xref: /illumos-gate/usr/src/uts/common/fs/smbsrv/smb_common_transact.c (revision 4f1e984d138bad36944f2e8fea0b9860ac603f61)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 #include <smbsrv/smb_kproto.h>
26 #include <smbsrv/smb_fsops.h>
27 #include <smbsrv/smb_share.h>
28 #include <smbsrv/string.h>
29 #include <smbsrv/nmpipes.h>
30 #include <smbsrv/mailslot.h>
31 #include <smbsrv/lmerr.h>
32 
33 /*
34  * count of bytes in server response packet
35  * except parameters and data. Note that setup
36  * word count is zero.
37  */
38 #define	RESP_HEADER_LEN		24
39 
40 /*
41  * We started by using common functions for transaction/transaction2
42  * and transaction_secondary/transaction2_secondary because they
43  * are respectively so similar. However, it turned out to be a bad
44  * idea because of quirky differences. Be sure if you modify one
45  * of these four functions to check and see if the modification should
46  * be applied to its peer.
47  */
48 
49 static int smb_trans_ready(smb_xa_t *);
50 static smb_sdrc_t smb_trans_dispatch(smb_request_t *, smb_xa_t *);
51 static smb_sdrc_t smb_trans2_dispatch(smb_request_t *, smb_xa_t *);
52 
53 smb_sdrc_t
54 smb_pre_transaction(smb_request_t *sr)
55 {
56 	DTRACE_SMB_1(op__Transaction__start, smb_request_t *, sr);
57 	return (SDRC_SUCCESS);
58 }
59 
60 void
61 smb_post_transaction(smb_request_t *sr)
62 {
63 	DTRACE_SMB_1(op__Transaction__done, smb_request_t *, sr);
64 }
65 
66 smb_sdrc_t
67 smb_com_transaction(smb_request_t *sr)
68 {
69 	int		rc;
70 	unsigned char	msrcnt, suwcnt;
71 	uint16_t	tpscnt, tdscnt, mprcnt, mdrcnt, flags;
72 	uint16_t	pscnt, psoff, dscnt, dsoff;
73 	uint32_t	timeo;
74 	struct smb_xa *xa;
75 	char *stn;
76 	int ready;
77 
78 	rc = smbsr_decode_vwv(sr, SMB_TRANSHDR_ED_FMT,
79 	    &tpscnt, &tdscnt, &mprcnt, &mdrcnt, &msrcnt, &flags,
80 	    &timeo, &pscnt, &psoff, &dscnt, &dsoff, &suwcnt);
81 
82 	if (rc != 0)
83 		return (SDRC_ERROR);
84 
85 	xa = smb_xa_create(sr->session, sr, tpscnt, tdscnt, mprcnt, mdrcnt,
86 	    msrcnt, suwcnt);
87 	if (xa == NULL) {
88 		smbsr_error(sr, 0, ERRSRV, ERRnoroom);
89 		return (SDRC_ERROR);
90 	}
91 
92 	/* Should be some alignment stuff here in SMB? */
93 	if (sr->smb_flg2 & SMB_FLAGS2_UNICODE) {
94 		rc = smbsr_decode_data(sr, "%.U", sr, &stn);
95 	} else {
96 		rc = smbsr_decode_data(sr, "%s", sr,  &stn);
97 	}
98 	if (rc != 0) {
99 		smb_xa_rele(sr->session, xa);
100 		return (SDRC_ERROR);
101 	}
102 
103 	xa->xa_pipe_name = smb_mem_strdup(stn);
104 	xa->smb_flags  = flags;
105 	xa->smb_timeout = timeo;
106 	xa->req_disp_param = pscnt;
107 	xa->req_disp_data  = dscnt;
108 
109 	if (MBC_SHADOW_CHAIN(&xa->req_setup_mb, &sr->smb_vwv,
110 	    sr->smb_vwv.chain_offset, suwcnt * 2)) {
111 		smb_xa_rele(sr->session, xa);
112 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
113 		return (SDRC_ERROR);
114 	}
115 	if (MBC_SHADOW_CHAIN(&xa->req_param_mb, &sr->command, psoff, pscnt)) {
116 		smb_xa_rele(sr->session, xa);
117 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
118 		return (SDRC_ERROR);
119 	}
120 	if (MBC_SHADOW_CHAIN(&xa->req_data_mb, &sr->command, dsoff, dscnt)) {
121 		smb_xa_rele(sr->session, xa);
122 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
123 		return (SDRC_ERROR);
124 	}
125 
126 	ready = smb_trans_ready(xa);
127 
128 	if (smb_xa_open(xa)) {
129 		smb_xa_rele(sr->session, xa);
130 		smbsr_error(sr, 0, ERRDOS, ERRsrverror);
131 		return (SDRC_ERROR);
132 	}
133 	sr->r_xa = xa;
134 
135 	if (!ready) {
136 		rc = smbsr_encode_empty_result(sr);
137 		return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
138 	}
139 
140 	if (!smb_xa_complete(xa)) {
141 		smb_xa_close(xa);
142 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
143 		return (SDRC_ERROR);
144 	}
145 
146 	return (smb_trans_dispatch(sr, xa));
147 }
148 
149 smb_sdrc_t
150 smb_pre_transaction_secondary(smb_request_t *sr)
151 {
152 	DTRACE_SMB_1(op__TransactionSecondary__start, smb_request_t *, sr);
153 	return (SDRC_SUCCESS);
154 }
155 
156 void
157 smb_post_transaction_secondary(smb_request_t *sr)
158 {
159 	DTRACE_SMB_1(op__TransactionSecondary__done, smb_request_t *, sr);
160 }
161 
162 smb_sdrc_t
163 smb_com_transaction_secondary(smb_request_t *sr)
164 {
165 	uint16_t tpscnt, tdscnt, pscnt, psdisp;
166 	uint16_t dscnt, dsoff, dsdisp, psoff;
167 	smb_xa_t *xa;
168 	int rc;
169 
170 	if ((xa = smbsr_lookup_xa(sr)) == 0) {
171 		smbsr_error(sr, 0, ERRSRV, ERRsrverror);
172 		return (SDRC_ERROR);
173 	}
174 
175 	if (sr->session->signing.flags & SMB_SIGNING_ENABLED) {
176 		if (smb_sign_check_secondary(sr, xa->reply_seqnum) != 0) {
177 			smbsr_error(sr, NT_STATUS_ACCESS_DENIED,
178 			    ERRDOS, ERRnoaccess);
179 			return (SDRC_ERROR);
180 		}
181 	}
182 
183 	if (xa->smb_com != SMB_COM_TRANSACTION) {
184 		return (SDRC_DROP_VC);
185 	}
186 
187 	rc = smbsr_decode_vwv(sr, SMB_TRANSSHDR_ED_FMT, &tpscnt, &tdscnt,
188 	    &pscnt, &psoff, &psdisp, &dscnt, &dsoff, &dsdisp);
189 
190 	if (rc != 0)
191 		return (SDRC_ERROR);
192 
193 	mutex_enter(&xa->xa_mutex);
194 	xa->smb_tpscnt = tpscnt;	/* might have shrunk */
195 	xa->smb_tdscnt = tdscnt;	/* might have shrunk */
196 	xa->req_disp_param = psdisp+pscnt;
197 	xa->req_disp_data  = dsdisp+dscnt;
198 
199 	if (MBC_SHADOW_CHAIN(&xa->req_param_mb, &sr->command, psoff, pscnt)) {
200 		mutex_exit(&xa->xa_mutex);
201 		smb_xa_close(xa);
202 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
203 		return (SDRC_ERROR);
204 	}
205 	if (MBC_SHADOW_CHAIN(&xa->req_data_mb, &sr->command, dsoff, dscnt)) {
206 		mutex_exit(&xa->xa_mutex);
207 		smb_xa_close(xa);
208 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
209 		return (SDRC_ERROR);
210 	}
211 	mutex_exit(&xa->xa_mutex);
212 
213 	if (!smb_trans_ready(xa))
214 		return (SDRC_NO_REPLY);
215 
216 	if (!smb_xa_complete(xa))
217 		return (SDRC_NO_REPLY);
218 
219 	return (smb_trans_dispatch(sr, xa));
220 }
221 
222 smb_sdrc_t
223 smb_pre_ioctl(smb_request_t *sr)
224 {
225 	DTRACE_SMB_1(op__Ioctl__start, smb_request_t *, sr);
226 	return (SDRC_SUCCESS);
227 }
228 
229 void
230 smb_post_ioctl(smb_request_t *sr)
231 {
232 	DTRACE_SMB_1(op__Ioctl__done, smb_request_t *, sr);
233 }
234 
235 smb_sdrc_t
236 smb_com_ioctl(smb_request_t *sr)
237 {
238 	uint16_t fid, category, function, tpscnt, tdscnt, mprcnt;
239 	uint16_t mdrcnt, pscnt, pdoff, dscnt, dsoff;
240 	uint32_t timeout;
241 	int rc;
242 
243 	rc = smbsr_decode_vwv(sr, "wwwwwwwl2.wwww", &fid, &category, &function,
244 	    &tpscnt, &tdscnt, &mprcnt, &mdrcnt, &timeout, &pscnt,
245 	    &pdoff, &dscnt, &dsoff);
246 
247 	if (rc != 0)
248 		return (SDRC_ERROR);
249 
250 	return (SDRC_NOT_IMPLEMENTED);
251 }
252 
253 smb_sdrc_t
254 smb_pre_transaction2(smb_request_t *sr)
255 {
256 	DTRACE_SMB_1(op__Transaction2__start, smb_request_t *, sr);
257 	return (SDRC_SUCCESS);
258 }
259 
260 void
261 smb_post_transaction2(smb_request_t *sr)
262 {
263 	DTRACE_SMB_1(op__Transaction2__done, smb_request_t *, sr);
264 }
265 
266 smb_sdrc_t
267 smb_com_transaction2(struct smb_request *sr)
268 {
269 	unsigned char	msrcnt, suwcnt;
270 	uint16_t	tpscnt, tdscnt, mprcnt, mdrcnt, flags;
271 	uint16_t	pscnt, psoff, dscnt, dsoff;
272 	uint32_t	timeo;
273 	smb_xa_t *xa;
274 	int ready;
275 	int rc;
276 
277 	rc = smbsr_decode_vwv(sr, SMB_TRANSHDR_ED_FMT, &tpscnt, &tdscnt,
278 	    &mprcnt, &mdrcnt, &msrcnt, &flags, &timeo, &pscnt, &psoff, &dscnt,
279 	    &dsoff, &suwcnt);
280 
281 	if (rc != 0)
282 		return (SDRC_ERROR);
283 
284 	xa = smb_xa_create(sr->session, sr, tpscnt, tdscnt, mprcnt, mdrcnt,
285 	    msrcnt, suwcnt);
286 	if (xa == 0) {
287 		smbsr_error(sr, 0, ERRSRV, ERRnoroom);
288 		return (SDRC_ERROR);
289 	}
290 
291 	xa->smb_flags  = flags;
292 	xa->smb_timeout = timeo;
293 	xa->req_disp_param = pscnt;
294 	xa->req_disp_data  = dscnt;
295 
296 	if (MBC_SHADOW_CHAIN(&xa->req_setup_mb, &sr->smb_vwv,
297 	    sr->smb_vwv.chain_offset, suwcnt*2)) {
298 		smb_xa_rele(sr->session, xa);
299 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
300 		return (SDRC_ERROR);
301 	}
302 	if (MBC_SHADOW_CHAIN(&xa->req_param_mb, &sr->command, psoff, pscnt)) {
303 		smb_xa_rele(sr->session, xa);
304 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
305 		return (SDRC_ERROR);
306 	}
307 	if (MBC_SHADOW_CHAIN(&xa->req_data_mb, &sr->command, dsoff, dscnt)) {
308 		smb_xa_rele(sr->session, xa);
309 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
310 		return (SDRC_ERROR);
311 	}
312 
313 	ready = smb_trans_ready(xa);
314 
315 	if (smb_xa_open(xa)) {
316 		smb_xa_rele(sr->session, xa);
317 		smbsr_error(sr, 0, ERRDOS, ERRsrverror);
318 		return (SDRC_ERROR);
319 	}
320 	sr->r_xa = xa;
321 
322 	if (!ready) {
323 		rc = smbsr_encode_empty_result(sr);
324 		return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
325 	}
326 
327 	if (!smb_xa_complete(xa)) {
328 		smb_xa_close(xa);
329 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
330 		return (SDRC_ERROR);
331 	}
332 
333 	return (smb_trans2_dispatch(sr, xa));
334 }
335 
336 smb_sdrc_t
337 smb_pre_transaction2_secondary(smb_request_t *sr)
338 {
339 	DTRACE_SMB_1(op__Transaction2Secondary__start, smb_request_t *, sr);
340 	return (SDRC_SUCCESS);
341 }
342 
343 void
344 smb_post_transaction2_secondary(smb_request_t *sr)
345 {
346 	DTRACE_SMB_1(op__Transaction2Secondary__done, smb_request_t *, sr);
347 }
348 
349 smb_sdrc_t
350 smb_com_transaction2_secondary(smb_request_t *sr)
351 {
352 	uint16_t tpscnt, tdscnt, fid;
353 	uint16_t pscnt, psoff, psdisp, dscnt, dsoff, dsdisp;
354 	smb_xa_t *xa;
355 	int rc;
356 
357 	if ((xa = smbsr_lookup_xa(sr)) == 0) {
358 		smbsr_error(sr, 0, ERRSRV, ERRsrverror);
359 		return (SDRC_ERROR);
360 	}
361 
362 	if (sr->session->signing.flags & SMB_SIGNING_ENABLED) {
363 		if (smb_sign_check_secondary(sr, xa->reply_seqnum) != 0) {
364 			smbsr_error(sr, NT_STATUS_ACCESS_DENIED,
365 			    ERRDOS, ERRnoaccess);
366 			return (SDRC_ERROR);
367 		}
368 	}
369 
370 	if (xa->smb_com != SMB_COM_TRANSACTION2) {
371 		return (SDRC_DROP_VC);
372 	}
373 
374 	rc = smbsr_decode_vwv(sr, SMB_TRANS2SHDR_ED_FMT, &tpscnt, &tdscnt,
375 	    &pscnt, &psoff, &psdisp, &dscnt, &dsoff, &dsdisp, &fid);
376 
377 	if (rc != 0)
378 		return (SDRC_ERROR);
379 
380 	mutex_enter(&xa->xa_mutex);
381 	xa->smb_tpscnt = tpscnt;	/* might have shrunk */
382 	xa->smb_tdscnt = tdscnt;	/* might have shrunk */
383 	xa->xa_smb_fid = fid;		/* overwrite rules? */
384 	xa->req_disp_param = psdisp + pscnt;
385 	xa->req_disp_data  = dsdisp + dscnt;
386 
387 	if (MBC_SHADOW_CHAIN(&xa->req_param_mb, &sr->command, psoff, pscnt)) {
388 		mutex_exit(&xa->xa_mutex);
389 		smb_xa_close(xa);
390 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
391 		return (SDRC_ERROR);
392 	}
393 	if (MBC_SHADOW_CHAIN(&xa->req_data_mb, &sr->command, dsoff, dscnt)) {
394 		mutex_exit(&xa->xa_mutex);
395 		smb_xa_close(xa);
396 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
397 		return (SDRC_ERROR);
398 	}
399 	mutex_exit(&xa->xa_mutex);
400 
401 	if (!smb_trans_ready(xa))
402 		return (SDRC_NO_REPLY);
403 
404 	if (!smb_xa_complete(xa))
405 		return (SDRC_NO_REPLY);
406 
407 	return (smb_trans2_dispatch(sr, xa));
408 }
409 
410 static smb_sdrc_t
411 smb_nt_trans_dispatch(struct smb_request *sr, struct smb_xa *xa)
412 {
413 	int rc;
414 	int total_bytes, n_setup, n_param, n_data;
415 	int param_off, param_pad, data_off, data_pad;
416 
417 	n_setup = (xa->smb_msrcnt < 200) ? xa->smb_msrcnt : 200;
418 	n_setup++;
419 	n_setup = n_setup & ~0x0001;
420 	n_param = (xa->smb_mprcnt < smb_maxbufsize)
421 	    ? xa->smb_mprcnt : smb_maxbufsize;
422 	n_param++;
423 	n_param = n_param & ~0x0001;
424 	rc = smb_maxbufsize - (SMBHEADERSIZE + 28 + n_setup + n_param);
425 	n_data = (xa->smb_mdrcnt < rc) ? xa->smb_mdrcnt : rc;
426 	MBC_INIT(&xa->rep_setup_mb, n_setup * 2);
427 	MBC_INIT(&xa->rep_param_mb, n_param);
428 	MBC_INIT(&xa->rep_data_mb, n_data);
429 
430 	switch (xa->smb_func) {
431 	case NT_TRANSACT_CREATE:
432 		if ((rc = smb_pre_nt_transact_create(sr, xa)) == 0)
433 			rc = smb_nt_transact_create(sr, xa);
434 		smb_post_nt_transact_create(sr, xa);
435 		break;
436 	case NT_TRANSACT_NOTIFY_CHANGE:
437 		rc = smb_nt_transact_notify_change(sr, xa);
438 		break;
439 	case NT_TRANSACT_QUERY_SECURITY_DESC:
440 		rc = smb_nt_transact_query_security_info(sr, xa);
441 		break;
442 	case NT_TRANSACT_SET_SECURITY_DESC:
443 		rc = smb_nt_transact_set_security_info(sr, xa);
444 		break;
445 	case NT_TRANSACT_IOCTL:
446 		rc = smb_nt_transact_ioctl(sr, xa);
447 		break;
448 	case NT_TRANSACT_QUERY_QUOTA:
449 		rc = smb_nt_transact_query_quota(sr, xa);
450 		break;
451 	case NT_TRANSACT_SET_QUOTA:
452 		rc = smb_nt_transact_set_quota(sr, xa);
453 		break;
454 	case NT_TRANSACT_RENAME:
455 		rc = smb_nt_transact_rename(sr, xa);
456 		break;
457 
458 	default:
459 		smbsr_error(sr, 0, ERRSRV, ERRsmbcmd);
460 		return (SDRC_ERROR);
461 	}
462 
463 	switch (rc) {
464 	case SDRC_SUCCESS:
465 		break;
466 
467 	case SDRC_DROP_VC:
468 	case SDRC_NO_REPLY:
469 	case SDRC_ERROR:
470 	case SDRC_SR_KEPT:
471 		return (rc);
472 
473 	case SDRC_NOT_IMPLEMENTED:
474 		smbsr_error(sr, 0, ERRSRV, ERRsmbcmd);
475 		return (SDRC_ERROR);
476 
477 	default:
478 		break;
479 	}
480 
481 	n_setup = MBC_LENGTH(&xa->rep_setup_mb);
482 	n_param = MBC_LENGTH(&xa->rep_param_mb);
483 	n_data  = MBC_LENGTH(&xa->rep_data_mb);
484 
485 	if (xa->smb_msrcnt < n_setup ||
486 	    xa->smb_mprcnt < n_param ||
487 	    xa->smb_mdrcnt < n_data) {
488 		smbsr_error(sr, 0, ERRSRV, ERRsmbcmd);
489 		return (SDRC_ERROR);
490 	}
491 
492 	/* neato, blast it over there */
493 
494 	n_setup = (n_setup + 1) / 2;		/* Conver to setup words */
495 	param_pad = 1;				/* must be one */
496 	param_off = param_pad + 32 + 37 + (n_setup << 1) + 2;
497 	data_pad = (4 - ((param_off + n_param) & 3)) % 4; /* Pad to 4 byte */
498 	data_off = param_off + n_param + data_pad; /* Param off from hdr */
499 	total_bytes = param_pad + n_param + data_pad + n_data;
500 
501 	rc = smbsr_encode_result(sr, 18+n_setup, total_bytes,
502 	    "b3.llllllllbCw#.C#.C",
503 	    18 + n_setup,		/* wct */
504 	    n_param,			/* Total Parameter Bytes */
505 	    n_data,			/* Total Data Bytes */
506 	    n_param,			/* Total Parameter Bytes this buffer */
507 	    param_off,			/* Param offset from header start */
508 	    0,				/* Param displacement */
509 	    n_data,			/* Total Data Bytes this buffer */
510 	    data_off,			/* Data offset from header start */
511 	    0,				/* Data displacement */
512 	    n_setup,			/* suwcnt */
513 	    &xa->rep_setup_mb,		/* setup[] */
514 	    total_bytes,		/* Total data bytes */
515 	    param_pad,
516 	    &xa->rep_param_mb,
517 	    data_pad,
518 	    &xa->rep_data_mb);
519 	return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
520 }
521 
522 smb_sdrc_t
523 smb_pre_nt_transact(smb_request_t *sr)
524 {
525 	DTRACE_SMB_1(op__NtTransact__start, smb_request_t *, sr);
526 	return (SDRC_SUCCESS);
527 }
528 
529 void
530 smb_post_nt_transact(smb_request_t *sr)
531 {
532 	DTRACE_SMB_1(op__NtTransact__done, smb_request_t *, sr);
533 }
534 
535 smb_sdrc_t
536 smb_com_nt_transact(struct smb_request *sr)
537 {
538 	uint16_t	Function;
539 	unsigned char	MaxSetupCount, SetupCount;
540 	uint32_t	TotalParameterCount, TotalDataCount;
541 	uint32_t	MaxParameterCount, MaxDataCount, pscnt;
542 	uint32_t	psoff, dscnt, dsoff;
543 	smb_xa_t *xa;
544 	int ready;
545 	int rc;
546 
547 	rc = smbsr_decode_vwv(sr, SMB_NT_TRANSHDR_ED_FMT, &MaxSetupCount,
548 	    &TotalParameterCount, &TotalDataCount, &MaxParameterCount,
549 	    &MaxDataCount, &pscnt, &psoff, &dscnt,
550 	    &dsoff, &SetupCount, &Function);
551 
552 	if (rc != 0)
553 		return (SDRC_ERROR);
554 
555 	xa = smb_xa_create(sr->session, sr, TotalParameterCount, TotalDataCount,
556 	    MaxParameterCount, MaxDataCount, MaxSetupCount, SetupCount);
557 	if (xa == 0) {
558 		smbsr_error(sr, 0, ERRSRV, ERRnoroom);
559 		return (SDRC_ERROR);
560 	}
561 
562 	xa->smb_flags  = 0;
563 	xa->smb_timeout = 0;
564 	xa->smb_func = Function;
565 	xa->req_disp_param = pscnt;
566 	xa->req_disp_data  = dscnt;
567 
568 	if (MBC_SHADOW_CHAIN(&xa->req_setup_mb, &sr->smb_vwv,
569 	    sr->smb_vwv.chain_offset, SetupCount * 2)) {
570 		smb_xa_rele(sr->session, xa);
571 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
572 		return (SDRC_ERROR);
573 	}
574 	if (MBC_SHADOW_CHAIN(&xa->req_param_mb, &sr->command, psoff, pscnt)) {
575 		smb_xa_rele(sr->session, xa);
576 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
577 		return (SDRC_ERROR);
578 	}
579 	if (MBC_SHADOW_CHAIN(&xa->req_data_mb, &sr->command, dsoff, dscnt)) {
580 		smb_xa_rele(sr->session, xa);
581 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
582 		return (SDRC_ERROR);
583 	}
584 
585 	ready = smb_trans_ready(xa);
586 
587 	if (smb_xa_open(xa)) {
588 		smb_xa_rele(sr->session, xa);
589 		smbsr_error(sr, 0, ERRDOS, ERRsrverror);
590 		return (SDRC_ERROR);
591 	}
592 	sr->r_xa = xa;
593 
594 	if (!ready) {
595 		rc = smbsr_encode_empty_result(sr);
596 		return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
597 	}
598 
599 	if (!smb_xa_complete(xa)) {
600 		smb_xa_close(xa);
601 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
602 		return (SDRC_ERROR);
603 	}
604 
605 	return (smb_nt_trans_dispatch(sr, xa));
606 }
607 
608 smb_sdrc_t
609 smb_pre_nt_transact_secondary(smb_request_t *sr)
610 {
611 	DTRACE_SMB_1(op__NtTransactSecondary__start, smb_request_t *, sr);
612 	return (SDRC_SUCCESS);
613 }
614 
615 void
616 smb_post_nt_transact_secondary(smb_request_t *sr)
617 {
618 	DTRACE_SMB_1(op__NtTransactSecondary__done, smb_request_t *, sr);
619 }
620 
621 smb_sdrc_t
622 smb_com_nt_transact_secondary(struct smb_request *sr)
623 {
624 	uint16_t tpscnt, tdscnt, fid;
625 	uint16_t pscnt, psoff, psdisp, dscnt, dsoff, dsdisp;
626 	smb_xa_t *xa;
627 	int rc;
628 
629 	if ((xa = smbsr_lookup_xa(sr)) == 0) {
630 		smbsr_error(sr, 0, ERRSRV, ERRsrverror);
631 		return (SDRC_ERROR);
632 	}
633 
634 	if (sr->session->signing.flags & SMB_SIGNING_ENABLED) {
635 		if (smb_sign_check_secondary(sr, xa->reply_seqnum) != 0) {
636 			smbsr_error(sr, NT_STATUS_ACCESS_DENIED,
637 			    ERRDOS, ERRnoaccess);
638 			return (SDRC_ERROR);
639 		}
640 	}
641 
642 	if (xa->smb_com != SMB_COM_TRANSACTION2) {
643 		return (SDRC_DROP_VC);
644 	}
645 
646 	rc = smbsr_decode_vwv(sr, SMB_TRANS2SHDR_ED_FMT, &tpscnt, &tdscnt,
647 	    &pscnt, &psoff, &psdisp, &dscnt, &dsoff, &dsdisp, &fid);
648 
649 	if (rc != 0)
650 		return (SDRC_ERROR);
651 
652 	mutex_enter(&xa->xa_mutex);
653 	xa->smb_tpscnt = tpscnt;	/* might have shrunk */
654 	xa->smb_tdscnt = tdscnt;	/* might have shrunk */
655 	xa->xa_smb_fid = fid;		/* overwrite rules? */
656 	xa->req_disp_param = psdisp+pscnt;
657 	xa->req_disp_data  = dsdisp+dscnt;
658 
659 	if (MBC_SHADOW_CHAIN(&xa->req_param_mb, &sr->command, psoff, pscnt)) {
660 		mutex_exit(&xa->xa_mutex);
661 		smb_xa_close(xa);
662 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
663 		return (SDRC_ERROR);
664 	}
665 	if (MBC_SHADOW_CHAIN(&xa->req_data_mb, &sr->command, dsoff, dscnt)) {
666 		mutex_exit(&xa->xa_mutex);
667 		smb_xa_close(xa);
668 		smbsr_error(sr, 0, ERRDOS, ERRbadformat);
669 		return (SDRC_ERROR);
670 	}
671 	mutex_exit(&xa->xa_mutex);
672 
673 	if (!smb_trans_ready(xa))
674 		return (SDRC_NO_REPLY);
675 
676 	if (!smb_xa_complete(xa))
677 		return (SDRC_NO_REPLY);
678 
679 	return (smb_nt_trans_dispatch(sr, xa));
680 }
681 
682 static int
683 smb_trans_ready(smb_xa_t *xa)
684 {
685 	int rc;
686 
687 	mutex_enter(&xa->xa_mutex);
688 	rc = xa->req_disp_data >= xa->smb_tdscnt &&
689 	    xa->req_disp_param >= xa->smb_tpscnt;
690 	mutex_exit(&xa->xa_mutex);
691 
692 	return (rc);
693 }
694 
695 static void
696 smb_encode_SHARE_INFO_1(struct mbuf_chain *output, struct mbuf_chain *text,
697     char *oem_name, uint16_t type, char *comment)
698 {
699 	(void) smb_mbc_encodef(output, "13c.wl", oem_name,
700 	    type, MBC_LENGTH(text));
701 
702 	(void) smb_mbc_encodef(text, "s", comment ? comment : "");
703 }
704 
705 static void
706 smb_encode_SHARE_INFO_2(struct mbuf_chain *output, struct mbuf_chain *text,
707 	smb_request_t *sr, char *oem_name, uint16_t type,
708 	char *comment, uint16_t access, char *path, char *password)
709 {
710 	unsigned char pword[9];
711 
712 	bzero(pword, sizeof (pword));
713 	(void) strncpy((char *)pword, password, sizeof (pword));
714 	smb_encode_SHARE_INFO_1(output, text, oem_name, type, comment);
715 	(void) smb_mbc_encodef(output, "wwwl9c.",
716 	    access,
717 	    sr->sr_cfg->skc_maxconnections,
718 	    smb_server_get_session_count(),
719 	    MBC_LENGTH(text),
720 	    pword);
721 	(void) smb_mbc_encodef(text, "s", path);
722 }
723 
724 int
725 smb_trans_net_share_enum(struct smb_request *sr, struct smb_xa *xa)
726 {
727 	door_handle_t dhdl = sr->sr_server->sv_lmshrd;
728 
729 	/*
730 	 * Number of data bytes that will
731 	 * be sent in the current response
732 	 */
733 	uint16_t data_scnt;
734 
735 	/*
736 	 * Total number of data bytes that
737 	 * are sent till now. This is only
738 	 * used for calculating current data
739 	 * displacement
740 	 */
741 	uint16_t tot_data_scnt;
742 
743 	/*
744 	 * Number of parameter bytes should
745 	 * be sent for the current response.
746 	 * It is 8 for the 1st response and
747 	 * 0 for others
748 	 */
749 	uint16_t param_scnt;
750 
751 	/* number of setup and parameter bytes */
752 	uint16_t n_setup, n_param;
753 
754 	/* data and parameter displacement */
755 	uint16_t data_disp, param_disp;
756 
757 	/* parameter and data offset and pad */
758 	int param_off, param_pad, data_off, data_pad;
759 
760 	/*
761 	 * total bytes of parameters and data
762 	 * in the packet, plus the pad bytes.
763 	 */
764 	int tot_packet_bytes;
765 
766 	boolean_t first_resp;
767 
768 	char fmt[16];
769 	struct mbuf_chain reply;
770 
771 	uint16_t level;
772 	uint16_t pkt_bufsize;
773 	smb_enumshare_info_t esi;
774 	char *sent_buf;
775 
776 	ASSERT(sr->uid_user);
777 
778 	/*
779 	 * Initialize the mbuf chain of reply to zero. If it is not
780 	 * zero, code inside the while loop will try to free the chain.
781 	 */
782 	bzero(&reply, sizeof (struct mbuf_chain));
783 
784 	if (smb_mbc_decodef(&xa->req_param_mb, "ww", &level,
785 	    &esi.es_bufsize) != 0)
786 		return (SDRC_NOT_IMPLEMENTED);
787 
788 	if (level != 1) {
789 		/*
790 		 * Only level 1 is valid for NetShareEnum
791 		 * None of the error codes in the spec are meaningful
792 		 * here. This error code is returned by Windows.
793 		 */
794 		(void) smb_mbc_encodef(&xa->rep_param_mb, "wwww",
795 		    ERROR_INVALID_LEVEL, 0, 0, 0);
796 		return (SDRC_SUCCESS);
797 	}
798 
799 	esi.es_buf = kmem_zalloc(esi.es_bufsize, KM_SLEEP);
800 	esi.es_posix_uid = crgetuid(sr->uid_user->u_cred);
801 	(void) smb_kshare_enum(dhdl, &esi);
802 
803 	/* client buffer size is not big enough to hold any shares */
804 	if (esi.es_nsent == 0) {
805 		(void) smb_mbc_encodef(&xa->rep_param_mb, "wwww",
806 		    ERROR_MORE_DATA, 0, esi.es_nsent, esi.es_ntotal);
807 		kmem_free(esi.es_buf, esi.es_bufsize);
808 		return (SDRC_SUCCESS);
809 	}
810 
811 	/*
812 	 * The rep_setup_mb is already initialized in smb_trans_dispatch().
813 	 * Calling MBC_INIT() will initialized the structure and so the
814 	 * pointer to the mbuf chains will be lost. Therefore, we need
815 	 * to free the resources before calling MBC_INIT() again.
816 	 */
817 	n_setup = 0;	/* Setup count for NetShareEnum SMB is 0 */
818 	m_freem(xa->rep_setup_mb.chain);
819 	MBC_INIT(&xa->rep_setup_mb, n_setup * 2);
820 
821 	n_param = 8;
822 	pkt_bufsize = sr->session->smb_msg_size -
823 	    (SMB_HEADER_ED_LEN + RESP_HEADER_LEN + n_param);
824 
825 	tot_data_scnt = 0;
826 	sent_buf = esi.es_buf;
827 	first_resp = B_TRUE;
828 
829 	while (tot_data_scnt < esi.es_datasize) {
830 		data_scnt = esi.es_datasize - tot_data_scnt;
831 		if (data_scnt > pkt_bufsize)
832 			data_scnt = pkt_bufsize;
833 		m_freem(xa->rep_data_mb.chain);
834 		MBC_INIT(&xa->rep_data_mb, data_scnt);
835 
836 		(void) sprintf(fmt, "%dc", data_scnt);
837 		(void) smb_mbc_encodef(&xa->rep_data_mb, fmt, sent_buf);
838 
839 		sent_buf += data_scnt;
840 		tot_data_scnt += data_scnt;
841 
842 		/* Only the 1st response packet contains parameters */
843 		param_scnt = (first_resp) ? n_param : 0;
844 		param_pad = 1;				/* always one */
845 		param_off = SMB_HEADER_ED_LEN + RESP_HEADER_LEN;
846 		param_disp = (first_resp) ? 0 : n_param;
847 
848 		m_freem(xa->rep_param_mb.chain);
849 		MBC_INIT(&xa->rep_param_mb, param_scnt);
850 
851 		if (first_resp) {
852 			first_resp = B_FALSE;
853 			(void) smb_mbc_encodef(&xa->rep_param_mb, "wwww",
854 			    (esi.es_ntotal > esi.es_nsent)
855 			    ? ERROR_MORE_DATA : 0,
856 			    0, esi.es_nsent, esi.es_ntotal);
857 		}
858 
859 		data_pad = (param_off + n_param) & 1;	/* Pad to short */
860 
861 		/* data off from hdr start */
862 		data_off = param_off + param_scnt + data_pad;
863 		data_disp = tot_data_scnt - data_scnt;
864 		tot_packet_bytes = param_pad + param_scnt + data_pad +
865 		    data_scnt;
866 
867 		/*
868 		 * Calling MBC_INIT() will initialized the structure and so the
869 		 * pointer to the mbuf chains will be lost. Therefore, we need
870 		 * to free the resources if any before calling MBC_INIT().
871 		 */
872 		m_freem(reply.chain);
873 		MBC_INIT(&reply, SMB_HEADER_ED_LEN
874 		    + sizeof (uint8_t)		/* word parameters count */
875 		    + 10*sizeof (uint16_t)	/* word parameters */
876 		    + n_setup*sizeof (uint16_t)	/* setup parameters */
877 		    + sizeof (uint16_t)		/* total data byte count */
878 		    + tot_packet_bytes);
879 
880 		(void) smb_mbc_encodef(&reply, SMB_HEADER_ED_FMT,
881 		    sr->first_smb_com,
882 		    sr->smb_rcls,
883 		    sr->smb_reh,
884 		    sr->smb_err,
885 		    sr->smb_flg | SMB_FLAGS_REPLY,
886 		    sr->smb_flg2,
887 		    sr->smb_pid_high,
888 		    sr->smb_sig,
889 		    sr->smb_tid,
890 		    sr->smb_pid,
891 		    sr->smb_uid,
892 		    sr->smb_mid);
893 
894 		(void) smb_mbc_encodef(&reply,
895 		    "bww2.wwwwwwb.Cw#.C#.C",
896 		    10 + n_setup,	/* wct */
897 		    n_param,		/* Total Parameter Bytes */
898 		    esi.es_datasize,	/* Total Data Bytes */
899 		    param_scnt,		/* Total Parameter Bytes this buffer */
900 		    param_off,		/* Param offset from header start */
901 		    param_disp,		/* Param displacement */
902 		    data_scnt,		/* Total Data Bytes this buffer */
903 		    data_off,		/* Data offset from header start */
904 		    data_disp,		/* Data displacement */
905 		    n_setup,		/* suwcnt */
906 		    &xa->rep_setup_mb, 	/* setup[] */
907 		    tot_packet_bytes,	/* Total data bytes */
908 		    param_pad,
909 		    &xa->rep_param_mb,
910 		    data_pad,
911 		    &xa->rep_data_mb);
912 
913 		if (sr->session->signing.flags & SMB_SIGNING_ENABLED)
914 			smb_sign_reply(sr, &reply);
915 
916 		(void) smb_session_send(sr->session, 0, &reply);
917 	}
918 
919 	kmem_free(esi.es_buf, esi.es_bufsize);
920 	return (SDRC_NO_REPLY);
921 }
922 
923 int
924 smb_trans_net_share_getinfo(smb_request_t *sr, struct smb_xa *xa)
925 {
926 	uint16_t		level, max_bytes, access;
927 	struct mbuf_chain	str_mb;
928 	char			*share;
929 	char			*password;
930 	smb_share_t		si;
931 	int			rc;
932 
933 	if (smb_mbc_decodef(&xa->req_param_mb, "%sww", sr,
934 	    &share, &level, &max_bytes) != 0)
935 		return (SDRC_NOT_IMPLEMENTED);
936 
937 	(void) smb_strlwr(share);
938 	rc = smb_kshare_getinfo(sr->sr_server->sv_lmshrd, share, &si, NULL);
939 	if ((rc != NERR_Success) || (si.shr_flags & SMB_SHRF_LONGNAME)) {
940 		(void) smb_mbc_encodef(&xa->rep_param_mb, "www",
941 		    NERR_NetNameNotFound, 0, 0);
942 		return (SDRC_SUCCESS);
943 	}
944 
945 	access = SHARE_ACCESS_ALL;
946 	password = "";
947 
948 	MBC_INIT(&str_mb, max_bytes);
949 
950 	switch (level) {
951 	case 0 :
952 		(void) smb_mbc_encodef(&xa->rep_data_mb, "13c", si.shr_oemname);
953 		break;
954 
955 	case 1 :
956 		smb_encode_SHARE_INFO_1(&xa->rep_data_mb, &str_mb,
957 		    si.shr_oemname, si.shr_type, si.shr_cmnt);
958 		break;
959 
960 	case 2 :
961 		smb_encode_SHARE_INFO_2(&xa->rep_data_mb, &str_mb, sr,
962 		    si.shr_oemname, si.shr_type, si.shr_cmnt, access,
963 		    si.shr_path, password);
964 		break;
965 
966 	default:
967 		(void) smb_mbc_encodef(&xa->rep_param_mb, "www",
968 		    ERROR_INVALID_LEVEL, 0, 0);
969 		m_freem(str_mb.chain);
970 		return (SDRC_NOT_IMPLEMENTED);
971 	}
972 
973 	(void) smb_mbc_encodef(&xa->rep_param_mb, "www", NERR_Success,
974 	    -MBC_LENGTH(&xa->rep_data_mb),
975 	    MBC_LENGTH(&xa->rep_data_mb) + MBC_LENGTH(&str_mb));
976 	(void) smb_mbc_encodef(&xa->rep_data_mb, "C", &str_mb);
977 	m_freem(str_mb.chain);
978 	return (SDRC_SUCCESS);
979 }
980 
981 int
982 smb_trans_net_workstation_getinfo(struct smb_request *sr, struct smb_xa *xa)
983 {
984 	uint16_t		level, max_bytes;
985 	struct mbuf_chain	str_mb;
986 	char *domain;
987 	char *hostname;
988 
989 	if ((smb_mbc_decodef(&xa->req_param_mb, "ww",
990 	    &level, &max_bytes) != 0) ||
991 	    (level != 10)) {
992 		(void) smb_mbc_encodef(&xa->rep_param_mb, "wwww",
993 		    NERR_BadTransactConfig, 0, 0, 0);
994 		return (SDRC_SUCCESS);
995 	}
996 
997 	domain = sr->sr_cfg->skc_nbdomain;
998 	hostname = sr->sr_cfg->skc_hostname;
999 
1000 	MBC_INIT(&str_mb, max_bytes);
1001 
1002 	(void) smb_mbc_encodef(&str_mb, "."); /* Prevent NULL pointers */
1003 
1004 	(void) smb_mbc_encodef(&xa->rep_data_mb, "l", MBC_LENGTH(&str_mb));
1005 	(void) smb_mbc_encodef(&str_mb, "s", hostname);
1006 	(void) smb_mbc_encodef(&xa->rep_data_mb, "l", MBC_LENGTH(&str_mb));
1007 	(void) smb_mbc_encodef(&str_mb, "s", "nobody");
1008 	(void) smb_mbc_encodef(&xa->rep_data_mb, "l", MBC_LENGTH(&str_mb));
1009 	(void) smb_mbc_encodef(&str_mb, "s", domain);
1010 	(void) smb_mbc_encodef(&xa->rep_data_mb, "bbl",
1011 	    sr->sr_cfg->skc_version.sv_major, sr->sr_cfg->skc_version.sv_minor,
1012 	    MBC_LENGTH(&str_mb));
1013 	(void) smb_mbc_encodef(&str_mb, "s", domain);
1014 	(void) smb_mbc_encodef(&xa->rep_data_mb, "l", MBC_LENGTH(&str_mb));
1015 	(void) smb_mbc_encodef(&str_mb, "s", domain);
1016 
1017 	(void) smb_mbc_encodef(&xa->rep_param_mb, "www", 0,
1018 	    -MBC_LENGTH(&xa->rep_data_mb),
1019 	    MBC_LENGTH(&xa->rep_data_mb) + MBC_LENGTH(&str_mb));
1020 	(void) smb_mbc_encodef(&xa->rep_data_mb, "C", &str_mb);
1021 	m_freem(str_mb.chain);
1022 	return (SDRC_SUCCESS);
1023 }
1024 
1025 int
1026 smb_trans_net_user_getinfo(struct smb_request *sr, struct smb_xa *xa)
1027 {
1028 	uint16_t		level, max_bytes;
1029 	unsigned char		*user;
1030 	int rc;
1031 
1032 	rc = smb_mbc_decodef(&xa->req_param_mb, "%sww", sr,
1033 	    &user,
1034 	    &level,
1035 	    &max_bytes);
1036 
1037 	if (rc != 0)
1038 		return (SDRC_NOT_IMPLEMENTED);
1039 
1040 	(void) smb_mbc_encodef(&xa->rep_param_mb, "www",
1041 	    NERR_UserNotFound, 0, 0);
1042 	return (SDRC_SUCCESS);
1043 }
1044 
1045 smb_sdrc_t
1046 smb_trans_net_server_getinfo(struct smb_request *sr, struct smb_xa *xa)
1047 {
1048 	uint16_t		level, buf_size;
1049 	uint16_t		avail_data, max_data;
1050 	char			server_name[16];
1051 	struct mbuf_chain	str_mb;
1052 
1053 	if (smb_mbc_decodef(&xa->req_param_mb, "ww", &level, &buf_size) != 0)
1054 		return (SDRC_ERROR);
1055 
1056 	max_data = MBC_MAXBYTES(&xa->rep_data_mb);
1057 
1058 	MBC_INIT(&str_mb, buf_size);
1059 
1060 	bzero(server_name, sizeof (server_name));
1061 	(void) strncpy(server_name, sr->sr_cfg->skc_hostname,
1062 	    sizeof (server_name));
1063 
1064 	/* valid levels are 0 and 1 */
1065 	switch (level) {
1066 	case 0:
1067 		(void) smb_mbc_encodef(&xa->rep_data_mb, "16c", server_name);
1068 		break;
1069 
1070 	case 1:
1071 		(void) smb_mbc_encodef(&str_mb, "s",
1072 		    sr->sr_cfg->skc_system_comment);
1073 		(void) smb_mbc_encodef(&xa->rep_data_mb, "16cbbll", server_name,
1074 		    sr->sr_cfg->skc_version.sv_major,
1075 		    sr->sr_cfg->skc_version.sv_minor,
1076 		    MY_SERVER_TYPE, max_data - MBC_LENGTH(&str_mb));
1077 		break;
1078 
1079 	default:
1080 		(void) smb_mbc_encodef(&xa->rep_param_mb, "www",
1081 		    ERROR_INVALID_LEVEL, 0, 0);
1082 		m_freem(str_mb.chain);
1083 		return (SDRC_SUCCESS);
1084 	}
1085 
1086 	avail_data = MBC_LENGTH(&xa->rep_data_mb) + MBC_LENGTH(&str_mb);
1087 	(void) smb_mbc_encodef(&xa->rep_param_mb, "www",
1088 	    NERR_Success, max_data - avail_data, avail_data);
1089 	(void) smb_mbc_encodef(&xa->rep_data_mb, "C", &str_mb);
1090 	m_freem(str_mb.chain);
1091 	return (SDRC_SUCCESS);
1092 }
1093 
1094 /*
1095  * 6.4 The NetServerEnum2 RAP Service
1096  *
1097  * The NetServerEnum2 RAP service lists all computers of the specified type
1098  * or types that are visible in the specified domains. It may also
1099  * enumerate domains.
1100  *
1101  * The following definition uses the notation and terminology defined in
1102  * the CIFS Remote Administration Protocol specification, which is required
1103  * in order to make it well-defined. The definition is:
1104  *
1105  *     uint16_t NetServerEnum2 (
1106  *         uint16_t  sLevel,
1107  *         RCVBUF          pbBuffer,
1108  *         RCVBUFLEN       cbBuffer,
1109  *         ENTCOUNT        pcEntriesRead,
1110  *         uint16_t  *pcTotalAvail,
1111  *         uint32_t   fServerType,
1112  *         char            *pszDomain,
1113  *     );
1114  *
1115  * where:
1116  *
1117  *    sLevel specifies the level of detail (0 or 1) requested.
1118  *
1119  *    pbBuffer points to the buffer to receive the returned data. If the
1120  *    function is successful, the buffer contains a sequence of
1121  *    server_info_x structures, where x is 0 or 1, depending on the
1122  *    level of detail requested.
1123  *
1124  *    cbBuffer specifies the size, in bytes, of the buffer pointed to by
1125  *    the pbBuffer parameter.
1126  *
1127  *    pcEntriesRead points to a 16 bit variable that receives a count of
1128  *    the number of servers enumerated in the buffer. This count is
1129  *    valid only if NetServerEnum2 returns the NERR_Success or
1130  *    ERROR_MORE_DATA values.
1131  *
1132  *    pcTotal Avail points to a 16 bit variable that receives a count of
1133  *    the total number of available entries. This count is valid only if
1134  *    NetServerEnum2 returns the NERR_Success or ERROR_MORE_DATA values.
1135  *
1136  *     fServerType specifies the type or types of computers to enumerate.
1137  *     Computers that match at least one of the specified types are
1138  *     returned in the buffer. Possible values are defined in the request
1139  *     parameters section.
1140  *
1141  *    pszDomain points to a null-terminated string that contains the
1142  *    name of the workgroup in which to enumerate computers of the
1143  *    specified type or types. If the pszDomain parameter is a null
1144  *    string or a null pointer, servers are enumerated for the current
1145  *    domain of the computer.
1146  *
1147  * 6.4.1 Transaction Request Parameters section
1148  *
1149  * The Transaction request parameters section in this instance contains:
1150  * . The 16 bit function number for NetServerEnum2 which is 104.
1151  * . The parameter descriptor string which is "WrLehDz".
1152  * . The data descriptor string for the (returned) data which is "B16" for
1153  *   level detail 0 or "B16BBDz" for level detail 1.
1154  * . The actual parameters as described by the parameter descriptor
1155  *   string.
1156  *
1157  * The parameters are:
1158  * . A 16 bit integer with a value of 0 or 1 (corresponding to the "W" in
1159  *   the parameter descriptor string. This represents the level of detail
1160  *   the server is expected to return
1161  * . A 16 bit integer that contains the size of the receive buffer.
1162  * . A 32 bit integer that represents the type of servers the function
1163  *   should enumerate. The possible values may be any of the following or
1164  *   a combination of the following:
1165  *
1166  * SV_TYPE_WORKSTATION        0x00000001 All workstations
1167  * SV_TYPE_SERVER             0x00000002 All servers
1168  * SV_TYPE_SQLSERVER          0x00000004 Any server running with SQL
1169  *                                       server
1170  * SV_TYPE_DOMAIN_CTRL        0x00000008 Primary domain controller
1171  * SV_TYPE_DOMAIN_BAKCTRL     0x00000010 Backup domain controller
1172  * SV_TYPE_TIME_SOURCE        0x00000020 Server running the timesource
1173  *                                       service
1174  * SV_TYPE_AFP                0x00000040 Apple File Protocol servers
1175  * SV_TYPE_NOVELL             0x00000080 Novell servers
1176  * SV_TYPE_DOMAIN_MEMBER      0x00000100 Domain Member
1177  * SV_TYPE_PRINTQ_SERVER      0x00000200 Server sharing print queue
1178  * SV_TYPE_DIALIN_SERVER      0x00000400 Server running dialin service.
1179  * SV_TYPE_XENIX_SERVER       0x00000800 Xenix server
1180  * SV_TYPE_NT                 0x00001000 NT server
1181  * SV_TYPE_WFW                0x00002000 Server running Windows for
1182  *                                       Workgroups
1183  * SV_TYPE_SERVER_NT          0x00008000 Windows NT non DC server
1184  * SV_TYPE_POTENTIAL_BROWSER  0x00010000 Server that can run the browser
1185  *                                       service
1186  * SV_TYPE_BACKUP_BROWSER     0x00020000 Backup browser server
1187  * SV_TYPE_MASTER_BROWSER     0x00040000 Master browser server
1188  * SV_TYPE_DOMAIN_MASTER      0x00080000 Domain Master Browser server
1189  * SV_TYPE_LOCAL_LIST_ONLY    0x40000000 Enumerate only entries marked
1190  *                                       "local"
1191  * SV_TYPE_DOMAIN_ENUM        0x80000000 Enumerate Domains. The pszDomain
1192  *                                       parameter must be NULL.
1193  *
1194  * . A null terminated ASCII string representing the pszDomain parameter
1195  *   described above
1196  *
1197  * 6.4.2 Transaction Request Data section
1198  *
1199  * There is no data or auxiliary data to send as part of the request.
1200  *
1201  * 6.4.3 Transaction Response Parameters section
1202  *
1203  * The transaction response parameters section consists of:
1204  * . A 16 bit word indicating the return status. The possible values are:
1205  *
1206  * Code                   Value  Description
1207  * NERR_Success           0      No errors encountered
1208  * ERROR_MORE_DATA        234    Additional data is available
1209  * NERR_ServerNotStarted  2114   The RAP service on the remote computer
1210  *                               is not running
1211  * NERR_BadTransactConfig 2141   The server is not configured for
1212  *                               transactions, IPC$ is not shared
1213  *
1214  * . A 16 bit "converter" word.
1215  * . A 16 bit number representing the number of entries returned.
1216  * . A 16 bit number representing the total number of available entries.
1217  *   If the supplied buffer is large enough, this will equal the number of
1218  *   entries returned.
1219  *
1220  * 6.4.4 Transaction Response Data section
1221  *
1222  * The return data section consists of a number of SERVER_INFO_1 structures.
1223  * The number of such structures present is determined by the third entry
1224  * (described above) in the return parameters section.
1225  *
1226  * At level detail 0, the Transaction response data section contains a
1227  * number of SERVER_INFO_0 data structure. The number of such structures is
1228  * equal to the 16 bit number returned by the server in the third parameter
1229  * in the Transaction response parameter section. The SERVER_INFO_0 data
1230  * structure is defined as:
1231  *
1232  *     struct SERVER_INFO_0 {
1233  *         char        sv0_name[16];
1234  *     };
1235  *
1236  *  where:
1237  *
1238  *    sv0_name is a null-terminated string that specifies the name of a
1239  *    computer or domain .
1240  *
1241  * At level detail 1, the Transaction response data section contains a
1242  * number of SERVER_INFO_1 data structure. The number of such structures is
1243  * equal to the 16 bit number returned by the server in the third parameter
1244  * in the Transaction response parameter section. The SERVER_INFO_1 data
1245  * structure is defined as:
1246  *
1247  *     struct SERVER_INFO_1 {
1248  *         char            sv1_name[16];
1249  *         char            sv1_version_major;
1250  *         char            sv1_version_minor;
1251  *         uint32_t   sv1_type;
1252  *         char        *sv1_comment_or_master_browser;
1253  *     };
1254  *
1255  *    sv1_name contains a null-terminated string that specifies the name
1256  *    of a computer, or a domain name if SV_TYPE_DOMAIN_ENUM is set in
1257  *    sv1_type.
1258  *
1259  *    sv1_version_major whatever was specified in the HostAnnouncement
1260  *    or DomainAnnouncement frame with which the entry was registered.
1261  *
1262  *    sv1_version_minor whatever was specified in the HostAnnouncement
1263  *    or DomainAnnouncement frame with which the entry was registered.
1264  *
1265  *    sv1_type specifies the type of software the computer is running.
1266  *    The member can be one or a combination of the values defined above
1267  *    in the Transaction request parameters section for fServerType.
1268  *
1269  *
1270  *    sv1_comment_or_master_browser points to a null-terminated string. If
1271  *    the sv1_type indicates that the entry is for a domain, this
1272  *    specifies the name of server running the domain master browser;
1273  *    otherwise, it specifies a comment describing the server. The comment
1274  *    can be a null string or the pointer may be a null pointer.
1275  *
1276  *    In case there are multiple SERVER_INFO_1 data structures to
1277  *    return, the server may put all these fixed length structures in
1278  *    the return buffer, leave some space and then put all the variable
1279  *    length data (the actual value of the sv1_comment strings) at the
1280  *    end of the buffer.
1281  *
1282  * There is no auxiliary data to receive.
1283  */
1284 
1285 int
1286 smb_trans_net_server_enum2(struct smb_request *sr, struct smb_xa *xa)
1287 {
1288 	uint16_t opcode, level, max_bytes;
1289 	uint32_t server_type;
1290 	unsigned char *domain;
1291 	struct mbuf_chain str_mb;
1292 	char *hostname, *s;
1293 	smb_kmod_cfg_t *si;
1294 
1295 	if (smb_mbc_decodef(&xa->req_param_mb,
1296 	    "%wsswwls", sr, &opcode, &s, &s,
1297 	    &level, &max_bytes, &server_type, &domain) != 0)
1298 		return (SDRC_NOT_IMPLEMENTED);
1299 
1300 	si = sr->sr_cfg;
1301 
1302 	if (smb_strcasecmp(si->skc_nbdomain, (char *)domain, 0) != 0) {
1303 		(void) smb_mbc_encodef(&xa->rep_param_mb, "wwww", 0, 0, 0, 0);
1304 		return (SDRC_SUCCESS);
1305 	}
1306 
1307 	if ((server_type & MY_SERVER_TYPE) == 0) {
1308 		(void) smb_mbc_encodef(&xa->rep_param_mb, "wwww", 0, 0, 0, 0);
1309 		return (SDRC_SUCCESS);
1310 	}
1311 
1312 	MBC_INIT(&str_mb, max_bytes);
1313 
1314 	hostname = si->skc_hostname;
1315 
1316 	(void) smb_mbc_encodef(&xa->rep_data_mb, "16c", hostname);
1317 	if (level == 1) {
1318 		(void) smb_mbc_encodef(&xa->rep_data_mb, "bbll",
1319 		    sr->sr_cfg->skc_version.sv_major,
1320 		    sr->sr_cfg->skc_version.sv_minor,
1321 		    MY_SERVER_TYPE, MBC_LENGTH(&str_mb));
1322 		(void) smb_mbc_encodef(&str_mb, "s", si->skc_system_comment);
1323 	}
1324 
1325 	(void) smb_mbc_encodef(&xa->rep_param_mb, "wwww", 0,
1326 	    -MBC_LENGTH(&xa->rep_data_mb), 1, 1);
1327 	(void) smb_mbc_encodef(&xa->rep_data_mb, "m", str_mb.chain);
1328 	return (SDRC_SUCCESS);
1329 }
1330 
1331 static boolean_t
1332 is_supported_mailslot(const char *mailslot)
1333 {
1334 	static char *mailslots[] = {
1335 		PIPE_LANMAN,
1336 		MAILSLOT_LANMAN,
1337 		MAILSLOT_BROWSE,
1338 		MAILSLOT_MSBROWSE
1339 	};
1340 
1341 	int i;
1342 
1343 	for (i = 0; i < sizeof (mailslots)/sizeof (mailslots[0]); ++i)
1344 		if (smb_strcasecmp(mailslot, mailslots[i], 0) == 0)
1345 			return (B_TRUE);
1346 
1347 	return (B_FALSE);
1348 }
1349 
1350 /*
1351  * Currently, just return false if the pipe is \\PIPE\repl.
1352  * Otherwise, return true.
1353  */
1354 static boolean_t
1355 is_supported_pipe(const char *pname)
1356 {
1357 	if (smb_strcasecmp(pname, PIPE_REPL, 0) == 0)
1358 		return (B_FALSE);
1359 
1360 	return (B_TRUE);
1361 }
1362 
1363 static smb_sdrc_t
1364 smb_trans_dispatch(smb_request_t *sr, smb_xa_t *xa)
1365 {
1366 	int		rc, pos;
1367 	int		total_bytes, n_setup, n_param, n_data;
1368 	int		param_off, param_pad, data_off, data_pad;
1369 	uint16_t	opcode;
1370 	uint16_t	devstate;
1371 	char		*req_fmt;
1372 	char		*rep_fmt;
1373 	smb_vdb_t	vdb;
1374 
1375 	n_setup = (xa->smb_msrcnt < 200) ? xa->smb_msrcnt : 200;
1376 	n_setup++;
1377 	n_setup = n_setup & ~0x0001;
1378 	n_param = (xa->smb_mprcnt < smb_maxbufsize)
1379 	    ? xa->smb_mprcnt : smb_maxbufsize;
1380 	n_param++;
1381 	n_param = n_param & ~0x0001;
1382 	rc = smb_maxbufsize - (SMBHEADERSIZE + 28 + n_setup + n_param);
1383 	n_data =  (xa->smb_mdrcnt < rc) ? xa->smb_mdrcnt : rc;
1384 	MBC_INIT(&xa->rep_setup_mb, n_setup * 2);
1385 	MBC_INIT(&xa->rep_param_mb, n_param);
1386 	MBC_INIT(&xa->rep_data_mb, n_data);
1387 
1388 	if (xa->smb_suwcnt > 0 && STYPE_ISIPC(sr->tid_tree->t_res_type)) {
1389 		rc = smb_mbc_decodef(&xa->req_setup_mb, "ww", &opcode,
1390 		    &sr->smb_fid);
1391 		if (rc != 0)
1392 			goto trans_err_not_supported;
1393 		switch (opcode) {
1394 		case TRANS_SET_NMPIPE_STATE:
1395 			if ((rc = smb_mbc_decodef(&xa->req_param_mb, "w",
1396 			    &devstate)) != 0)
1397 				goto trans_err_not_supported;
1398 
1399 			rc = SDRC_SUCCESS;
1400 			break;
1401 
1402 		case TRANS_TRANSACT_NMPIPE:
1403 			smbsr_lookup_file(sr);
1404 			if (sr->fid_ofile == NULL) {
1405 				smbsr_error(sr, NT_STATUS_INVALID_HANDLE,
1406 				    ERRDOS, ERRbadfid);
1407 				return (SDRC_ERROR);
1408 			}
1409 
1410 			rc = smb_mbc_decodef(&xa->req_data_mb, "#B",
1411 			    xa->smb_tdscnt, &vdb);
1412 			if (rc != 0)
1413 				goto trans_err_not_supported;
1414 
1415 			rc = smb_opipe_transact(sr, &vdb.vdb_uio);
1416 			break;
1417 
1418 		case TRANS_WAIT_NMPIPE:
1419 			if (!is_supported_pipe(xa->xa_pipe_name)) {
1420 				smbsr_error(sr, 0, ERRDOS, ERRbadfile);
1421 				return (SDRC_ERROR);
1422 			}
1423 			rc = SDRC_SUCCESS;
1424 			break;
1425 
1426 		default:
1427 			goto trans_err_not_supported;
1428 		}
1429 	} else {
1430 		if (!is_supported_mailslot(xa->xa_pipe_name))
1431 			goto trans_err_not_supported;
1432 
1433 		if ((rc = smb_mbc_decodef(&xa->req_param_mb, "%wss", sr,
1434 		    &opcode, &req_fmt, &rep_fmt)) != 0)
1435 			goto trans_err_not_supported;
1436 
1437 		switch (opcode) {
1438 		case API_WshareEnum:
1439 			rc = smb_trans_net_share_enum(sr, xa);
1440 			break;
1441 
1442 		case API_WshareGetInfo:
1443 			rc = smb_trans_net_share_getinfo(sr, xa);
1444 			break;
1445 
1446 		case API_WserverGetInfo:
1447 			rc = smb_trans_net_server_getinfo(sr, xa);
1448 			break;
1449 
1450 		case API_WUserGetInfo:
1451 			rc = smb_trans_net_user_getinfo(sr, xa);
1452 			break;
1453 
1454 		case API_WWkstaGetInfo:
1455 			rc = smb_trans_net_workstation_getinfo(sr, xa);
1456 			break;
1457 
1458 		case API_NetServerEnum2:
1459 			rc = smb_trans_net_server_enum2(sr, xa);
1460 			break;
1461 
1462 		default:
1463 			goto trans_err_not_supported;
1464 		}
1465 	}
1466 
1467 	switch (rc) {
1468 	case SDRC_SUCCESS:
1469 		break;
1470 
1471 	case SDRC_DROP_VC:
1472 	case SDRC_NO_REPLY:
1473 	case SDRC_ERROR:
1474 		return (rc);
1475 
1476 	case SDRC_NOT_IMPLEMENTED:
1477 		goto trans_err_not_supported;
1478 
1479 	default:
1480 		break;
1481 	}
1482 
1483 	n_setup = MBC_LENGTH(&xa->rep_setup_mb);
1484 	n_param = MBC_LENGTH(&xa->rep_param_mb);
1485 	n_data  = MBC_LENGTH(&xa->rep_data_mb);
1486 
1487 	if (xa->smb_msrcnt < n_setup ||
1488 	    xa->smb_mprcnt < n_param ||
1489 	    xa->smb_mdrcnt < n_data) {
1490 		goto trans_err_too_small;
1491 	}
1492 
1493 	/* neato, blast it over there */
1494 
1495 	n_setup = (n_setup + 1) / 2;		/* Convert to setup words */
1496 	param_pad = 1;				/* always one */
1497 	param_off = param_pad + 32 + 21 + (n_setup << 1) + 2;
1498 	data_pad = (param_off + n_param) & 1;	/* Pad to short */
1499 	/* Param off from hdr start */
1500 	data_off = param_off + n_param + data_pad;
1501 	total_bytes = param_pad + n_param + data_pad + n_data;
1502 
1503 	rc = smbsr_encode_result(sr, 10+n_setup, total_bytes,
1504 	    "bww2.wwwwwwb.Cw#.C#.C",
1505 	    10 + n_setup,		/* wct */
1506 	    n_param,			/* Total Parameter Bytes */
1507 	    n_data,			/* Total Data Bytes */
1508 	    n_param,			/* Total Parameter Bytes this buffer */
1509 	    param_off,			/* Param offset from header start */
1510 	    0,				/* Param displacement */
1511 	    n_data,			/* Total Data Bytes this buffer */
1512 	    data_off,			/* Data offset from header start */
1513 	    0,				/* Data displacement */
1514 	    n_setup,			/* suwcnt */
1515 	    &xa->rep_setup_mb, /* setup[] */
1516 	    total_bytes,		/* Total data bytes */
1517 	    param_pad,
1518 	    &xa->rep_param_mb,
1519 	    data_pad,
1520 	    &xa->rep_data_mb);
1521 	return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
1522 
1523 trans_err_too_small:
1524 	rc = NERR_BufTooSmall;
1525 	goto trans_err;
1526 
1527 trans_err_not_supported:
1528 	rc = ERROR_NOT_SUPPORTED;
1529 	goto trans_err;
1530 
1531 trans_err:
1532 	pos = MBC_LENGTH(&sr->reply) + 23;
1533 	rc = smbsr_encode_result(sr, 10, 4, "bww2.wwwwwwb.www",
1534 	    10,		/* wct */
1535 	    4, 0,	/* tpscnt tdscnt */
1536 	    4, pos, 0,	/* pscnt psoff psdisp */
1537 	    0, 0, 0,	/* dscnt dsoff dsdisp */
1538 	    0,		/* suwcnt */
1539 	    4,		/* bcc */
1540 	    rc,
1541 	    0);		/* converter word? */
1542 	return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
1543 }
1544 
1545 static smb_sdrc_t
1546 smb_trans2_dispatch(smb_request_t *sr, smb_xa_t *xa)
1547 {
1548 	int		rc, pos;
1549 	int		total_bytes, n_setup, n_param, n_data;
1550 	int		param_off, param_pad, data_off, data_pad;
1551 	uint16_t	opcode;
1552 	uint16_t  nt_unknown_secret = 0x0100;
1553 	char *fmt;
1554 
1555 	n_setup = (xa->smb_msrcnt < 200) ? xa->smb_msrcnt : 200;
1556 	n_setup++;
1557 	n_setup = n_setup & ~0x0001;
1558 	n_param = (xa->smb_mprcnt < smb_maxbufsize)
1559 	    ? xa->smb_mprcnt : smb_maxbufsize;
1560 	n_param++;
1561 	n_param = n_param & ~0x0001;
1562 	rc = smb_maxbufsize - (SMBHEADERSIZE + 28 + n_setup + n_param);
1563 	n_data =  (xa->smb_mdrcnt < rc) ? xa->smb_mdrcnt : rc;
1564 	MBC_INIT(&xa->rep_setup_mb, n_setup * 2);
1565 	MBC_INIT(&xa->rep_param_mb, n_param);
1566 	MBC_INIT(&xa->rep_data_mb, n_data);
1567 
1568 	if (smb_mbc_decodef(&xa->req_setup_mb, "w", &opcode) != 0)
1569 		goto trans_err_not_supported;
1570 
1571 	/*
1572 	 * Save this for /proc to read later.
1573 	 */
1574 	xa->smb_func = opcode;
1575 
1576 	/* for now, only respond to the */
1577 	switch (opcode) {
1578 	case TRANS2_OPEN2:
1579 		rc = smb_com_trans2_open2(sr, xa);
1580 		break;
1581 
1582 	case TRANS2_CREATE_DIRECTORY:
1583 		rc = smb_com_trans2_create_directory(sr, xa);
1584 		break;
1585 
1586 	case TRANS2_FIND_FIRST2:
1587 		/*
1588 		 * Should have enough room to send the response
1589 		 * data back to client.
1590 		 */
1591 		if (n_data == 0) {
1592 			smbsr_error(sr, NT_STATUS_INFO_LENGTH_MISMATCH,
1593 			    ERRDOS, ERROR_BAD_LENGTH);
1594 			return (SDRC_ERROR);
1595 		}
1596 		rc = smb_com_trans2_find_first2(sr, xa);
1597 		break;
1598 
1599 	case TRANS2_FIND_NEXT2:
1600 		/*
1601 		 * Should have enough room to send the response
1602 		 * data back to client.
1603 		 */
1604 		if (n_data == 0) {
1605 			smbsr_error(sr, NT_STATUS_INFO_LENGTH_MISMATCH,
1606 			    ERRDOS, ERROR_BAD_LENGTH);
1607 			return (SDRC_ERROR);
1608 		}
1609 		rc = smb_com_trans2_find_next2(sr, xa);
1610 		break;
1611 
1612 	case TRANS2_QUERY_FS_INFORMATION:
1613 		/*
1614 		 * Should have enough room to send the response
1615 		 * data back to client.
1616 		 */
1617 		if (n_data == 0) {
1618 			smbsr_error(sr, NT_STATUS_INFO_LENGTH_MISMATCH,
1619 			    ERRDOS, ERROR_BAD_LENGTH);
1620 			return (SDRC_ERROR);
1621 		}
1622 		rc = smb_com_trans2_query_fs_information(sr, xa);
1623 		break;
1624 
1625 	case TRANS2_SET_FS_INFORMATION:
1626 		rc = smb_com_trans2_set_fs_information(sr, xa);
1627 		break;
1628 
1629 	case TRANS2_QUERY_PATH_INFORMATION:
1630 		/*
1631 		 * Should have enough room to send the response
1632 		 * data back to client.
1633 		 */
1634 		if (n_data == 0) {
1635 			smbsr_error(sr, NT_STATUS_INFO_LENGTH_MISMATCH,
1636 			    ERRDOS, ERROR_BAD_LENGTH);
1637 			return (SDRC_ERROR);
1638 		}
1639 		rc = smb_com_trans2_query_path_information(sr, xa);
1640 		break;
1641 
1642 	case TRANS2_QUERY_FILE_INFORMATION:
1643 		/*
1644 		 * Should have enough room to send the response
1645 		 * data back to client.
1646 		 */
1647 		if (n_data == 0) {
1648 			smbsr_error(sr, NT_STATUS_INFO_LENGTH_MISMATCH,
1649 			    ERRDOS, ERROR_BAD_LENGTH);
1650 			return (SDRC_ERROR);
1651 		}
1652 		rc = smb_com_trans2_query_file_information(sr, xa);
1653 		break;
1654 
1655 	case TRANS2_SET_PATH_INFORMATION:
1656 		rc = smb_com_trans2_set_path_information(sr, xa);
1657 		break;
1658 
1659 	case TRANS2_SET_FILE_INFORMATION:
1660 		rc = smb_com_trans2_set_file_information(sr, xa);
1661 		break;
1662 
1663 	case TRANS2_GET_DFS_REFERRAL:
1664 		rc = smb_com_trans2_get_dfs_referral(sr, xa);
1665 		break;
1666 
1667 	default:
1668 		(void) smb_mbc_encodef(&xa->rep_param_mb, "w", 0);
1669 		goto trans_err_not_supported;
1670 	}
1671 
1672 	switch (rc) {
1673 	case SDRC_SUCCESS:
1674 		break;
1675 
1676 	case SDRC_DROP_VC:
1677 	case SDRC_NO_REPLY:
1678 	case SDRC_ERROR:
1679 		return (rc);
1680 
1681 	case SDRC_NOT_IMPLEMENTED:
1682 		goto trans_err_not_supported;
1683 
1684 	default:
1685 		break;
1686 	}
1687 
1688 	n_setup = MBC_LENGTH(&xa->rep_setup_mb);
1689 	n_param = MBC_LENGTH(&xa->rep_param_mb);
1690 	n_data  = MBC_LENGTH(&xa->rep_data_mb);
1691 
1692 	if (xa->smb_msrcnt < n_setup ||
1693 	    xa->smb_mprcnt < n_param ||
1694 	    xa->smb_mdrcnt < n_data) {
1695 		goto trans_err_too_small;
1696 	}
1697 
1698 	/* neato, blast it over there */
1699 
1700 	n_setup = (n_setup + 1) / 2;		/* Conver to setup words */
1701 	param_pad = 1;				/* must be one */
1702 	param_off = param_pad + 32 + 21 + (n_setup << 1) + 2;
1703 
1704 	/*
1705 	 * Including the nt_unknown_secret value persuades netmon to
1706 	 * display the correct data format for QueryPathInfo and
1707 	 * QueryFileInfo.
1708 	 */
1709 	if (opcode == TRANS2_QUERY_FILE_INFORMATION ||
1710 	    opcode == TRANS2_QUERY_PATH_INFORMATION) {
1711 		data_pad = sizeof (uint16_t);
1712 		data_off = param_off + n_param + data_pad;
1713 		fmt = "bww2.wwwwwwb.Cw#.CwC";
1714 		nt_unknown_secret = 0x0100;
1715 	}
1716 	else
1717 	{
1718 		data_pad = (param_off + n_param) & 1; /* Pad to short */
1719 		/* Param off from hdr start */
1720 		data_off = param_off + n_param + data_pad;
1721 		fmt = "bww2.wwwwwwb.Cw#.C#.C";
1722 		/*LINTED E_ASSIGN_NARROW_CONV*/
1723 		nt_unknown_secret = data_pad;
1724 	}
1725 
1726 	total_bytes = param_pad + n_param + data_pad + n_data;
1727 
1728 	rc = smbsr_encode_result(sr, 10+n_setup, total_bytes,
1729 	    fmt,
1730 	    10 + n_setup,		/* wct */
1731 	    n_param,			/* Total Parameter Bytes */
1732 	    n_data /* + data_pad */,	/* Total Data Bytes */
1733 	    n_param,			/* Total Parameter Bytes this buffer */
1734 	    param_off,			/* Param offset from header start */
1735 	    0,				/* Param displacement */
1736 	    n_data /* + data_pad */,	/* Total Data Bytes this buffer */
1737 	    data_off,			/* Data offset from header start */
1738 	    0,				/* Data displacement */
1739 	    n_setup,			/* suwcnt */
1740 	    &xa->rep_setup_mb,		/* setup[] */
1741 	    total_bytes,		/* Total data bytes */
1742 	    param_pad,
1743 	    &xa->rep_param_mb,
1744 	    nt_unknown_secret,
1745 	    &xa->rep_data_mb);
1746 	return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
1747 
1748 trans_err_too_small:
1749 	rc = NERR_BufTooSmall;
1750 	goto trans_err;
1751 
1752 trans_err_not_supported:
1753 	rc = ERROR_NOT_SUPPORTED;
1754 	goto trans_err;
1755 
1756 trans_err:
1757 	pos = MBC_LENGTH(&sr->reply) + 23;
1758 	rc = smbsr_encode_result(sr, 10, 4, "bww2.wwwwwwb.www",
1759 	    10,		/* wct */
1760 	    4, 0,	/* tpscnt tdscnt */
1761 	    4, pos, 0,	/* pscnt psoff psdisp */
1762 	    0, 0, 0,	/* dscnt dsoff dsdisp */
1763 	    0,		/* suwcnt */
1764 	    4,		/* bcc */
1765 	    rc,
1766 	    0);		/* converter word? */
1767 	return ((rc == 0) ? SDRC_SUCCESS : SDRC_ERROR);
1768 }
1769 
1770 smb_xa_t *
1771 smb_xa_create(
1772     smb_session_t	*session,
1773     smb_request_t	*sr,
1774     uint32_t		total_parameter_count,
1775     uint32_t		total_data_count,
1776     uint32_t		max_parameter_count,
1777     uint32_t		max_data_count,
1778     uint32_t		max_setup_count,
1779     uint32_t		setup_word_count)
1780 {
1781 	smb_xa_t	*xa, *nxa;
1782 	smb_llist_t	*xlist;
1783 
1784 	xa = kmem_zalloc(sizeof (smb_xa_t), KM_SLEEP);
1785 	xa->xa_refcnt = 1;
1786 	xa->smb_com = sr->smb_com;
1787 	xa->smb_flg = sr->smb_flg;
1788 	xa->smb_flg2 = sr->smb_flg2;
1789 	xa->smb_tid = sr->smb_tid;
1790 	xa->smb_pid = sr->smb_pid;
1791 	xa->smb_uid = sr->smb_uid;
1792 	xa->xa_smb_mid = sr->smb_mid;
1793 	xa->reply_seqnum = sr->reply_seqnum;
1794 	xa->smb_tpscnt = total_parameter_count;
1795 	xa->smb_tdscnt = total_data_count;
1796 	xa->smb_mprcnt = max_parameter_count;
1797 	xa->smb_mdrcnt = max_data_count;
1798 	xa->smb_msrcnt = max_setup_count;
1799 	xa->smb_suwcnt = setup_word_count;
1800 	xa->xa_session = session;
1801 	xa->xa_magic = SMB_XA_MAGIC;
1802 
1803 	/*
1804 	 * The new xa structure is checked against the current list to see
1805 	 * if it exists already.
1806 	 */
1807 	xlist = &session->s_xa_list;
1808 	smb_llist_enter(xlist, RW_WRITER);
1809 	nxa = smb_llist_head(xlist);
1810 	while (nxa) {
1811 		ASSERT(nxa->xa_magic == SMB_XA_MAGIC);
1812 		if (nxa->xa_smb_mid == xa->xa_smb_mid &&
1813 		    nxa->smb_pid == xa->smb_pid &&
1814 		    !SMB_XA_CLOSED(nxa) &&
1815 		    !(nxa->xa_flags & SMB_XA_FLAG_COMPLETE)) {
1816 			smb_llist_exit(xlist);
1817 			kmem_free(xa, sizeof (smb_xa_t));
1818 			return (NULL);
1819 		}
1820 		nxa = smb_llist_next(xlist, nxa);
1821 	}
1822 	smb_llist_insert_tail(xlist, xa);
1823 	smb_llist_exit(xlist);
1824 	return (xa);
1825 }
1826 
1827 void
1828 smb_xa_delete(smb_xa_t *xa)
1829 {
1830 	ASSERT(xa->xa_refcnt == 0);
1831 	ASSERT(SMB_XA_CLOSED(xa));
1832 
1833 	if (xa->xa_pipe_name)
1834 		smb_mem_free(xa->xa_pipe_name);
1835 
1836 	if (xa->rep_setup_mb.chain != NULL)
1837 		m_freem(xa->rep_setup_mb.chain);
1838 	if (xa->rep_param_mb.chain != NULL)
1839 		m_freem(xa->rep_param_mb.chain);
1840 	if (xa->rep_data_mb.chain != NULL)
1841 		m_freem(xa->rep_data_mb.chain);
1842 
1843 	xa->xa_magic = (uint32_t)~SMB_XA_MAGIC;
1844 	kmem_free(xa, sizeof (smb_xa_t));
1845 }
1846 
1847 smb_xa_t *
1848 smb_xa_hold(smb_xa_t *xa)
1849 {
1850 	mutex_enter(&xa->xa_mutex);
1851 	xa->xa_refcnt++;
1852 	ASSERT(xa->xa_refcnt);
1853 	mutex_exit(&xa->xa_mutex);
1854 	return (xa);
1855 }
1856 
1857 void
1858 smb_xa_rele(smb_session_t *session, smb_xa_t *xa)
1859 {
1860 	mutex_enter(&xa->xa_mutex);
1861 	ASSERT(xa->xa_refcnt);
1862 	xa->xa_refcnt--;
1863 	if (SMB_XA_CLOSED(xa) && (xa->xa_refcnt == 0)) {
1864 		mutex_exit(&xa->xa_mutex);
1865 		smb_llist_enter(&session->s_xa_list, RW_WRITER);
1866 		smb_llist_remove(&session->s_xa_list, xa);
1867 		smb_llist_exit(&session->s_xa_list);
1868 		smb_xa_delete(xa);
1869 		return;
1870 	}
1871 	mutex_exit(&xa->xa_mutex);
1872 }
1873 
1874 int
1875 smb_xa_open(smb_xa_t *xa)
1876 {
1877 	int rc;
1878 
1879 	mutex_enter(&xa->xa_mutex);
1880 
1881 	ASSERT((xa->xa_flags & SMB_XA_FLAG_OPEN) == 0);
1882 
1883 	if ((xa->xa_flags & SMB_XA_FLAG_CLOSE) == 0) {
1884 		xa->xa_flags |= SMB_XA_FLAG_OPEN;
1885 		rc = 0;
1886 	} else {
1887 		rc = ERROR_INVALID_HANDLE;
1888 	}
1889 
1890 	mutex_exit(&xa->xa_mutex);
1891 
1892 	return (rc);
1893 }
1894 
1895 void
1896 smb_xa_close(smb_xa_t *xa)
1897 {
1898 	mutex_enter(&xa->xa_mutex);
1899 	xa->xa_flags |= SMB_XA_FLAG_CLOSE;
1900 	xa->xa_flags &= ~SMB_XA_FLAG_OPEN;
1901 
1902 	if (xa->xa_refcnt == 0) {
1903 		mutex_exit(&xa->xa_mutex);
1904 		smb_llist_enter(&xa->xa_session->s_xa_list, RW_WRITER);
1905 		smb_llist_remove(&xa->xa_session->s_xa_list, xa);
1906 		smb_llist_exit(&xa->xa_session->s_xa_list);
1907 		smb_xa_delete(xa);
1908 		return;
1909 	}
1910 
1911 	mutex_exit(&xa->xa_mutex);
1912 }
1913 
1914 int
1915 smb_xa_complete(smb_xa_t *xa)
1916 {
1917 	int rc;
1918 
1919 	mutex_enter(&xa->xa_mutex);
1920 	if (xa->xa_flags & (SMB_XA_FLAG_COMPLETE | SMB_XA_FLAG_CLOSE)) {
1921 		rc = 0;
1922 	} else {
1923 		rc = 1;
1924 		xa->xa_flags |= SMB_XA_FLAG_COMPLETE;
1925 	}
1926 	mutex_exit(&xa->xa_mutex);
1927 	return (rc);
1928 }
1929 
1930 smb_xa_t *
1931 smb_xa_find(
1932     smb_session_t	*session,
1933     uint16_t		pid,
1934     uint16_t		mid)
1935 {
1936 	smb_xa_t	*xa;
1937 	smb_llist_t	*xlist;
1938 
1939 	xlist = &session->s_xa_list;
1940 	smb_llist_enter(xlist, RW_READER);
1941 	xa = smb_llist_head(xlist);
1942 	while (xa) {
1943 		mutex_enter(&xa->xa_mutex);
1944 		if (xa->xa_smb_mid == mid &&
1945 		    xa->smb_pid == pid &&
1946 		    !SMB_XA_CLOSED(xa) &&
1947 		    !(xa->xa_flags & SMB_XA_FLAG_COMPLETE)) {
1948 			xa->xa_refcnt++;
1949 			ASSERT(xa->xa_refcnt);
1950 			mutex_exit(&xa->xa_mutex);
1951 			break;
1952 		}
1953 		mutex_exit(&xa->xa_mutex);
1954 		xa = smb_llist_next(xlist, xa);
1955 	}
1956 	smb_llist_exit(xlist);
1957 	return (xa);
1958 }
1959