1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * Server-side NDR stream (PDU) operations. Stream operations should 28 * return TRUE (non-zero) on success or FALSE (zero or a null pointer) 29 * on failure. When an operation returns FALSE, including ndo_malloc() 30 * returning NULL, it should set the nds->error to indicate what went 31 * wrong. 32 * 33 * When available, the relevant ndr reference is passed to the 34 * operation but keep in mind that it may be a null pointer. 35 * 36 * Functions ndo_get_pdu(), ndo_put_pdu(), and ndo_pad_pdu() 37 * must never grow the PDU data. A request for out-of-bounds data is 38 * an error. The swap_bytes flag is 1 if NDR knows that the byte- 39 * order in the PDU is different from the local system. 40 */ 41 42 #include <sys/types.h> 43 #include <stdarg.h> 44 #include <ctype.h> 45 #include <stdio.h> 46 #include <stdlib.h> 47 #include <strings.h> 48 #include <string.h> 49 #include <assert.h> 50 51 #include <smbsrv/libsmb.h> 52 #include <smbsrv/libmlrpc.h> 53 #include <smbsrv/ntstatus.h> 54 55 #define NDOBUFSZ 128 56 57 #define NDR_PDU_BLOCK_SIZE (4*1024) 58 #define NDR_PDU_BLOCK_MASK (NDR_PDU_BLOCK_SIZE - 1) 59 #define NDR_PDU_ALIGN(N) \ 60 (((N) + NDR_PDU_BLOCK_SIZE) & ~NDR_PDU_BLOCK_MASK) 61 #define NDR_PDU_MAX_SIZE (64*1024*1024) 62 63 static char *ndo_malloc(ndr_stream_t *, unsigned, ndr_ref_t *); 64 static int ndo_free(ndr_stream_t *, char *, ndr_ref_t *); 65 static int ndo_grow_pdu(ndr_stream_t *, unsigned long, ndr_ref_t *); 66 static int ndo_pad_pdu(ndr_stream_t *, unsigned long, unsigned long, 67 ndr_ref_t *); 68 static int ndo_get_pdu(ndr_stream_t *, unsigned long, unsigned long, 69 char *, int, ndr_ref_t *); 70 static int ndo_put_pdu(ndr_stream_t *, unsigned long, unsigned long, 71 char *, int, ndr_ref_t *); 72 static void ndo_tattle(ndr_stream_t *, char *, ndr_ref_t *); 73 static void ndo_tattle_error(ndr_stream_t *, ndr_ref_t *); 74 static int ndo_reset(ndr_stream_t *); 75 static void ndo_destruct(ndr_stream_t *); 76 static void ndo_hexfmt(uint8_t *, int, int, char *, int); 77 78 /* 79 * The ndr stream operations table. 80 */ 81 static ndr_stream_ops_t nds_ops = { 82 ndo_malloc, 83 ndo_free, 84 ndo_grow_pdu, 85 ndo_pad_pdu, 86 ndo_get_pdu, 87 ndo_put_pdu, 88 ndo_tattle, 89 ndo_tattle_error, 90 ndo_reset, 91 ndo_destruct 92 }; 93 94 /* 95 * nds_bswap 96 * 97 * Copies len bytes from src to dst such that dst contains the bytes 98 * from src in reverse order. 99 * 100 * We expect to be dealing with bytes, words, dwords etc. So the 101 * length must be non-zero and a power of 2. 102 */ 103 void 104 nds_bswap(void *srcbuf, void *dstbuf, size_t len) 105 { 106 uint8_t *src = (uint8_t *)srcbuf; 107 uint8_t *dst = (uint8_t *)dstbuf; 108 109 if ((len != 0) && ((len & (len - 1)) == 0)) { 110 src += len; 111 112 while (len--) 113 *dst++ = *(--src); 114 } 115 } 116 117 /* 118 * nds_initialize 119 * 120 * Initialize a stream. Sets up the PDU parameters and assigns the stream 121 * operations and the reference to the heap. An external heap is provided 122 * to the stream, rather than each stream creating its own heap. 123 */ 124 int 125 nds_initialize(ndr_stream_t *nds, unsigned pdu_size_hint, 126 int composite_op, ndr_heap_t *heap) 127 { 128 unsigned size; 129 130 assert(nds); 131 assert(heap); 132 133 bzero(nds, sizeof (*nds)); 134 135 if (pdu_size_hint > NDR_PDU_MAX_SIZE) 136 return (0); 137 138 size = (pdu_size_hint == 0) ? NDR_PDU_BLOCK_SIZE : pdu_size_hint; 139 140 if ((nds->pdu_base_addr = malloc(size)) == NULL) { 141 nds->error = NDR_ERR_MALLOC_FAILED; 142 nds->error_ref = __LINE__; 143 NDS_TATTLE_ERROR(nds, NULL, NULL); 144 return (NDR_DRC_FAULT_OUT_OF_MEMORY); 145 } 146 147 nds->pdu_max_size = size; 148 nds->pdu_size = 0; 149 nds->pdu_base_offset = (unsigned long)nds->pdu_base_addr; 150 151 nds->ndo = &nds_ops; 152 nds->heap = (struct ndr_heap *)heap; 153 154 nds->m_op = NDR_MODE_TO_M_OP(composite_op); 155 nds->dir = NDR_MODE_TO_DIR(composite_op); 156 157 nds->outer_queue_tailp = &nds->outer_queue_head; 158 return (0); 159 } 160 161 void 162 nds_finalize(ndr_stream_t *nds, ndr_fraglist_t *frags) 163 { 164 iovec_t *iov; 165 ndr_frag_t *frag; 166 uint32_t size = 0; 167 168 bzero(frags, sizeof (ndr_fraglist_t)); 169 170 for (frag = nds->frags.head; frag; frag = frag->next) 171 size += frag->len; 172 173 if (size == 0 || size >= NDR_PDU_MAX_SIZE) 174 return; 175 176 frags->iov = malloc(nds->frags.nfrag * sizeof (iovec_t)); 177 if (frags->iov == NULL) 178 return; 179 180 frags->head = nds->frags.head; 181 frags->tail = nds->frags.tail; 182 frags->nfrag = nds->frags.nfrag; 183 bzero(&nds->frags, sizeof (ndr_fraglist_t)); 184 185 frags->uio.uio_iov = frags->iov; 186 frags->uio.uio_iovcnt = frags->nfrag; 187 frags->uio.uio_offset = 0; 188 frags->uio.uio_segflg = UIO_USERSPACE; 189 frags->uio.uio_resid = size; 190 191 iov = frags->uio.uio_iov; 192 for (frag = frags->head; frag; frag = frag->next) { 193 iov->iov_base = (caddr_t)frag->buf; 194 iov->iov_len = frag->len; 195 ++iov; 196 } 197 } 198 199 /* 200 * nds_destruct 201 * 202 * Destroy a stream. This is an external interface to provide access to 203 * the stream's destruct operation. 204 */ 205 void 206 nds_destruct(ndr_stream_t *nds) 207 { 208 if ((nds == NULL) || (nds->ndo == NULL)) 209 return; 210 211 NDS_DESTRUCT(nds); 212 } 213 214 /* 215 * Print NDR stream state. 216 */ 217 void 218 nds_show_state(ndr_stream_t *nds) 219 { 220 if (nds == NULL) { 221 ndo_printf(NULL, NULL, "nds: <null"); 222 return; 223 } 224 225 ndo_printf(NULL, NULL, "nds: base=0x%x, size=%d, max=%d, scan=%d", 226 nds->pdu_base_offset, nds->pdu_size, nds->pdu_max_size, 227 nds->pdu_scan_offset); 228 } 229 230 /* 231 * ndo_malloc 232 * 233 * Allocate memory from the stream heap. 234 */ 235 /*ARGSUSED*/ 236 static char * 237 ndo_malloc(ndr_stream_t *nds, unsigned len, ndr_ref_t *ref) 238 { 239 return (ndr_heap_malloc((ndr_heap_t *)nds->heap, len)); 240 } 241 242 /* 243 * ndo_free 244 * 245 * Always succeeds: cannot free individual stream allocations. 246 */ 247 /*ARGSUSED*/ 248 static int 249 ndo_free(ndr_stream_t *nds, char *p, ndr_ref_t *ref) 250 { 251 return (1); 252 } 253 254 /* 255 * ndo_grow_pdu 256 * 257 * This is the only place that should change the size of the PDU. If the 258 * desired offset is beyond the current PDU size, we realloc the PDU 259 * buffer to accommodate the request. For efficiency, the PDU is always 260 * extended to a NDR_PDU_BLOCK_SIZE boundary. Requests to grow the PDU 261 * beyond NDR_PDU_MAX_SIZE are rejected. 262 * 263 * Returns 1 to indicate success. Otherwise 0 to indicate failure. 264 */ 265 static int 266 ndo_grow_pdu(ndr_stream_t *nds, unsigned long want_end_offset, ndr_ref_t *ref) 267 { 268 unsigned char *pdu_addr; 269 unsigned pdu_max_size; 270 271 ndo_printf(nds, ref, "grow %d", want_end_offset); 272 273 pdu_max_size = nds->pdu_max_size; 274 275 if (want_end_offset > pdu_max_size) { 276 pdu_max_size = NDR_PDU_ALIGN(want_end_offset); 277 278 if (pdu_max_size >= NDR_PDU_MAX_SIZE) 279 return (0); 280 281 pdu_addr = realloc(nds->pdu_base_addr, pdu_max_size); 282 if (pdu_addr == 0) 283 return (0); 284 285 nds->pdu_max_size = pdu_max_size; 286 nds->pdu_base_addr = pdu_addr; 287 nds->pdu_base_offset = (unsigned long)pdu_addr; 288 } 289 290 nds->pdu_size = want_end_offset; 291 return (1); 292 } 293 294 static int 295 ndo_pad_pdu(ndr_stream_t *nds, unsigned long pdu_offset, 296 unsigned long n_bytes, ndr_ref_t *ref) 297 { 298 unsigned char *data; 299 300 data = (unsigned char *)nds->pdu_base_offset; 301 data += pdu_offset; 302 303 ndo_printf(nds, ref, "pad %d@%-3d", n_bytes, pdu_offset); 304 305 bzero(data, n_bytes); 306 return (1); 307 } 308 309 /* 310 * ndo_get_pdu 311 * 312 * The swap flag is 1 if NDR knows that the byte-order in the PDU 313 * is different from the local system. 314 * 315 * Returns 1 on success or 0 to indicate failure. 316 */ 317 static int 318 ndo_get_pdu(ndr_stream_t *nds, unsigned long pdu_offset, 319 unsigned long n_bytes, char *buf, int swap_bytes, ndr_ref_t *ref) 320 { 321 unsigned char *data; 322 char hexbuf[NDOBUFSZ]; 323 324 data = (unsigned char *)nds->pdu_base_offset; 325 data += pdu_offset; 326 327 ndo_hexfmt(data, n_bytes, swap_bytes, hexbuf, NDOBUFSZ); 328 329 ndo_printf(nds, ref, "get %d@%-3d = %s", 330 n_bytes, pdu_offset, hexbuf); 331 332 if (!swap_bytes) 333 bcopy(data, buf, n_bytes); 334 else 335 nds_bswap(data, (unsigned char *)buf, n_bytes); 336 337 return (1); 338 } 339 340 /* 341 * ndo_put_pdu 342 * 343 * This is a receiver makes right protocol. So we do not need 344 * to be concerned about the byte-order of an outgoing PDU. 345 */ 346 /*ARGSUSED*/ 347 static int 348 ndo_put_pdu(ndr_stream_t *nds, unsigned long pdu_offset, 349 unsigned long n_bytes, char *buf, int swap_bytes, ndr_ref_t *ref) 350 { 351 unsigned char *data; 352 char hexbuf[NDOBUFSZ]; 353 354 data = (unsigned char *)nds->pdu_base_offset; 355 data += pdu_offset; 356 357 ndo_hexfmt((uint8_t *)buf, n_bytes, 0, hexbuf, NDOBUFSZ); 358 359 ndo_printf(nds, ref, "put %d@%-3d = %s", 360 n_bytes, pdu_offset, hexbuf); 361 362 bcopy(buf, data, n_bytes); 363 return (1); 364 } 365 366 static void 367 ndo_tattle(ndr_stream_t *nds, char *what, ndr_ref_t *ref) 368 { 369 ndo_printf(nds, ref, what); 370 } 371 372 static void 373 ndo_tattle_error(ndr_stream_t *nds, ndr_ref_t *ref) 374 { 375 unsigned char *data; 376 char hexbuf[NDOBUFSZ]; 377 378 data = (unsigned char *)nds->pdu_base_offset; 379 if (ref) 380 data += ref->pdu_offset; 381 else 382 data += nds->pdu_scan_offset; 383 384 ndo_hexfmt(data, 16, 0, hexbuf, NDOBUFSZ); 385 386 ndo_printf(nds, ref, "ERROR=%d REF=%d OFFSET=%d SIZE=%d/%d", 387 nds->error, nds->error_ref, nds->pdu_scan_offset, 388 nds->pdu_size, nds->pdu_max_size); 389 ndo_printf(nds, ref, " %s", hexbuf); 390 } 391 392 /* 393 * ndo_reset 394 * 395 * Reset a stream: zap the outer_queue. We don't need to tamper 396 * with the stream heap: it's handled externally to the stream. 397 */ 398 static int 399 ndo_reset(ndr_stream_t *nds) 400 { 401 ndo_printf(nds, 0, "reset"); 402 403 nds->pdu_size = 0; 404 nds->pdu_scan_offset = 0; 405 nds->outer_queue_head = 0; 406 nds->outer_current = 0; 407 nds->outer_queue_tailp = &nds->outer_queue_head; 408 409 return (1); 410 } 411 412 /* 413 * ndo_destruct 414 * 415 * Destruct a stream: zap the outer_queue. 416 * Note: heap management (creation/destruction) is external to the stream. 417 */ 418 static void 419 ndo_destruct(ndr_stream_t *nds) 420 { 421 ndr_frag_t *frag; 422 423 ndo_printf(nds, 0, "destruct"); 424 425 if (nds == NULL) 426 return; 427 428 if (nds->pdu_base_addr != NULL) { 429 free(nds->pdu_base_addr); 430 nds->pdu_base_addr = NULL; 431 nds->pdu_base_offset = 0; 432 } 433 434 while ((frag = nds->frags.head) != NULL) { 435 nds->frags.head = frag->next; 436 free(frag); 437 } 438 439 bzero(&nds->frags, sizeof (ndr_fraglist_t)); 440 441 nds->outer_queue_head = 0; 442 nds->outer_current = 0; 443 nds->outer_queue_tailp = &nds->outer_queue_head; 444 } 445 446 /* 447 * Printf style formatting for NDR operations. 448 */ 449 void 450 ndo_printf(ndr_stream_t *nds, ndr_ref_t *ref, const char *fmt, ...) 451 { 452 va_list ap; 453 char buf[NDOBUFSZ]; 454 455 va_start(ap, fmt); 456 (void) vsnprintf(buf, NDOBUFSZ, fmt, ap); 457 va_end(ap); 458 459 if (nds) 460 ndo_fmt(nds, ref, buf); 461 else 462 ndo_trace(buf); 463 } 464 465 /* 466 * Main output formatter for NDR operations. 467 * 468 * UI 03 ... rpc_vers get 1@0 = 5 {05} 469 * UI 03 ... rpc_vers_minor get 1@1 = 0 {00} 470 * 471 * U Marshalling flag (M=marshal, U=unmarshal) 472 * I Direction flag (I=in, O=out) 473 * ... Field name 474 * get PDU operation (get or put) 475 * 1@0 Bytes @ offset (i.e. 1 byte at offset 0) 476 * {05} Value 477 */ 478 void 479 ndo_fmt(ndr_stream_t *nds, ndr_ref_t *ref, char *note) 480 { 481 ndr_ref_t *p; 482 int indent; 483 char ref_name[NDOBUFSZ]; 484 char buf[NDOBUFSZ]; 485 int m_op_c = '?', dir_c = '?'; 486 487 switch (nds->m_op) { 488 case 0: m_op_c = '-'; break; 489 case NDR_M_OP_MARSHALL: m_op_c = 'M'; break; 490 case NDR_M_OP_UNMARSHALL: m_op_c = 'U'; break; 491 default: m_op_c = '?'; break; 492 } 493 494 switch (nds->dir) { 495 case 0: dir_c = '-'; break; 496 case NDR_DIR_IN: dir_c = 'I'; break; 497 case NDR_DIR_OUT: dir_c = 'O'; break; 498 default: dir_c = '?'; break; 499 } 500 501 for (indent = 0, p = ref; p; p = p->enclosing) 502 indent++; 503 504 if (ref && ref->name) { 505 if (*ref->name == '[' && ref->enclosing) { 506 indent--; 507 (void) snprintf(ref_name, NDOBUFSZ, "%s%s", 508 ref->enclosing->name, ref->name); 509 } else { 510 (void) strlcpy(ref_name, ref->name, NDOBUFSZ); 511 } 512 } else { 513 (void) strlcpy(ref_name, "----", NDOBUFSZ); 514 } 515 516 (void) snprintf(buf, NDOBUFSZ, "%c%c %-.*s %-*s %s", 517 m_op_c, dir_c, indent, 518 "....+....+....+....+....+....", 519 20 - indent, ref_name, note); 520 521 ndo_trace(buf); 522 } 523 524 /*ARGSUSED*/ 525 void 526 ndo_trace(const char *s) 527 { 528 /* 529 * Temporary fbt for dtrace until user space sdt enabled. 530 */ 531 } 532 533 /* 534 * Format data as hex bytes (limit is 10 bytes): 535 * 536 * 1188689424 {10 f6 d9 46} 537 * 538 * If the input data is greater than 10 bytes, an ellipsis will 539 * be inserted before the closing brace. 540 */ 541 static void 542 ndo_hexfmt(uint8_t *data, int size, int swap_bytes, char *buf, int len) 543 { 544 char *p = buf; 545 int interp = 1; 546 uint32_t c; 547 int n; 548 int i; 549 550 n = (size > 10) ? 10 : size; 551 if (n > len-1) 552 n = len-1; 553 554 switch (size) { 555 case 1: 556 c = *(uint8_t *)data; 557 break; 558 case 2: 559 if (swap_bytes == 0) /*LINTED E_BAD_PTR_CAST_ALIGN*/ 560 c = *(uint16_t *)data; 561 else 562 c = (data[0] << 8) | data[1]; 563 break; 564 case 4: 565 if (swap_bytes == 0) { /*LINTED E_BAD_PTR_CAST_ALIGN*/ 566 c = *(uint32_t *)data; 567 } else { 568 c = (data[0] << 24) | (data[1] << 16) 569 | (data[2] << 8) | data[3]; 570 } 571 break; 572 default: 573 c = 0; 574 interp = 0; 575 break; 576 } 577 578 if (interp) 579 p += sprintf(p, "%4u {", c); 580 else 581 p += sprintf(p, " {"); 582 583 p += sprintf(p, "%02x", data[0]); 584 for (i = 1; i < n; i++) 585 p += sprintf(p, " %02x", data[i]); 586 if (size > 10) 587 p += sprintf(p, " ...}"); 588 else 589 p += sprintf(p, "}"); 590 591 /* 592 * Show c if it's a printable character or wide-char. 593 */ 594 if (size < 4 && isprint((uint8_t)c)) 595 (void) sprintf(p, " %c", (uint8_t)c); 596 } 597