mdp, NULL);
516 		if ((error = md_get_uint16le(mdp, &bc)) != 0)
517 			break;
518 /*		tmp = SMB_HDRLEN + 1 + 10 * 2 + 2 * wc + 2;*/
519 		if (dcount) {
520 			error = smb_t2_placedata(mdp->md_top, doff, dcount,
521 			    &t2p->t2_rdata);
522 			if (error)
523 				break;
524 		}
525 		if (pcount) {
526 			error = smb_t2_placedata(mdp->md_top, poff, pcount,
527 			    &t2p->t2_rparam);
528 			if (error)
529 				break;
530 		}
531 		totpgot += pcount;
532 		totdgot += dcount;
533 		if (totpgot >= totpcount && totdgot >= totdcount) {
534 			error = 0;
535 			t2p->t2_flags |= SMBT2_ALLRECV;
536 			break;
537 		}
538 		/*
539 		 * We're done with this reply, look for the next one.
540 		 */
541 		SMBRQ_SLOCK(rqp);
542 		md_next_record(&rqp->sr_rp);
543 		SMBRQ_SUNLOCK(rqp);
544 		error = smb_rq_reply(rqp);
545 		if (error)
546 			break;
547 	}
548 	return error;
549 }
550 
551 /*
552  * Perform a full round of TRANS2 request
553  */
554 static int
555 smb_t2_request_int(struct smb_t2rq *t2p)
556 {
557 	struct smb_vc *vcp = t2p->t2_vc;
558 	struct smb_cred *scred = t2p->t2_cred;
559 	struct mbchain *mbp;
560 	struct mdchain *mdp, mbparam, mbdata;
561 	struct mbuf *m;
562 	struct smb_rq *rqp;
563 	int totpcount, leftpcount, totdcount, leftdcount, len, txmax, i;
564 	int error, doff, poff, txdcount, txpcount, nmlen;
565 
566 	m = t2p->t2_tparam.mb_top;
567 	if (m) {
568 		md_initm(&mbparam, m);	/* do not free it! */
569 		totpcount = m_fixhdr(m);
570 		if (totpcount > 0xffff)		/* maxvalue for u_short */
571 			return EINVAL;
572 	} else
573 		totpcount = 0;
574 	m = t2p->t2_tdata.mb_top;
575 	if (m) {
576 		md_initm(&mbdata, m);	/* do not free it! */
577 		totdcount =  m_fixhdr(m);
578 		if (totdcount > 0xffff)
579 			return EINVAL;
580 	} else
581 		totdcount = 0;
582 	leftdcount = totdcount;
583 	leftpcount = totpcount;
584 	txmax = vcp->vc_txmax;
585 	error = smb_rq_alloc(t2p->t2_source, t2p->t_name ?
586 	    SMB_COM_TRANSACTION : SMB_COM_TRANSACTION2, scred, &rqp);
587 	if (error)
588 		return error;
589 	rqp->sr_flags |= SMBR_MULTIPACKET;
590 	t2p->t2_rq = rqp;
591 	rqp->sr_t2 = t2p;
592 	mbp = &rqp->sr_rq;
593 	smb_rq_wstart(rqp);
594 	mb_put_uint16le(mbp, totpcount);
595 	mb_put_uint16le(mbp, totdcount);
596 	mb_put_uint16le(mbp, t2p->t2_maxpcount);
597 	mb_put_uint16le(mbp, t2p->t2_maxdcount);
598 	mb_put_uint8(mbp, t2p->t2_maxscount);
599 	mb_put_uint8(mbp, 0);			/* reserved */
600 	mb_put_uint16le(mbp, 0);			/* flags */
601 	mb_put_uint32le(mbp, 0);			/* Timeout */
602 	mb_put_uint16le(mbp, 0);			/* reserved 2 */
603 	len = mb_fixhdr(mbp);
604 	/*
605 	 * now we have known packet size as
606 	 * ALIGN4(len + 5 * 2 + setupcount * 2 + 2 + strlen(name) + 1),
607 	 * and need to decide which parts should go into the first request
608 	 */
609 	nmlen = t2p->t_name ? strlen(t2p->t_name) : 0;
610 	len = ALIGN4(len + 5 * 2 + t2p->t2_setupcount * 2 + 2 + nmlen + 1);
611 	if (len + leftpcount > txmax) {
612 		txpcount = min(leftpcount, txmax - len);
613 		poff = len;
614 		txdcount = 0;
615 		doff = 0;
616 	} else {
617 		txpcount = leftpcount;
618 		poff = txpcount ? len : 0;
619 		len = ALIGN4(len + txpcount);
620 		txdcount = min(leftdcount, txmax - len);
621 		doff = txdcount ? len : 0;
622 	}
623 	leftpcount -= txpcount;
624 	leftdcount -= txdcount;
625 	mb_put_uint16le(mbp, txpcount);
626 	mb_put_uint16le(mbp, poff);
627 	mb_put_uint16le(mbp, txdcount);
628 	mb_put_uint16le(mbp, doff);
629 	mb_put_uint8(mbp, t2p->t2_setupcount);
630 	mb_put_uint8(mbp, 0);
631 	for (i = 0; i < t2p->t2_setupcount; i++)
632 		mb_put_uint16le(mbp, t2p->t2_setupdata[i]);
633 	smb_rq_wend(rqp);
634 	smb_rq_bstart(rqp);
635 	/* TDUNICODE */
636 	if (t2p->t_name)
637 		mb_put_mem(mbp, t2p->t_name, nmlen, MB_MSYSTEM);
638 	mb_put_uint8(mbp, 0);	/* terminating zero */
639 	len = mb_fixhdr(mbp);
640 	if (txpcount) {
641 		mb_put_mem(mbp, NULL, ALIGN4(len) - len, MB_MZERO);
642 		error = md_get_mbuf(&mbparam, txpcount, &m);
643 		SMBSDEBUG("%d:%d:%d\n", error, txpcount, txmax);
644 		if (error)
645 			goto freerq;
646 		mb_put_mbuf(mbp, m);
647 	}
648 	len = mb_fixhdr(mbp);
649 	if (txdcount) {
650 		mb_put_mem(mbp, NULL, ALIGN4(len) - len, MB_MZERO);
651 		error = md_get_mbuf(&mbdata, txdcount, &m);
652 		if (error)
653 			goto freerq;
654 		mb_put_mbuf(mbp, m);
655 	}
656 	smb_rq_bend(rqp);	/* incredible, but thats it... */
657 	error = smb_rq_enqueue(rqp);
658 	if (error)
659 		goto freerq;
660 	if (leftpcount == 0 && leftdcount == 0)
661 		t2p->t2_flags |= SMBT2_ALLSENT;
662 	error = smb_t2_reply(t2p);
663 	if (error)
664 		goto bad;
665 	while (leftpcount || leftdcount) {
666 		t2p->t2_flags |= SMBT2_SECONDARY;
667 		error = smb_rq_new(rqp, t2p->t_name ?
668 		    SMB_COM_TRANSACTION_SECONDARY : SMB_COM_TRANSACTION2_SECONDARY);
669 		if (error)
670 			goto bad;
671 		mbp = &rqp->sr_rq;
672 		smb_rq_wstart(rqp);
673 		mb_put_uint16le(mbp, totpcount);
674 		mb_put_uint16le(mbp, totdcount);
675 		len = mb_fixhdr(mbp);
676 		/*
677 		 * now we have known packet size as
678 		 * ALIGN4(len + 7 * 2 + 2) for T2 request, and -2 for T one,
679 		 * and need to decide which parts should go into request
680 		 */
681 		len = ALIGN4(len + 6 * 2 + 2);
682 		if (t2p->t_name == NULL)
683 			len += 2;
684 		if (len + leftpcount > txmax) {
685 			txpcount = min(leftpcount, txmax - len);
686 			poff = len;
687 			txdcount = 0;
688 			doff = 0;
689 		} else {
690 			txpcount = leftpcount;
691 			poff = txpcount ? len : 0;
692 			len = ALIGN4(len + txpcount);
693 			txdcount = min(leftdcount, txmax - len);
694 			doff = txdcount ? len : 0;
695 		}
696 		mb_put_uint16le(mbp, txpcount);
697 		mb_put_uint16le(mbp, poff);
698 		mb_put_uint16le(mbp, totpcount - leftpcount);
699 		mb_put_uint16le(mbp, txdcount);
700 		mb_put_uint16le(mbp, doff);
701 		mb_put_uint16le(mbp, totdcount - leftdcount);
702 		leftpcount -= txpcount;
703 		leftdcount -= txdcount;
704 		if (t2p->t_name == NULL)
705 			mb_put_uint16le(mbp, t2p->t2_fid);
706 		smb_rq_wend(rqp);
707 		smb_rq_bstart(rqp);
708 		mb_put_uint8(mbp, 0);	/* name */
709 		len = mb_fixhdr(mbp);
710 		if (txpcount) {
711 			mb_put_mem(mbp, NULL, ALIGN4(len) - len, MB_MZERO);
712 			error = md_get_mbuf(&mbparam, txpcount, &m);
713 			if (error)
714 				goto bad;
715 			mb_put_mbuf(mbp, m);
716 		}
717 		len = mb_fixhdr(mbp);
718 		if (txdcount) {
719 			mb_put_mem(mbp, NULL, ALIGN4(len) - len, MB_MZERO);
720 			error = md_get_mbuf(&mbdata, txdcount, &m);
721 			if (error)
722 				goto bad;
723 			mb_put_mbuf(mbp, m);
724 		}
725 		smb_rq_bend(rqp);
726 		rqp->sr_state = SMBRQ_NOTSENT;
727 		error = smb_iod_request(vcp->vc_iod, SMBIOD_EV_NEWRQ, NULL);
728 		if (error)
729 			goto bad;
730 	}	/* while left params or data */
731 	t2p->t2_flags |= SMBT2_ALLSENT;
732 	mdp = &t2p->t2_rdata;
733 	if (mdp->md_top) {
734 		m_fixhdr(mdp->md_top);
735 		md_initm(mdp, mdp->md_top);
736 	}
737 	mdp = &t2p->t2_rparam;
738 	if (mdp->md_top) {
739 		m_fixhdr(mdp->md_top);
740 		md_initm(mdp, mdp->md_top);
741 	}
742 bad:
743 	smb_iod_removerq(rqp);
744 freerq:
745 	smb_rq_done(rqp);
746 	if (error) {
747 		if (rqp->sr_flags & SMBR_RESTART)
748 			t2p->t2_flags |= SMBT2_RESTART;
749 		md_done(&t2p->t2_rparam);
750 		md_done(&t2p->t2_rdata);
751 	}
752 	return error;
753 }
754 
755 int
756 smb_t2_request(struct smb_t2rq *t2p)
757 {
758 	int error = EINVAL, i;
759 
760 	for (i = 0; i < SMB_MAXRCN; i++) {
761 		t2p->t2_flags &= ~SMBR_RESTART;
762 		error = smb_t2_request_int(t2p);
763 		if (error == 0)
764 			break;
765 		if ((t2p->t2_flags & (SMBT2_RESTART | SMBT2_NORESTART)) != SMBT2_RESTART)
766 			break;
767 	}
768 	return error;
769 }
770