1 /* 2 * This file and its contents are supplied under the terms of the 3 * Common Development and Distribution License ("CDDL"), version 1.0. 4 * You may only use this file in accordance with the terms of version 5 * 1.0 of the CDDL. 6 * 7 * A full copy of the text of the CDDL should have accompanied this 8 * source. A copy of the CDDL is also available via the Internet at 9 * http://www.illumos.org/license/CDDL. 10 */ 11 12 /* 13 * Copyright 2019 Nexenta Systems, Inc. All rights reserved. 14 * Copyright 2022 RackTop Systems, Inc. 15 */ 16 17 18 #include <smbsrv/smb2_kproto.h> 19 #include <smbsrv/smb_kstat.h> 20 #include <smbsrv/smb2.h> 21 22 #define SMB2_ASYNCID(sr) (sr->smb2_messageid ^ (1ULL << 62)) 23 24 smb_sdrc_t smb2_invalid_cmd(smb_request_t *); 25 static void smb2_tq_work(void *); 26 static void smb2sr_run_postwork(smb_request_t *); 27 static int smb3_decrypt_msg(smb_request_t *); 28 29 static const smb_disp_entry_t 30 smb2_disp_table[SMB2__NCMDS] = { 31 32 /* text-name, pre, func, post, cmd-code, dialect, flags */ 33 34 { "smb2_negotiate", NULL, 35 smb2_negotiate, NULL, 0, 0, 36 SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID }, 37 38 { "smb2_session_setup", NULL, 39 smb2_session_setup, NULL, 0, 0, 40 SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID }, 41 42 { "smb2_logoff", NULL, 43 smb2_logoff, NULL, 0, 0, 44 SDDF_SUPPRESS_TID }, 45 46 { "smb2_tree_connect", NULL, 47 smb2_tree_connect, NULL, 0, 0, 48 SDDF_SUPPRESS_TID }, 49 50 { "smb2_tree_disconn", NULL, 51 smb2_tree_disconn, NULL, 0, 0 }, 52 53 { "smb2_create", NULL, 54 smb2_create, NULL, 0, 0 }, 55 56 { "smb2_close", NULL, 57 smb2_close, NULL, 0, 0 }, 58 59 { "smb2_flush", NULL, 60 smb2_flush, NULL, 0, 0 }, 61 62 { "smb2_read", NULL, 63 smb2_read, NULL, 0, 0 }, 64 65 { "smb2_write", NULL, 66 smb2_write, NULL, 0, 0 }, 67 68 { "smb2_lock", NULL, 69 smb2_lock, NULL, 0, 0 }, 70 71 { "smb2_ioctl", NULL, 72 smb2_ioctl, NULL, 0, 0 }, 73 74 { "smb2_cancel", NULL, 75 smb2_cancel, NULL, 0, 0, 76 SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID }, 77 78 { "smb2_echo", NULL, 79 smb2_echo, NULL, 0, 0, 80 SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID }, 81 82 { "smb2_query_dir", NULL, 83 smb2_query_dir, NULL, 0, 0 }, 84 85 { "smb2_change_notify", NULL, 86 smb2_change_notify, NULL, 0, 0 }, 87 88 { "smb2_query_info", NULL, 89 smb2_query_info, NULL, 0, 0 }, 90 91 { "smb2_set_info", NULL, 92 smb2_set_info, NULL, 0, 0 }, 93 94 { "smb2_oplock_break_ack", NULL, 95 smb2_oplock_break_ack, NULL, 0, 0 }, 96 97 { "smb2_invalid_cmd", NULL, 98 smb2_invalid_cmd, NULL, 0, 0, 99 SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID }, 100 }; 101 102 smb_sdrc_t 103 smb2_invalid_cmd(smb_request_t *sr) 104 { 105 #ifdef DEBUG 106 cmn_err(CE_NOTE, "clnt %s bad SMB2 cmd code", 107 sr->session->ip_addr_str); 108 #endif 109 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 110 return (SDRC_DROP_VC); 111 } 112 113 /* 114 * This is the SMB2 handler for new smb requests, called from 115 * smb_session_reader after SMB negotiate is done. For most SMB2 116 * requests, we just enqueue them for the smb_session_worker to 117 * execute via the task queue, so they can block for resources 118 * without stopping the reader thread. A few protocol messages 119 * are special cases and are handled directly here in the reader 120 * thread so they don't wait for taskq scheduling. 121 * 122 * This function must either enqueue the new request for 123 * execution via the task queue, or execute it directly 124 * and then free it. If this returns non-zero, the caller 125 * will drop the session. 126 */ 127 int 128 smb2sr_newrq(smb_request_t *sr) 129 { 130 struct mbuf_chain *mbc = &sr->command; 131 taskqid_t tqid; 132 uint32_t magic; 133 int rc, skip; 134 135 if (smb_mbc_peek(mbc, 0, "l", &magic) != 0) 136 goto drop; 137 138 /* 0xFD S M B */ 139 if (magic == SMB3_ENCRYPTED_MAGIC) { 140 if (smb3_decrypt_msg(sr) != 0) 141 goto drop; 142 /* 143 * Should now be looking at an un-encrypted 144 * SMB2 message header. 145 */ 146 if (smb_mbc_peek(mbc, 0, "l", &magic) != 0) 147 goto drop; 148 } 149 150 if (magic != SMB2_PROTOCOL_MAGIC) 151 goto drop; 152 153 /* 154 * Walk the SMB2 commands in this compound message and 155 * keep track of the range of message IDs it uses. 156 */ 157 for (;;) { 158 if (smb2_decode_header(sr) != 0) 159 goto drop; 160 161 /* 162 * Cancel requests are special: They refer to 163 * an earlier message ID (or an async. ID), 164 * never a new ID, and are never compounded. 165 * This is intentionally not "goto drop" 166 * because rc may be zero (success). 167 */ 168 if (sr->smb2_cmd_code == SMB2_CANCEL) { 169 rc = smb2_newrq_cancel(sr); 170 smb_request_free(sr); 171 return (rc); 172 } 173 174 /* 175 * Keep track of the total credits in this compound 176 * and the first (real) message ID (not: 0, -1) 177 * While we're looking, verify that all (real) IDs 178 * are (first <= ID < (first + msg_credits)) 179 */ 180 if (sr->smb2_credit_charge == 0) 181 sr->smb2_credit_charge = 1; 182 sr->smb2_total_credits += sr->smb2_credit_charge; 183 184 if (sr->smb2_messageid != 0 && 185 sr->smb2_messageid != UINT64_MAX) { 186 187 if (sr->smb2_first_msgid == 0) 188 sr->smb2_first_msgid = sr->smb2_messageid; 189 190 if (sr->smb2_messageid < sr->smb2_first_msgid || 191 sr->smb2_messageid >= (sr->smb2_first_msgid + 192 sr->smb2_total_credits)) { 193 long long id = (long long) sr->smb2_messageid; 194 cmn_err(CE_WARN, "clnt %s msg ID 0x%llx " 195 "out of sequence in compound", 196 sr->session->ip_addr_str, id); 197 } 198 } 199 200 /* Normal loop exit on next == zero */ 201 if (sr->smb2_next_command == 0) 202 break; 203 204 /* Abundance of caution... */ 205 if (sr->smb2_next_command < SMB2_HDR_SIZE) 206 goto drop; 207 208 /* Advance to the next header. */ 209 skip = sr->smb2_next_command - SMB2_HDR_SIZE; 210 if (MBC_ROOM_FOR(mbc, skip) == 0) 211 goto drop; 212 mbc->chain_offset += skip; 213 } 214 /* Rewind back to the top. */ 215 mbc->chain_offset = 0; 216 217 /* 218 * Submit the request to the task queue, which calls 219 * smb2_tq_work when the workload permits. 220 */ 221 sr->sr_time_submitted = gethrtime(); 222 sr->sr_state = SMB_REQ_STATE_SUBMITTED; 223 smb_srqueue_waitq_enter(sr->session->s_srqueue); 224 tqid = taskq_dispatch(sr->sr_server->sv_worker_pool, 225 smb2_tq_work, sr, TQ_SLEEP); 226 VERIFY(tqid != TASKQID_INVALID); 227 228 return (0); 229 230 drop: 231 smb_request_free(sr); 232 return (-1); 233 } 234 235 static void 236 smb2_tq_work(void *arg) 237 { 238 smb_request_t *sr; 239 smb_srqueue_t *srq; 240 241 sr = (smb_request_t *)arg; 242 SMB_REQ_VALID(sr); 243 244 srq = sr->session->s_srqueue; 245 smb_srqueue_waitq_to_runq(srq); 246 sr->sr_worker = curthread; 247 sr->sr_time_active = gethrtime(); 248 249 /* 250 * Always dispatch to the work function, because cancelled 251 * requests need an error reply (NT_STATUS_CANCELLED). 252 */ 253 mutex_enter(&sr->sr_mutex); 254 if (sr->sr_state == SMB_REQ_STATE_SUBMITTED) 255 sr->sr_state = SMB_REQ_STATE_ACTIVE; 256 mutex_exit(&sr->sr_mutex); 257 258 smb2sr_work(sr); 259 260 smb_srqueue_runq_exit(srq); 261 } 262 263 /* 264 * Any non-zero return code and we'll drop the connection. 265 * Other than that, return codes are just informative eg. 266 * when looking at dtrace logs, which return did we take? 267 */ 268 static int 269 smb3_decrypt_msg(smb_request_t *sr) 270 { 271 int save_offset; 272 273 if (sr->session->dialect < SMB_VERS_3_0) { 274 /* Encrypted message in SMB 2.x */ 275 return (-1); 276 } 277 if ((sr->session->srv_cap & SMB2_CAP_ENCRYPTION) == 0) { 278 /* Should have srv_cap SMB2_CAP_ENCRYPTION flag set! */ 279 return (-2); 280 } 281 282 sr->encrypted = B_TRUE; 283 save_offset = sr->command.chain_offset; 284 if (smb3_decode_tform_header(sr) != 0) { 285 /* Bad transform header */ 286 return (-3); 287 } 288 sr->command.chain_offset = save_offset; 289 290 sr->tform_ssn = smb_session_lookup_ssnid(sr->session, 291 sr->smb3_tform_ssnid); 292 if (sr->tform_ssn == NULL) { 293 /* Session not found */ 294 return (-4); 295 } 296 297 if (smb3_decrypt_sr(sr) != 0) { 298 /* Decryption failed */ 299 return (-5); 300 } 301 302 return (0); 303 } 304 305 /* 306 * SMB2 credits determine how many simultaneous commands the 307 * client may issue, and bounds the range of message IDs those 308 * commands may use. With multi-credit support, commands may 309 * use ranges of message IDs, where the credits used by each 310 * command are proportional to their data transfer size. 311 * 312 * Every command may request an increase or decrease of 313 * the currently granted credits, based on the difference 314 * between the credit request and the credit charge. 315 * [MS-SMB2] 3.3.1.2 Algorithm for the Granting of Credits 316 * 317 * Most commands have credit_request=1, credit_charge=1, 318 * which keeps the credit grant unchanged. 319 * 320 * All we're really doing here (for now) is reducing the 321 * credit_response if the client requests a credit increase 322 * that would take their credit over the maximum, and 323 * limiting the decrease so they don't run out of credits. 324 * 325 * Later, this could do something dynamic based on load. 326 * 327 * One other non-obvious bit about credits: We keep the 328 * session s_max_credits low until the 1st authentication, 329 * at which point we'll set the normal maximum_credits. 330 * Some clients ask for more credits with session setup, 331 * and we need to handle that requested increase _after_ 332 * the command-specific handler returns so it won't be 333 * restricted to the lower (pre-auth) limit. 334 */ 335 static inline void 336 smb2_credit_decrease(smb_request_t *sr) 337 { 338 smb_session_t *session = sr->session; 339 uint16_t cur, d; 340 341 ASSERT3U(sr->smb2_credit_request, <, sr->smb2_credit_charge); 342 343 mutex_enter(&session->s_credits_mutex); 344 cur = session->s_cur_credits; 345 ASSERT(cur > 0); 346 347 /* Handle credit decrease. */ 348 d = sr->smb2_credit_charge - sr->smb2_credit_request; 349 350 /* 351 * Prevent underflow of current credits, and 352 * enforce a minimum of one credit, per: 353 * [MS-SMB2] 3.3.1.2 354 */ 355 if (d >= cur) { 356 /* 357 * Tried to give up more credits than we should. 358 * Reduce the decrement. 359 */ 360 d = cur - 1; 361 cur = 1; 362 DTRACE_PROBE1(smb2__credit__neg, smb_request_t *, sr); 363 } else { 364 cur -= d; 365 } 366 367 ASSERT3U(d, <=, sr->smb2_credit_charge); 368 sr->smb2_credit_response = sr->smb2_credit_charge - d; 369 370 DTRACE_PROBE3(smb2__credit__decrease, 371 smb_request_t *, sr, int, (int)cur, 372 int, (int)session->s_cur_credits); 373 374 session->s_cur_credits = cur; 375 mutex_exit(&session->s_credits_mutex); 376 } 377 378 /* 379 * Second half of SMB2 credit handling (increases) 380 */ 381 static inline void 382 smb2_credit_increase(smb_request_t *sr) 383 { 384 smb_session_t *session = sr->session; 385 uint16_t cur, d; 386 387 ASSERT3U(sr->smb2_credit_request, >, sr->smb2_credit_charge); 388 389 mutex_enter(&session->s_credits_mutex); 390 cur = session->s_cur_credits; 391 392 /* Handle credit increase. */ 393 d = sr->smb2_credit_request - sr->smb2_credit_charge; 394 395 /* 396 * If new credits would be above max, 397 * reduce the credit grant. 398 */ 399 if (d > (session->s_max_credits - cur)) { 400 d = session->s_max_credits - cur; 401 cur = session->s_max_credits; 402 DTRACE_PROBE1(smb2__credit__max, smb_request_t *, sr); 403 } else { 404 cur += d; 405 } 406 sr->smb2_credit_response = sr->smb2_credit_charge + d; 407 408 DTRACE_PROBE3(smb2__credit__increase, 409 smb_request_t *, sr, int, (int)cur, 410 int, (int)session->s_cur_credits); 411 412 session->s_cur_credits = cur; 413 mutex_exit(&session->s_credits_mutex); 414 } 415 416 /* 417 * Record some statistics: latency, rx bytes, tx bytes 418 * per: server, session & kshare. 419 */ 420 static inline void 421 smb2_record_stats(smb_request_t *sr, smb_disp_stats_t *sds, boolean_t tx_only) 422 { 423 hrtime_t dt; 424 int64_t rxb; 425 int64_t txb; 426 427 dt = gethrtime() - sr->sr_time_start; 428 rxb = (int64_t)(sr->command.chain_offset - sr->smb2_cmd_hdr); 429 txb = (int64_t)(sr->reply.chain_offset - sr->smb2_reply_hdr); 430 431 if (!tx_only) { 432 smb_server_inc_req(sr->sr_server); 433 smb_latency_add_sample(&sds->sdt_lat, dt); 434 atomic_add_64(&sds->sdt_rxb, rxb); 435 } 436 atomic_add_64(&sds->sdt_txb, txb); 437 } 438 439 /* 440 * smb2sr_work 441 * 442 * This function processes each SMB command in the current request 443 * (which may be a compound request) building a reply containing 444 * SMB reply messages, one-to-one with the SMB commands. Some SMB 445 * commands (change notify, blocking locks) may require both an 446 * "interim response" and a later "async response" at completion. 447 * In such cases, we'll encode the interim response in the reply 448 * compound we're building, and put the (now async) command on a 449 * list of commands that need further processing. After we've 450 * finished processing the commands in this compound and building 451 * the compound reply, we'll send the compound reply, and finally 452 * process the list of async commands. 453 * 454 * As we work our way through the compound request and reply, 455 * we need to keep track of the bounds of the current request 456 * and reply. For the request, this uses an MBC_SHADOW_CHAIN 457 * that begins at smb2_cmd_hdr. The reply is appended to the 458 * sr->reply chain starting at smb2_reply_hdr. 459 * 460 * This function must always free the smb request, or arrange 461 * for it to be completed and free'd later (if SDRC_SR_KEPT). 462 */ 463 void 464 smb2sr_work(struct smb_request *sr) 465 { 466 const smb_disp_entry_t *sdd; 467 smb_disp_stats_t *sds; 468 smb_session_t *session; 469 uint32_t msg_len; 470 uint16_t cmd_idx; 471 int rc = 0; 472 boolean_t disconnect = B_FALSE; 473 boolean_t related; 474 475 session = sr->session; 476 477 ASSERT(sr->smb2_async == B_FALSE); 478 ASSERT(sr->tid_tree == 0); 479 ASSERT(sr->uid_user == 0); 480 ASSERT(sr->fid_ofile == 0); 481 sr->smb_fid = (uint16_t)-1; 482 sr->smb2_status = 0; 483 484 /* temporary until we identify a user */ 485 sr->user_cr = zone_kcred(); 486 487 cmd_start: 488 /* 489 * Note that we don't check sr_state here and abort the 490 * compound if cancelled (etc.) because some SMB2 command 491 * handlers need to do work even when cancelled. 492 * 493 * We treat some status codes as if "sticky", meaning 494 * once they're set after some command handler returns, 495 * all remaining commands get this status without even 496 * calling the command-specific handler. 497 */ 498 if (sr->smb2_status != NT_STATUS_CANCELLED && 499 sr->smb2_status != NT_STATUS_INSUFFICIENT_RESOURCES) 500 sr->smb2_status = 0; 501 502 /* 503 * Decode the request header 504 * 505 * Most problems with decoding will result in the error 506 * STATUS_INVALID_PARAMETER. If the decoding problem 507 * prevents continuing, we'll close the connection. 508 * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted... 509 */ 510 sr->smb2_cmd_hdr = sr->command.chain_offset; 511 if ((rc = smb2_decode_header(sr)) != 0) { 512 cmn_err(CE_WARN, "clnt %s bad SMB2 header", 513 session->ip_addr_str); 514 disconnect = B_TRUE; 515 goto cleanup; 516 } 517 518 /* 519 * The SMB2_FLAGS_SERVER_TO_REDIR should only appear 520 * in messages from the server back to the client. 521 */ 522 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR) != 0) { 523 cmn_err(CE_WARN, "clnt %s bad SMB2 flags", 524 session->ip_addr_str); 525 disconnect = B_TRUE; 526 goto cleanup; 527 } 528 related = (sr->smb2_hdr_flags & SMB2_FLAGS_RELATED_OPERATIONS); 529 sr->smb2_hdr_flags |= SMB2_FLAGS_SERVER_TO_REDIR; 530 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) { 531 /* Probably an async cancel. */ 532 DTRACE_PROBE1(smb2__dispatch__async, smb_request_t *, sr); 533 } else if (sr->smb2_async) { 534 /* Previous command in compound went async. */ 535 sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND; 536 sr->smb2_async_id = SMB2_ASYNCID(sr); 537 } 538 539 /* 540 * In case we bail out with an error before we get to the 541 * section that computes the credit grant, initialize the 542 * response header fields so that credits won't change. 543 * Note: SMB 2.02 clients may send credit charge zero. 544 */ 545 if (sr->smb2_credit_charge == 0) 546 sr->smb2_credit_charge = 1; 547 sr->smb2_credit_response = sr->smb2_credit_charge; 548 549 /* 550 * Write a tentative reply header. 551 * 552 * We could just leave this blank, but if we're using the 553 * mdb module feature that extracts packets, it's useful 554 * to have the header mostly correct here. 555 * 556 * If we have already exhausted the output space, then the 557 * client is trying something funny. Log it and kill 'em. 558 */ 559 sr->smb2_next_reply = 0; 560 ASSERT((sr->reply.chain_offset & 7) == 0); 561 sr->smb2_reply_hdr = sr->reply.chain_offset; 562 if ((rc = smb2_encode_header(sr, B_FALSE)) != 0) { 563 cmn_err(CE_WARN, "clnt %s excessive reply", 564 session->ip_addr_str); 565 disconnect = B_TRUE; 566 goto cleanup; 567 } 568 569 /* 570 * Figure out the length of data following the SMB2 header. 571 * It ends at either the next SMB2 header if there is one 572 * (smb2_next_command != 0) or at the end of the message. 573 */ 574 if (sr->smb2_next_command != 0) { 575 /* [MS-SMB2] says this is 8-byte aligned */ 576 msg_len = sr->smb2_next_command; 577 if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) || 578 ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) { 579 cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd", 580 session->ip_addr_str); 581 disconnect = B_TRUE; 582 goto cleanup; 583 } 584 } else { 585 msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr; 586 } 587 588 /* 589 * Setup a shadow chain for this SMB2 command, starting 590 * with the header and ending at either the next command 591 * or the end of the message. The signing check below 592 * needs the entire SMB2 command. After that's done, we 593 * advance chain_offset to the end of the header where 594 * the command specific handlers continue decoding. 595 */ 596 (void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command, 597 sr->smb2_cmd_hdr, msg_len); 598 599 /* 600 * We will consume the data for this request from smb_data. 601 * That effectively consumes msg_len bytes from sr->command 602 * but doesn't update its chain_offset, so we need to update 603 * that here to make later received bytes accounting work. 604 */ 605 sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len; 606 ASSERT(sr->command.chain_offset <= sr->command.max_bytes); 607 608 /* 609 * Validate the commmand code, get dispatch table entries. 610 * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted... 611 * 612 * The last slot in the dispatch table is used to handle 613 * invalid commands. Same for statistics. 614 */ 615 if (sr->smb2_cmd_code < SMB2_INVALID_CMD) 616 cmd_idx = sr->smb2_cmd_code; 617 else 618 cmd_idx = SMB2_INVALID_CMD; 619 sdd = &smb2_disp_table[cmd_idx]; 620 sds = &session->s_server->sv_disp_stats2[cmd_idx]; 621 622 /* 623 * If this command is NOT "related" to the previous, 624 * clear out the UID, TID, FID state that might be 625 * left over from the previous command. 626 * 627 * If the command IS related, any new IDs are ignored, 628 * and we simply continue with the previous user, tree, 629 * and open file. 630 */ 631 if (!related) { 632 /* 633 * Drop user, tree, file; carefully ordered to 634 * avoid dangling references: file, tree, user 635 */ 636 if (sr->fid_ofile != NULL) { 637 smb_ofile_release(sr->fid_ofile); 638 sr->fid_ofile = NULL; 639 } 640 if (sr->tid_tree != NULL) { 641 smb_tree_release(sr->tid_tree); 642 sr->tid_tree = NULL; 643 } 644 if (sr->uid_user != NULL) { 645 smb_user_release(sr->uid_user); 646 sr->uid_user = NULL; 647 sr->user_cr = zone_kcred(); 648 } 649 } 650 651 /* 652 * Make sure we have a user and tree as needed 653 * according to the flags for the this command. 654 * Note that we may have inherited these. 655 */ 656 if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0) { 657 /* 658 * This command requires a user session. 659 */ 660 if (related) { 661 /* 662 * Previous command should have given us a user. 663 * [MS-SMB2] 3.3.5.2 Handling Related Requests 664 */ 665 if (sr->uid_user == NULL) { 666 smb2sr_put_error(sr, 667 NT_STATUS_INVALID_PARAMETER); 668 goto cmd_done; 669 } 670 sr->smb2_ssnid = sr->uid_user->u_ssnid; 671 } else { 672 /* 673 * Lookup the UID 674 * [MS-SMB2] 3.3.5.2 Verifying the Session 675 */ 676 ASSERT(sr->uid_user == NULL); 677 /* 678 * [MS-SMB2] 3.3.5.2.7 Handling Compounded Requests 679 * 680 * If this is an encrypted compound request, 681 * ensure that the ssnid in the request 682 * is the same as the tform ssnid if this 683 * message is not related. 684 * 685 * The reasons this is done seem to apply equally 686 * to uncompounded requests, so we apply it to all. 687 */ 688 689 if (sr->encrypted && 690 sr->smb2_ssnid != sr->smb3_tform_ssnid) { 691 disconnect = B_TRUE; 692 goto cleanup; /* just do this for now */ 693 } 694 695 sr->uid_user = smb_session_lookup_ssnid(session, 696 sr->smb2_ssnid); 697 if (sr->uid_user == NULL) { 698 smb2sr_put_error(sr, 699 NT_STATUS_USER_SESSION_DELETED); 700 goto cmd_done; 701 } 702 703 /* 704 * [MS-SMB2] 3.3.5.2.9 Verifying the Session 705 * 706 * If we're talking 3.x, 707 * RejectUnencryptedAccess is TRUE, 708 * Session.EncryptData is TRUE, 709 * and the message wasn't encrypted, 710 * return ACCESS_DENIED. 711 * 712 * Note that Session.EncryptData can only be TRUE when 713 * we're talking 3.x. 714 */ 715 if (sr->uid_user->u_encrypt == SMB_CONFIG_REQUIRED && 716 !sr->encrypted) { 717 smb2sr_put_error(sr, 718 NT_STATUS_ACCESS_DENIED); 719 goto cmd_done; 720 } 721 722 sr->user_cr = smb_user_getcred(sr->uid_user); 723 } 724 ASSERT(sr->uid_user != NULL); 725 726 /* 727 * Encrypt if: 728 * - The cmd is not SESSION_SETUP or NEGOTIATE; AND 729 * - Session.EncryptData is TRUE 730 * 731 * Those commands suppress UID, so they can't be the cmd here. 732 */ 733 if (sr->uid_user->u_encrypt != SMB_CONFIG_DISABLED && 734 sr->tform_ssn == NULL) { 735 smb_user_hold_internal(sr->uid_user); 736 sr->tform_ssn = sr->uid_user; 737 sr->smb3_tform_ssnid = sr->smb2_ssnid; 738 } 739 } 740 741 if ((sdd->sdt_flags & SDDF_SUPPRESS_TID) == 0) { 742 /* 743 * This command requires a tree connection. 744 */ 745 if (related) { 746 /* 747 * Previous command should have given us a tree. 748 * [MS-SMB2] 3.3.5.2 Handling Related Requests 749 */ 750 if (sr->tid_tree == NULL) { 751 smb2sr_put_error(sr, 752 NT_STATUS_INVALID_PARAMETER); 753 goto cmd_done; 754 } 755 sr->smb_tid = sr->tid_tree->t_tid; 756 } else { 757 /* 758 * Lookup the TID 759 * [MS-SMB2] 3.3.5.2 Verifying the Tree Connect 760 */ 761 ASSERT(sr->tid_tree == NULL); 762 sr->tid_tree = smb_session_lookup_tree(session, 763 sr->smb_tid); 764 if (sr->tid_tree == NULL) { 765 smb2sr_put_error(sr, 766 NT_STATUS_NETWORK_NAME_DELETED); 767 goto cmd_done; 768 } 769 770 /* 771 * [MS-SMB2] 3.3.5.2.11 Verifying the Tree Connect 772 * 773 * If we support 3.x, RejectUnencryptedAccess is TRUE, 774 * if Tcon.EncryptData is TRUE or 775 * global EncryptData is TRUE and 776 * the message wasn't encrypted, or 777 * if Tcon.EncryptData is TRUE or 778 * global EncryptData is TRUE or 779 * the request was encrypted and 780 * the connection doesn't support encryption, 781 * return ACCESS_DENIED. 782 * 783 * If RejectUnencryptedAccess is TRUE, we force 784 * max_protocol to at least 3.0. Additionally, 785 * if the tree requires encryption, we don't care 786 * what we support, we still enforce encryption. 787 */ 788 if (sr->tid_tree->t_encrypt == SMB_CONFIG_REQUIRED && 789 (!sr->encrypted || 790 (session->srv_cap & SMB2_CAP_ENCRYPTION) == 0)) { 791 smb2sr_put_error(sr, 792 NT_STATUS_ACCESS_DENIED); 793 goto cmd_done; 794 } 795 } 796 ASSERT(sr->tid_tree != NULL); 797 798 /* 799 * Encrypt if: 800 * - The cmd is not TREE_CONNECT; AND 801 * - Tree.EncryptData is TRUE 802 * 803 * TREE_CONNECT suppresses TID, so that can't be the cmd here. 804 * NOTE: assumes we can't have a tree without a user 805 */ 806 if (sr->tid_tree->t_encrypt != SMB_CONFIG_DISABLED && 807 sr->tform_ssn == NULL) { 808 smb_user_hold_internal(sr->uid_user); 809 sr->tform_ssn = sr->uid_user; 810 sr->smb3_tform_ssnid = sr->smb2_ssnid; 811 } 812 } 813 814 /* 815 * SMB2 signature verification, two parts: 816 * (a) Require SMB2_FLAGS_SIGNED (for most request types) 817 * (b) If SMB2_FLAGS_SIGNED is set, check the signature. 818 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature 819 */ 820 821 /* 822 * No user session means no signature check. That's OK, 823 * i.e. for commands marked SDDF_SUPPRESS_UID above. 824 * Note, this also means we won't sign the reply. 825 */ 826 if (sr->uid_user == NULL) 827 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED; 828 829 /* 830 * The SDDF_SUPPRESS_UID dispatch is set for requests that 831 * don't need a UID (user). These also don't require a 832 * signature check here. 833 * 834 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature 835 * 836 * If the packet was successfully decrypted, the message 837 * signature has already been verified, so we can skip this. 838 */ 839 if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0 && 840 !sr->encrypted && sr->uid_user != NULL && 841 (sr->uid_user->u_sign_flags & SMB_SIGNING_ENABLED) != 0) { 842 /* 843 * If the request is signed, check the signature. 844 * Otherwise, if signing is required, deny access. 845 */ 846 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) { 847 if (smb2_sign_check_request(sr) != 0) { 848 smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED); 849 DTRACE_PROBE1(smb2__sign__check, 850 smb_request_t *, sr); 851 goto cmd_done; 852 } 853 } else if ( 854 (sr->uid_user->u_sign_flags & SMB_SIGNING_CHECK) != 0) { 855 smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED); 856 goto cmd_done; 857 } 858 } 859 860 /* 861 * Now that the signing check is done with smb_data, 862 * advance past the SMB2 header we decoded earlier. 863 * This leaves sr->smb_data correctly positioned 864 * for command-specific decoding in the dispatch 865 * function called next. 866 */ 867 sr->smb_data.chain_offset = sr->smb2_cmd_hdr + SMB2_HDR_SIZE; 868 869 /* 870 * Credit adjustments (decrease) 871 * 872 * If we've gone async, credit adjustments were done 873 * when we sent the interim reply. 874 */ 875 if (!sr->smb2_async) { 876 if (sr->smb2_credit_request < sr->smb2_credit_charge) { 877 smb2_credit_decrease(sr); 878 } 879 } 880 881 /* 882 * The real work: call the SMB2 command handler 883 * (except for "sticky" smb2_status - see above) 884 */ 885 sr->sr_time_start = gethrtime(); 886 rc = SDRC_SUCCESS; 887 if (sr->smb2_status == 0) { 888 /* NB: not using pre_op */ 889 rc = (*sdd->sdt_function)(sr); 890 /* NB: not using post_op */ 891 } else { 892 smb2sr_put_error(sr, sr->smb2_status); 893 } 894 895 /* 896 * When the sdt_function returns SDRC_SR_KEPT, it means 897 * this SR may have been passed to another thread so we 898 * MUST NOT touch it anymore. 899 */ 900 if (rc == SDRC_SR_KEPT) 901 return; 902 903 MBC_FLUSH(&sr->raw_data); 904 905 /* 906 * Credit adjustments (increase) 907 */ 908 if (!sr->smb2_async) { 909 if (sr->smb2_credit_request > sr->smb2_credit_charge) { 910 smb2_credit_increase(sr); 911 } 912 } 913 914 cmd_done: 915 switch (rc) { 916 case SDRC_SUCCESS: 917 break; 918 default: 919 /* 920 * SMB2 does not use the other dispatch return codes. 921 * If we see something else, log an event so we'll 922 * know something is returning bogus status codes. 923 * If you see these in the log, use dtrace to find 924 * the code returning something else. 925 */ 926 #ifdef DEBUG 927 cmn_err(CE_NOTE, "handler for %u returned 0x%x", 928 sr->smb2_cmd_code, rc); 929 #endif 930 smb2sr_put_error(sr, NT_STATUS_INTERNAL_ERROR); 931 break; 932 case SDRC_ERROR: 933 /* 934 * Many command handlers return SDRC_ERROR for any 935 * problems decoding the request, and don't bother 936 * setting smb2_status. For those cases, the best 937 * status return would be "invalid parameter". 938 */ 939 if (sr->smb2_status == 0) 940 sr->smb2_status = NT_STATUS_INVALID_PARAMETER; 941 smb2sr_put_error(sr, sr->smb2_status); 942 break; 943 case SDRC_DROP_VC: 944 disconnect = B_TRUE; 945 goto cleanup; 946 947 case SDRC_NO_REPLY: 948 /* will free sr */ 949 goto cleanup; 950 } 951 952 /* 953 * Pad the reply to align(8) if there will be another. 954 * (We don't compound async replies.) 955 */ 956 if (!sr->smb2_async && sr->smb2_next_command != 0) 957 (void) smb_mbc_put_align(&sr->reply, 8); 958 959 /* 960 * Record some statistics. Uses: 961 * rxb = command.chain_offset - smb2_cmd_hdr; 962 * txb = reply.chain_offset - smb2_reply_hdr; 963 * which at this point represent the current cmd/reply. 964 * 965 * Note: If async, this does txb only, and 966 * skips the smb_latency_add_sample() calls. 967 */ 968 smb2_record_stats(sr, sds, sr->smb2_async); 969 970 /* 971 * If there's a next command, figure out where it starts, 972 * and fill in the next header offset for the reply. 973 * Note: We sanity checked smb2_next_command above. 974 */ 975 if (sr->smb2_next_command != 0) { 976 sr->command.chain_offset = 977 sr->smb2_cmd_hdr + sr->smb2_next_command; 978 sr->smb2_next_reply = 979 sr->reply.chain_offset - sr->smb2_reply_hdr; 980 } else { 981 ASSERT(sr->smb2_next_reply == 0); 982 } 983 984 /* 985 * Overwrite the (now final) SMB2 header for this response. 986 */ 987 (void) smb2_encode_header(sr, B_TRUE); 988 989 /* 990 * Cannot move this into smb2_session_setup() - encoded header required. 991 */ 992 if (session->dialect >= SMB_VERS_3_11 && 993 sr->smb2_cmd_code == SMB2_SESSION_SETUP && 994 sr->smb2_status == NT_STATUS_MORE_PROCESSING_REQUIRED) { 995 if (smb31_preauth_sha512_calc(sr, &sr->reply, 996 sr->uid_user->u_preauth_hashval, 997 sr->uid_user->u_preauth_hashval) != 0) 998 cmn_err(CE_WARN, "(3) Preauth hash calculation " 999 "failed"); 1000 } 1001 1002 /* Don't sign if we're going to encrypt */ 1003 if (sr->tform_ssn == NULL && 1004 (sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) 1005 smb2_sign_reply(sr); 1006 1007 /* 1008 * Non-async runs the whole compound before send. 1009 * When we've gone async, send each individually. 1010 */ 1011 if (!sr->smb2_async && sr->smb2_next_command != 0) 1012 goto cmd_start; 1013 1014 /* 1015 * If we have a durable handle, and this operation updated 1016 * the nvlist, write it out (before smb2_send_reply). 1017 */ 1018 if (sr->dh_nvl_dirty) { 1019 sr->dh_nvl_dirty = B_FALSE; 1020 smb2_dh_update_nvfile(sr); 1021 } 1022 1023 smb2_send_reply(sr); 1024 if (sr->smb2_async && sr->smb2_next_command != 0) { 1025 MBC_FLUSH(&sr->reply); /* New reply buffer. */ 1026 ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes); 1027 goto cmd_start; 1028 } 1029 1030 cleanup: 1031 if (disconnect) 1032 smb_session_disconnect(session); 1033 1034 /* 1035 * Do "postwork" for oplock (and maybe other things) 1036 */ 1037 if (sr->sr_postwork != NULL) 1038 smb2sr_run_postwork(sr); 1039 1040 mutex_enter(&sr->sr_mutex); 1041 sr->sr_state = SMB_REQ_STATE_COMPLETED; 1042 mutex_exit(&sr->sr_mutex); 1043 1044 smb_request_free(sr); 1045 } 1046 1047 /* 1048 * Build interim responses for the current and all following 1049 * requests in this compound, then send the compound response, 1050 * leaving the SR state so that smb2sr_work() can continue its 1051 * processing of this compound in "async mode". 1052 * 1053 * If we agree to "go async", this should return STATUS_SUCCESS. 1054 * Otherwise return STATUS_INSUFFICIENT_RESOURCES for this and 1055 * all requests following this request. (See the comments re. 1056 * "sticky" smb2_status values in smb2sr_work). 1057 * 1058 * Note: the Async ID we assign here is arbitrary, and need only 1059 * be unique among pending async responses on this connection, so 1060 * this just uses a modified messageID, which is already unique. 1061 * 1062 * Credits: All credit changes should happen via the interim 1063 * responses, so we have to manage credits here. After this 1064 * returns to smb2sr_work, the final replies for all these 1065 * commands will have smb2_credit_response = smb2_credit_charge 1066 * (meaning no further changes to the clients' credits). 1067 */ 1068 uint32_t 1069 smb2sr_go_async(smb_request_t *sr) 1070 { 1071 smb_session_t *session; 1072 smb_disp_stats_t *sds; 1073 uint16_t cmd_idx; 1074 int32_t saved_com_offset; 1075 uint32_t saved_cmd_hdr; 1076 uint16_t saved_cred_resp; 1077 uint32_t saved_hdr_flags; 1078 uint32_t saved_reply_hdr; 1079 uint32_t msg_len; 1080 boolean_t disconnect = B_FALSE; 1081 1082 if (sr->smb2_async) { 1083 /* already went async in some previous cmd. */ 1084 return (NT_STATUS_SUCCESS); 1085 } 1086 sr->smb2_async = B_TRUE; 1087 1088 /* The "server" session always runs async. */ 1089 session = sr->session; 1090 if (session->sock == NULL) 1091 return (NT_STATUS_SUCCESS); 1092 1093 sds = NULL; 1094 saved_com_offset = sr->command.chain_offset; 1095 saved_cmd_hdr = sr->smb2_cmd_hdr; 1096 saved_cred_resp = sr->smb2_credit_response; 1097 saved_hdr_flags = sr->smb2_hdr_flags; 1098 saved_reply_hdr = sr->smb2_reply_hdr; 1099 1100 /* 1101 * The command-specific handler should not yet have put any 1102 * data in the reply except for the (place holder) header. 1103 */ 1104 if (sr->reply.chain_offset != sr->smb2_reply_hdr + SMB2_HDR_SIZE) { 1105 ASSERT3U(sr->reply.chain_offset, ==, 1106 sr->smb2_reply_hdr + SMB2_HDR_SIZE); 1107 return (NT_STATUS_INTERNAL_ERROR); 1108 } 1109 1110 /* 1111 * Rewind to the start of the current header in both the 1112 * command and reply bufers, so the loop below can just 1113 * decode/encode just in every pass. This means the 1114 * current command header is decoded again, but that 1115 * avoids having to special-case the first loop pass. 1116 */ 1117 sr->command.chain_offset = sr->smb2_cmd_hdr; 1118 sr->reply.chain_offset = sr->smb2_reply_hdr; 1119 1120 /* 1121 * This command processing loop is a simplified version of 1122 * smb2sr_work() that just puts an "interim response" for 1123 * every command in the compound (NT_STATUS_PENDING). 1124 */ 1125 cmd_start: 1126 sr->smb2_status = NT_STATUS_PENDING; 1127 1128 /* 1129 * Decode the request header 1130 */ 1131 sr->smb2_cmd_hdr = sr->command.chain_offset; 1132 if ((smb2_decode_header(sr)) != 0) { 1133 cmn_err(CE_WARN, "clnt %s bad SMB2 header", 1134 session->ip_addr_str); 1135 disconnect = B_TRUE; 1136 goto cleanup; 1137 } 1138 sr->smb2_hdr_flags |= (SMB2_FLAGS_SERVER_TO_REDIR | 1139 SMB2_FLAGS_ASYNC_COMMAND); 1140 sr->smb2_async_id = SMB2_ASYNCID(sr); 1141 1142 /* 1143 * In case we bail out... 1144 */ 1145 if (sr->smb2_credit_charge == 0) 1146 sr->smb2_credit_charge = 1; 1147 sr->smb2_credit_response = sr->smb2_credit_charge; 1148 1149 /* 1150 * Write a tentative reply header. 1151 */ 1152 sr->smb2_next_reply = 0; 1153 ASSERT((sr->reply.chain_offset & 7) == 0); 1154 sr->smb2_reply_hdr = sr->reply.chain_offset; 1155 if ((smb2_encode_header(sr, B_FALSE)) != 0) { 1156 cmn_err(CE_WARN, "clnt %s excessive reply", 1157 session->ip_addr_str); 1158 disconnect = B_TRUE; 1159 goto cleanup; 1160 } 1161 1162 /* 1163 * Figure out the length of data... 1164 */ 1165 if (sr->smb2_next_command != 0) { 1166 /* [MS-SMB2] says this is 8-byte aligned */ 1167 msg_len = sr->smb2_next_command; 1168 if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) || 1169 ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) { 1170 cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd", 1171 session->ip_addr_str); 1172 disconnect = B_TRUE; 1173 goto cleanup; 1174 } 1175 } else { 1176 msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr; 1177 } 1178 1179 /* 1180 * We just skip any data, so no shadow chain etc. 1181 */ 1182 sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len; 1183 ASSERT(sr->command.chain_offset <= sr->command.max_bytes); 1184 1185 /* 1186 * Validate the commmand code... 1187 */ 1188 if (sr->smb2_cmd_code < SMB2_INVALID_CMD) 1189 cmd_idx = sr->smb2_cmd_code; 1190 else 1191 cmd_idx = SMB2_INVALID_CMD; 1192 sds = &session->s_server->sv_disp_stats2[cmd_idx]; 1193 1194 /* 1195 * Don't change (user, tree, file) because we want them 1196 * exactly as they were when we entered. That also means 1197 * we may not have the right user in sr->uid_user for 1198 * signature checks, so leave that until smb2sr_work 1199 * runs these commands "for real". Therefore, here 1200 * we behave as if: (sr->uid_user == NULL) 1201 */ 1202 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED; 1203 1204 /* 1205 * Credit adjustments (decrease) 1206 * 1207 * NOTE: interim responses are not signed. 1208 * Any attacker can modify the credit grant 1209 * in the response. Because of this property, 1210 * it is no worse to assume the credit charge and grant 1211 * are sane without verifying the signature, 1212 * and that saves us a whole lot of work. 1213 * If the credits WERE modified, we'll find out 1214 * when we verify the signature later, 1215 * which nullifies any changes caused here. 1216 * 1217 * Skip this on the first command, because the 1218 * credit decrease was done by the caller. 1219 */ 1220 if (sr->smb2_cmd_hdr != saved_cmd_hdr) { 1221 if (sr->smb2_credit_request < sr->smb2_credit_charge) { 1222 smb2_credit_decrease(sr); 1223 } 1224 } 1225 1226 /* 1227 * The real work: ... (would be here) 1228 */ 1229 smb2sr_put_error(sr, sr->smb2_status); 1230 1231 /* 1232 * Credit adjustments (increase) 1233 */ 1234 if (sr->smb2_credit_request > sr->smb2_credit_charge) { 1235 smb2_credit_increase(sr); 1236 } 1237 1238 /* cmd_done: label */ 1239 1240 /* 1241 * Pad the reply to align(8) if there will be another. 1242 * This (interim) reply uses compounding. 1243 */ 1244 if (sr->smb2_next_command != 0) 1245 (void) smb_mbc_put_align(&sr->reply, 8); 1246 1247 /* 1248 * Record some statistics. Uses: 1249 * rxb = command.chain_offset - smb2_cmd_hdr; 1250 * txb = reply.chain_offset - smb2_reply_hdr; 1251 * which at this point represent the current cmd/reply. 1252 * 1253 * Note: We're doing smb_latency_add_sample() for all 1254 * remaining commands NOW, which means we won't include 1255 * the async part of their work in latency statistics. 1256 * That's intentional, as the async part of a command 1257 * would otherwise skew our latency statistics. 1258 */ 1259 smb2_record_stats(sr, sds, B_FALSE); 1260 1261 /* 1262 * If there's a next command, figure out where it starts, 1263 * and fill in the next header offset for the reply. 1264 * Note: We sanity checked smb2_next_command above. 1265 */ 1266 if (sr->smb2_next_command != 0) { 1267 sr->command.chain_offset = 1268 sr->smb2_cmd_hdr + sr->smb2_next_command; 1269 sr->smb2_next_reply = 1270 sr->reply.chain_offset - sr->smb2_reply_hdr; 1271 } else { 1272 ASSERT(sr->smb2_next_reply == 0); 1273 } 1274 1275 /* 1276 * Overwrite the (now final) SMB2 header for this response. 1277 */ 1278 (void) smb2_encode_header(sr, B_TRUE); 1279 1280 /* 1281 * Process whole compound before sending. 1282 */ 1283 if (sr->smb2_next_command != 0) 1284 goto cmd_start; 1285 smb2_send_reply(sr); 1286 1287 ASSERT(!disconnect); 1288 1289 cleanup: 1290 /* 1291 * Restore caller's command processing state. 1292 */ 1293 sr->smb2_cmd_hdr = saved_cmd_hdr; 1294 sr->command.chain_offset = saved_cmd_hdr; 1295 (void) smb2_decode_header(sr); 1296 sr->command.chain_offset = saved_com_offset; 1297 1298 sr->smb2_credit_response = saved_cred_resp; 1299 sr->smb2_hdr_flags = saved_hdr_flags; 1300 sr->smb2_status = NT_STATUS_SUCCESS; 1301 1302 /* 1303 * In here, the "disconnect" flag just means we had an 1304 * error decoding or encoding something. Rather than 1305 * actually disconnect here, let's assume whatever 1306 * problem we encountered will be seen by the caller 1307 * as they continue processing the compound, and just 1308 * restore everything and return an error. 1309 */ 1310 if (disconnect) { 1311 sr->smb2_async = B_FALSE; 1312 sr->smb2_reply_hdr = saved_reply_hdr; 1313 sr->reply.chain_offset = sr->smb2_reply_hdr; 1314 (void) smb2_encode_header(sr, B_FALSE); 1315 return (NT_STATUS_INVALID_PARAMETER); 1316 } 1317 1318 /* 1319 * The compound reply buffer we sent is now gone. 1320 * Setup a new reply buffer for the caller. 1321 */ 1322 sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND; 1323 sr->smb2_async_id = SMB2_ASYNCID(sr); 1324 sr->smb2_next_reply = 0; 1325 MBC_FLUSH(&sr->reply); 1326 ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes); 1327 ASSERT(sr->reply.chain_offset == 0); 1328 sr->smb2_reply_hdr = 0; 1329 (void) smb2_encode_header(sr, B_FALSE); 1330 1331 return (NT_STATUS_SUCCESS); 1332 } 1333 1334 int 1335 smb3_decode_tform_header(smb_request_t *sr) 1336 { 1337 uint16_t flags; 1338 int rc; 1339 uint32_t protocolid; 1340 1341 rc = smb_mbc_decodef( 1342 &sr->command, "l16c16cl..wq", 1343 &protocolid, /* l */ 1344 sr->smb2_sig, /* 16c */ 1345 sr->nonce, /* 16c */ 1346 &sr->msgsize, /* l */ 1347 /* reserved .. */ 1348 &flags, /* w */ 1349 &sr->smb3_tform_ssnid); /* q */ 1350 if (rc) 1351 return (rc); 1352 1353 ASSERT3U(protocolid, ==, SMB3_ENCRYPTED_MAGIC); 1354 1355 if (flags != 1) { 1356 #ifdef DEBUG 1357 cmn_err(CE_NOTE, "flags field not 1: %x", flags); 1358 #endif 1359 return (-1); 1360 } 1361 1362 /* 1363 * MsgSize is the amount of data the client tell us to decrypt. 1364 * Make sure this value is not too big and not too small. 1365 */ 1366 if (sr->msgsize < SMB2_HDR_SIZE || 1367 sr->msgsize > sr->session->cmd_max_bytes || 1368 sr->msgsize > sr->command.max_bytes - SMB3_TFORM_HDR_SIZE) 1369 return (-1); 1370 1371 return (rc); 1372 } 1373 1374 int 1375 smb3_encode_tform_header(smb_request_t *sr, struct mbuf_chain *mbc) 1376 { 1377 int rc; 1378 1379 /* Signature and Nonce are added in smb3_encrypt_sr */ 1380 rc = smb_mbc_encodef( 1381 mbc, "l32.lwwq", 1382 SMB3_ENCRYPTED_MAGIC, /* l */ 1383 /* signature(16), nonce(16) 32. */ 1384 sr->msgsize, /* l */ 1385 0, /* reserved w */ 1386 1, /* flags w */ 1387 sr->smb3_tform_ssnid); /* q */ 1388 1389 return (rc); 1390 } 1391 1392 int 1393 smb2_decode_header(smb_request_t *sr) 1394 { 1395 uint32_t pid, tid; 1396 uint16_t hdr_len; 1397 int rc; 1398 1399 rc = smb_mbc_decodef( 1400 &sr->command, "Nwww..wwllqllq16c", 1401 &hdr_len, /* w */ 1402 &sr->smb2_credit_charge, /* w */ 1403 &sr->smb2_chan_seq, /* w */ 1404 /* reserved .. */ 1405 &sr->smb2_cmd_code, /* w */ 1406 &sr->smb2_credit_request, /* w */ 1407 &sr->smb2_hdr_flags, /* l */ 1408 &sr->smb2_next_command, /* l */ 1409 &sr->smb2_messageid, /* q */ 1410 &pid, /* l */ 1411 &tid, /* l */ 1412 &sr->smb2_ssnid, /* q */ 1413 sr->smb2_sig); /* 16c */ 1414 if (rc) 1415 return (rc); 1416 1417 if (hdr_len != SMB2_HDR_SIZE) 1418 return (-1); 1419 1420 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) { 1421 sr->smb2_async_id = pid | 1422 ((uint64_t)tid) << 32; 1423 sr->smb_pid = 0; 1424 sr->smb_tid = 0; 1425 } else { 1426 sr->smb2_async_id = 0; 1427 sr->smb_pid = pid; 1428 sr->smb_tid = (uint16_t)tid; /* XXX wide TIDs */ 1429 } 1430 1431 return (rc); 1432 } 1433 1434 int 1435 smb2_encode_header(smb_request_t *sr, boolean_t overwrite) 1436 { 1437 uint64_t pid_tid_aid; /* pid+tid, or async id */ 1438 int rc; 1439 1440 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) { 1441 pid_tid_aid = sr->smb2_async_id; 1442 } else { 1443 pid_tid_aid = sr->smb_pid | 1444 ((uint64_t)sr->smb_tid) << 32; 1445 } 1446 1447 if (overwrite) { 1448 rc = smb_mbc_poke(&sr->reply, 1449 sr->smb2_reply_hdr, 1450 "Nwwlwwllqqq16c", 1451 SMB2_HDR_SIZE, /* w */ 1452 sr->smb2_credit_charge, /* w */ 1453 sr->smb2_status, /* l */ 1454 sr->smb2_cmd_code, /* w */ 1455 sr->smb2_credit_response, /* w */ 1456 sr->smb2_hdr_flags, /* l */ 1457 sr->smb2_next_reply, /* l */ 1458 sr->smb2_messageid, /* q */ 1459 pid_tid_aid, /* q */ 1460 sr->smb2_ssnid, /* q */ 1461 sr->smb2_sig); /* 16c */ 1462 } else { 1463 rc = smb_mbc_encodef(&sr->reply, 1464 "Nwwlwwllqqq16c", 1465 SMB2_HDR_SIZE, /* w */ 1466 sr->smb2_credit_charge, /* w */ 1467 sr->smb2_status, /* l */ 1468 sr->smb2_cmd_code, /* w */ 1469 sr->smb2_credit_response, /* w */ 1470 sr->smb2_hdr_flags, /* l */ 1471 sr->smb2_next_reply, /* l */ 1472 sr->smb2_messageid, /* q */ 1473 pid_tid_aid, /* q */ 1474 sr->smb2_ssnid, /* q */ 1475 sr->smb2_sig); /* 16c */ 1476 } 1477 1478 return (rc); 1479 } 1480 1481 void 1482 smb2_send_reply(smb_request_t *sr) 1483 { 1484 struct mbuf_chain enc_reply; 1485 smb_session_t *session = sr->session; 1486 void *tmpbuf; 1487 size_t buflen; 1488 struct mbuf_chain tmp; 1489 1490 /* 1491 * [MS-SMB2] 3.3.4.1.4 Encrypting the Message 1492 * 1493 * When the connection supports encryption and the dialect 1494 * is 3.x, encrypt if: 1495 * - The request was encrypted OR 1496 * - The cmd is not SESSION_SETUP or NEGOTIATE AND 1497 * -- Session.EncryptData is TRUE OR 1498 * -- The cmd is not TREE_CONNECT AND 1499 * --- Tree.EncryptData is TRUE 1500 * 1501 * This boils down to sr->tform_ssn != NULL, and the rest 1502 * is enforced when tform_ssn is set. 1503 */ 1504 1505 if ((session->capabilities & SMB2_CAP_ENCRYPTION) == 0 || 1506 sr->tform_ssn == NULL) { 1507 (void) smb_session_send(sr->session, 0, &sr->reply); 1508 return; 1509 } 1510 1511 sr->msgsize = sr->reply.chain_offset; 1512 (void) MBC_SHADOW_CHAIN(&tmp, &sr->reply, 1513 0, sr->msgsize); 1514 1515 buflen = SMB3_TFORM_HDR_SIZE + sr->msgsize; 1516 1517 /* taken from smb_request_init_command_mbuf */ 1518 tmpbuf = kmem_alloc(buflen, KM_SLEEP); 1519 MBC_ATTACH_BUF(&enc_reply, tmpbuf, buflen); 1520 enc_reply.flags = 0; 1521 enc_reply.shadow_of = NULL; 1522 1523 if (smb3_encode_tform_header(sr, &enc_reply) != 0) { 1524 cmn_err(CE_WARN, "couldn't encode transform header"); 1525 goto errout; 1526 } 1527 if (smb3_encrypt_sr(sr, &tmp, &enc_reply) != 0) { 1528 cmn_err(CE_WARN, "smb3 encryption failed"); 1529 goto errout; 1530 } 1531 1532 (void) smb_session_send(sr->session, 0, &enc_reply); 1533 kmem_free(tmpbuf, buflen); 1534 return; 1535 1536 errout: 1537 kmem_free(tmpbuf, buflen); 1538 smb_session_disconnect(sr->session); 1539 } 1540 1541 /* 1542 * This wrapper function exists to help catch calls to smbsr_status() 1543 * (which is SMB1-specific) in common code. See smbsr_status(). 1544 * If the log message below is seen, put a dtrace probe on this 1545 * function with a stack() action to see who is calling the SMB1 1546 * "put error" from common code, and fix it. 1547 */ 1548 void 1549 smbsr_status_smb2(smb_request_t *sr, DWORD status) 1550 { 1551 const char *name; 1552 1553 if (sr->smb2_cmd_code < SMB2__NCMDS) 1554 name = smb2_disp_table[sr->smb2_cmd_code].sdt_name; 1555 else 1556 name = "<unknown>"; 1557 #ifdef DEBUG 1558 cmn_err(CE_NOTE, "smbsr_status called for %s", name); 1559 #endif 1560 1561 smb2sr_put_error_data(sr, status, NULL); 1562 } 1563 1564 void 1565 smb2sr_put_errno(struct smb_request *sr, int errnum) 1566 { 1567 uint32_t status = smb_errno2status(errnum); 1568 smb2sr_put_error_data(sr, status, NULL); 1569 } 1570 1571 void 1572 smb2sr_put_error(smb_request_t *sr, uint32_t status) 1573 { 1574 smb2sr_put_error_data(sr, status, NULL); 1575 } 1576 1577 /* 1578 * Build an SMB2 error response. [MS-SMB2] 2.2.2 1579 */ 1580 void 1581 smb2sr_put_error_data(smb_request_t *sr, uint32_t status, mbuf_chain_t *mbc) 1582 { 1583 DWORD len; 1584 1585 /* 1586 * The common dispatch code writes this when it 1587 * updates the SMB2 header before sending. 1588 */ 1589 sr->smb2_status = status; 1590 1591 /* Rewind to the end of the SMB header. */ 1592 sr->reply.chain_offset = sr->smb2_reply_hdr + SMB2_HDR_SIZE; 1593 1594 /* 1595 * NB: Must provide at least one byte of error data, 1596 * per [MS-SMB2] 2.2.2 1597 */ 1598 if (mbc != NULL && (len = MBC_LENGTH(mbc)) != 0) { 1599 (void) smb_mbc_encodef( 1600 &sr->reply, 1601 "wwlC", 1602 9, /* StructSize */ /* w */ 1603 0, /* reserved */ /* w */ 1604 len, /* l */ 1605 mbc); /* C */ 1606 } else { 1607 (void) smb_mbc_encodef( 1608 &sr->reply, 1609 "wwl.", 1610 9, /* StructSize */ /* w */ 1611 0, /* reserved */ /* w */ 1612 0); /* l. */ 1613 } 1614 } 1615 1616 /* 1617 * Build an SMB2 error context response (dialect 3.1.1). 1618 */ 1619 void 1620 smb2sr_put_error_ctx(smb_request_t *sr, uint32_t status, uint32_t errid, 1621 mbuf_chain_t *mbc) 1622 { 1623 DWORD len; 1624 1625 /* 1626 * The common dispatch code writes this when it 1627 * updates the SMB2 header before sending. 1628 */ 1629 sr->smb2_status = status; 1630 1631 /* Rewind to the end of the SMB header. */ 1632 sr->reply.chain_offset = sr->smb2_reply_hdr + SMB2_HDR_SIZE; 1633 1634 /* 1635 * Error Context is 8-byte header plus encaps. data (ErrorContextData), 1636 * which can be zero-length. 1637 */ 1638 if (mbc != NULL && (len = MBC_LENGTH(mbc)) != 0) { 1639 (void) smb_mbc_encodef( 1640 &sr->reply, 1641 "wbblllC", 1642 9, /* StructSize */ /* w */ 1643 1, /* ErrorContextCount */ /* b */ 1644 0, /* reserved */ /* b */ 1645 8+len, /* ByteCount */ /* l */ 1646 len, /* ErrorDataLength */ /* l */ 1647 errid, /* ErrorId */ /* l */ 1648 mbc); /* C */ 1649 } else { 1650 (void) smb_mbc_encodef( 1651 &sr->reply, 1652 "wbblll", 1653 9, /* StructSize */ /* w */ 1654 1, /* ErrorContextCount */ /* b */ 1655 0, /* reserved */ /* b */ 1656 8, /* ByteCount */ /* l */ 1657 0, /* ErrorDataLength */ /* l */ 1658 errid); /* ErrorId */ /* l */ 1659 } 1660 } 1661 1662 /* 1663 * Build an SMB2 error context response with SMB2_ERROR_ID_DEFAULT ErrorId. 1664 * 1665 * This only handles the case we currently need, encapsulating a 1666 * single error data section inside an SMB2_ERROR_ID_DEFAULT 1667 * error context type (which is type zero, and that's what 1668 * the zero on the end of this function name refers to). 1669 */ 1670 void 1671 smb2sr_put_error_ctx0(smb_request_t *sr, uint32_t status, mbuf_chain_t *mbc) 1672 { 1673 return (smb2sr_put_error_ctx(sr, status, SMB2_ERROR_ID_DEFAULT, mbc)); 1674 } 1675 1676 /* 1677 * smb2sr_lookup_fid 1678 * 1679 * Setup sr->fid_ofile, either inherited from a related command, 1680 * or obtained via FID lookup. Similar inheritance logic as in 1681 * smb2sr_work. 1682 */ 1683 uint32_t 1684 smb2sr_lookup_fid(smb_request_t *sr, smb2fid_t *fid) 1685 { 1686 boolean_t related = sr->smb2_hdr_flags & 1687 SMB2_FLAGS_RELATED_OPERATIONS; 1688 1689 if (related) { 1690 if (sr->fid_ofile == NULL) 1691 return (NT_STATUS_INVALID_PARAMETER); 1692 sr->smb_fid = sr->fid_ofile->f_fid; 1693 return (0); 1694 } 1695 1696 /* 1697 * If we could be sure this is called only once per cmd, 1698 * we could simply ASSERT(sr->fid_ofile == NULL) here. 1699 * However, there are cases where it can be called again 1700 * handling the same command, so let's tolerate that. 1701 */ 1702 if (sr->fid_ofile == NULL) { 1703 sr->smb_fid = (uint16_t)fid->temporal; 1704 sr->fid_ofile = smb_ofile_lookup_by_fid(sr, sr->smb_fid); 1705 } 1706 if (sr->fid_ofile == NULL || 1707 sr->fid_ofile->f_persistid != fid->persistent) 1708 return (NT_STATUS_FILE_CLOSED); 1709 1710 return (0); 1711 } 1712 1713 /* 1714 * smb2_dispatch_stats_init 1715 * 1716 * Initializes dispatch statistics for SMB2. 1717 * See also smb_dispatch_stats_init(), which fills in 1718 * the lower part of the statistics array, from zero 1719 * through SMB_COM_NUM; 1720 */ 1721 void 1722 smb2_dispatch_stats_init(smb_server_t *sv) 1723 { 1724 smb_disp_stats_t *sds = sv->sv_disp_stats2; 1725 smb_kstat_req_t *ksr; 1726 int i; 1727 1728 ksr = ((smbsrv_kstats_t *)sv->sv_ksp->ks_data)->ks_reqs2; 1729 1730 for (i = 0; i < SMB2__NCMDS; i++, ksr++) { 1731 smb_latency_init(&sds[i].sdt_lat); 1732 (void) strlcpy(ksr->kr_name, smb2_disp_table[i].sdt_name, 1733 sizeof (ksr->kr_name)); 1734 } 1735 } 1736 1737 /* 1738 * smb2_dispatch_stats_fini 1739 * 1740 * Frees and destroyes the resources used for statistics. 1741 */ 1742 void 1743 smb2_dispatch_stats_fini(smb_server_t *sv) 1744 { 1745 smb_disp_stats_t *sds = sv->sv_disp_stats2; 1746 int i; 1747 1748 for (i = 0; i < SMB2__NCMDS; i++) 1749 smb_latency_destroy(&sds[i].sdt_lat); 1750 } 1751 1752 void 1753 smb2_dispatch_stats_update(smb_server_t *sv, 1754 smb_kstat_req_t *ksr, int first, int nreq) 1755 { 1756 smb_disp_stats_t *sds = sv->sv_disp_stats2; 1757 int i; 1758 int last; 1759 1760 last = first + nreq - 1; 1761 1762 if ((first < SMB2__NCMDS) && (last < SMB2__NCMDS)) { 1763 for (i = first; i <= last; i++, ksr++) { 1764 ksr->kr_rxb = sds[i].sdt_rxb; 1765 ksr->kr_txb = sds[i].sdt_txb; 1766 mutex_enter(&sds[i].sdt_lat.ly_mutex); 1767 ksr->kr_nreq = sds[i].sdt_lat.ly_a_nreq; 1768 ksr->kr_sum = sds[i].sdt_lat.ly_a_sum; 1769 ksr->kr_a_mean = sds[i].sdt_lat.ly_a_mean; 1770 ksr->kr_a_stddev = 1771 sds[i].sdt_lat.ly_a_stddev; 1772 ksr->kr_d_mean = sds[i].sdt_lat.ly_d_mean; 1773 ksr->kr_d_stddev = 1774 sds[i].sdt_lat.ly_d_stddev; 1775 sds[i].sdt_lat.ly_d_mean = 0; 1776 sds[i].sdt_lat.ly_d_nreq = 0; 1777 sds[i].sdt_lat.ly_d_stddev = 0; 1778 sds[i].sdt_lat.ly_d_sum = 0; 1779 mutex_exit(&sds[i].sdt_lat.ly_mutex); 1780 } 1781 } 1782 } 1783 1784 /* 1785 * Append new_sr to the postwork queue. sr->smb2_cmd_code encodes 1786 * the action that should be run by this sr. 1787 * 1788 * This queue is rarely used (and normally empty) so we're OK 1789 * using a simple "walk to tail and insert" here. 1790 */ 1791 void 1792 smb2sr_append_postwork(smb_request_t *top_sr, smb_request_t *new_sr) 1793 { 1794 smb_request_t *last_sr; 1795 1796 ASSERT(top_sr->session->dialect >= SMB_VERS_2_BASE); 1797 1798 last_sr = top_sr; 1799 while (last_sr->sr_postwork != NULL) 1800 last_sr = last_sr->sr_postwork; 1801 1802 last_sr->sr_postwork = new_sr; 1803 } 1804 1805 /* 1806 * Run any "post work" that was appended to the main SR while it 1807 * was running. This is called after the request has been sent 1808 * for the main SR, and used in cases i.e. the oplock code, where 1809 * we need to send something to the client only _after_ the main 1810 * sr request has gone out. 1811 */ 1812 static void 1813 smb2sr_run_postwork(smb_request_t *top_sr) 1814 { 1815 smb_request_t *post_sr; /* the one we're running */ 1816 smb_request_t *next_sr; 1817 1818 while ((post_sr = top_sr->sr_postwork) != NULL) { 1819 next_sr = post_sr->sr_postwork; 1820 top_sr->sr_postwork = next_sr; 1821 post_sr->sr_postwork = NULL; 1822 1823 post_sr->sr_worker = top_sr->sr_worker; 1824 post_sr->sr_state = SMB_REQ_STATE_ACTIVE; 1825 1826 switch (post_sr->smb2_cmd_code) { 1827 case SMB2_OPLOCK_BREAK: 1828 smb_oplock_send_break(post_sr); 1829 break; 1830 default: 1831 ASSERT(0); 1832 } 1833 1834 /* 1835 * If we have a durable handle, and this operation 1836 * updated the nvlist, write it out. 1837 */ 1838 if (post_sr->dh_nvl_dirty) { 1839 post_sr->dh_nvl_dirty = B_FALSE; 1840 smb2_dh_update_nvfile(post_sr); 1841 } 1842 1843 post_sr->sr_state = SMB_REQ_STATE_COMPLETED; 1844 smb_request_free(post_sr); 1845 } 1846 } 1847