xref: /titanic_50/usr/src/uts/common/fs/smbsrv/smb2_create.c (revision 620f322510b2d6433f7f6af60fa52380c07756ad)
1 /*
2  * This file and its contents are supplied under the terms of the
3  * Common Development and Distribution License ("CDDL"), version 1.0.
4  * You may only use this file in accordance with the terms of version
5  * 1.0 of the CDDL.
6  *
7  * A full copy of the text of the CDDL should have accompanied this
8  * source.  A copy of the CDDL is also available via the Internet at
9  * http://www.illumos.org/license/CDDL.
10  */
11 
12 /*
13  * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
14  */
15 
16 /*
17  * Dispatch function for SMB2_CREATE
18  * [MS-SMB2] 2.2.13
19  */
20 
21 #include <smbsrv/smb2_kproto.h>
22 #include <smbsrv/smb_fsops.h>
23 
24 /*
25  * Some flags used locally to keep track of which Create Context
26  * names have been provided and/or requested.
27  */
28 #define	CCTX_EA_BUFFER			1
29 #define	CCTX_SD_BUFFER			2
30 #define	CCTX_DH_REQUEST			4
31 #define	CCTX_DH_RECONNECT		8
32 #define	CCTX_ALLOCATION_SIZE		0x10
33 #define	CCTX_QUERY_MAX_ACCESS		0x20
34 #define	CCTX_TIMEWARP_TOKEN		0x40
35 #define	CCTX_QUERY_ON_DISK_ID		0x80
36 #define	CCTX_REQUEST_LEASE		0x100
37 
38 
39 typedef struct smb2_create_ctx_elem {
40 	uint32_t cce_len;
41 	mbuf_chain_t cce_mbc;
42 } smb2_create_ctx_elem_t;
43 
44 typedef struct smb2_create_ctx {
45 	uint_t	cc_in_flags;	/* CCTX_... */
46 	uint_t	cc_out_flags;	/* CCTX_... */
47 	/* Elements we may see in the request. */
48 	smb2_create_ctx_elem_t cc_in_ext_attr;
49 	smb2_create_ctx_elem_t cc_in_sec_desc;
50 	smb2_create_ctx_elem_t cc_in_dh_request;
51 	smb2_create_ctx_elem_t cc_in_dh_reconnect;
52 	smb2_create_ctx_elem_t cc_in_alloc_size;
53 	smb2_create_ctx_elem_t cc_in_time_warp;
54 	smb2_create_ctx_elem_t cc_in_req_lease;
55 	/* Elements we my place in the response */
56 	smb2_create_ctx_elem_t cc_out_max_access;
57 	smb2_create_ctx_elem_t cc_out_file_id;
58 } smb2_create_ctx_t;
59 
60 static uint32_t smb2_decode_create_ctx(
61 	mbuf_chain_t *,	smb2_create_ctx_t *);
62 static uint32_t smb2_encode_create_ctx(
63 	mbuf_chain_t *, smb2_create_ctx_t *);
64 static int smb2_encode_create_ctx_elem(
65 	mbuf_chain_t *, smb2_create_ctx_elem_t *, uint32_t);
66 static void smb2_free_create_ctx(smb2_create_ctx_t *);
67 
68 smb_sdrc_t
69 smb2_create(smb_request_t *sr)
70 {
71 	smb_attr_t *attr;
72 	smb2_create_ctx_elem_t *cce;
73 	smb2_create_ctx_t cctx;
74 	mbuf_chain_t cc_mbc;
75 	smb_arg_open_t *op = &sr->arg.open;
76 	smb_ofile_t *of = NULL;
77 	uint16_t StructSize;
78 	uint8_t SecurityFlags;
79 	uint8_t OplockLevel;
80 	uint32_t ImpersonationLevel;
81 	uint64_t SmbCreateFlags;
82 	uint64_t Reserved4;
83 	uint16_t NameOffset;
84 	uint16_t NameLength;
85 	uint32_t CreateCtxOffset;
86 	uint32_t CreateCtxLength;
87 	smb2fid_t smb2fid;
88 	uint32_t status;
89 	int skip;
90 	int rc = 0;
91 
92 	bzero(&cctx, sizeof (cctx));
93 	bzero(&cc_mbc, sizeof (cc_mbc));
94 
95 	/*
96 	 * Paranoia.  This will set sr->fid_ofile, so
97 	 * if we already have one, release it now.
98 	 */
99 	if (sr->fid_ofile != NULL) {
100 		smb_ofile_request_complete(sr->fid_ofile);
101 		smb_ofile_release(sr->fid_ofile);
102 		sr->fid_ofile = NULL;
103 	}
104 
105 	/*
106 	 * SMB2 Create request
107 	 */
108 	rc = smb_mbc_decodef(
109 	    &sr->smb_data, "wbblqqlllllwwll",
110 	    &StructSize,		/* w */
111 	    &SecurityFlags,		/* b */
112 	    &OplockLevel,		/* b */
113 	    &ImpersonationLevel,	/* l */
114 	    &SmbCreateFlags,		/* q */
115 	    &Reserved4,			/* q */
116 	    &op->desired_access,	/* l */
117 	    &op->dattr,			/* l */
118 	    &op->share_access,		/* l */
119 	    &op->create_disposition,	/* l */
120 	    &op->create_options,	/* l */
121 	    &NameOffset,		/* w */
122 	    &NameLength,		/* w */
123 	    &CreateCtxOffset,		/* l */
124 	    &CreateCtxLength);		/* l */
125 	if (rc != 0 || StructSize != 57)
126 		return (SDRC_ERROR);
127 
128 	/*
129 	 * We're normally positioned at the path name now,
130 	 * but there could be some padding before it.
131 	 */
132 	skip = (NameOffset + sr->smb2_cmd_hdr) -
133 	    sr->smb_data.chain_offset;
134 	if (skip < 0) {
135 		status = NT_STATUS_OBJECT_PATH_INVALID;
136 		goto errout;
137 	}
138 	if (skip > 0)
139 		(void) smb_mbc_decodef(&sr->smb_data, "#.", skip);
140 
141 	/*
142 	 * Get the path name
143 	 */
144 	if (NameLength >= SMB_MAXPATHLEN) {
145 		status = NT_STATUS_OBJECT_PATH_INVALID;
146 		goto errout;
147 	}
148 	if (NameLength == 0) {
149 		op->fqi.fq_path.pn_path = "\\";
150 	} else {
151 		rc = smb_mbc_decodef(&sr->smb_data, "%#U", sr,
152 		    NameLength, &op->fqi.fq_path.pn_path);
153 		if (rc) {
154 			status = NT_STATUS_OBJECT_PATH_INVALID;
155 			goto errout;
156 		}
157 	}
158 	op->fqi.fq_dnode = sr->tid_tree->t_snode;
159 
160 	switch (OplockLevel) {
161 	case SMB2_OPLOCK_LEVEL_NONE:
162 		op->op_oplock_level = SMB_OPLOCK_NONE;
163 		break;
164 	case SMB2_OPLOCK_LEVEL_II:
165 		op->op_oplock_level = SMB_OPLOCK_LEVEL_II;
166 		break;
167 	case SMB2_OPLOCK_LEVEL_EXCLUSIVE:
168 		op->op_oplock_level = SMB_OPLOCK_EXCLUSIVE;
169 		break;
170 	case SMB2_OPLOCK_LEVEL_BATCH:
171 		op->op_oplock_level = SMB_OPLOCK_BATCH;
172 		break;
173 	case SMB2_OPLOCK_LEVEL_LEASE:
174 		status = NT_STATUS_INVALID_PARAMETER;
175 		goto errout;
176 	}
177 	op->op_oplock_levelII = B_TRUE;
178 
179 	/*
180 	 * ImpersonationLevel (spec. says ignore)
181 	 * SmbCreateFlags (spec. says ignore)
182 	 */
183 
184 	if ((op->create_options & FILE_DELETE_ON_CLOSE) &&
185 	    !(op->desired_access & DELETE)) {
186 		status = NT_STATUS_INVALID_PARAMETER;
187 		goto errout;
188 	}
189 	if (op->create_disposition > FILE_MAXIMUM_DISPOSITION) {
190 		status = NT_STATUS_INVALID_PARAMETER;
191 		goto errout;
192 	}
193 
194 	if (op->dattr & FILE_FLAG_WRITE_THROUGH)
195 		op->create_options |= FILE_WRITE_THROUGH;
196 	if (op->dattr & FILE_FLAG_DELETE_ON_CLOSE)
197 		op->create_options |= FILE_DELETE_ON_CLOSE;
198 	if (op->dattr & FILE_FLAG_BACKUP_SEMANTICS)
199 		op->create_options |= FILE_OPEN_FOR_BACKUP_INTENT;
200 	if (op->create_options & FILE_OPEN_FOR_BACKUP_INTENT)
201 		sr->user_cr = smb_user_getprivcred(sr->uid_user);
202 
203 	/*
204 	 * If there is a "Create Context" payload, decode it.
205 	 * This may carry things like a security descriptor,
206 	 * extended attributes, etc. to be used in create.
207 	 *
208 	 * The create ctx buffer must start after the headers
209 	 * and file name, and must be 8-byte aligned.
210 	 */
211 	if (CreateCtxLength != 0) {
212 		if ((CreateCtxOffset & 7) != 0 ||
213 		    (CreateCtxOffset + sr->smb2_cmd_hdr) <
214 		    sr->smb_data.chain_offset) {
215 			status = NT_STATUS_INVALID_PARAMETER;
216 			goto errout;
217 		}
218 
219 		rc = MBC_SHADOW_CHAIN(&cc_mbc, &sr->smb_data,
220 		    sr->smb2_cmd_hdr + CreateCtxOffset, CreateCtxLength);
221 		if (rc) {
222 			status = NT_STATUS_INVALID_PARAMETER;
223 			goto errout;
224 		}
225 		status = smb2_decode_create_ctx(&cc_mbc, &cctx);
226 		if (status)
227 			goto errout;
228 
229 		if (cctx.cc_in_flags & CCTX_EA_BUFFER) {
230 			status = NT_STATUS_EAS_NOT_SUPPORTED;
231 			goto errout;
232 		}
233 
234 		if (cctx.cc_in_flags & CCTX_SD_BUFFER) {
235 			smb_sd_t sd;
236 			cce = &cctx.cc_in_sec_desc;
237 			status = smb_decode_sd(
238 			    &cce->cce_mbc, &sd);
239 			if (status)
240 				goto errout;
241 			op->sd = kmem_alloc(sizeof (sd), KM_SLEEP);
242 			*op->sd = sd;
243 		}
244 
245 		if (cctx.cc_in_flags & CCTX_ALLOCATION_SIZE) {
246 			cce = &cctx.cc_in_alloc_size;
247 			rc = smb_mbc_decodef(&cce->cce_mbc, "q", &op->dsize);
248 			if (rc) {
249 				status = NT_STATUS_INVALID_PARAMETER;
250 				goto errout;
251 			}
252 		}
253 
254 		/*
255 		 * Support for opening "Previous Versions".
256 		 * [MS-SMB2] 2.2.13.2.7  Data is an NT time.
257 		 */
258 		if (cctx.cc_in_flags & CCTX_TIMEWARP_TOKEN) {
259 			uint64_t timewarp;
260 			cce = &cctx.cc_in_time_warp;
261 			status = smb_mbc_decodef(&cce->cce_mbc,
262 			    "q", &timewarp);
263 			if (status)
264 				goto errout;
265 			smb_time_nt_to_unix(timewarp, &op->timewarp);
266 			op->create_timewarp = B_TRUE;
267 		}
268 	}
269 
270 	/*
271 	 * The real open call.   Note: this gets attributes into
272 	 * op->fqi.fq_fattr (SMB_AT_ALL).  We need those below.
273 	 */
274 	status = smb_common_open(sr);
275 	if (status != NT_STATUS_SUCCESS)
276 		goto errout;
277 	attr = &op->fqi.fq_fattr;
278 
279 	/*
280 	 * Convert the negotiate Oplock level back into
281 	 * SMB2 encoding form.
282 	 */
283 	switch (op->op_oplock_level) {
284 	default:
285 	case SMB_OPLOCK_NONE:
286 		OplockLevel = SMB2_OPLOCK_LEVEL_NONE;
287 		break;
288 	case SMB_OPLOCK_LEVEL_II:
289 		OplockLevel = SMB2_OPLOCK_LEVEL_II;
290 		break;
291 	case SMB_OPLOCK_EXCLUSIVE:
292 		OplockLevel = SMB2_OPLOCK_LEVEL_EXCLUSIVE;
293 		break;
294 	case SMB_OPLOCK_BATCH:
295 		OplockLevel = SMB2_OPLOCK_LEVEL_BATCH;
296 		break;
297 	}
298 
299 	/*
300 	 * NB: after the above smb_common_open() success,
301 	 * we have a handle allocated (sr->fid_ofile).
302 	 * If we don't return success, we must close it.
303 	 *
304 	 * Using sr->smb_fid as the file handle for now,
305 	 * though it could later be something larger,
306 	 * (16 bytes) similar to an NFSv4 open handle.
307 	 */
308 	of = sr->fid_ofile;
309 	smb2fid.persistent = 0;
310 	smb2fid.temporal = sr->smb_fid;
311 
312 	switch (sr->tid_tree->t_res_type & STYPE_MASK) {
313 	case STYPE_DISKTREE:
314 	case STYPE_PRINTQ:
315 		if (op->create_options & FILE_DELETE_ON_CLOSE)
316 			smb_ofile_set_delete_on_close(of);
317 		break;
318 	}
319 
320 	/*
321 	 * Build the Create Context to return; first the
322 	 * per-element parts, then the aggregated buffer.
323 	 *
324 	 * No response for these:
325 	 *	CCTX_EA_BUFFER
326 	 *	CCTX_SD_BUFFER
327 	 *	CCTX_ALLOCATION_SIZE
328 	 *	CCTX_TIMEWARP_TOKEN
329 	 *
330 	 * We don't handle these yet.
331 	 *	CCTX_DH_REQUEST
332 	 *	CCTX_DH_RECONNECT
333 	 *	CCTX_REQUEST_LEASE
334 	 */
335 	if (cctx.cc_in_flags & CCTX_QUERY_MAX_ACCESS) {
336 		cce = &cctx.cc_out_max_access;
337 		uint32_t MaxAccess = 0;
338 		if (of->f_node != NULL) {
339 			smb_fsop_eaccess(sr, of->f_cr, of->f_node, &MaxAccess);
340 		}
341 		MaxAccess |= of->f_granted_access;
342 		cce->cce_len = 8;
343 		cce->cce_mbc.max_bytes = 8;
344 		(void) smb_mbc_encodef(&cce->cce_mbc,
345 		    "ll", 0, MaxAccess);
346 		cctx.cc_out_flags |= CCTX_QUERY_MAX_ACCESS;
347 	}
348 	if ((cctx.cc_in_flags & CCTX_QUERY_ON_DISK_ID) != 0 &&
349 	    of->f_node != NULL) {
350 		cce = &cctx.cc_out_file_id;
351 		fsid_t fsid;
352 
353 		fsid = SMB_NODE_FSID(of->f_node);
354 
355 		cce->cce_len = 32;
356 		cce->cce_mbc.max_bytes = 32;
357 		(void) smb_mbc_encodef(
358 		    &cce->cce_mbc, "qll.15.",
359 		    op->fileid,		/* q */
360 		    fsid.val[0],	/* l */
361 		    fsid.val[1]);	/* l */
362 		/* reserved (16 bytes)  .15. */
363 		cctx.cc_out_flags |= CCTX_QUERY_ON_DISK_ID;
364 	}
365 	if (cctx.cc_out_flags) {
366 		sr->raw_data.max_bytes = smb2_max_trans;
367 		status = smb2_encode_create_ctx(&sr->raw_data, &cctx);
368 		if (status)
369 			goto errout;
370 	}
371 
372 	/*
373 	 * SMB2 Create reply
374 	 */
375 	rc = smb_mbc_encodef(
376 	    &sr->reply,
377 	    "wb.lTTTTqqllqqll",
378 	    89,	/* StructSize */	/* w */
379 	    OplockLevel,		/* b */
380 	    op->action_taken,		/* l */
381 	    &attr->sa_crtime,		/* T */
382 	    &attr->sa_vattr.va_atime,	/* T */
383 	    &attr->sa_vattr.va_mtime,	/* T */
384 	    &attr->sa_vattr.va_ctime,	/* T */
385 	    attr->sa_allocsz,		/* q */
386 	    attr->sa_vattr.va_size,	/* q */
387 	    attr->sa_dosattr,		/* l */
388 	    0, /* reserved2 */		/* l */
389 	    smb2fid.persistent,		/* q */
390 	    smb2fid.temporal,		/* q */
391 	    0,  /* CreateCtxOffset	   l */
392 	    0); /* CreateCtxLength	   l */
393 	if (rc != 0) {
394 		status = NT_STATUS_UNSUCCESSFUL;
395 		goto errout;
396 	}
397 
398 	CreateCtxOffset = sr->reply.chain_offset - sr->smb2_reply_hdr;
399 	CreateCtxLength = MBC_LENGTH(&sr->raw_data);
400 	if (CreateCtxLength != 0) {
401 		/*
402 		 * Overwrite CreateCtxOffset, CreateCtxLength, pad
403 		 */
404 		sr->reply.chain_offset -= 8;
405 		rc = smb_mbc_encodef(
406 		    &sr->reply,
407 		    "ll#C",
408 		    CreateCtxOffset,	/* l */
409 		    CreateCtxLength,	/* l */
410 		    CreateCtxLength,	/* # */
411 		    &sr->raw_data);	/* C */
412 		if (rc != 0) {
413 			status = NT_STATUS_UNSUCCESSFUL;
414 			goto errout;
415 		}
416 	} else {
417 		(void) smb_mbc_encodef(&sr->reply, ".");
418 	}
419 	return (SDRC_SUCCESS);
420 
421 errout:
422 	if (of != NULL)
423 		smb_ofile_close(of, 0);
424 	if (cctx.cc_out_flags)
425 		smb2_free_create_ctx(&cctx);
426 	smb2sr_put_error(sr, status);
427 	return (SDRC_SUCCESS);
428 }
429 
430 /*
431  * Decode an SMB2 Create Context buffer into our internal form.
432  * No policy decisions about what's supported here, just decode.
433  */
434 static uint32_t
435 smb2_decode_create_ctx(mbuf_chain_t *in_mbc, smb2_create_ctx_t *cc)
436 {
437 	smb2_create_ctx_elem_t *cce;
438 	mbuf_chain_t name_mbc;
439 	union {
440 		uint32_t i;
441 		char ch[4];
442 	} cc_name;
443 	uint32_t status;
444 	int32_t next_off;
445 	uint32_t data_len;
446 	uint16_t data_off;
447 	uint16_t name_off;
448 	uint16_t name_len;
449 	int top_offset;
450 	int rc;
451 
452 	status = NT_STATUS_INVALID_PARAMETER;
453 	for (;;) {
454 		cce = NULL;
455 		top_offset = in_mbc->chain_offset;
456 		rc = smb_mbc_decodef(
457 		    in_mbc,
458 		    "lww..wl",
459 		    &next_off,	/* l */
460 		    &name_off,	/* w */
461 		    &name_len,	/* w */
462 		    /* reserved	  .. */
463 		    &data_off,	/* w */
464 		    &data_len); /* l */
465 		if (rc)
466 			break;
467 
468 		/*
469 		 * The Create Context "name", per [MS-SMB] 2.2.13.2
470 		 * They're defined as network-order integers for our
471 		 * switch below.  We don't have routines to decode
472 		 * native order, so read as char[4] then ntohl.
473 		 * NB: in SMB3, some of these are 8 bytes.
474 		 */
475 		if ((top_offset + name_off) < in_mbc->chain_offset)
476 			break;
477 		rc = MBC_SHADOW_CHAIN(&name_mbc, in_mbc,
478 		    top_offset + name_off, name_len);
479 		if (rc)
480 			break;
481 		rc = smb_mbc_decodef(&name_mbc, "4c", &cc_name);
482 		if (rc)
483 			break;
484 		cc_name.i = ntohl(cc_name.i);
485 
486 		switch (cc_name.i) {
487 		case SMB2_CREATE_EA_BUFFER:		/* ("ExtA") */
488 			cc->cc_in_flags |= CCTX_EA_BUFFER;
489 			cce = &cc->cc_in_ext_attr;
490 			break;
491 		case SMB2_CREATE_SD_BUFFER:		/* ("SecD") */
492 			cc->cc_in_flags |= CCTX_SD_BUFFER;
493 			cce = &cc->cc_in_sec_desc;
494 			break;
495 		case SMB2_CREATE_DURABLE_HANDLE_REQUEST: /* ("DHnQ") */
496 			cc->cc_in_flags |= CCTX_DH_REQUEST;
497 			cce = &cc->cc_in_dh_request;
498 			break;
499 		case SMB2_CREATE_DURABLE_HANDLE_RECONNECT: /* ("DHnC") */
500 			cc->cc_in_flags |= CCTX_DH_RECONNECT;
501 			cce = &cc->cc_in_dh_reconnect;
502 			break;
503 		case SMB2_CREATE_ALLOCATION_SIZE:	/* ("AISi") */
504 			cc->cc_in_flags |= CCTX_ALLOCATION_SIZE;
505 			cce = &cc->cc_in_alloc_size;
506 			break;
507 		case SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQ: /* ("MxAc") */
508 			cc->cc_in_flags |= CCTX_QUERY_MAX_ACCESS;
509 			/* no input data for this */
510 			break;
511 		case SMB2_CREATE_TIMEWARP_TOKEN:	/* ("TWrp") */
512 			cc->cc_in_flags |= CCTX_TIMEWARP_TOKEN;
513 			cce = &cc->cc_in_time_warp;
514 			break;
515 		case SMB2_CREATE_QUERY_ON_DISK_ID:	/* ("QFid") */
516 			cc->cc_in_flags |= CCTX_QUERY_ON_DISK_ID;
517 			/* no input data for this */
518 			break;
519 		case SMB2_CREATE_REQUEST_LEASE:		/* ("RqLs") */
520 			cc->cc_in_flags |= CCTX_REQUEST_LEASE;
521 			cce = &cc->cc_in_req_lease;
522 			break;
523 		default:
524 			/*
525 			 * Unknown create context values are normal, and
526 			 * should be ignored.  However, in debug mode,
527 			 * let's log them so we know which ones we're
528 			 * not handling (and may want to add).
529 			 */
530 #ifdef	DEBUG
531 			cmn_err(CE_NOTE, "unknown create context ID 0x%x",
532 			    cc_name.i);
533 #endif
534 			cce = NULL;
535 			break;
536 		}
537 
538 		if (cce != NULL && data_len != 0) {
539 			if ((data_off & 7) != 0)
540 				break;
541 			if ((top_offset + data_off) < in_mbc->chain_offset)
542 				break;
543 			rc = MBC_SHADOW_CHAIN(&cce->cce_mbc, in_mbc,
544 			    top_offset + data_off, data_len);
545 			if (rc)
546 				break;
547 			cce->cce_len = data_len;
548 		}
549 
550 		if (next_off == 0) {
551 			/* Normal loop termination */
552 			status = 0;
553 			break;
554 		}
555 
556 		if ((next_off & 7) != 0)
557 			break;
558 		if ((top_offset + next_off) < in_mbc->chain_offset)
559 			break;
560 		if ((top_offset + next_off) > in_mbc->max_bytes)
561 			break;
562 		in_mbc->chain_offset = top_offset + next_off;
563 	}
564 
565 	return (status);
566 }
567 
568 /*
569  * Encode an SMB2 Create Context buffer from our internal form.
570  */
571 /* ARGSUSED */
572 static uint32_t
573 smb2_encode_create_ctx(mbuf_chain_t *mbc, smb2_create_ctx_t *cc)
574 {
575 	smb2_create_ctx_elem_t *cce;
576 	int last_top = -1;
577 	int rc;
578 
579 	if (cc->cc_out_flags & CCTX_QUERY_MAX_ACCESS) {
580 		cce = &cc->cc_out_max_access;
581 		last_top = mbc->chain_offset;
582 		rc = smb2_encode_create_ctx_elem(mbc, cce,
583 		    SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQ);
584 		if (rc)
585 			return (NT_STATUS_INTERNAL_ERROR);
586 		(void) smb_mbc_poke(mbc, last_top, "l",
587 		    mbc->chain_offset - last_top);
588 	}
589 
590 	if (cc->cc_out_flags & CCTX_QUERY_ON_DISK_ID) {
591 		cce = &cc->cc_out_file_id;
592 		last_top = mbc->chain_offset;
593 		rc = smb2_encode_create_ctx_elem(mbc, cce,
594 		    SMB2_CREATE_QUERY_ON_DISK_ID);
595 		if (rc)
596 			return (NT_STATUS_INTERNAL_ERROR);
597 		(void) smb_mbc_poke(mbc, last_top, "l",
598 		    mbc->chain_offset - last_top);
599 	}
600 
601 	if (last_top >= 0)
602 		(void) smb_mbc_poke(mbc, last_top, "l", 0);
603 
604 	return (0);
605 }
606 
607 static int
608 smb2_encode_create_ctx_elem(mbuf_chain_t *out_mbc,
609 	smb2_create_ctx_elem_t *cce, uint32_t id)
610 {
611 	union {
612 		uint32_t i;
613 		char ch[4];
614 	} cc_name;
615 	int rc;
616 
617 	/* as above */
618 	cc_name.i = htonl(id);
619 
620 	/*
621 	 * This is the header, per [MS-SMB2] 2.2.13.2
622 	 * Sorry about the fixed offsets.  We know we'll
623 	 * layout the data part as [name, payload] and
624 	 * name is a fixed length, so this easy.
625 	 * The final layout looks like this:
626 	 * 	a: this header (16 bytes)
627 	 *	b: the name (4 bytes, 4 pad)
628 	 *	c: the payload (variable)
629 	 *
630 	 * Note that "Next elem." is filled in later.
631 	 */
632 	rc = smb_mbc_encodef(
633 	    out_mbc, "lwwwwl",
634 	    0,		/* Next offset	l */
635 	    16,		/* NameOffset	w */
636 	    4,		/* NameLength	w */
637 	    0,		/* Reserved	w */
638 	    24,		/* DataOffset	w */
639 	    cce->cce_len);	/*	l */
640 	if (rc)
641 		return (rc);
642 
643 	/*
644 	 * Now the "name" and payload.
645 	 */
646 	rc = smb_mbc_encodef(
647 	    out_mbc, "4c4.#C",
648 	    cc_name.ch,		/* 4c4. */
649 	    cce->cce_len,	/* # */
650 	    &cce->cce_mbc);	/* C */
651 
652 	return (rc);
653 }
654 
655 static void
656 smb2_free_create_ctx(smb2_create_ctx_t *cc)
657 {
658 	smb2_create_ctx_elem_t *cce;
659 
660 	if (cc->cc_out_flags & CCTX_QUERY_MAX_ACCESS) {
661 		cce = &cc->cc_out_max_access;
662 		MBC_FLUSH(&cce->cce_mbc);
663 	}
664 	if (cc->cc_out_flags & CCTX_QUERY_ON_DISK_ID) {
665 		cce = &cc->cc_out_file_id;
666 		MBC_FLUSH(&cce->cce_mbc);
667 	}
668 }
669