xref: /illumos-gate/usr/src/uts/common/fs/smbclnt/netsmb/smb_trantcp.c (revision 76f6fbeac333be11c1c6311713124da1b8b33ebc)
1 /*
2  * Copyright (c) 2000-2001 Boris Popov
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *    This product includes software developed by Boris Popov.
16  * 4. Neither the name of the author nor the names of any co-contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  *
32  * $Id: smb_trantcp.c,v 1.39 2005/03/02 01:27:44 lindak Exp $
33  */
34 /*
35  * Copyright 2012 Nexenta Systems, Inc.  All rights reserved.
36  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
37  * Use is subject to license terms.
38  */
39 
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/autoconf.h>
43 #include <sys/sysmacros.h>
44 #include <sys/sunddi.h>
45 #include <sys/kmem.h>
46 #include <sys/proc.h>
47 #include <sys/protosw.h>
48 #include <sys/socket.h>
49 #include <sys/poll.h>
50 #include <sys/stream.h>
51 #include <sys/strsubr.h>
52 #include <sys/strsun.h>
53 #include <sys/stropts.h>
54 #include <sys/cmn_err.h>
55 #include <sys/tihdr.h>
56 #include <sys/tiuser.h>
57 #include <sys/t_kuser.h>
58 #include <sys/priv.h>
59 
60 #include <net/if.h>
61 #include <net/route.h>
62 
63 #include <netinet/in.h>
64 #include <netinet/tcp.h>
65 
66 #include <netsmb/smb_osdep.h>
67 #include <netsmb/mchain.h>
68 #include <netsmb/netbios.h>
69 
70 #include <netsmb/smb.h>
71 #include <netsmb/smb_conn.h>
72 #include <netsmb/smb_subr.h>
73 #include <netsmb/smb_tran.h>
74 #include <netsmb/smb_trantcp.h>
75 
76 /*
77  * SMB messages are up to 64K.
78  * Let's leave room for two.
79  */
80 static int smb_tcpsndbuf = 0x20000;
81 static int smb_tcprcvbuf = 0x20000;
82 
83 static int  nb_disconnect(struct nbpcb *nbp);
84 
85 
86 /*
87  * Get mblks into *mpp until the data length is at least mlen.
88  * Note that *mpp may already contain a fragment.
89  *
90  * If we ever have to wait more than 15 sec. to read a message,
91  * return ETIME.  (Caller will declare the VD dead.)
92  */
93 static int
94 nb_getmsg_mlen(struct nbpcb *nbp, mblk_t **mpp, size_t mlen)
95 {
96 	mblk_t *im, *tm;
97 	union T_primitives	*pptr;
98 	size_t dlen;
99 	int events, fmode, timo, waitflg;
100 	int error = 0;
101 
102 	/* We should be the only reader. */
103 	ASSERT(nbp->nbp_flags & NBF_RECVLOCK);
104 	/* nbp->nbp_tiptr checked by caller */
105 
106 	/*
107 	 * Get the first message (fragment) if
108 	 * we don't already have a left-over.
109 	 */
110 	dlen = msgdsize(*mpp); /* *mpp==null is OK */
111 	while (dlen < mlen) {
112 
113 		/*
114 		 * I think we still want this to return ETIME
115 		 * if nothing arrives for SMB_NBTIMO (15) sec.
116 		 * so we can report "server not responding".
117 		 * We _could_ just block here now that our
118 		 * IOD is just a reader.
119 		 */
120 #if 1
121 		/* Wait with timeout... */
122 		events = 0;
123 		waitflg = READWAIT;
124 		timo = SEC_TO_TICK(SMB_NBTIMO);
125 		error = t_kspoll(nbp->nbp_tiptr, timo, waitflg, &events);
126 		if (!error && !events)
127 			error = ETIME;
128 		if (error)
129 			break;
130 		/* file mode for recv is: */
131 		fmode = FNDELAY; /* non-blocking */
132 #else
133 		fmode = 0; /* normal (blocking) */
134 #endif
135 
136 		/* Get some more... */
137 		tm = NULL;
138 		error = tli_recv(nbp->nbp_tiptr, &tm, fmode);
139 		if (error == EAGAIN)
140 			continue;
141 		if (error)
142 			break;
143 
144 		/*
145 		 * Normally get M_DATA messages here,
146 		 * but have to check for other types.
147 		 */
148 		switch (tm->b_datap->db_type) {
149 		case M_DATA:
150 			break;
151 		case M_PROTO:
152 		case M_PCPROTO:
153 			/*LINTED*/
154 			pptr = (union T_primitives *)tm->b_rptr;
155 			switch (pptr->type) {
156 			case T_DATA_IND:
157 				/* remove 1st mblk, keep the rest. */
158 				im = tm->b_cont;
159 				tm->b_cont = NULL;
160 				freeb(tm);
161 				tm = im;
162 				break;
163 			case T_DISCON_IND:
164 				/* Peer disconnected. */
165 				NBDEBUG("T_DISCON_IND: reason=%d",
166 				    pptr->discon_ind.DISCON_reason);
167 				goto discon;
168 			case T_ORDREL_IND:
169 				/* Peer disconnecting. */
170 				NBDEBUG("T_ORDREL_IND");
171 				goto discon;
172 			case T_OK_ACK:
173 				switch (pptr->ok_ack.CORRECT_prim) {
174 				case T_DISCON_REQ:
175 					NBDEBUG("T_OK_ACK/T_DISCON_REQ");
176 					goto discon;
177 				default:
178 					NBDEBUG("T_OK_ACK/prim=%d",
179 					    pptr->ok_ack.CORRECT_prim);
180 					goto discon;
181 				}
182 			default:
183 				NBDEBUG("M_PROTO/type=%d", pptr->type);
184 				goto discon;
185 			}
186 			break; /* M_PROTO, M_PCPROTO */
187 
188 		default:
189 			NBDEBUG("unexpected msg type=%d",
190 			    tm->b_datap->db_type);
191 			/*FALLTHROUGH*/
192 discon:
193 			/*
194 			 * The connection is no longer usable.
195 			 * Drop this message and disconnect.
196 			 *
197 			 * Note: nb_disconnect only does t_snddis
198 			 * on the first call, but does important
199 			 * cleanup and state change on any call.
200 			 */
201 			freemsg(tm);
202 			(void) nb_disconnect(nbp);
203 			return (ENOTCONN);
204 		}
205 
206 		/*
207 		 * If we have a data message, append it to
208 		 * the previous chunk(s) and update dlen
209 		 */
210 		if (!tm)
211 			continue;
212 		if (*mpp == NULL) {
213 			*mpp = tm;
214 		} else {
215 			/* Append */
216 			for (im = *mpp; im->b_cont; im = im->b_cont)
217 				;
218 			im->b_cont = tm;
219 		}
220 		dlen += msgdsize(tm);
221 	}
222 
223 	return (error);
224 }
225 
226 /*
227  * Send a T_DISCON_REQ (disconnect)
228  */
229 static int
230 nb_snddis(struct nbpcb *nbp)
231 {
232 	TIUSER *tiptr = nbp->nbp_tiptr;
233 	cred_t *cr = nbp->nbp_cred;
234 	mblk_t *mp;
235 	struct T_discon_req *dreq;
236 	int error, mlen;
237 
238 	ASSERT(MUTEX_HELD(&nbp->nbp_lock));
239 
240 	if (tiptr == NULL)
241 		return (EBADF);
242 
243 	mlen = sizeof (struct T_discon_req);
244 	if (!(mp = allocb_cred_wait(mlen, STR_NOSIG, &error, cr, NOPID)))
245 		return (error);
246 
247 	mp->b_datap->db_type = M_PROTO;
248 	/*LINTED*/
249 	dreq = (struct T_discon_req *)mp->b_wptr;
250 	dreq->PRIM_type = T_DISCON_REQ;
251 	dreq->SEQ_number = -1;
252 	mp->b_wptr += sizeof (struct T_discon_req);
253 
254 	error = tli_send(tiptr, mp, tiptr->fp->f_flag);
255 	/*
256 	 * There is an OK/ACK response expected, which is
257 	 * either handled by our receiver thread, or just
258 	 * discarded if we're closing this endpoint.
259 	 */
260 
261 	return (error);
262 }
263 
264 /*
265  * Stuff the NetBIOS header into space already prepended.
266  */
267 static void
268 nb_sethdr(mblk_t *m, uint8_t type, uint32_t len)
269 {
270 	uint32_t *p;
271 
272 	len &= 0x1FFFF;
273 	len |= (type << 24);
274 
275 	/*LINTED*/
276 	p = (uint32_t *)m->b_rptr;
277 	*p = htonl(len);
278 }
279 
280 /*
281  * Wait for up to 15 sec. for the next packet.
282  * Often return ETIME and do nothing else.
283  * When a packet header is available, check
284  * the header and get the length, but don't
285  * consume it.  No side effects here except
286  * for the pullupmsg call.
287  */
288 static int
289 nbssn_peekhdr(struct nbpcb *nbp, size_t *lenp,	uint8_t *rpcodep)
290 {
291 	uint32_t len, *hdr;
292 	int error;
293 
294 	/*
295 	 * Get the first message (fragment) if
296 	 * we don't already have a left-over.
297 	 */
298 	error = nb_getmsg_mlen(nbp, &nbp->nbp_frag, sizeof (len));
299 	if (error)
300 		return (error);
301 
302 	if (!pullupmsg(nbp->nbp_frag, sizeof (len)))
303 		return (ENOSR);
304 
305 	/*
306 	 * Check the NetBIOS header.
307 	 * (NOT consumed here)
308 	 */
309 	/*LINTED*/
310 	hdr = (uint32_t *)nbp->nbp_frag->b_rptr;
311 
312 	len = ntohl(*hdr);
313 	if ((len >> 16) & 0xFE) {
314 		NBDEBUG("bad nb header received 0x%x (MBZ flag set)\n", len);
315 		return (EPIPE);
316 	}
317 	*rpcodep = (len >> 24) & 0xFF;
318 	switch (*rpcodep) {
319 	case NB_SSN_MESSAGE:
320 	case NB_SSN_REQUEST:
321 	case NB_SSN_POSRESP:
322 	case NB_SSN_NEGRESP:
323 	case NB_SSN_RTGRESP:
324 	case NB_SSN_KEEPALIVE:
325 		break;
326 	default:
327 		NBDEBUG("bad nb header received 0x%x (bogus type)\n", len);
328 		return (EPIPE);
329 	}
330 	len &= 0x1ffff;
331 	if (len > NB_MAXPKTLEN) {
332 		NBDEBUG("packet too long (%d)\n", len);
333 		return (EFBIG);
334 	}
335 	*lenp = len;
336 	return (0);
337 }
338 
339 /*
340  * Receive a NetBIOS message.  This may block to wait for the entire
341  * message to arrive.  The caller knows there is (or should be) a
342  * message to be read.  When we receive and drop a keepalive or
343  * zero-length message, return EAGAIN so the caller knows that
344  * something was received.  This avoids false triggering of the
345  * "server not responding" state machine.
346  *
347  * Calls to this are serialized at a higher level.
348  */
349 static int
350 nbssn_recv(struct nbpcb *nbp, mblk_t **mpp, int *lenp,
351     uint8_t *rpcodep)
352 {
353 	mblk_t *m0;
354 	uint8_t rpcode;
355 	int error;
356 	size_t rlen, len;
357 
358 	/* We should be the only reader. */
359 	ASSERT(nbp->nbp_flags & NBF_RECVLOCK);
360 
361 	if (nbp->nbp_tiptr == NULL)
362 		return (EBADF);
363 	if (mpp) {
364 		if (*mpp) {
365 			NBDEBUG("*mpp not 0 - leak?");
366 		}
367 		*mpp = NULL;
368 	}
369 	m0 = NULL;
370 
371 	/*
372 	 * Get the NetBIOS header (not consumed yet)
373 	 */
374 	error = nbssn_peekhdr(nbp, &len, &rpcode);
375 	if (error) {
376 		if (error != ETIME)
377 			NBDEBUG("peekhdr, error=%d\n", error);
378 		return (error);
379 	}
380 	NBDEBUG("Have pkt, type=0x%x len=0x%x\n",
381 	    (int)rpcode, (int)len);
382 
383 	/*
384 	 * Block here waiting for the whole packet to arrive.
385 	 * If we get a timeout, return without side effects.
386 	 * The data length we wait for here includes both the
387 	 * NetBIOS header and the payload.
388 	 */
389 	error = nb_getmsg_mlen(nbp, &nbp->nbp_frag, len + 4);
390 	if (error) {
391 		NBDEBUG("getmsg(body), error=%d\n", error);
392 		return (error);
393 	}
394 
395 	/*
396 	 * We now have an entire NetBIOS message.
397 	 * Trim off the NetBIOS header and consume it.
398 	 * Note: _peekhdr has done pullupmsg for us,
399 	 * so we know it's safe to advance b_rptr.
400 	 */
401 	m0 = nbp->nbp_frag;
402 	m0->b_rptr += 4;
403 
404 	/*
405 	 * There may be more data after the message
406 	 * we're about to return, in which case we
407 	 * split it and leave the remainder.
408 	 */
409 	rlen = msgdsize(m0);
410 	ASSERT(rlen >= len);
411 	nbp->nbp_frag = NULL;
412 	if (rlen > len)
413 		nbp->nbp_frag = m_split(m0, len, 1);
414 
415 	if (nbp->nbp_state != NBST_SESSION) {
416 		/*
417 		 * No session is established.
418 		 * Return whatever packet we got.
419 		 */
420 		goto out;
421 	}
422 
423 	/*
424 	 * A session is established; the only packets
425 	 * we should see are session message and
426 	 * keep-alive packets.  Drop anything else.
427 	 */
428 	switch (rpcode) {
429 
430 	case NB_SSN_KEEPALIVE:
431 		/*
432 		 * It's a keepalive.  Discard any data in it
433 		 * (there's not supposed to be any, but that
434 		 * doesn't mean some server won't send some)
435 		 */
436 		if (len)
437 			NBDEBUG("Keepalive with data %d\n", (int)len);
438 		error = EAGAIN;
439 		break;
440 
441 	case NB_SSN_MESSAGE:
442 		/*
443 		 * Session message.  Does it have any data?
444 		 */
445 		if (len == 0) {
446 			/*
447 			 * No data - treat as keepalive (drop).
448 			 */
449 			error = EAGAIN;
450 			break;
451 		}
452 		/*
453 		 * Yes, has data.  Return it.
454 		 */
455 		error = 0;
456 		break;
457 
458 	default:
459 		/*
460 		 * Drop anything else.
461 		 */
462 		NBDEBUG("non-session packet %x\n", rpcode);
463 		error = EAGAIN;
464 		break;
465 	}
466 
467 out:
468 	if (error) {
469 		if (m0)
470 			m_freem(m0);
471 		return (error);
472 	}
473 	if (mpp)
474 		*mpp = m0;
475 	else
476 		m_freem(m0);
477 	*lenp = (int)len;
478 	*rpcodep = rpcode;
479 	return (0);
480 }
481 
482 /*
483  * SMB transport interface
484  *
485  * This is called only by the thread creating this endpoint,
486  * so we're single-threaded here.
487  */
488 /*ARGSUSED*/
489 static int
490 smb_nbst_create(struct smb_vc *vcp, cred_t *cr)
491 {
492 	struct nbpcb *nbp;
493 
494 	nbp = kmem_zalloc(sizeof (struct nbpcb), KM_SLEEP);
495 
496 	nbp->nbp_timo.tv_sec = SMB_NBTIMO;
497 	nbp->nbp_state = NBST_CLOSED; /* really IDLE */
498 	nbp->nbp_vc = vcp;
499 	nbp->nbp_sndbuf = smb_tcpsndbuf;
500 	nbp->nbp_rcvbuf = smb_tcprcvbuf;
501 	nbp->nbp_cred = cr;
502 	crhold(cr);
503 	mutex_init(&nbp->nbp_lock, NULL, MUTEX_DRIVER, NULL);
504 	vcp->vc_tdata = nbp;
505 
506 	return (0);
507 }
508 
509 /*
510  * destroy a transport endpoint
511  *
512  * This is called only by the thread with the last reference
513  * to this endpoint, so we're single-threaded here.
514  */
515 static int
516 smb_nbst_done(struct smb_vc *vcp)
517 {
518 	struct nbpcb *nbp = vcp->vc_tdata;
519 
520 	if (nbp == NULL)
521 		return (ENOTCONN);
522 	vcp->vc_tdata = NULL;
523 
524 	/*
525 	 * Don't really need to disconnect here,
526 	 * because the close following will do it.
527 	 * But it's harmless.
528 	 */
529 	if (nbp->nbp_flags & NBF_CONNECTED)
530 		(void) nb_disconnect(nbp);
531 	if (nbp->nbp_tiptr)
532 		(void) t_kclose(nbp->nbp_tiptr, 0);
533 	if (nbp->nbp_laddr)
534 		smb_free_sockaddr((struct sockaddr *)nbp->nbp_laddr);
535 	if (nbp->nbp_paddr)
536 		smb_free_sockaddr((struct sockaddr *)nbp->nbp_paddr);
537 	if (nbp->nbp_cred)
538 		crfree(nbp->nbp_cred);
539 	mutex_destroy(&nbp->nbp_lock);
540 	kmem_free(nbp, sizeof (*nbp));
541 	return (0);
542 }
543 
544 /*
545  * Loan a transport file pointer (from user space) to this
546  * IOD endpoint.  There should be no other thread using this
547  * endpoint when we do this, but lock for consistency.
548  */
549 static int
550 nb_loan_fp(struct nbpcb *nbp, struct file *fp, cred_t *cr)
551 {
552 	TIUSER *tiptr;
553 	int err;
554 
555 	err = t_kopen(fp, 0, 0, &tiptr, cr);
556 	if (err != 0)
557 		return (err);
558 
559 	mutex_enter(&nbp->nbp_lock);
560 
561 	nbp->nbp_tiptr = tiptr;
562 	nbp->nbp_fmode = tiptr->fp->f_flag;
563 	nbp->nbp_flags |= NBF_CONNECTED;
564 	nbp->nbp_state = NBST_SESSION;
565 
566 	mutex_exit(&nbp->nbp_lock);
567 
568 	return (0);
569 }
570 
571 /*
572  * Take back the transport file pointer we previously loaned.
573  * It's possible there may be another thread in here, so let
574  * others get out of the way before we pull the rug out.
575  *
576  * Some notes about the locking here:  The higher-level IOD code
577  * serializes activity such that at most one reader and writer
578  * thread can be active in this code (and possibly both).
579  * Keeping nbp_lock held during the activities of these two
580  * threads would lead to the possibility of nbp_lock being
581  * held by a blocked thread, so this instead sets one of the
582  * flags (NBF_SENDLOCK | NBF_RECVLOCK) when a sender or a
583  * receiver is active (respectively).  Lastly, tear-down is
584  * the only tricky bit (here) where we must wait for any of
585  * these activities to get out of current calls so they will
586  * notice that we've turned off the NBF_CONNECTED flag.
587  */
588 static void
589 nb_unloan_fp(struct nbpcb *nbp)
590 {
591 
592 	mutex_enter(&nbp->nbp_lock);
593 
594 	nbp->nbp_flags &= ~NBF_CONNECTED;
595 	while (nbp->nbp_flags & (NBF_SENDLOCK | NBF_RECVLOCK)) {
596 		nbp->nbp_flags |= NBF_LOCKWAIT;
597 		cv_wait(&nbp->nbp_cv, &nbp->nbp_lock);
598 	}
599 
600 	if (nbp->nbp_tiptr != NULL) {
601 		(void) t_kclose(nbp->nbp_tiptr, 0);
602 		nbp->nbp_tiptr = NULL;
603 	}
604 	nbp->nbp_state = NBST_CLOSED;
605 
606 	mutex_exit(&nbp->nbp_lock);
607 }
608 
609 static int
610 smb_nbst_loan_fp(struct smb_vc *vcp, struct file *fp, cred_t *cr)
611 {
612 	struct nbpcb *nbp = vcp->vc_tdata;
613 	int error = 0;
614 
615 	/*
616 	 * Un-loan the existing one, if any.
617 	 */
618 	(void) nb_disconnect(nbp);
619 	nb_unloan_fp(nbp);
620 
621 	/*
622 	 * Loan the new one passed in.
623 	 */
624 	if (fp != NULL) {
625 		error = nb_loan_fp(nbp, fp, cr);
626 	}
627 
628 	return (error);
629 }
630 
631 /*ARGSUSED*/
632 static int
633 smb_nbst_bind(struct smb_vc *vcp, struct sockaddr *sap)
634 {
635 	return (ENOTSUP);
636 }
637 
638 /*ARGSUSED*/
639 static int
640 smb_nbst_connect(struct smb_vc *vcp, struct sockaddr *sap)
641 {
642 	return (ENOTSUP);
643 }
644 
645 /*ARGSUSED*/
646 static int
647 smb_nbst_disconnect(struct smb_vc *vcp)
648 {
649 	struct nbpcb *nbp = vcp->vc_tdata;
650 
651 	if (nbp == NULL)
652 		return (ENOTCONN);
653 
654 	return (nb_disconnect(nbp));
655 }
656 
657 static int
658 nb_disconnect(struct nbpcb *nbp)
659 {
660 	int err = 0;
661 
662 	mutex_enter(&nbp->nbp_lock);
663 
664 	if ((nbp->nbp_flags & NBF_CONNECTED) != 0) {
665 		nbp->nbp_flags &= ~NBF_CONNECTED;
666 
667 		if (nbp->nbp_frag != NULL) {
668 			freemsg(nbp->nbp_frag);
669 			nbp->nbp_frag = NULL;
670 		}
671 
672 		err = nb_snddis(nbp);
673 	}
674 
675 	mutex_exit(&nbp->nbp_lock);
676 	return (err);
677 }
678 
679 /*
680  * Add the NetBIOS session header and send.
681  *
682  * Calls to this are serialized at a higher level.
683  */
684 static int
685 nbssn_send(struct nbpcb *nbp, mblk_t *m)
686 {
687 	ptrdiff_t diff;
688 	uint32_t mlen;
689 	int error;
690 
691 	/* We should be the only sender. */
692 	ASSERT(nbp->nbp_flags & NBF_SENDLOCK);
693 
694 	if (nbp->nbp_tiptr == NULL) {
695 		error = EBADF;
696 		goto errout;
697 	}
698 
699 	/*
700 	 * Get the message length, which
701 	 * does NOT include the NetBIOS header
702 	 */
703 	mlen = msgdsize(m);
704 
705 	/*
706 	 * Normally, mb_init() will have left space
707 	 * for us to prepend the NetBIOS header in
708 	 * the data block of the first mblk.
709 	 * However, we have to check in case other
710 	 * code did not leave this space, or if the
711 	 * message is from dupmsg (db_ref > 1)
712 	 *
713 	 * If don't find room in the first data block,
714 	 * we have to allocb a new message and link it
715 	 * on the front of the chain.  We try not to
716 	 * do this becuase it's less efficient.  Also,
717 	 * some network drivers will apparently send
718 	 * each mblk in the chain as separate frames.
719 	 * (That's arguably a driver bug.)
720 	 *
721 	 * Not bothering with allocb_cred_wait below
722 	 * because the message we're prepending to
723 	 * should already have a db_credp.
724 	 */
725 
726 	diff = MBLKHEAD(m);
727 	if (diff == 4 && DB_REF(m) == 1) {
728 		/* We can use the first dblk. */
729 		m->b_rptr -= 4;
730 	} else {
731 		/* Link a new mblk on the head. */
732 		mblk_t *m0;
733 
734 		/* M_PREPEND */
735 		m0 = allocb_wait(4, BPRI_LO, STR_NOSIG, &error);
736 		if (m0 == NULL)
737 			goto errout;
738 
739 		m0->b_wptr += 4;
740 		m0->b_cont = m;
741 		m = m0;
742 	}
743 
744 	nb_sethdr(m, NB_SSN_MESSAGE, mlen);
745 	error = tli_send(nbp->nbp_tiptr, m, 0);
746 	return (error);
747 
748 errout:
749 	if (m != NULL)
750 		m_freem(m);
751 	return (error);
752 }
753 
754 /*
755  * Always consume the message.
756  * (On error too!)
757  */
758 static int
759 smb_nbst_send(struct smb_vc *vcp, mblk_t *m)
760 {
761 	struct nbpcb *nbp = vcp->vc_tdata;
762 	int err;
763 
764 	mutex_enter(&nbp->nbp_lock);
765 	if ((nbp->nbp_flags & NBF_CONNECTED) == 0) {
766 		err = ENOTCONN;
767 		goto out;
768 	}
769 	if (nbp->nbp_flags & NBF_SENDLOCK) {
770 		NBDEBUG("multiple smb_nbst_send!\n");
771 		err = EWOULDBLOCK;
772 		goto out;
773 	}
774 	nbp->nbp_flags |= NBF_SENDLOCK;
775 	mutex_exit(&nbp->nbp_lock);
776 
777 	err = nbssn_send(nbp, m);
778 	m = NULL; /* nbssn_send always consumes this */
779 
780 	mutex_enter(&nbp->nbp_lock);
781 	nbp->nbp_flags &= ~NBF_SENDLOCK;
782 	if (nbp->nbp_flags & NBF_LOCKWAIT) {
783 		nbp->nbp_flags &= ~NBF_LOCKWAIT;
784 		cv_broadcast(&nbp->nbp_cv);
785 	}
786 out:
787 	mutex_exit(&nbp->nbp_lock);
788 	if (m != NULL)
789 		m_freem(m);
790 	return (err);
791 }
792 
793 static int
794 smb_nbst_recv(struct smb_vc *vcp, mblk_t **mpp)
795 {
796 	struct nbpcb *nbp = vcp->vc_tdata;
797 	uint8_t rpcode;
798 	int err, rplen;
799 
800 	mutex_enter(&nbp->nbp_lock);
801 	if ((nbp->nbp_flags & NBF_CONNECTED) == 0) {
802 		err = ENOTCONN;
803 		goto out;
804 	}
805 	if (nbp->nbp_flags & NBF_RECVLOCK) {
806 		NBDEBUG("multiple smb_nbst_recv!\n");
807 		err = EWOULDBLOCK;
808 		goto out;
809 	}
810 	nbp->nbp_flags |= NBF_RECVLOCK;
811 	mutex_exit(&nbp->nbp_lock);
812 
813 	err = nbssn_recv(nbp, mpp, &rplen, &rpcode);
814 
815 	mutex_enter(&nbp->nbp_lock);
816 	nbp->nbp_flags &= ~NBF_RECVLOCK;
817 	if (nbp->nbp_flags & NBF_LOCKWAIT) {
818 		nbp->nbp_flags &= ~NBF_LOCKWAIT;
819 		cv_broadcast(&nbp->nbp_cv);
820 	}
821 out:
822 	mutex_exit(&nbp->nbp_lock);
823 	return (err);
824 }
825 
826 /*
827  * Wait for up to "ticks" clock ticks for input on vcp.
828  * Returns zero if input is available, otherwise ETIME
829  * indicating time expired, or other error codes.
830  */
831 /*ARGSUSED*/
832 static int
833 smb_nbst_poll(struct smb_vc *vcp, int ticks)
834 {
835 	return (ENOTSUP);
836 }
837 
838 static int
839 smb_nbst_getparam(struct smb_vc *vcp, int param, void *data)
840 {
841 	struct nbpcb *nbp = vcp->vc_tdata;
842 
843 	switch (param) {
844 	case SMBTP_SNDSZ:
845 		*(int *)data = nbp->nbp_sndbuf;
846 		break;
847 	case SMBTP_RCVSZ:
848 		*(int *)data = nbp->nbp_rcvbuf;
849 		break;
850 	case SMBTP_TIMEOUT:
851 		*(struct timespec *)data = nbp->nbp_timo;
852 		break;
853 #ifdef SMBTP_SELECTID
854 	case SMBTP_SELECTID:
855 		*(void **)data = nbp->nbp_selectid;
856 		break;
857 #endif
858 #ifdef SMBTP_UPCALL
859 	case SMBTP_UPCALL:
860 		*(void **)data = nbp->nbp_upcall;
861 		break;
862 #endif
863 	default:
864 		return (EINVAL);
865 	}
866 	return (0);
867 }
868 
869 /*ARGSUSED*/
870 static int
871 smb_nbst_setparam(struct smb_vc *vcp, int param, void *data)
872 {
873 	return (EINVAL);
874 }
875 
876 /*
877  * Check for fatal errors
878  */
879 /*ARGSUSED*/
880 static int
881 smb_nbst_fatal(struct smb_vc *vcp, int error)
882 {
883 	switch (error) {
884 	case ENOTCONN:
885 	case ENETRESET:
886 	case ECONNABORTED:
887 	case EPIPE:
888 		return (1);
889 	}
890 	return (0);
891 }
892 
893 
894 struct smb_tran_desc smb_tran_nbtcp_desc = {
895 	SMBT_NBTCP,
896 	smb_nbst_create,
897 	smb_nbst_done,
898 	smb_nbst_bind,
899 	smb_nbst_connect,
900 	smb_nbst_disconnect,
901 	smb_nbst_send,
902 	smb_nbst_recv,
903 	smb_nbst_poll,
904 	smb_nbst_loan_fp,
905 	smb_nbst_getparam,
906 	smb_nbst_setparam,
907 	smb_nbst_fatal,
908 	{NULL, NULL}
909 };
910