1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * Server-side NDR stream (PDU) operations. Stream operations should 28 * return TRUE (non-zero) on success or FALSE (zero or a null pointer) 29 * on failure. When an operation returns FALSE, including ndo_malloc() 30 * returning NULL, it should set the nds->error to indicate what went 31 * wrong. 32 * 33 * When available, the relevant ndr reference is passed to the 34 * operation but keep in mind that it may be a null pointer. 35 * 36 * Functions ndo_get_pdu(), ndo_put_pdu(), and ndo_pad_pdu() 37 * must never grow the PDU data. A request for out-of-bounds data is 38 * an error. The swap_bytes flag is 1 if NDR knows that the byte- 39 * order in the PDU is different from the local system. 40 */ 41 42 #include <sys/types.h> 43 #include <stdarg.h> 44 #include <ctype.h> 45 #include <stdio.h> 46 #include <stdlib.h> 47 #include <strings.h> 48 #include <string.h> 49 #include <assert.h> 50 51 #include <smbsrv/libsmb.h> 52 #include <smbsrv/libmlrpc.h> 53 54 #define NDOBUFSZ 128 55 56 #define NDR_PDU_BLOCK_SIZE (4*1024) 57 #define NDR_PDU_BLOCK_MASK (NDR_PDU_BLOCK_SIZE - 1) 58 #define NDR_PDU_ALIGN(N) \ 59 (((N) + NDR_PDU_BLOCK_SIZE) & ~NDR_PDU_BLOCK_MASK) 60 #define NDR_PDU_MAX_SIZE (64*1024*1024) 61 62 static char *ndo_malloc(ndr_stream_t *, unsigned, ndr_ref_t *); 63 static int ndo_free(ndr_stream_t *, char *, ndr_ref_t *); 64 static int ndo_grow_pdu(ndr_stream_t *, unsigned long, ndr_ref_t *); 65 static int ndo_pad_pdu(ndr_stream_t *, unsigned long, unsigned long, 66 ndr_ref_t *); 67 static int ndo_get_pdu(ndr_stream_t *, unsigned long, unsigned long, 68 char *, int, ndr_ref_t *); 69 static int ndo_put_pdu(ndr_stream_t *, unsigned long, unsigned long, 70 char *, int, ndr_ref_t *); 71 static void ndo_tattle(ndr_stream_t *, char *, ndr_ref_t *); 72 static void ndo_tattle_error(ndr_stream_t *, ndr_ref_t *); 73 static int ndo_reset(ndr_stream_t *); 74 static void ndo_destruct(ndr_stream_t *); 75 static void ndo_hexfmt(uint8_t *, int, int, char *, int); 76 77 /* 78 * The ndr stream operations table. 79 */ 80 static ndr_stream_ops_t nds_ops = { 81 ndo_malloc, 82 ndo_free, 83 ndo_grow_pdu, 84 ndo_pad_pdu, 85 ndo_get_pdu, 86 ndo_put_pdu, 87 ndo_tattle, 88 ndo_tattle_error, 89 ndo_reset, 90 ndo_destruct 91 }; 92 93 /* 94 * nds_bswap 95 * 96 * Copies len bytes from src to dst such that dst contains the bytes 97 * from src in reverse order. 98 * 99 * We expect to be dealing with bytes, words, dwords etc. So the 100 * length must be non-zero and a power of 2. 101 */ 102 void 103 nds_bswap(void *srcbuf, void *dstbuf, size_t len) 104 { 105 uint8_t *src = (uint8_t *)srcbuf; 106 uint8_t *dst = (uint8_t *)dstbuf; 107 108 if ((len != 0) && ((len & (len - 1)) == 0)) { 109 src += len; 110 111 while (len--) 112 *dst++ = *(--src); 113 } 114 } 115 116 /* 117 * nds_initialize 118 * 119 * Initialize a stream. Sets up the PDU parameters and assigns the stream 120 * operations and the reference to the heap. An external heap is provided 121 * to the stream, rather than each stream creating its own heap. 122 */ 123 int 124 nds_initialize(ndr_stream_t *nds, unsigned pdu_size_hint, 125 int composite_op, ndr_heap_t *heap) 126 { 127 unsigned size; 128 129 assert(nds); 130 assert(heap); 131 132 bzero(nds, sizeof (*nds)); 133 nds->ndo = &nds_ops; 134 nds->heap = (struct ndr_heap *)heap; 135 136 if (pdu_size_hint > NDR_PDU_MAX_SIZE) { 137 nds->error = NDR_ERR_BOUNDS_CHECK; 138 nds->error_ref = __LINE__; 139 NDS_TATTLE_ERROR(nds, NULL, NULL); 140 return (NDR_DRC_FAULT_RESOURCE_1); 141 } 142 143 size = (pdu_size_hint == 0) ? NDR_PDU_BLOCK_SIZE : pdu_size_hint; 144 145 if ((nds->pdu_base_addr = malloc(size)) == NULL) { 146 nds->error = NDR_ERR_MALLOC_FAILED; 147 nds->error_ref = __LINE__; 148 NDS_TATTLE_ERROR(nds, NULL, NULL); 149 return (NDR_DRC_FAULT_OUT_OF_MEMORY); 150 } 151 152 nds->pdu_max_size = size; 153 nds->pdu_size = 0; 154 nds->pdu_base_offset = (unsigned long)nds->pdu_base_addr; 155 156 nds->m_op = NDR_MODE_TO_M_OP(composite_op); 157 nds->dir = NDR_MODE_TO_DIR(composite_op); 158 159 nds->outer_queue_tailp = &nds->outer_queue_head; 160 return (0); 161 } 162 163 void 164 nds_finalize(ndr_stream_t *nds, ndr_fraglist_t *frags) 165 { 166 iovec_t *iov; 167 ndr_frag_t *frag; 168 uint32_t size = 0; 169 170 bzero(frags, sizeof (ndr_fraglist_t)); 171 172 for (frag = nds->frags.head; frag; frag = frag->next) 173 size += frag->len; 174 175 if (size == 0 || size >= NDR_PDU_MAX_SIZE) 176 return; 177 178 frags->iov = malloc(nds->frags.nfrag * sizeof (iovec_t)); 179 if (frags->iov == NULL) 180 return; 181 182 frags->head = nds->frags.head; 183 frags->tail = nds->frags.tail; 184 frags->nfrag = nds->frags.nfrag; 185 bzero(&nds->frags, sizeof (ndr_fraglist_t)); 186 187 frags->uio.uio_iov = frags->iov; 188 frags->uio.uio_iovcnt = frags->nfrag; 189 frags->uio.uio_offset = 0; 190 frags->uio.uio_segflg = UIO_USERSPACE; 191 frags->uio.uio_resid = size; 192 193 iov = frags->uio.uio_iov; 194 for (frag = frags->head; frag; frag = frag->next) { 195 iov->iov_base = (caddr_t)frag->buf; 196 iov->iov_len = frag->len; 197 ++iov; 198 } 199 } 200 201 /* 202 * nds_destruct 203 * 204 * Destroy a stream. This is an external interface to provide access to 205 * the stream's destruct operation. 206 */ 207 void 208 nds_destruct(ndr_stream_t *nds) 209 { 210 if ((nds == NULL) || (nds->ndo == NULL)) 211 return; 212 213 NDS_DESTRUCT(nds); 214 } 215 216 /* 217 * Print NDR stream state. 218 */ 219 void 220 nds_show_state(ndr_stream_t *nds) 221 { 222 if (nds == NULL) { 223 ndo_printf(NULL, NULL, "nds: <null"); 224 return; 225 } 226 227 ndo_printf(NULL, NULL, "nds: base=0x%x, size=%d, max=%d, scan=%d", 228 nds->pdu_base_offset, nds->pdu_size, nds->pdu_max_size, 229 nds->pdu_scan_offset); 230 } 231 232 /* 233 * ndo_malloc 234 * 235 * Allocate memory from the stream heap. 236 */ 237 /*ARGSUSED*/ 238 static char * 239 ndo_malloc(ndr_stream_t *nds, unsigned len, ndr_ref_t *ref) 240 { 241 return (ndr_heap_malloc((ndr_heap_t *)nds->heap, len)); 242 } 243 244 /* 245 * ndo_free 246 * 247 * Always succeeds: cannot free individual stream allocations. 248 */ 249 /*ARGSUSED*/ 250 static int 251 ndo_free(ndr_stream_t *nds, char *p, ndr_ref_t *ref) 252 { 253 return (1); 254 } 255 256 /* 257 * ndo_grow_pdu 258 * 259 * This is the only place that should change the size of the PDU. If the 260 * desired offset is beyond the current PDU size, we realloc the PDU 261 * buffer to accommodate the request. For efficiency, the PDU is always 262 * extended to a NDR_PDU_BLOCK_SIZE boundary. Requests to grow the PDU 263 * beyond NDR_PDU_MAX_SIZE are rejected. 264 * 265 * Returns 1 to indicate success. Otherwise 0 to indicate failure. 266 */ 267 static int 268 ndo_grow_pdu(ndr_stream_t *nds, unsigned long want_end_offset, ndr_ref_t *ref) 269 { 270 unsigned char *pdu_addr; 271 unsigned pdu_max_size; 272 273 ndo_printf(nds, ref, "grow %d", want_end_offset); 274 275 pdu_max_size = nds->pdu_max_size; 276 277 if (want_end_offset > pdu_max_size) { 278 pdu_max_size = NDR_PDU_ALIGN(want_end_offset); 279 280 if (pdu_max_size >= NDR_PDU_MAX_SIZE) 281 return (0); 282 283 pdu_addr = realloc(nds->pdu_base_addr, pdu_max_size); 284 if (pdu_addr == 0) 285 return (0); 286 287 nds->pdu_max_size = pdu_max_size; 288 nds->pdu_base_addr = pdu_addr; 289 nds->pdu_base_offset = (unsigned long)pdu_addr; 290 } 291 292 nds->pdu_size = want_end_offset; 293 return (1); 294 } 295 296 static int 297 ndo_pad_pdu(ndr_stream_t *nds, unsigned long pdu_offset, 298 unsigned long n_bytes, ndr_ref_t *ref) 299 { 300 unsigned char *data; 301 302 data = (unsigned char *)nds->pdu_base_offset; 303 data += pdu_offset; 304 305 ndo_printf(nds, ref, "pad %d@%-3d", n_bytes, pdu_offset); 306 307 bzero(data, n_bytes); 308 return (1); 309 } 310 311 /* 312 * ndo_get_pdu 313 * 314 * The swap flag is 1 if NDR knows that the byte-order in the PDU 315 * is different from the local system. 316 * 317 * Returns 1 on success or 0 to indicate failure. 318 */ 319 static int 320 ndo_get_pdu(ndr_stream_t *nds, unsigned long pdu_offset, 321 unsigned long n_bytes, char *buf, int swap_bytes, ndr_ref_t *ref) 322 { 323 unsigned char *data; 324 char hexbuf[NDOBUFSZ]; 325 326 data = (unsigned char *)nds->pdu_base_offset; 327 data += pdu_offset; 328 329 ndo_hexfmt(data, n_bytes, swap_bytes, hexbuf, NDOBUFSZ); 330 331 ndo_printf(nds, ref, "get %d@%-3d = %s", 332 n_bytes, pdu_offset, hexbuf); 333 334 if (!swap_bytes) 335 bcopy(data, buf, n_bytes); 336 else 337 nds_bswap(data, (unsigned char *)buf, n_bytes); 338 339 return (1); 340 } 341 342 /* 343 * ndo_put_pdu 344 * 345 * This is a receiver makes right protocol. So we do not need 346 * to be concerned about the byte-order of an outgoing PDU. 347 */ 348 /*ARGSUSED*/ 349 static int 350 ndo_put_pdu(ndr_stream_t *nds, unsigned long pdu_offset, 351 unsigned long n_bytes, char *buf, int swap_bytes, ndr_ref_t *ref) 352 { 353 unsigned char *data; 354 char hexbuf[NDOBUFSZ]; 355 356 data = (unsigned char *)nds->pdu_base_offset; 357 data += pdu_offset; 358 359 ndo_hexfmt((uint8_t *)buf, n_bytes, 0, hexbuf, NDOBUFSZ); 360 361 ndo_printf(nds, ref, "put %d@%-3d = %s", 362 n_bytes, pdu_offset, hexbuf); 363 364 bcopy(buf, data, n_bytes); 365 return (1); 366 } 367 368 static void 369 ndo_tattle(ndr_stream_t *nds, char *what, ndr_ref_t *ref) 370 { 371 ndo_printf(nds, ref, what); 372 } 373 374 static void 375 ndo_tattle_error(ndr_stream_t *nds, ndr_ref_t *ref) 376 { 377 unsigned char *data; 378 char hexbuf[NDOBUFSZ]; 379 380 if (nds->pdu_base_addr != NULL) { 381 data = (unsigned char *)nds->pdu_base_offset; 382 if (ref) 383 data += ref->pdu_offset; 384 else 385 data += nds->pdu_scan_offset; 386 387 ndo_hexfmt(data, 16, 0, hexbuf, NDOBUFSZ); 388 } else { 389 bzero(hexbuf, NDOBUFSZ); 390 } 391 392 ndo_printf(nds, ref, "ERROR=%d REF=%d OFFSET=%d SIZE=%d/%d", 393 nds->error, nds->error_ref, nds->pdu_scan_offset, 394 nds->pdu_size, nds->pdu_max_size); 395 ndo_printf(nds, ref, " %s", hexbuf); 396 } 397 398 /* 399 * ndo_reset 400 * 401 * Reset a stream: zap the outer_queue. We don't need to tamper 402 * with the stream heap: it's handled externally to the stream. 403 */ 404 static int 405 ndo_reset(ndr_stream_t *nds) 406 { 407 ndo_printf(nds, 0, "reset"); 408 409 nds->pdu_size = 0; 410 nds->pdu_scan_offset = 0; 411 nds->outer_queue_head = 0; 412 nds->outer_current = 0; 413 nds->outer_queue_tailp = &nds->outer_queue_head; 414 415 return (1); 416 } 417 418 /* 419 * ndo_destruct 420 * 421 * Destruct a stream: zap the outer_queue. 422 * Note: heap management (creation/destruction) is external to the stream. 423 */ 424 static void 425 ndo_destruct(ndr_stream_t *nds) 426 { 427 ndr_frag_t *frag; 428 429 ndo_printf(nds, 0, "destruct"); 430 431 if (nds == NULL) 432 return; 433 434 if (nds->pdu_base_addr != NULL) { 435 free(nds->pdu_base_addr); 436 nds->pdu_base_addr = NULL; 437 nds->pdu_base_offset = 0; 438 } 439 440 while ((frag = nds->frags.head) != NULL) { 441 nds->frags.head = frag->next; 442 free(frag); 443 } 444 445 bzero(&nds->frags, sizeof (ndr_fraglist_t)); 446 447 nds->outer_queue_head = 0; 448 nds->outer_current = 0; 449 nds->outer_queue_tailp = &nds->outer_queue_head; 450 } 451 452 /* 453 * Printf style formatting for NDR operations. 454 */ 455 void 456 ndo_printf(ndr_stream_t *nds, ndr_ref_t *ref, const char *fmt, ...) 457 { 458 va_list ap; 459 char buf[NDOBUFSZ]; 460 461 va_start(ap, fmt); 462 (void) vsnprintf(buf, NDOBUFSZ, fmt, ap); 463 va_end(ap); 464 465 if (nds) 466 ndo_fmt(nds, ref, buf); 467 else 468 ndo_trace(buf); 469 } 470 471 /* 472 * Main output formatter for NDR operations. 473 * 474 * UI 03 ... rpc_vers get 1@0 = 5 {05} 475 * UI 03 ... rpc_vers_minor get 1@1 = 0 {00} 476 * 477 * U Marshalling flag (M=marshal, U=unmarshal) 478 * I Direction flag (I=in, O=out) 479 * ... Field name 480 * get PDU operation (get or put) 481 * 1@0 Bytes @ offset (i.e. 1 byte at offset 0) 482 * {05} Value 483 */ 484 void 485 ndo_fmt(ndr_stream_t *nds, ndr_ref_t *ref, char *note) 486 { 487 ndr_ref_t *p; 488 int indent; 489 char ref_name[NDOBUFSZ]; 490 char buf[NDOBUFSZ]; 491 int m_op_c = '?', dir_c = '?'; 492 493 switch (nds->m_op) { 494 case 0: m_op_c = '-'; break; 495 case NDR_M_OP_MARSHALL: m_op_c = 'M'; break; 496 case NDR_M_OP_UNMARSHALL: m_op_c = 'U'; break; 497 default: m_op_c = '?'; break; 498 } 499 500 switch (nds->dir) { 501 case 0: dir_c = '-'; break; 502 case NDR_DIR_IN: dir_c = 'I'; break; 503 case NDR_DIR_OUT: dir_c = 'O'; break; 504 default: dir_c = '?'; break; 505 } 506 507 for (indent = 0, p = ref; p; p = p->enclosing) 508 indent++; 509 510 if (ref && ref->name) { 511 if (*ref->name == '[' && ref->enclosing) { 512 indent--; 513 (void) snprintf(ref_name, NDOBUFSZ, "%s%s", 514 ref->enclosing->name, ref->name); 515 } else { 516 (void) strlcpy(ref_name, ref->name, NDOBUFSZ); 517 } 518 } else { 519 (void) strlcpy(ref_name, "----", NDOBUFSZ); 520 } 521 522 (void) snprintf(buf, NDOBUFSZ, "%c%c %-.*s %-*s %s", 523 m_op_c, dir_c, indent, 524 "....+....+....+....+....+....", 525 20 - indent, ref_name, note); 526 527 ndo_trace(buf); 528 } 529 530 /*ARGSUSED*/ 531 void 532 ndo_trace(const char *s) 533 { 534 /* 535 * Temporary fbt for dtrace until user space sdt enabled. 536 */ 537 } 538 539 /* 540 * Format data as hex bytes (limit is 10 bytes): 541 * 542 * 1188689424 {10 f6 d9 46} 543 * 544 * If the input data is greater than 10 bytes, an ellipsis will 545 * be inserted before the closing brace. 546 */ 547 static void 548 ndo_hexfmt(uint8_t *data, int size, int swap_bytes, char *buf, int len) 549 { 550 char *p = buf; 551 int interp = 1; 552 uint32_t c; 553 int n; 554 int i; 555 556 n = (size > 10) ? 10 : size; 557 if (n > len-1) 558 n = len-1; 559 560 switch (size) { 561 case 1: 562 c = *(uint8_t *)data; 563 break; 564 case 2: 565 if (swap_bytes == 0) /*LINTED E_BAD_PTR_CAST_ALIGN*/ 566 c = *(uint16_t *)data; 567 else 568 c = (data[0] << 8) | data[1]; 569 break; 570 case 4: 571 if (swap_bytes == 0) { /*LINTED E_BAD_PTR_CAST_ALIGN*/ 572 c = *(uint32_t *)data; 573 } else { 574 c = (data[0] << 24) | (data[1] << 16) 575 | (data[2] << 8) | data[3]; 576 } 577 break; 578 default: 579 c = 0; 580 interp = 0; 581 break; 582 } 583 584 if (interp) 585 p += sprintf(p, "%4u {", c); 586 else 587 p += sprintf(p, " {"); 588 589 p += sprintf(p, "%02x", data[0]); 590 for (i = 1; i < n; i++) 591 p += sprintf(p, " %02x", data[i]); 592 if (size > 10) 593 p += sprintf(p, " ...}"); 594 else 595 p += sprintf(p, "}"); 596 597 /* 598 * Show c if it's a printable character or wide-char. 599 */ 600 if (size < 4 && isprint((uint8_t)c)) 601 (void) sprintf(p, " %c", (uint8_t)c); 602 } 603