1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 /* 26 * Server side RPC handler. 27 */ 28 29 #include <sys/byteorder.h> 30 #include <sys/errno.h> 31 #include <sys/uio.h> 32 #include <thread.h> 33 #include <synch.h> 34 #include <stdlib.h> 35 #include <strings.h> 36 #include <string.h> 37 #include <time.h> 38 39 #include <smbsrv/libsmb.h> 40 #include <smbsrv/libmlrpc.h> 41 #include <smbsrv/ntaccess.h> 42 43 /* 44 * Fragment size (5680: NT style). 45 */ 46 #define NDR_FRAG_SZ 5680 47 48 #define NDR_GROW_SIZE (8 * 1024) 49 #define NDR_GROW_MASK (NDR_GROW_SIZE - 1) 50 #define NDR_ALIGN_BUF(S) (((S) + NDR_GROW_SIZE) & ~NDR_GROW_MASK) 51 52 #define NDR_PIPE_BUFSZ (64 * 1024) 53 #define NDR_PIPE_BUFMAX (64 * 1024 * 1024) 54 #define NDR_PIPE_MAX 128 55 56 static ndr_pipe_t ndr_pipe_table[NDR_PIPE_MAX]; 57 static mutex_t ndr_pipe_lock; 58 59 static int ndr_pipe_process(ndr_pipe_t *); 60 static ndr_pipe_t *ndr_pipe_lookup(int); 61 static void ndr_pipe_release(ndr_pipe_t *); 62 static ndr_pipe_t *ndr_pipe_allocate(int); 63 static int ndr_pipe_grow(ndr_pipe_t *, size_t); 64 static void ndr_pipe_deallocate(ndr_pipe_t *); 65 static void ndr_pipe_rewind(ndr_pipe_t *); 66 static void ndr_pipe_flush(ndr_pipe_t *); 67 68 static int ndr_svc_process(ndr_xa_t *); 69 static int ndr_svc_defrag(ndr_xa_t *); 70 static int ndr_svc_bind(ndr_xa_t *); 71 static int ndr_svc_request(ndr_xa_t *); 72 static void ndr_reply_prepare_hdr(ndr_xa_t *); 73 static int ndr_svc_alter_context(ndr_xa_t *); 74 static void ndr_reply_fault(ndr_xa_t *, unsigned long); 75 static int ndr_build_reply(ndr_xa_t *); 76 static void ndr_build_frag(ndr_stream_t *, uint8_t *, uint32_t); 77 78 /* 79 * Allocate and associate a service context with a fid. 80 */ 81 int 82 ndr_pipe_open(int fid, uint8_t *data, uint32_t datalen) 83 { 84 ndr_pipe_t *np; 85 86 (void) mutex_lock(&ndr_pipe_lock); 87 88 if ((np = ndr_pipe_lookup(fid)) != NULL) { 89 ndr_pipe_release(np); 90 (void) mutex_unlock(&ndr_pipe_lock); 91 return (EEXIST); 92 } 93 94 if ((np = ndr_pipe_allocate(fid)) == NULL) { 95 (void) mutex_unlock(&ndr_pipe_lock); 96 return (ENOMEM); 97 } 98 99 if (smb_netuserinfo_decode(&np->np_user, data, datalen, NULL) == -1) { 100 ndr_pipe_release(np); 101 (void) mutex_unlock(&ndr_pipe_lock); 102 return (EINVAL); 103 } 104 105 ndr_svc_binding_pool_init(&np->np_binding, np->np_binding_pool, 106 NDR_N_BINDING_POOL); 107 108 (void) mutex_unlock(&ndr_pipe_lock); 109 return (0); 110 } 111 112 /* 113 * Release the context associated with a fid when an opipe is closed. 114 */ 115 int 116 ndr_pipe_close(int fid) 117 { 118 ndr_pipe_t *np; 119 120 (void) mutex_lock(&ndr_pipe_lock); 121 122 if ((np = ndr_pipe_lookup(fid)) == NULL) { 123 (void) mutex_unlock(&ndr_pipe_lock); 124 return (ENOENT); 125 } 126 127 /* 128 * Release twice: once for the lookup above 129 * and again to close the fid. 130 */ 131 ndr_pipe_release(np); 132 ndr_pipe_release(np); 133 (void) mutex_unlock(&ndr_pipe_lock); 134 return (0); 135 } 136 137 /* 138 * Write RPC request data to the input stream. Input data is buffered 139 * until the response is requested. 140 */ 141 int 142 ndr_pipe_write(int fid, uint8_t *buf, uint32_t len) 143 { 144 ndr_pipe_t *np; 145 ssize_t nbytes; 146 int rc; 147 148 if (len == 0) 149 return (0); 150 151 (void) mutex_lock(&ndr_pipe_lock); 152 153 if ((np = ndr_pipe_lookup(fid)) == NULL) { 154 (void) mutex_unlock(&ndr_pipe_lock); 155 return (ENOENT); 156 } 157 158 if ((rc = ndr_pipe_grow(np, len)) != 0) { 159 (void) mutex_unlock(&ndr_pipe_lock); 160 return (rc); 161 } 162 163 nbytes = ndr_uiomove((caddr_t)buf, len, UIO_READ, &np->np_uio); 164 165 ndr_pipe_release(np); 166 (void) mutex_unlock(&ndr_pipe_lock); 167 return ((nbytes == len) ? 0 : EIO); 168 } 169 170 /* 171 * Read RPC response data. 172 */ 173 int 174 ndr_pipe_read(int fid, uint8_t *buf, uint32_t *len, uint32_t *resid) 175 { 176 ndr_pipe_t *np; 177 ssize_t nbytes = *len; 178 179 if (nbytes == 0) { 180 *resid = 0; 181 return (0); 182 } 183 184 (void) mutex_lock(&ndr_pipe_lock); 185 if ((np = ndr_pipe_lookup(fid)) == NULL) { 186 (void) mutex_unlock(&ndr_pipe_lock); 187 return (ENOENT); 188 } 189 (void) mutex_unlock(&ndr_pipe_lock); 190 191 *len = ndr_uiomove((caddr_t)buf, nbytes, UIO_WRITE, &np->np_frags.uio); 192 *resid = np->np_frags.uio.uio_resid; 193 194 if (*resid == 0) { 195 /* 196 * Nothing left, cleanup the output stream. 197 */ 198 ndr_pipe_flush(np); 199 } 200 201 (void) mutex_lock(&ndr_pipe_lock); 202 ndr_pipe_release(np); 203 (void) mutex_unlock(&ndr_pipe_lock); 204 return (0); 205 } 206 207 /* 208 * If the input stream contains an RPC request, process the RPC transaction, 209 * which will place the RPC response in the output (frags) stream. 210 * 211 * arg is freed here; it must have been allocated by malloc(). 212 */ 213 void * 214 ndr_pipe_transact(void *arg) 215 { 216 uint32_t *tmp = (uint32_t *)arg; 217 uint32_t fid; 218 ndr_pipe_t *np; 219 220 if (arg == NULL) 221 return (NULL); 222 223 fid = *tmp; 224 225 (void) mutex_lock(&ndr_pipe_lock); 226 if ((np = ndr_pipe_lookup(fid)) == NULL) { 227 (void) mutex_unlock(&ndr_pipe_lock); 228 (void) smb_kmod_event_notify(fid); 229 free(arg); 230 return (NULL); 231 } 232 (void) mutex_unlock(&ndr_pipe_lock); 233 234 if (ndr_pipe_process(np) != 0) 235 ndr_pipe_flush(np); 236 237 (void) mutex_lock(&ndr_pipe_lock); 238 ndr_pipe_release(np); 239 (void) mutex_unlock(&ndr_pipe_lock); 240 (void) smb_kmod_event_notify(fid); 241 free(arg); 242 return (NULL); 243 } 244 245 /* 246 * Process a server-side RPC request. 247 */ 248 static int 249 ndr_pipe_process(ndr_pipe_t *np) 250 { 251 ndr_xa_t *mxa; 252 ndr_stream_t *recv_nds; 253 ndr_stream_t *send_nds; 254 char *data; 255 int datalen; 256 int rc; 257 258 data = np->np_buf; 259 datalen = np->np_uio.uio_offset; 260 261 if (datalen == 0) 262 return (0); 263 264 if ((mxa = (ndr_xa_t *)malloc(sizeof (ndr_xa_t))) == NULL) 265 return (ENOMEM); 266 267 bzero(mxa, sizeof (ndr_xa_t)); 268 mxa->fid = np->np_fid; 269 mxa->pipe = np; 270 mxa->binding_list = np->np_binding; 271 272 if ((mxa->heap = ndr_heap_create()) == NULL) { 273 free(mxa); 274 return (ENOMEM); 275 } 276 277 recv_nds = &mxa->recv_nds; 278 rc = nds_initialize(recv_nds, datalen, NDR_MODE_CALL_RECV, mxa->heap); 279 if (rc != 0) { 280 ndr_heap_destroy(mxa->heap); 281 free(mxa); 282 return (ENOMEM); 283 } 284 285 /* 286 * Copy the input data and reset the input stream. 287 */ 288 bcopy(data, recv_nds->pdu_base_addr, datalen); 289 ndr_pipe_rewind(np); 290 291 send_nds = &mxa->send_nds; 292 rc = nds_initialize(send_nds, 0, NDR_MODE_RETURN_SEND, mxa->heap); 293 if (rc != 0) { 294 nds_destruct(&mxa->recv_nds); 295 ndr_heap_destroy(mxa->heap); 296 free(mxa); 297 return (ENOMEM); 298 } 299 300 (void) ndr_svc_process(mxa); 301 302 nds_finalize(send_nds, &np->np_frags); 303 nds_destruct(&mxa->recv_nds); 304 nds_destruct(&mxa->send_nds); 305 ndr_heap_destroy(mxa->heap); 306 free(mxa); 307 return (0); 308 } 309 310 /* 311 * Must be called with ndr_pipe_lock held. 312 */ 313 static ndr_pipe_t * 314 ndr_pipe_lookup(int fid) 315 { 316 ndr_pipe_t *np; 317 int i; 318 319 for (i = 0; i < NDR_PIPE_MAX; ++i) { 320 np = &ndr_pipe_table[i]; 321 322 if (np->np_fid == fid) { 323 if (np->np_refcnt == 0) 324 return (NULL); 325 326 np->np_refcnt++; 327 return (np); 328 } 329 } 330 331 return (NULL); 332 } 333 334 /* 335 * Must be called with ndr_pipe_lock held. 336 */ 337 static void 338 ndr_pipe_release(ndr_pipe_t *np) 339 { 340 np->np_refcnt--; 341 ndr_pipe_deallocate(np); 342 } 343 344 /* 345 * Must be called with ndr_pipe_lock held. 346 */ 347 static ndr_pipe_t * 348 ndr_pipe_allocate(int fid) 349 { 350 ndr_pipe_t *np = NULL; 351 int i; 352 353 for (i = 0; i < NDR_PIPE_MAX; ++i) { 354 np = &ndr_pipe_table[i]; 355 356 if (np->np_fid == 0) { 357 bzero(np, sizeof (ndr_pipe_t)); 358 359 if ((np->np_buf = malloc(NDR_PIPE_BUFSZ)) == NULL) 360 return (NULL); 361 362 ndr_pipe_rewind(np); 363 np->np_fid = fid; 364 np->np_refcnt = 1; 365 return (np); 366 } 367 } 368 369 return (NULL); 370 } 371 372 /* 373 * If the desired space exceeds the current pipe size, try to expand 374 * the pipe. Leave the current pipe intact if the realloc fails. 375 * 376 * Must be called with ndr_pipe_lock held. 377 */ 378 static int 379 ndr_pipe_grow(ndr_pipe_t *np, size_t desired) 380 { 381 char *newbuf; 382 size_t current; 383 size_t required; 384 385 required = np->np_uio.uio_offset + desired; 386 current = np->np_uio.uio_offset + np->np_uio.uio_resid; 387 388 if (required <= current) 389 return (0); 390 391 if (required > NDR_PIPE_BUFMAX) { 392 smb_tracef("ndr_pipe_grow: required=%d, max=%d (ENOSPC)", 393 required, NDR_PIPE_BUFMAX); 394 return (ENOSPC); 395 } 396 397 required = NDR_ALIGN_BUF(required); 398 if (required > NDR_PIPE_BUFMAX) 399 required = NDR_PIPE_BUFMAX; 400 401 if ((newbuf = realloc(np->np_buf, required)) == NULL) { 402 smb_tracef("ndr_pipe_grow: realloc failed (ENOMEM)"); 403 return (ENOMEM); 404 } 405 406 np->np_buf = newbuf; 407 np->np_iov.iov_base = np->np_buf + np->np_uio.uio_offset; 408 np->np_uio.uio_resid += desired; 409 np->np_iov.iov_len += desired; 410 smb_tracef("ndr_pipe_grow: %d bytes", required); 411 return (0); 412 } 413 414 /* 415 * Must be called with ndr_pipe_lock held. 416 */ 417 static void 418 ndr_pipe_deallocate(ndr_pipe_t *np) 419 { 420 if (np->np_refcnt == 0) { 421 /* 422 * Ensure that there are no RPC service policy handles 423 * (associated with this fid) left around. 424 */ 425 ndr_hdclose(np->np_fid); 426 427 ndr_pipe_rewind(np); 428 ndr_pipe_flush(np); 429 free(np->np_buf); 430 free(np->np_user.ui_domain); 431 free(np->np_user.ui_account); 432 free(np->np_user.ui_workstation); 433 bzero(np, sizeof (ndr_pipe_t)); 434 } 435 } 436 437 /* 438 * Rewind the input data stream, ready for the next write. 439 */ 440 static void 441 ndr_pipe_rewind(ndr_pipe_t *np) 442 { 443 np->np_uio.uio_iov = &np->np_iov; 444 np->np_uio.uio_iovcnt = 1; 445 np->np_uio.uio_offset = 0; 446 np->np_uio.uio_segflg = UIO_USERSPACE; 447 np->np_uio.uio_resid = NDR_PIPE_BUFSZ; 448 np->np_iov.iov_base = np->np_buf; 449 np->np_iov.iov_len = NDR_PIPE_BUFSZ; 450 } 451 452 /* 453 * Flush the output data stream. 454 */ 455 static void 456 ndr_pipe_flush(ndr_pipe_t *np) 457 { 458 ndr_frag_t *frag; 459 460 while ((frag = np->np_frags.head) != NULL) { 461 np->np_frags.head = frag->next; 462 free(frag); 463 } 464 465 free(np->np_frags.iov); 466 bzero(&np->np_frags, sizeof (ndr_fraglist_t)); 467 } 468 469 /* 470 * Check whether or not the specified user has administrator privileges, 471 * i.e. is a member of Domain Admins or Administrators. 472 * Returns true if the user is an administrator, otherwise returns false. 473 */ 474 boolean_t 475 ndr_is_admin(ndr_xa_t *xa) 476 { 477 smb_netuserinfo_t *ctx = &xa->pipe->np_user; 478 479 return (ctx->ui_flags & SMB_ATF_ADMIN); 480 } 481 482 /* 483 * Check whether or not the specified user has power-user privileges, 484 * i.e. is a member of Domain Admins, Administrators or Power Users. 485 * This is typically required for operations such as managing shares. 486 * Returns true if the user is a power user, otherwise returns false. 487 */ 488 boolean_t 489 ndr_is_poweruser(ndr_xa_t *xa) 490 { 491 smb_netuserinfo_t *ctx = &xa->pipe->np_user; 492 493 return ((ctx->ui_flags & SMB_ATF_ADMIN) || 494 (ctx->ui_flags & SMB_ATF_POWERUSER)); 495 } 496 497 int32_t 498 ndr_native_os(ndr_xa_t *xa) 499 { 500 smb_netuserinfo_t *ctx = &xa->pipe->np_user; 501 502 return (ctx->ui_native_os); 503 } 504 505 /* 506 * This is the entry point for all server-side RPC processing. 507 * It is assumed that the PDU has already been received. 508 */ 509 static int 510 ndr_svc_process(ndr_xa_t *mxa) 511 { 512 ndr_common_header_t *hdr = &mxa->recv_hdr.common_hdr; 513 ndr_stream_t *nds = &mxa->recv_nds; 514 unsigned long saved_offset; 515 unsigned long saved_size; 516 int rc; 517 518 rc = ndr_decode_pdu_hdr(mxa); 519 if (!NDR_DRC_IS_OK(rc)) 520 return (-1); 521 522 (void) ndr_reply_prepare_hdr(mxa); 523 524 switch (mxa->ptype) { 525 case NDR_PTYPE_BIND: 526 rc = ndr_svc_bind(mxa); 527 break; 528 529 case NDR_PTYPE_REQUEST: 530 if (!NDR_IS_FIRST_FRAG(hdr->pfc_flags)) { 531 ndr_show_hdr(hdr); 532 rc = NDR_DRC_FAULT_DECODE_FAILED; 533 goto ndr_svc_process_fault; 534 } 535 536 if (!NDR_IS_LAST_FRAG(hdr->pfc_flags)) { 537 /* 538 * Multi-fragment request. Preserve the PDU scan 539 * offset and size during defrag so that we can 540 * continue as if we had received contiguous data. 541 */ 542 saved_offset = nds->pdu_scan_offset; 543 saved_size = nds->pdu_size; 544 545 nds->pdu_scan_offset = hdr->frag_length; 546 nds->pdu_size = nds->pdu_max_size; 547 548 rc = ndr_svc_defrag(mxa); 549 if (NDR_DRC_IS_FAULT(rc)) { 550 ndr_show_hdr(hdr); 551 nds_show_state(nds); 552 goto ndr_svc_process_fault; 553 } 554 555 nds->pdu_scan_offset = saved_offset; 556 nds->pdu_size = saved_size; 557 } 558 559 rc = ndr_svc_request(mxa); 560 break; 561 562 case NDR_PTYPE_ALTER_CONTEXT: 563 rc = ndr_svc_alter_context(mxa); 564 break; 565 566 default: 567 rc = NDR_DRC_FAULT_RPCHDR_PTYPE_INVALID; 568 break; 569 } 570 571 ndr_svc_process_fault: 572 if (NDR_DRC_IS_FAULT(rc)) 573 ndr_reply_fault(mxa, rc); 574 575 (void) ndr_build_reply(mxa); 576 return (rc); 577 } 578 579 /* 580 * Remove RPC fragment headers from the received data stream. 581 * The first fragment has already been accounted for before this call. 582 * 583 * NDR stream on entry: 584 * 585 * |<-- frag 2 -->|<-- frag 3 -->| ... |<- last frag ->| 586 * 587 * +-----+--------+-----+--------+-----+-----+---------+ 588 * | hdr | data | hdr | data | ... | hdr | data | 589 * +-----+--------+-----+--------+-----+-----+---------+ 590 * 591 * NDR stream on return: 592 * 593 * +----------------------------------+ 594 * | data | 595 * +----------------------------------+ 596 */ 597 static int 598 ndr_svc_defrag(ndr_xa_t *mxa) 599 { 600 ndr_stream_t *nds = &mxa->recv_nds; 601 ndr_common_header_t frag_hdr; 602 int frag_size; 603 int last_frag; 604 605 do { 606 ndr_decode_frag_hdr(nds, &frag_hdr); 607 ndr_show_hdr(&frag_hdr); 608 609 if (NDR_IS_FIRST_FRAG(frag_hdr.pfc_flags)) 610 return (NDR_DRC_FAULT_DECODE_FAILED); 611 612 last_frag = NDR_IS_LAST_FRAG(frag_hdr.pfc_flags); 613 frag_size = frag_hdr.frag_length; 614 615 if (frag_size > (nds->pdu_size - nds->pdu_scan_offset)) 616 return (NDR_DRC_FAULT_DECODE_FAILED); 617 618 ndr_remove_frag_hdr(nds); 619 nds->pdu_scan_offset += frag_size - NDR_RSP_HDR_SIZE; 620 } while (!last_frag); 621 622 return (NDR_DRC_OK); 623 } 624 625 /* 626 * Multiple p_cont_elem[]s, multiple transfer_syntaxes[] and multiple 627 * p_results[] not supported. 628 */ 629 static int 630 ndr_svc_bind(ndr_xa_t *mxa) 631 { 632 ndr_p_cont_list_t *cont_list; 633 ndr_p_result_list_t *result_list; 634 ndr_p_result_t *result; 635 unsigned p_cont_id; 636 ndr_binding_t *mbind; 637 ndr_uuid_t *as_uuid; 638 ndr_uuid_t *ts_uuid; 639 int as_vers; 640 int ts_vers; 641 ndr_service_t *msvc; 642 int rc; 643 ndr_port_any_t *sec_addr; 644 645 /* acquire targets */ 646 cont_list = &mxa->recv_hdr.bind_hdr.p_context_elem; 647 result_list = &mxa->send_hdr.bind_ack_hdr.p_result_list; 648 result = &result_list->p_results[0]; 649 650 /* 651 * Set up temporary secondary address port. 652 * We will correct this later (below). 653 */ 654 sec_addr = &mxa->send_hdr.bind_ack_hdr.sec_addr; 655 sec_addr->length = 13; 656 (void) strcpy((char *)sec_addr->port_spec, "\\PIPE\\ntsvcs"); 657 658 result_list->n_results = 1; 659 result_list->reserved = 0; 660 result_list->reserved2 = 0; 661 result->result = NDR_PCDR_ACCEPTANCE; 662 result->reason = 0; 663 bzero(&result->transfer_syntax, sizeof (result->transfer_syntax)); 664 665 /* sanity check */ 666 if (cont_list->n_context_elem != 1 || 667 cont_list->p_cont_elem[0].n_transfer_syn != 1) { 668 ndo_trace("ndr_svc_bind: warning: multiple p_cont_elem"); 669 } 670 671 p_cont_id = cont_list->p_cont_elem[0].p_cont_id; 672 673 if ((mbind = ndr_svc_find_binding(mxa, p_cont_id)) != NULL) { 674 /* 675 * Duplicate presentation context id. 676 */ 677 ndo_trace("ndr_svc_bind: duplicate binding"); 678 return (NDR_DRC_FAULT_BIND_PCONT_BUSY); 679 } 680 681 if ((mbind = ndr_svc_new_binding(mxa)) == NULL) { 682 /* 683 * No free binding slot 684 */ 685 result->result = NDR_PCDR_PROVIDER_REJECTION; 686 result->reason = NDR_PPR_LOCAL_LIMIT_EXCEEDED; 687 ndo_trace("ndr_svc_bind: no resources"); 688 return (NDR_DRC_OK); 689 } 690 691 as_uuid = &cont_list->p_cont_elem[0].abstract_syntax.if_uuid; 692 as_vers = cont_list->p_cont_elem[0].abstract_syntax.if_version; 693 694 ts_uuid = &cont_list->p_cont_elem[0].transfer_syntaxes[0].if_uuid; 695 ts_vers = cont_list->p_cont_elem[0].transfer_syntaxes[0].if_version; 696 697 msvc = ndr_svc_lookup_uuid(as_uuid, as_vers, ts_uuid, ts_vers); 698 if (msvc == NULL) { 699 result->result = NDR_PCDR_PROVIDER_REJECTION; 700 result->reason = NDR_PPR_ABSTRACT_SYNTAX_NOT_SUPPORTED; 701 return (NDR_DRC_OK); 702 } 703 704 /* 705 * We can now use the correct secondary address port. 706 */ 707 sec_addr = &mxa->send_hdr.bind_ack_hdr.sec_addr; 708 sec_addr->length = strlen(msvc->sec_addr_port) + 1; 709 (void) strlcpy((char *)sec_addr->port_spec, msvc->sec_addr_port, 710 NDR_PORT_ANY_MAX_PORT_SPEC); 711 712 mbind->p_cont_id = p_cont_id; 713 mbind->which_side = NDR_BIND_SIDE_SERVER; 714 /* mbind->context set by app */ 715 mbind->service = msvc; 716 mbind->instance_specific = 0; 717 718 mxa->binding = mbind; 719 720 if (msvc->bind_req) { 721 /* 722 * Call the service-specific bind() handler. If 723 * this fails, we shouild send a specific error 724 * on the bind ack. 725 */ 726 rc = (msvc->bind_req)(mxa); 727 if (NDR_DRC_IS_FAULT(rc)) { 728 mbind->service = 0; /* free binding slot */ 729 mbind->which_side = 0; 730 mbind->p_cont_id = 0; 731 mbind->instance_specific = 0; 732 return (rc); 733 } 734 } 735 736 result->transfer_syntax = 737 cont_list->p_cont_elem[0].transfer_syntaxes[0]; 738 739 return (NDR_DRC_BINDING_MADE); 740 } 741 742 /* 743 * ndr_svc_alter_context 744 * 745 * The alter context request is used to request additional presentation 746 * context for another interface and/or version. It is very similar to 747 * a bind request. 748 */ 749 static int 750 ndr_svc_alter_context(ndr_xa_t *mxa) 751 { 752 ndr_p_result_list_t *result_list; 753 ndr_p_result_t *result; 754 ndr_p_cont_list_t *cont_list; 755 ndr_binding_t *mbind; 756 ndr_service_t *msvc; 757 unsigned p_cont_id; 758 ndr_uuid_t *as_uuid; 759 ndr_uuid_t *ts_uuid; 760 int as_vers; 761 int ts_vers; 762 ndr_port_any_t *sec_addr; 763 764 result_list = &mxa->send_hdr.alter_context_rsp_hdr.p_result_list; 765 result_list->n_results = 1; 766 result_list->reserved = 0; 767 result_list->reserved2 = 0; 768 769 result = &result_list->p_results[0]; 770 result->result = NDR_PCDR_ACCEPTANCE; 771 result->reason = 0; 772 bzero(&result->transfer_syntax, sizeof (result->transfer_syntax)); 773 774 cont_list = &mxa->recv_hdr.alter_context_hdr.p_context_elem; 775 p_cont_id = cont_list->p_cont_elem[0].p_cont_id; 776 777 if (ndr_svc_find_binding(mxa, p_cont_id) != NULL) 778 return (NDR_DRC_FAULT_BIND_PCONT_BUSY); 779 780 if ((mbind = ndr_svc_new_binding(mxa)) == NULL) { 781 result->result = NDR_PCDR_PROVIDER_REJECTION; 782 result->reason = NDR_PPR_LOCAL_LIMIT_EXCEEDED; 783 return (NDR_DRC_OK); 784 } 785 786 as_uuid = &cont_list->p_cont_elem[0].abstract_syntax.if_uuid; 787 as_vers = cont_list->p_cont_elem[0].abstract_syntax.if_version; 788 789 ts_uuid = &cont_list->p_cont_elem[0].transfer_syntaxes[0].if_uuid; 790 ts_vers = cont_list->p_cont_elem[0].transfer_syntaxes[0].if_version; 791 792 msvc = ndr_svc_lookup_uuid(as_uuid, as_vers, ts_uuid, ts_vers); 793 if (msvc == NULL) { 794 result->result = NDR_PCDR_PROVIDER_REJECTION; 795 result->reason = NDR_PPR_ABSTRACT_SYNTAX_NOT_SUPPORTED; 796 return (NDR_DRC_OK); 797 } 798 799 mbind->p_cont_id = p_cont_id; 800 mbind->which_side = NDR_BIND_SIDE_SERVER; 801 /* mbind->context set by app */ 802 mbind->service = msvc; 803 mbind->instance_specific = 0; 804 mxa->binding = mbind; 805 806 sec_addr = &mxa->send_hdr.alter_context_rsp_hdr.sec_addr; 807 sec_addr->length = 0; 808 bzero(sec_addr->port_spec, NDR_PORT_ANY_MAX_PORT_SPEC); 809 810 result->transfer_syntax = 811 cont_list->p_cont_elem[0].transfer_syntaxes[0]; 812 813 return (NDR_DRC_BINDING_MADE); 814 } 815 816 static int 817 ndr_svc_request(ndr_xa_t *mxa) 818 { 819 ndr_binding_t *mbind; 820 ndr_service_t *msvc; 821 unsigned p_cont_id; 822 int rc; 823 824 mxa->opnum = mxa->recv_hdr.request_hdr.opnum; 825 p_cont_id = mxa->recv_hdr.request_hdr.p_cont_id; 826 827 if ((mbind = ndr_svc_find_binding(mxa, p_cont_id)) == NULL) 828 return (NDR_DRC_FAULT_REQUEST_PCONT_INVALID); 829 830 mxa->binding = mbind; 831 msvc = mbind->service; 832 833 /* 834 * Make room for the response hdr. 835 */ 836 mxa->send_nds.pdu_scan_offset = NDR_RSP_HDR_SIZE; 837 838 if (msvc->call_stub) 839 rc = (*msvc->call_stub)(mxa); 840 else 841 rc = ndr_generic_call_stub(mxa); 842 843 if (NDR_DRC_IS_FAULT(rc)) { 844 ndo_printf(0, 0, "%s[0x%02x]: 0x%04x", 845 msvc->name, mxa->opnum, rc); 846 } 847 848 return (rc); 849 } 850 851 /* 852 * The transaction and the two nds streams use the same heap, which 853 * should already exist at this point. The heap will also be available 854 * to the stub. 855 */ 856 int 857 ndr_generic_call_stub(ndr_xa_t *mxa) 858 { 859 ndr_binding_t *mbind = mxa->binding; 860 ndr_service_t *msvc = mbind->service; 861 ndr_typeinfo_t *intf_ti = msvc->interface_ti; 862 ndr_stub_table_t *ste; 863 int opnum = mxa->opnum; 864 unsigned p_len = intf_ti->c_size_fixed_part; 865 char *param; 866 int rc; 867 868 if (mxa->heap == NULL) { 869 ndo_printf(0, 0, "%s[0x%02x]: no heap", msvc->name, opnum); 870 return (NDR_DRC_FAULT_OUT_OF_MEMORY); 871 } 872 873 if ((ste = ndr_svc_find_stub(msvc, opnum)) == NULL) { 874 ndo_printf(0, 0, "%s[0x%02x]: invalid opnum", 875 msvc->name, opnum); 876 return (NDR_DRC_FAULT_REQUEST_OPNUM_INVALID); 877 } 878 879 if ((param = ndr_heap_malloc(mxa->heap, p_len)) == NULL) 880 return (NDR_DRC_FAULT_OUT_OF_MEMORY); 881 882 bzero(param, p_len); 883 884 rc = ndr_decode_call(mxa, param); 885 if (!NDR_DRC_IS_OK(rc)) 886 return (rc); 887 888 rc = (*ste->func)(param, mxa); 889 if (rc == NDR_DRC_OK) 890 rc = ndr_encode_return(mxa, param); 891 892 return (rc); 893 } 894 895 /* 896 * We can perform some initial setup of the response header here. 897 * We also need to cache some of the information from the bind 898 * negotiation for use during subsequent RPC calls. 899 */ 900 static void 901 ndr_reply_prepare_hdr(ndr_xa_t *mxa) 902 { 903 ndr_common_header_t *rhdr = &mxa->recv_hdr.common_hdr; 904 ndr_common_header_t *hdr = &mxa->send_hdr.common_hdr; 905 906 hdr->rpc_vers = 5; 907 hdr->rpc_vers_minor = 0; 908 hdr->pfc_flags = NDR_PFC_FIRST_FRAG + NDR_PFC_LAST_FRAG; 909 hdr->packed_drep = rhdr->packed_drep; 910 hdr->frag_length = 0; 911 hdr->auth_length = 0; 912 hdr->call_id = rhdr->call_id; 913 #ifdef _BIG_ENDIAN 914 hdr->packed_drep.intg_char_rep = NDR_REPLAB_CHAR_ASCII 915 | NDR_REPLAB_INTG_BIG_ENDIAN; 916 #else 917 hdr->packed_drep.intg_char_rep = NDR_REPLAB_CHAR_ASCII 918 | NDR_REPLAB_INTG_LITTLE_ENDIAN; 919 #endif 920 921 switch (mxa->ptype) { 922 case NDR_PTYPE_BIND: 923 hdr->ptype = NDR_PTYPE_BIND_ACK; 924 mxa->send_hdr.bind_ack_hdr.max_xmit_frag = 925 mxa->recv_hdr.bind_hdr.max_xmit_frag; 926 mxa->send_hdr.bind_ack_hdr.max_recv_frag = 927 mxa->recv_hdr.bind_hdr.max_recv_frag; 928 mxa->send_hdr.bind_ack_hdr.assoc_group_id = 929 mxa->recv_hdr.bind_hdr.assoc_group_id; 930 931 if (mxa->send_hdr.bind_ack_hdr.assoc_group_id == 0) 932 mxa->send_hdr.bind_ack_hdr.assoc_group_id = time(0); 933 934 /* 935 * Save the maximum fragment sizes 936 * for use with subsequent requests. 937 */ 938 mxa->pipe->np_max_xmit_frag = 939 mxa->recv_hdr.bind_hdr.max_xmit_frag; 940 mxa->pipe->np_max_recv_frag = 941 mxa->recv_hdr.bind_hdr.max_recv_frag; 942 break; 943 944 case NDR_PTYPE_REQUEST: 945 hdr->ptype = NDR_PTYPE_RESPONSE; 946 /* mxa->send_hdr.response_hdr.alloc_hint */ 947 mxa->send_hdr.response_hdr.p_cont_id = 948 mxa->recv_hdr.request_hdr.p_cont_id; 949 mxa->send_hdr.response_hdr.cancel_count = 0; 950 mxa->send_hdr.response_hdr.reserved = 0; 951 break; 952 953 case NDR_PTYPE_ALTER_CONTEXT: 954 hdr->ptype = NDR_PTYPE_ALTER_CONTEXT_RESP; 955 /* 956 * The max_xmit_frag, max_recv_frag and assoc_group_id are 957 * ignored by the client but it's useful to fill them in. 958 */ 959 mxa->send_hdr.alter_context_rsp_hdr.max_xmit_frag = 960 mxa->recv_hdr.alter_context_hdr.max_xmit_frag; 961 mxa->send_hdr.alter_context_rsp_hdr.max_recv_frag = 962 mxa->recv_hdr.alter_context_hdr.max_recv_frag; 963 mxa->send_hdr.alter_context_rsp_hdr.assoc_group_id = 964 mxa->recv_hdr.alter_context_hdr.assoc_group_id; 965 break; 966 967 default: 968 hdr->ptype = 0xFF; 969 } 970 } 971 972 /* 973 * Signal an RPC fault. The stream is reset and we overwrite whatever 974 * was in the response header with the fault information. 975 */ 976 static void 977 ndr_reply_fault(ndr_xa_t *mxa, unsigned long drc) 978 { 979 ndr_common_header_t *rhdr = &mxa->recv_hdr.common_hdr; 980 ndr_common_header_t *hdr = &mxa->send_hdr.common_hdr; 981 ndr_stream_t *nds = &mxa->send_nds; 982 unsigned long fault_status; 983 984 NDS_RESET(nds); 985 986 hdr->rpc_vers = 5; 987 hdr->rpc_vers_minor = 0; 988 hdr->pfc_flags = NDR_PFC_FIRST_FRAG + NDR_PFC_LAST_FRAG; 989 hdr->packed_drep = rhdr->packed_drep; 990 hdr->frag_length = sizeof (mxa->send_hdr.fault_hdr); 991 hdr->auth_length = 0; 992 hdr->call_id = rhdr->call_id; 993 #ifdef _BIG_ENDIAN 994 hdr->packed_drep.intg_char_rep = NDR_REPLAB_CHAR_ASCII 995 | NDR_REPLAB_INTG_BIG_ENDIAN; 996 #else 997 hdr->packed_drep.intg_char_rep = NDR_REPLAB_CHAR_ASCII 998 | NDR_REPLAB_INTG_LITTLE_ENDIAN; 999 #endif 1000 1001 switch (drc & NDR_DRC_MASK_SPECIFIER) { 1002 case NDR_DRC_FAULT_OUT_OF_MEMORY: 1003 case NDR_DRC_FAULT_ENCODE_TOO_BIG: 1004 fault_status = NDR_FAULT_NCA_OUT_ARGS_TOO_BIG; 1005 break; 1006 1007 case NDR_DRC_FAULT_REQUEST_PCONT_INVALID: 1008 fault_status = NDR_FAULT_NCA_INVALID_PRES_CONTEXT_ID; 1009 break; 1010 1011 case NDR_DRC_FAULT_REQUEST_OPNUM_INVALID: 1012 fault_status = NDR_FAULT_NCA_OP_RNG_ERROR; 1013 break; 1014 1015 case NDR_DRC_FAULT_DECODE_FAILED: 1016 case NDR_DRC_FAULT_ENCODE_FAILED: 1017 fault_status = NDR_FAULT_NCA_PROTO_ERROR; 1018 break; 1019 1020 default: 1021 fault_status = NDR_FAULT_NCA_UNSPEC_REJECT; 1022 break; 1023 } 1024 1025 mxa->send_hdr.fault_hdr.common_hdr.ptype = NDR_PTYPE_FAULT; 1026 mxa->send_hdr.fault_hdr.status = fault_status; 1027 mxa->send_hdr.response_hdr.alloc_hint = hdr->frag_length; 1028 } 1029 1030 /* 1031 * Note that the frag_length for bind ack and alter context is 1032 * non-standard. 1033 */ 1034 static int 1035 ndr_build_reply(ndr_xa_t *mxa) 1036 { 1037 ndr_common_header_t *hdr = &mxa->send_hdr.common_hdr; 1038 ndr_stream_t *nds = &mxa->send_nds; 1039 uint8_t *pdu_buf; 1040 unsigned long pdu_size; 1041 unsigned long frag_size; 1042 unsigned long pdu_data_size; 1043 unsigned long frag_data_size; 1044 1045 frag_size = NDR_FRAG_SZ; 1046 pdu_size = nds->pdu_size; 1047 pdu_buf = nds->pdu_base_addr; 1048 1049 if (pdu_size <= frag_size) { 1050 /* 1051 * Single fragment response. The PDU size may be zero 1052 * here (i.e. bind or fault response). So don't make 1053 * any assumptions about it until after the header is 1054 * encoded. 1055 */ 1056 switch (hdr->ptype) { 1057 case NDR_PTYPE_BIND_ACK: 1058 hdr->frag_length = ndr_bind_ack_hdr_size(mxa); 1059 break; 1060 1061 case NDR_PTYPE_FAULT: 1062 /* already setup */ 1063 break; 1064 1065 case NDR_PTYPE_RESPONSE: 1066 hdr->frag_length = pdu_size; 1067 mxa->send_hdr.response_hdr.alloc_hint = 1068 hdr->frag_length; 1069 break; 1070 1071 case NDR_PTYPE_ALTER_CONTEXT_RESP: 1072 hdr->frag_length = ndr_alter_context_rsp_hdr_size(); 1073 break; 1074 1075 default: 1076 hdr->frag_length = pdu_size; 1077 break; 1078 } 1079 1080 nds->pdu_scan_offset = 0; 1081 (void) ndr_encode_pdu_hdr(mxa); 1082 pdu_size = nds->pdu_size; 1083 ndr_build_frag(nds, pdu_buf, pdu_size); 1084 return (0); 1085 } 1086 1087 /* 1088 * Multiple fragment response. 1089 */ 1090 hdr->pfc_flags = NDR_PFC_FIRST_FRAG; 1091 hdr->frag_length = frag_size; 1092 mxa->send_hdr.response_hdr.alloc_hint = pdu_size - NDR_RSP_HDR_SIZE; 1093 nds->pdu_scan_offset = 0; 1094 (void) ndr_encode_pdu_hdr(mxa); 1095 ndr_build_frag(nds, pdu_buf, frag_size); 1096 1097 /* 1098 * We need to update the 24-byte header in subsequent fragments. 1099 * 1100 * pdu_data_size: total data remaining to be handled 1101 * frag_size: total fragment size including header 1102 * frag_data_size: data in fragment 1103 * (i.e. frag_size - NDR_RSP_HDR_SIZE) 1104 */ 1105 pdu_data_size = pdu_size - NDR_RSP_HDR_SIZE; 1106 frag_data_size = frag_size - NDR_RSP_HDR_SIZE; 1107 1108 while (pdu_data_size) { 1109 mxa->send_hdr.response_hdr.alloc_hint -= frag_data_size; 1110 pdu_data_size -= frag_data_size; 1111 pdu_buf += frag_data_size; 1112 1113 if (pdu_data_size <= frag_data_size) { 1114 frag_data_size = pdu_data_size; 1115 frag_size = frag_data_size + NDR_RSP_HDR_SIZE; 1116 hdr->pfc_flags = NDR_PFC_LAST_FRAG; 1117 } else { 1118 hdr->pfc_flags = 0; 1119 } 1120 1121 hdr->frag_length = frag_size; 1122 nds->pdu_scan_offset = 0; 1123 (void) ndr_encode_pdu_hdr(mxa); 1124 bcopy(nds->pdu_base_addr, pdu_buf, NDR_RSP_HDR_SIZE); 1125 1126 ndr_build_frag(nds, pdu_buf, frag_size); 1127 1128 if (hdr->pfc_flags & NDR_PFC_LAST_FRAG) 1129 break; 1130 } 1131 1132 return (0); 1133 } 1134 1135 /* 1136 * ndr_build_frag 1137 * 1138 * Build an RPC PDU fragment from the specified buffer. 1139 * If malloc fails, the client will see a header/pdu inconsistency 1140 * and report an error. 1141 */ 1142 static void 1143 ndr_build_frag(ndr_stream_t *nds, uint8_t *buf, uint32_t len) 1144 { 1145 ndr_frag_t *frag; 1146 int size = sizeof (ndr_frag_t) + len; 1147 1148 if ((frag = (ndr_frag_t *)malloc(size)) == NULL) 1149 return; 1150 1151 frag->next = NULL; 1152 frag->buf = (uint8_t *)frag + sizeof (ndr_frag_t); 1153 frag->len = len; 1154 bcopy(buf, frag->buf, len); 1155 1156 if (nds->frags.head == NULL) { 1157 nds->frags.head = frag; 1158 nds->frags.tail = frag; 1159 nds->frags.nfrag = 1; 1160 } else { 1161 nds->frags.tail->next = frag; 1162 nds->frags.tail = frag; 1163 ++nds->frags.nfrag; 1164 } 1165 } 1166