Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : server side dcerpc core code
5 :
6 : Copyright (C) Andrew Tridgell 2003-2005
7 : Copyright (C) Stefan (metze) Metzmacher 2004-2005
8 : Copyright (C) Samuel Cabrero <scabrero@samba.org> 2019
9 :
10 : This program is free software; you can redistribute it and/or modify
11 : it under the terms of the GNU General Public License as published by
12 : the Free Software Foundation; either version 3 of the License, or
13 : (at your option) any later version.
14 :
15 : This program is distributed in the hope that it will be useful,
16 : but WITHOUT ANY WARRANTY; without even the implied warranty of
17 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 : GNU General Public License for more details.
19 :
20 : You should have received a copy of the GNU General Public License
21 : along with this program. If not, see <http://www.gnu.org/licenses/>.
22 : */
23 :
24 : #include "includes.h"
25 : #include "librpc/rpc/dcesrv_core.h"
26 : #include "librpc/rpc/dcesrv_core_proto.h"
27 : #include "librpc/rpc/dcerpc_util.h"
28 : #include "librpc/gen_ndr/auth.h"
29 : #include "auth/gensec/gensec.h"
30 : #include "lib/util/dlinklist.h"
31 : #include "libcli/security/security.h"
32 : #include "param/param.h"
33 : #include "lib/tsocket/tsocket.h"
34 : #include "librpc/gen_ndr/ndr_dcerpc.h"
35 : #include "lib/util/tevent_ntstatus.h"
36 : #include "system/network.h"
37 : #include "nsswitch/winbind_client.h"
38 :
39 : /**
40 : * @file
41 : * @brief DCERPC server
42 : */
43 :
44 : #undef DBGC_CLASS
45 : #define DBGC_CLASS DBGC_RPC_SRV
46 :
47 : #undef strcasecmp
48 :
49 : static NTSTATUS dcesrv_negotiate_contexts(struct dcesrv_call_state *call,
50 : const struct dcerpc_bind *b,
51 : struct dcerpc_ack_ctx *ack_ctx_list);
52 :
53 : /*
54 : see if two endpoints match
55 : */
56 54765 : static bool endpoints_match(const struct dcerpc_binding *ep1,
57 : const struct dcerpc_binding *ep2)
58 : {
59 : enum dcerpc_transport_t t1;
60 : enum dcerpc_transport_t t2;
61 : const char *e1;
62 : const char *e2;
63 :
64 54765 : t1 = dcerpc_binding_get_transport(ep1);
65 54765 : t2 = dcerpc_binding_get_transport(ep2);
66 :
67 54765 : e1 = dcerpc_binding_get_string_option(ep1, "endpoint");
68 54765 : e2 = dcerpc_binding_get_string_option(ep2, "endpoint");
69 :
70 54765 : if (t1 != t2) {
71 36137 : return false;
72 : }
73 :
74 18628 : if (!e1 || !e2) {
75 5240 : return e1 == e2;
76 : }
77 :
78 13388 : if (strcasecmp(e1, e2) != 0) {
79 12097 : return false;
80 : }
81 :
82 1291 : return true;
83 : }
84 :
85 : /*
86 : find an endpoint in the dcesrv_context
87 : */
88 4086 : _PUBLIC_ NTSTATUS dcesrv_find_endpoint(struct dcesrv_context *dce_ctx,
89 : const struct dcerpc_binding *ep_description,
90 : struct dcesrv_endpoint **_out)
91 : {
92 4086 : struct dcesrv_endpoint *ep = NULL;
93 25800 : for (ep=dce_ctx->endpoint_list; ep; ep=ep->next) {
94 24085 : if (endpoints_match(ep->ep_description, ep_description)) {
95 2371 : *_out = ep;
96 2371 : return NT_STATUS_OK;
97 : }
98 : }
99 1715 : return NT_STATUS_NOT_FOUND;
100 : }
101 :
102 : /*
103 : find a registered context_id from a bind or alter_context
104 : */
105 198220 : static struct dcesrv_connection_context *dcesrv_find_context(struct dcesrv_connection *conn,
106 : uint16_t context_id)
107 : {
108 : struct dcesrv_connection_context *c;
109 198352 : for (c=conn->contexts;c;c=c->next) {
110 181402 : if (c->context_id == context_id) return c;
111 : }
112 16950 : return NULL;
113 : }
114 :
115 : /*
116 : find the interface operations on any endpoint with this binding
117 : */
118 3411 : static const struct dcesrv_interface *find_interface_by_binding(struct dcesrv_context *dce_ctx,
119 : struct dcerpc_binding *binding,
120 : const struct dcesrv_interface *iface)
121 : {
122 : struct dcesrv_endpoint *ep;
123 34091 : for (ep=dce_ctx->endpoint_list; ep; ep=ep->next) {
124 30680 : if (endpoints_match(ep->ep_description, binding)) {
125 1696 : const struct dcesrv_interface *ret = NULL;
126 :
127 1696 : ret = find_interface_by_syntax_id(
128 : ep, &iface->syntax_id);
129 1696 : if (ret != NULL) {
130 0 : return ret;
131 : }
132 : }
133 : }
134 3411 : return NULL;
135 : }
136 :
137 : /*
138 : find the interface operations on an endpoint by uuid
139 : */
140 24305 : _PUBLIC_ const struct dcesrv_interface *find_interface_by_syntax_id(
141 : const struct dcesrv_endpoint *endpoint,
142 : const struct ndr_syntax_id *interface)
143 : {
144 : struct dcesrv_if_list *ifl;
145 99831 : for (ifl=endpoint->interface_list; ifl; ifl=ifl->next) {
146 98114 : if (ndr_syntax_id_equal(&ifl->iface->syntax_id, interface)) {
147 22588 : return ifl->iface;
148 : }
149 : }
150 1717 : return NULL;
151 : }
152 :
153 : /*
154 : find the earlier parts of a fragmented call awaiting reassembly
155 : */
156 15819 : static struct dcesrv_call_state *dcesrv_find_fragmented_call(struct dcesrv_connection *dce_conn, uint32_t call_id)
157 : {
158 : struct dcesrv_call_state *c;
159 15868 : for (c=dce_conn->incoming_fragmented_call_list;c;c=c->next) {
160 15781 : if (c->pkt.call_id == call_id) {
161 15732 : return c;
162 : }
163 : }
164 87 : return NULL;
165 : }
166 :
167 : /*
168 : register an interface on an endpoint
169 :
170 : An endpoint is one unix domain socket (for ncalrpc), one TCP port
171 : (for ncacn_ip_tcp) or one (forwarded) named pipe (for ncacn_np).
172 :
173 : Each endpoint can have many interfaces such as netlogon, lsa or
174 : samr. Some have essentially the full set.
175 :
176 : This is driven from the set of interfaces listed in each IDL file
177 : via the PIDL generated *__op_init_server() functions.
178 : */
179 3411 : _PUBLIC_ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
180 : const char *ep_name,
181 : const char *ncacn_np_secondary_endpoint,
182 : const struct dcesrv_interface *iface,
183 : const struct security_descriptor *sd)
184 : {
185 3411 : struct dcerpc_binding *binding = NULL;
186 3411 : struct dcerpc_binding *binding2 = NULL;
187 : NTSTATUS ret;
188 :
189 3411 : ret = dcerpc_parse_binding(dce_ctx, ep_name, &binding);
190 3411 : if (NT_STATUS_IS_ERR(ret)) {
191 0 : DBG_ERR("Trouble parsing binding string '%s'\n", ep_name);
192 0 : goto out;
193 : }
194 :
195 3411 : if (ncacn_np_secondary_endpoint != NULL) {
196 442 : ret = dcerpc_parse_binding(dce_ctx,
197 : ncacn_np_secondary_endpoint,
198 : &binding2);
199 442 : if (NT_STATUS_IS_ERR(ret)) {
200 0 : DBG_ERR("Trouble parsing 2nd binding string '%s'\n",
201 : ncacn_np_secondary_endpoint);
202 0 : goto out;
203 : }
204 : }
205 :
206 3411 : ret = dcesrv_interface_register_b(dce_ctx,
207 : binding,
208 : binding2,
209 : iface,
210 : sd);
211 3411 : out:
212 3411 : TALLOC_FREE(binding);
213 3411 : TALLOC_FREE(binding2);
214 3411 : return ret;
215 : }
216 :
217 3411 : _PUBLIC_ NTSTATUS dcesrv_interface_register_b(struct dcesrv_context *dce_ctx,
218 : struct dcerpc_binding *binding,
219 : struct dcerpc_binding *binding2,
220 : const struct dcesrv_interface *iface,
221 : const struct security_descriptor *sd)
222 : {
223 : struct dcesrv_endpoint *ep;
224 : struct dcesrv_if_list *ifl;
225 3411 : bool add_ep = false;
226 : NTSTATUS status;
227 : enum dcerpc_transport_t transport;
228 3411 : char *ep_string = NULL;
229 3411 : bool use_single_process = true;
230 : const char *ep_process_string;
231 :
232 : /*
233 : * If we are not using handles, there is no need for force
234 : * this service into using a single process.
235 : *
236 : * However, due to the way we listen for RPC packets, we can
237 : * only do this if we have a single service per pipe or TCP
238 : * port, so we still force a single combined process for
239 : * ncalrpc.
240 : */
241 3411 : if (iface->flags & DCESRV_INTERFACE_FLAGS_HANDLES_NOT_USED) {
242 156 : use_single_process = false;
243 : }
244 :
245 3411 : transport = dcerpc_binding_get_transport(binding);
246 3411 : if (transport == NCACN_IP_TCP) {
247 : int port;
248 :
249 : /*
250 : * First check if there is already a port specified, eg
251 : * for epmapper on ncacn_ip_tcp:[135]
252 : */
253 693 : const char *endpoint
254 311 : = dcerpc_binding_get_string_option(binding,
255 : "endpoint");
256 1004 : if (endpoint == NULL) {
257 941 : port = lpcfg_parm_int(dce_ctx->lp_ctx, NULL,
258 292 : "rpc server port", iface->name, 0);
259 :
260 : /*
261 : * For RPC services that are not set to use a single
262 : * process, we do not default to using the 'rpc server
263 : * port' because that would cause a double-bind on
264 : * that port.
265 : */
266 941 : if (port == 0 && !use_single_process) {
267 0 : port = lpcfg_rpc_server_port(dce_ctx->lp_ctx);
268 : }
269 941 : if (port != 0) {
270 : char port_str[6];
271 52 : snprintf(port_str, sizeof(port_str), "%u", port);
272 52 : status = dcerpc_binding_set_string_option(binding,
273 : "endpoint",
274 : port_str);
275 52 : if (!NT_STATUS_IS_OK(status)) {
276 0 : return status;
277 : }
278 : }
279 : }
280 : }
281 :
282 3411 : if (transport == NCACN_NP && binding2 != NULL) {
283 : enum dcerpc_transport_t transport2;
284 :
285 248 : transport2 = dcerpc_binding_get_transport(binding2);
286 248 : SMB_ASSERT(transport2 == transport);
287 : }
288 :
289 : /* see if the interface is already registered on the endpoint */
290 3411 : if (find_interface_by_binding(dce_ctx, binding, iface)!=NULL) {
291 0 : char *binding_string = dcerpc_binding_string(dce_ctx, binding);
292 0 : DBG_ERR("Interface '%s' already registered on endpoint '%s'\n",
293 : iface->name, binding_string);
294 0 : TALLOC_FREE(binding_string);
295 0 : return NT_STATUS_OBJECT_NAME_COLLISION;
296 : }
297 :
298 : /* check if this endpoint exists
299 : */
300 3411 : status = dcesrv_find_endpoint(dce_ctx, binding, &ep);
301 3411 : if (NT_STATUS_IS_OK(status)) {
302 : /*
303 : * We want a new port on ncacn_ip_tcp for NETLOGON, so
304 : * it can be multi-process. Other processes can also
305 : * listen on distinct ports, if they have one forced
306 : * in the code above with eg 'rpc server port:drsuapi = 1027'
307 : *
308 : * If we have mulitiple endpoints on port 0, they each
309 : * get an epemeral port (currently by walking up from
310 : * 1024).
311 : *
312 : * Because one endpoint can only have one process
313 : * model, we add a new IP_TCP endpoint for each model.
314 : *
315 : * This works in conjunction with the forced overwrite
316 : * of ep->use_single_process below.
317 : */
318 1696 : if (ep->use_single_process != use_single_process
319 61 : && transport == NCACN_IP_TCP) {
320 0 : add_ep = true;
321 : }
322 : }
323 :
324 3411 : if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND) || add_ep) {
325 1715 : ep = talloc_zero(dce_ctx, struct dcesrv_endpoint);
326 1715 : if (!ep) {
327 0 : return NT_STATUS_NO_MEMORY;
328 : }
329 1715 : ep->ep_description = dcerpc_binding_dup(ep, binding);
330 1715 : if (transport == NCACN_NP && binding2 != NULL) {
331 390 : ep->ep_2nd_description =
332 390 : dcerpc_binding_dup(ep, binding2);
333 : }
334 1715 : add_ep = true;
335 :
336 : /* add mgmt interface */
337 1715 : ifl = talloc_zero(ep, struct dcesrv_if_list);
338 1715 : if (!ifl) {
339 0 : TALLOC_FREE(ep);
340 0 : return NT_STATUS_NO_MEMORY;
341 : }
342 :
343 1715 : ifl->iface = talloc_memdup(ifl,
344 : dcesrv_get_mgmt_interface(),
345 : sizeof(struct dcesrv_interface));
346 1715 : if (ifl->iface == NULL) {
347 0 : talloc_free(ep);
348 0 : return NT_STATUS_NO_MEMORY;
349 : }
350 :
351 1715 : DLIST_ADD(ep->interface_list, ifl);
352 1696 : } else if (!NT_STATUS_IS_OK(status)) {
353 0 : DBG_NOTICE("Failed to find endpoint: %s\n", nt_errstr(status));
354 0 : return status;
355 : }
356 :
357 : /*
358 : * By default don't force into a single process, but if any
359 : * interface on this endpoint on this service uses handles
360 : * (most do), then we must force into single process mode
361 : *
362 : * By overwriting this each time a new interface is added to
363 : * this endpoint, we end up with the most restrictive setting.
364 : */
365 3411 : if (use_single_process) {
366 3255 : ep->use_single_process = true;
367 : }
368 :
369 : /* talloc a new interface list element */
370 3411 : ifl = talloc_zero(ep, struct dcesrv_if_list);
371 3411 : if (!ifl) {
372 0 : return NT_STATUS_NO_MEMORY;
373 : }
374 :
375 : /* copy the given interface struct to the one on the endpoints interface list */
376 3411 : ifl->iface = talloc_memdup(ifl,
377 : iface,
378 : sizeof(struct dcesrv_interface));
379 3411 : if (ifl->iface == NULL) {
380 0 : talloc_free(ep);
381 0 : return NT_STATUS_NO_MEMORY;
382 : }
383 :
384 : /* if we have a security descriptor given,
385 : * we should see if we can set it up on the endpoint
386 : */
387 3411 : if (sd != NULL) {
388 : /* if there's currently no security descriptor given on the endpoint
389 : * we try to set it
390 : */
391 0 : if (ep->sd == NULL) {
392 0 : ep->sd = security_descriptor_copy(ep, sd);
393 : }
394 :
395 : /* if now there's no security descriptor given on the endpoint
396 : * something goes wrong, either we failed to copy the security descriptor
397 : * or there was already one on the endpoint
398 : */
399 0 : if (ep->sd != NULL) {
400 0 : char *binding_string =
401 0 : dcerpc_binding_string(dce_ctx, binding);
402 0 : DBG_ERR("Interface '%s' failed to setup a security "
403 : "descriptor on endpoint '%s'\n",
404 : iface->name, binding_string);
405 0 : TALLOC_FREE(binding_string);
406 0 : if (add_ep) free(ep);
407 0 : free(ifl);
408 0 : return NT_STATUS_OBJECT_NAME_COLLISION;
409 : }
410 : }
411 :
412 : /* finally add the interface on the endpoint */
413 3411 : DLIST_ADD(ep->interface_list, ifl);
414 :
415 : /* if it's a new endpoint add it to the dcesrv_context */
416 3411 : if (add_ep) {
417 1715 : DLIST_ADD(dce_ctx->endpoint_list, ep);
418 : }
419 :
420 : /* Re-get the string as we may have set a port */
421 3411 : ep_string = dcerpc_binding_string(dce_ctx, ep->ep_description);
422 :
423 3411 : if (use_single_process) {
424 3255 : ep_process_string = "single process required";
425 : } else {
426 156 : ep_process_string = "multi process compatible";
427 : }
428 :
429 3411 : DBG_INFO("Interface '%s' registered on endpoint '%s' (%s)\n",
430 : iface->name, ep_string, ep_process_string);
431 3411 : TALLOC_FREE(ep_string);
432 :
433 3411 : return NT_STATUS_OK;
434 : }
435 :
436 9625 : static NTSTATUS dcesrv_session_info_session_key(struct dcesrv_auth *auth,
437 : DATA_BLOB *session_key)
438 : {
439 9625 : if (auth->session_info == NULL) {
440 0 : return NT_STATUS_NO_USER_SESSION_KEY;
441 : }
442 :
443 9625 : if (auth->session_info->session_key.length == 0) {
444 0 : return NT_STATUS_NO_USER_SESSION_KEY;
445 : }
446 :
447 9625 : *session_key = auth->session_info->session_key;
448 9625 : return NT_STATUS_OK;
449 : }
450 :
451 4464 : static NTSTATUS dcesrv_remote_session_key(struct dcesrv_auth *auth,
452 : DATA_BLOB *session_key)
453 : {
454 4464 : if (auth->auth_type != DCERPC_AUTH_TYPE_NONE) {
455 0 : return NT_STATUS_NO_USER_SESSION_KEY;
456 : }
457 :
458 4464 : return dcesrv_session_info_session_key(auth, session_key);
459 : }
460 :
461 113 : static NTSTATUS dcesrv_local_fixed_session_key(struct dcesrv_auth *auth,
462 : DATA_BLOB *session_key)
463 : {
464 113 : return dcerpc_generic_session_key(session_key);
465 : }
466 :
467 : /*
468 : * Fetch the authentication session key if available.
469 : *
470 : * This is the key generated by a gensec authentication.
471 : *
472 : */
473 5161 : _PUBLIC_ NTSTATUS dcesrv_auth_session_key(struct dcesrv_call_state *call,
474 : DATA_BLOB *session_key)
475 : {
476 5161 : struct dcesrv_auth *auth = call->auth_state;
477 5161 : SMB_ASSERT(auth->auth_finished);
478 5161 : return dcesrv_session_info_session_key(auth, session_key);
479 : }
480 :
481 : /*
482 : * Fetch the transport session key if available.
483 : * Typically this is the SMB session key
484 : * or a fixed key for local transports.
485 : *
486 : * The key is always truncated to 16 bytes.
487 : */
488 4577 : _PUBLIC_ NTSTATUS dcesrv_transport_session_key(struct dcesrv_call_state *call,
489 : DATA_BLOB *session_key)
490 : {
491 4577 : struct dcesrv_auth *auth = call->auth_state;
492 : NTSTATUS status;
493 :
494 4577 : SMB_ASSERT(auth->auth_finished);
495 :
496 4577 : if (auth->session_key_fn == NULL) {
497 0 : return NT_STATUS_NO_USER_SESSION_KEY;
498 : }
499 :
500 4577 : status = auth->session_key_fn(auth, session_key);
501 4577 : if (!NT_STATUS_IS_OK(status)) {
502 0 : return status;
503 : }
504 :
505 4577 : session_key->length = MIN(session_key->length, 16);
506 :
507 4577 : return NT_STATUS_OK;
508 : }
509 :
510 23500 : static struct dcesrv_auth *dcesrv_auth_create(struct dcesrv_connection *conn)
511 : {
512 23500 : const struct dcesrv_endpoint *ep = conn->endpoint;
513 19975 : enum dcerpc_transport_t transport =
514 23500 : dcerpc_binding_get_transport(ep->ep_description);
515 23500 : struct dcesrv_auth *auth = NULL;
516 :
517 23500 : auth = talloc_zero(conn, struct dcesrv_auth);
518 23500 : if (auth == NULL) {
519 0 : return NULL;
520 : }
521 :
522 23500 : switch (transport) {
523 6286 : case NCACN_NP:
524 6286 : auth->session_key_fn = dcesrv_remote_session_key;
525 6286 : break;
526 2269 : case NCALRPC:
527 : case NCACN_UNIX_STREAM:
528 2269 : auth->session_key_fn = dcesrv_local_fixed_session_key;
529 2269 : break;
530 14945 : default:
531 : /*
532 : * All other's get a NULL pointer, which
533 : * results in NT_STATUS_NO_USER_SESSION_KEY
534 : */
535 14945 : break;
536 : }
537 :
538 23500 : return auth;
539 : }
540 :
541 : /*
542 : connect to a dcerpc endpoint
543 : */
544 16985 : _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
545 : TALLOC_CTX *mem_ctx,
546 : const struct dcesrv_endpoint *ep,
547 : struct auth_session_info *session_info,
548 : struct tevent_context *event_ctx,
549 : uint32_t state_flags,
550 : struct dcesrv_connection **_p)
551 : {
552 16985 : struct dcesrv_auth *auth = NULL;
553 16985 : struct dcesrv_connection *p = NULL;
554 :
555 16985 : if (!session_info) {
556 0 : return NT_STATUS_ACCESS_DENIED;
557 : }
558 :
559 16985 : p = talloc_zero(mem_ctx, struct dcesrv_connection);
560 16985 : if (p == NULL) {
561 0 : goto nomem;
562 : }
563 :
564 16985 : p->dce_ctx = dce_ctx;
565 16985 : p->endpoint = ep;
566 16985 : p->packet_log_dir = lpcfg_parm_string(dce_ctx->lp_ctx,
567 : NULL,
568 : "dcesrv",
569 : "stubs directory");
570 16985 : p->event_ctx = event_ctx;
571 16985 : p->state_flags = state_flags;
572 16985 : p->allow_bind = true;
573 16985 : p->max_recv_frag = 5840;
574 16985 : p->max_xmit_frag = 5840;
575 16985 : p->max_total_request_size = DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE;
576 :
577 16985 : p->support_hdr_signing = lpcfg_parm_bool(dce_ctx->lp_ctx,
578 : NULL,
579 : "dcesrv",
580 : "header signing",
581 : true);
582 16985 : p->max_auth_states = lpcfg_parm_ulong(dce_ctx->lp_ctx,
583 : NULL,
584 : "dcesrv",
585 : "max auth states",
586 : 2049);
587 :
588 16985 : auth = dcesrv_auth_create(p);
589 16985 : if (auth == NULL) {
590 0 : goto nomem;
591 : }
592 :
593 16985 : auth->session_info = talloc_reference(auth, session_info);
594 16985 : if (auth->session_info == NULL) {
595 0 : goto nomem;
596 : }
597 :
598 16985 : p->default_auth_state = auth;
599 :
600 : /*
601 : * For now we only support NDR32.
602 : */
603 16985 : p->preferred_transfer = &ndr_transfer_syntax_ndr;
604 :
605 16985 : *_p = p;
606 16985 : return NT_STATUS_OK;
607 0 : nomem:
608 0 : TALLOC_FREE(p);
609 0 : return NT_STATUS_NO_MEMORY;
610 : }
611 :
612 : /*
613 : move a call from an existing linked list to the specified list. This
614 : prevents bugs where we forget to remove the call from a previous
615 : list when moving it.
616 : */
617 594485 : static void dcesrv_call_set_list(struct dcesrv_call_state *call,
618 : enum dcesrv_call_list list)
619 : {
620 594485 : switch (call->list) {
621 578750 : case DCESRV_LIST_NONE:
622 578750 : break;
623 0 : case DCESRV_LIST_CALL_LIST:
624 0 : DLIST_REMOVE(call->conn->call_list, call);
625 0 : break;
626 15735 : case DCESRV_LIST_FRAGMENTED_CALL_LIST:
627 15735 : DLIST_REMOVE(call->conn->incoming_fragmented_call_list, call);
628 15735 : break;
629 0 : case DCESRV_LIST_PENDING_CALL_LIST:
630 0 : DLIST_REMOVE(call->conn->pending_call_list, call);
631 0 : break;
632 : }
633 594485 : call->list = list;
634 594485 : switch (list) {
635 395592 : case DCESRV_LIST_NONE:
636 395592 : break;
637 22625 : case DCESRV_LIST_CALL_LIST:
638 22625 : DLIST_ADD_END(call->conn->call_list, call);
639 22625 : break;
640 15781 : case DCESRV_LIST_FRAGMENTED_CALL_LIST:
641 15781 : DLIST_ADD_END(call->conn->incoming_fragmented_call_list, call);
642 15781 : break;
643 160487 : case DCESRV_LIST_PENDING_CALL_LIST:
644 160487 : DLIST_ADD_END(call->conn->pending_call_list, call);
645 160487 : break;
646 : }
647 594485 : }
648 :
649 356 : static void dcesrv_call_disconnect_after(struct dcesrv_call_state *call,
650 : const char *reason)
651 : {
652 356 : struct dcesrv_auth *a = NULL;
653 :
654 356 : if (call->conn->terminate != NULL) {
655 0 : return;
656 : }
657 :
658 356 : call->conn->allow_bind = false;
659 356 : call->conn->allow_alter = false;
660 :
661 356 : call->conn->default_auth_state->auth_invalid = true;
662 :
663 696 : for (a = call->conn->auth_states; a != NULL; a = a->next) {
664 340 : a->auth_invalid = true;
665 : }
666 :
667 356 : call->terminate_reason = talloc_strdup(call, reason);
668 356 : if (call->terminate_reason == NULL) {
669 0 : call->terminate_reason = __location__;
670 : }
671 : }
672 :
673 : /*
674 : return a dcerpc bind_nak
675 : */
676 99 : static NTSTATUS dcesrv_bind_nak(struct dcesrv_call_state *call, uint32_t reason)
677 : {
678 : struct ncacn_packet pkt;
679 : struct dcerpc_bind_nak_version version;
680 : struct data_blob_list_item *rep;
681 : NTSTATUS status;
682 : static const uint8_t _pad[3] = { 0, };
683 :
684 : /*
685 : * We add the call to the pending_call_list
686 : * in order to defer the termination.
687 : */
688 99 : dcesrv_call_disconnect_after(call, "dcesrv_bind_nak");
689 :
690 : /* setup a bind_nak */
691 99 : dcesrv_init_hdr(&pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
692 99 : pkt.auth_length = 0;
693 99 : pkt.call_id = call->pkt.call_id;
694 99 : pkt.ptype = DCERPC_PKT_BIND_NAK;
695 99 : pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
696 99 : pkt.u.bind_nak.reject_reason = reason;
697 99 : version.rpc_vers = 5;
698 99 : version.rpc_vers_minor = 0;
699 99 : pkt.u.bind_nak.num_versions = 1;
700 99 : pkt.u.bind_nak.versions = &version;
701 99 : pkt.u.bind_nak._pad = data_blob_const(_pad, sizeof(_pad));
702 :
703 99 : rep = talloc_zero(call, struct data_blob_list_item);
704 99 : if (!rep) {
705 0 : return NT_STATUS_NO_MEMORY;
706 : }
707 :
708 99 : status = dcerpc_ncacn_push_auth(&rep->blob, call, &pkt, NULL);
709 99 : if (!NT_STATUS_IS_OK(status)) {
710 0 : return status;
711 : }
712 :
713 99 : dcerpc_set_frag_length(&rep->blob, rep->blob.length);
714 :
715 99 : DLIST_ADD_END(call->replies, rep);
716 99 : dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
717 :
718 99 : if (call->conn->call_list && call->conn->call_list->replies) {
719 99 : if (call->conn->transport.report_output_data) {
720 99 : call->conn->transport.report_output_data(call->conn);
721 : }
722 : }
723 :
724 99 : return NT_STATUS_OK;
725 : }
726 :
727 257 : static NTSTATUS _dcesrv_fault_disconnect_flags(struct dcesrv_call_state *call,
728 : uint32_t fault_code,
729 : uint8_t extra_flags,
730 : const char *func,
731 : const char *location)
732 : {
733 257 : const char *reason = NULL;
734 :
735 257 : reason = talloc_asprintf(call, "%s:%s: fault=%u (%s) flags=0x%x",
736 : func, location,
737 : fault_code,
738 : dcerpc_errstr(call, fault_code),
739 : extra_flags);
740 257 : if (reason == NULL) {
741 0 : reason = location;
742 : }
743 :
744 : /*
745 : * We add the call to the pending_call_list
746 : * in order to defer the termination.
747 : */
748 :
749 257 : dcesrv_call_disconnect_after(call, reason);
750 :
751 257 : return dcesrv_fault_with_flags(call, fault_code, extra_flags);
752 : }
753 :
754 : #define dcesrv_fault_disconnect(call, fault_code) \
755 : _dcesrv_fault_disconnect_flags(call, fault_code, \
756 : DCERPC_PFC_FLAG_DID_NOT_EXECUTE, \
757 : __func__, __location__)
758 : #define dcesrv_fault_disconnect0(call, fault_code) \
759 : _dcesrv_fault_disconnect_flags(call, fault_code, 0, \
760 : __func__, __location__)
761 :
762 18073 : static int dcesrv_connection_context_destructor(struct dcesrv_connection_context *c)
763 : {
764 18073 : DLIST_REMOVE(c->conn->contexts, c);
765 :
766 18073 : if (c->iface && c->iface->unbind) {
767 18069 : c->iface->unbind(c, c->iface);
768 18069 : c->iface = NULL;
769 : }
770 :
771 18073 : return 0;
772 : }
773 :
774 16925 : static void dcesrv_prepare_context_auth(struct dcesrv_call_state *dce_call)
775 : {
776 16925 : struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
777 16925 : const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
778 14116 : enum dcerpc_transport_t transport =
779 16925 : dcerpc_binding_get_transport(endpoint->ep_description);
780 16925 : struct dcesrv_connection_context *context = dce_call->context;
781 16925 : const struct dcesrv_interface *iface = context->iface;
782 :
783 16925 : context->min_auth_level = DCERPC_AUTH_LEVEL_NONE;
784 :
785 16925 : if (transport == NCALRPC) {
786 1468 : context->allow_connect = true;
787 1468 : return;
788 : }
789 :
790 : /*
791 : * allow overwrite per interface
792 : * allow dcerpc auth level connect:<interface>
793 : */
794 15457 : context->allow_connect = lpcfg_allow_dcerpc_auth_level_connect(lp_ctx);
795 15457 : context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
796 : "allow dcerpc auth level connect",
797 2594 : iface->name,
798 15457 : context->allow_connect);
799 : }
800 :
801 1458 : NTSTATUS dcesrv_interface_bind_require_integrity(struct dcesrv_connection_context *context,
802 : const struct dcesrv_interface *iface)
803 : {
804 : /*
805 : * For connection oriented DCERPC DCERPC_AUTH_LEVEL_PACKET (4)
806 : * has the same behavior as DCERPC_AUTH_LEVEL_INTEGRITY (5).
807 : */
808 1458 : context->min_auth_level = DCERPC_AUTH_LEVEL_PACKET;
809 1458 : return NT_STATUS_OK;
810 : }
811 :
812 2159 : NTSTATUS dcesrv_interface_bind_require_privacy(struct dcesrv_connection_context *context,
813 : const struct dcesrv_interface *iface)
814 : {
815 2159 : context->min_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
816 2159 : return NT_STATUS_OK;
817 : }
818 :
819 6487 : _PUBLIC_ NTSTATUS dcesrv_interface_bind_reject_connect(struct dcesrv_connection_context *context,
820 : const struct dcesrv_interface *iface)
821 : {
822 6487 : struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
823 6487 : const struct dcesrv_endpoint *endpoint = context->conn->endpoint;
824 4996 : enum dcerpc_transport_t transport =
825 6487 : dcerpc_binding_get_transport(endpoint->ep_description);
826 :
827 6487 : if (transport == NCALRPC) {
828 689 : context->allow_connect = true;
829 689 : return NT_STATUS_OK;
830 : }
831 :
832 : /*
833 : * allow overwrite per interface
834 : * allow dcerpc auth level connect:<interface>
835 : */
836 5798 : context->allow_connect = false;
837 7183 : context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
838 : "allow dcerpc auth level connect",
839 1385 : iface->name,
840 5798 : context->allow_connect);
841 5798 : return NT_STATUS_OK;
842 : }
843 :
844 6396 : _PUBLIC_ NTSTATUS dcesrv_interface_bind_allow_connect(struct dcesrv_connection_context *context,
845 : const struct dcesrv_interface *iface)
846 : {
847 6396 : struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
848 6396 : const struct dcesrv_endpoint *endpoint = context->conn->endpoint;
849 5544 : enum dcerpc_transport_t transport =
850 6396 : dcerpc_binding_get_transport(endpoint->ep_description);
851 :
852 6396 : if (transport == NCALRPC) {
853 700 : context->allow_connect = true;
854 700 : return NT_STATUS_OK;
855 : }
856 :
857 : /*
858 : * allow overwrite per interface
859 : * allow dcerpc auth level connect:<interface>
860 : */
861 5696 : context->allow_connect = true;
862 6442 : context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
863 : "allow dcerpc auth level connect",
864 746 : iface->name,
865 5696 : context->allow_connect);
866 5696 : return NT_STATUS_OK;
867 : }
868 :
869 : struct dcesrv_conn_auth_wait_context {
870 : struct tevent_req *req;
871 : bool done;
872 : NTSTATUS status;
873 : };
874 :
875 : struct dcesrv_conn_auth_wait_state {
876 : uint8_t dummy;
877 : };
878 :
879 12513 : static struct tevent_req *dcesrv_conn_auth_wait_send(TALLOC_CTX *mem_ctx,
880 : struct tevent_context *ev,
881 : void *private_data)
882 : {
883 10824 : struct dcesrv_conn_auth_wait_context *auth_wait =
884 1689 : talloc_get_type_abort(private_data,
885 : struct dcesrv_conn_auth_wait_context);
886 12513 : struct tevent_req *req = NULL;
887 12513 : struct dcesrv_conn_auth_wait_state *state = NULL;
888 :
889 12513 : req = tevent_req_create(mem_ctx, &state,
890 : struct dcesrv_conn_auth_wait_state);
891 12513 : if (req == NULL) {
892 0 : return NULL;
893 : }
894 12513 : auth_wait->req = req;
895 :
896 12513 : tevent_req_defer_callback(req, ev);
897 :
898 12513 : if (!auth_wait->done) {
899 12513 : return req;
900 : }
901 :
902 0 : if (tevent_req_nterror(req, auth_wait->status)) {
903 0 : return tevent_req_post(req, ev);
904 : }
905 :
906 0 : tevent_req_done(req);
907 0 : return tevent_req_post(req, ev);
908 : }
909 :
910 12513 : static NTSTATUS dcesrv_conn_auth_wait_recv(struct tevent_req *req)
911 : {
912 12513 : return tevent_req_simple_recv_ntstatus(req);
913 : }
914 :
915 12513 : static NTSTATUS dcesrv_conn_auth_wait_setup(struct dcesrv_connection *conn)
916 : {
917 12513 : struct dcesrv_conn_auth_wait_context *auth_wait = NULL;
918 :
919 12513 : if (conn->wait_send != NULL) {
920 0 : return NT_STATUS_INTERNAL_ERROR;
921 : }
922 :
923 12513 : auth_wait = talloc_zero(conn, struct dcesrv_conn_auth_wait_context);
924 12513 : if (auth_wait == NULL) {
925 0 : return NT_STATUS_NO_MEMORY;
926 : }
927 :
928 12513 : conn->wait_private = auth_wait;
929 12513 : conn->wait_send = dcesrv_conn_auth_wait_send;
930 12513 : conn->wait_recv = dcesrv_conn_auth_wait_recv;
931 12513 : return NT_STATUS_OK;
932 : }
933 :
934 12513 : static void dcesrv_conn_auth_wait_finished(struct dcesrv_connection *conn,
935 : NTSTATUS status)
936 : {
937 10824 : struct dcesrv_conn_auth_wait_context *auth_wait =
938 12513 : talloc_get_type_abort(conn->wait_private,
939 : struct dcesrv_conn_auth_wait_context);
940 :
941 12513 : auth_wait->done = true;
942 12513 : auth_wait->status = status;
943 :
944 12513 : if (auth_wait->req == NULL) {
945 0 : return;
946 : }
947 :
948 12513 : if (tevent_req_nterror(auth_wait->req, status)) {
949 0 : return;
950 : }
951 :
952 12513 : tevent_req_done(auth_wait->req);
953 : }
954 :
955 : static NTSTATUS dcesrv_auth_reply(struct dcesrv_call_state *call);
956 :
957 : static void dcesrv_bind_done(struct tevent_req *subreq);
958 :
959 : /*
960 : handle a bind request
961 : */
962 16962 : static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
963 : {
964 16962 : struct dcesrv_connection *conn = call->conn;
965 16962 : struct dcesrv_context *dce_ctx = conn->dce_ctx;
966 16962 : struct ncacn_packet *pkt = &call->ack_pkt;
967 : NTSTATUS status;
968 16962 : uint32_t extra_flags = 0;
969 16962 : uint16_t max_req = 0;
970 16962 : uint16_t max_rep = 0;
971 16962 : struct dcerpc_binding *ep_2nd_description = NULL;
972 16962 : const char *endpoint = NULL;
973 16962 : struct dcesrv_auth *auth = call->auth_state;
974 16962 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
975 16962 : struct dcerpc_ack_ctx *ack_ctx_list = NULL;
976 16962 : struct dcerpc_ack_ctx *ack_features = NULL;
977 16962 : struct tevent_req *subreq = NULL;
978 : size_t i;
979 :
980 16962 : status = dcerpc_verify_ncacn_packet_header(&call->pkt,
981 : DCERPC_PKT_BIND,
982 : call->pkt.u.bind.auth_info.length,
983 : 0, /* required flags */
984 : DCERPC_PFC_FLAG_FIRST |
985 : DCERPC_PFC_FLAG_LAST |
986 : DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
987 : 0x08 | /* this is not defined, but should be ignored */
988 : DCERPC_PFC_FLAG_CONC_MPX |
989 : DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
990 : DCERPC_PFC_FLAG_MAYBE |
991 : DCERPC_PFC_FLAG_OBJECT_UUID);
992 16962 : if (!NT_STATUS_IS_OK(status)) {
993 3 : return dcesrv_bind_nak(call,
994 : DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED);
995 : }
996 :
997 : /* max_recv_frag and max_xmit_frag result always in the same value! */
998 16959 : max_req = MIN(call->pkt.u.bind.max_xmit_frag,
999 : call->pkt.u.bind.max_recv_frag);
1000 : /*
1001 : * The values are between 2048 and 5840 tested against Windows 2012R2
1002 : * via ncacn_ip_tcp on port 135.
1003 : */
1004 16959 : max_req = MAX(2048, max_req);
1005 16959 : max_rep = MIN(max_req, conn->max_recv_frag);
1006 : /* They are truncated to an 8 byte boundary. */
1007 16959 : max_rep &= 0xFFF8;
1008 :
1009 : /* max_recv_frag and max_xmit_frag result always in the same value! */
1010 16959 : conn->max_recv_frag = max_rep;
1011 16959 : conn->max_xmit_frag = max_rep;
1012 :
1013 31101 : status = dce_ctx->callbacks->assoc_group.find(
1014 16959 : call, dce_ctx->callbacks->assoc_group.private_data);
1015 16959 : if (!NT_STATUS_IS_OK(status)) {
1016 25 : DBG_NOTICE("Failed to find assoc_group 0x%08x: %s\n",
1017 : call->pkt.u.bind.assoc_group_id, nt_errstr(status));
1018 25 : return dcesrv_bind_nak(call, 0);
1019 : }
1020 :
1021 16934 : if (call->pkt.u.bind.num_contexts < 1) {
1022 6 : return dcesrv_bind_nak(call, 0);
1023 : }
1024 :
1025 16928 : ack_ctx_list = talloc_zero_array(call, struct dcerpc_ack_ctx,
1026 : call->pkt.u.bind.num_contexts);
1027 16928 : if (ack_ctx_list == NULL) {
1028 0 : return dcesrv_bind_nak(call, 0);
1029 : }
1030 :
1031 : /*
1032 : * Set some sane defaults (required by dcesrv_negotiate_contexts()/
1033 : * dcesrv_check_or_create_context()) and do some protocol validation
1034 : * and set sane defaults.
1035 : */
1036 48329 : for (i = 0; i < call->pkt.u.bind.num_contexts; i++) {
1037 31407 : const struct dcerpc_ctx_list *c = &call->pkt.u.bind.ctx_list[i];
1038 31407 : struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1039 31407 : bool is_feature = false;
1040 31407 : uint64_t features = 0;
1041 :
1042 31407 : if (c->num_transfer_syntaxes == 0) {
1043 8 : return dcesrv_bind_nak(call, 0);
1044 : }
1045 :
1046 31404 : a->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1047 31404 : a->reason.value = DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;
1048 :
1049 : /*
1050 : * It's only treated as bind time feature request, if the first
1051 : * transfer_syntax matches, all others are ignored.
1052 : */
1053 31404 : is_feature = dcerpc_extract_bind_time_features(c->transfer_syntaxes[0],
1054 : &features);
1055 31404 : if (!is_feature) {
1056 16907 : continue;
1057 : }
1058 :
1059 14497 : if (ack_features != NULL) {
1060 : /*
1061 : * Only one bind time feature context is allowed.
1062 : */
1063 3 : return dcesrv_bind_nak(call, 0);
1064 : }
1065 14494 : ack_features = a;
1066 :
1067 14494 : a->result = DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK;
1068 14494 : a->reason.negotiate = 0;
1069 14494 : if (features & DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING) {
1070 14479 : if (conn->max_auth_states != 0) {
1071 13129 : a->reason.negotiate |=
1072 : DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING;
1073 : }
1074 : }
1075 14494 : if (features & DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN) {
1076 14485 : a->reason.negotiate |=
1077 : DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN;
1078 : }
1079 :
1080 14494 : conn->assoc_group->bind_time_features = a->reason.negotiate;
1081 : }
1082 :
1083 : /*
1084 : * Try to negotiate one new presentation context.
1085 : *
1086 : * Deep in here we locate the iface (by uuid) that the client
1087 : * requested, from the list of interfaces on the
1088 : * call->conn->endpoint, and call iface->bind() on that iface.
1089 : *
1090 : * call->conn was set up at the accept() of the socket, and
1091 : * call->conn->endpoint has a list of interfaces restricted to
1092 : * this port or pipe.
1093 : */
1094 16922 : status = dcesrv_negotiate_contexts(call, &call->pkt.u.bind, ack_ctx_list);
1095 16922 : if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
1096 0 : return dcesrv_bind_nak(call, 0);
1097 : }
1098 16922 : if (!NT_STATUS_IS_OK(status)) {
1099 0 : return status;
1100 : }
1101 :
1102 : /*
1103 : * At this point we still don't know which interface (eg
1104 : * netlogon, lsa, drsuapi) the caller requested in this bind!
1105 : * The most recently added context is available as the first
1106 : * element in the linked list at call->conn->contexts, that is
1107 : * call->conn->contexts->iface, but they may not have
1108 : * requested one at all!
1109 : */
1110 :
1111 16999 : if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) &&
1112 111 : (call->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
1113 111 : call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
1114 111 : extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
1115 : }
1116 :
1117 16922 : if (call->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
1118 0 : conn->state_flags |= DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL;
1119 : }
1120 :
1121 : /*
1122 : * After finding the interface and setting up the NDR
1123 : * transport negotiation etc, handle any authentication that
1124 : * is being requested.
1125 : */
1126 16922 : if (!dcesrv_auth_bind(call)) {
1127 :
1128 45 : if (auth->auth_level == DCERPC_AUTH_LEVEL_NONE) {
1129 : /*
1130 : * With DCERPC_AUTH_LEVEL_NONE, we get the
1131 : * reject_reason in auth->auth_context_id.
1132 : */
1133 45 : return dcesrv_bind_nak(call, auth->auth_context_id);
1134 : }
1135 :
1136 : /*
1137 : * This must a be a temporary failure e.g. talloc or invalid
1138 : * configuration, e.g. no machine account.
1139 : */
1140 0 : return dcesrv_bind_nak(call,
1141 : DCERPC_BIND_NAK_REASON_TEMPORARY_CONGESTION);
1142 : }
1143 :
1144 : /* setup a bind_ack */
1145 16877 : dcesrv_init_hdr(pkt, lpcfg_rpc_big_endian(dce_ctx->lp_ctx));
1146 16877 : pkt->auth_length = 0;
1147 16877 : pkt->call_id = call->pkt.call_id;
1148 16877 : pkt->ptype = DCERPC_PKT_BIND_ACK;
1149 16877 : pkt->pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
1150 16877 : pkt->u.bind_ack.max_xmit_frag = conn->max_xmit_frag;
1151 16877 : pkt->u.bind_ack.max_recv_frag = conn->max_recv_frag;
1152 16877 : pkt->u.bind_ack.assoc_group_id = conn->assoc_group->id;
1153 :
1154 16877 : ep_2nd_description = conn->endpoint->ep_2nd_description;
1155 16877 : if (ep_2nd_description == NULL) {
1156 13901 : ep_2nd_description = conn->endpoint->ep_description;
1157 : }
1158 :
1159 16877 : endpoint = dcerpc_binding_get_string_option(
1160 : ep_2nd_description,
1161 : "endpoint");
1162 16877 : if (endpoint == NULL) {
1163 0 : endpoint = "";
1164 : }
1165 :
1166 16877 : pkt->u.bind_ack.secondary_address = endpoint;
1167 16877 : pkt->u.bind_ack.num_results = call->pkt.u.bind.num_contexts;
1168 16877 : pkt->u.bind_ack.ctx_list = ack_ctx_list;
1169 16877 : pkt->u.bind_ack.auth_info = data_blob_null;
1170 :
1171 16877 : status = dcesrv_auth_prepare_bind_ack(call, pkt);
1172 16877 : if (!NT_STATUS_IS_OK(status)) {
1173 0 : return dcesrv_bind_nak(call, 0);
1174 : }
1175 :
1176 16877 : if (auth->auth_finished) {
1177 10018 : return dcesrv_auth_reply(call);
1178 : }
1179 :
1180 6859 : cb->auth.become_root();
1181 6859 : subreq = gensec_update_send(call, call->event_ctx,
1182 : auth->gensec_security,
1183 : call->in_auth_info.credentials);
1184 6859 : cb->auth.unbecome_root();
1185 6859 : if (subreq == NULL) {
1186 0 : return NT_STATUS_NO_MEMORY;
1187 : }
1188 6859 : tevent_req_set_callback(subreq, dcesrv_bind_done, call);
1189 :
1190 6859 : return dcesrv_conn_auth_wait_setup(conn);
1191 : }
1192 :
1193 6859 : static void dcesrv_bind_done(struct tevent_req *subreq)
1194 : {
1195 5931 : struct dcesrv_call_state *call =
1196 6859 : tevent_req_callback_data(subreq,
1197 : struct dcesrv_call_state);
1198 6859 : struct dcesrv_connection *conn = call->conn;
1199 6859 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
1200 : NTSTATUS status;
1201 :
1202 6859 : cb->auth.become_root();
1203 6859 : status = gensec_update_recv(subreq, call,
1204 6859 : &call->out_auth_info->credentials);
1205 6859 : cb->auth.unbecome_root();
1206 6859 : TALLOC_FREE(subreq);
1207 :
1208 6859 : status = dcesrv_auth_complete(call, status);
1209 6859 : if (!NT_STATUS_IS_OK(status)) {
1210 11 : status = dcesrv_bind_nak(call, 0);
1211 11 : dcesrv_conn_auth_wait_finished(conn, status);
1212 11 : return;
1213 : }
1214 :
1215 6848 : status = dcesrv_auth_reply(call);
1216 6848 : dcesrv_conn_auth_wait_finished(conn, status);
1217 6848 : return;
1218 : }
1219 :
1220 22526 : static NTSTATUS dcesrv_auth_reply(struct dcesrv_call_state *call)
1221 : {
1222 22526 : struct ncacn_packet *pkt = &call->ack_pkt;
1223 22526 : struct data_blob_list_item *rep = NULL;
1224 : NTSTATUS status;
1225 :
1226 22526 : rep = talloc_zero(call, struct data_blob_list_item);
1227 22526 : if (!rep) {
1228 0 : return NT_STATUS_NO_MEMORY;
1229 : }
1230 :
1231 22526 : status = dcerpc_ncacn_push_auth(&rep->blob,
1232 : call,
1233 : pkt,
1234 : call->out_auth_info);
1235 22526 : if (!NT_STATUS_IS_OK(status)) {
1236 0 : return status;
1237 : }
1238 :
1239 22526 : dcerpc_set_frag_length(&rep->blob, rep->blob.length);
1240 :
1241 22526 : DLIST_ADD_END(call->replies, rep);
1242 22526 : dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
1243 :
1244 22526 : if (call->conn->call_list && call->conn->call_list->replies) {
1245 22526 : if (call->conn->transport.report_output_data) {
1246 22526 : call->conn->transport.report_output_data(call->conn);
1247 : }
1248 : }
1249 :
1250 22526 : return NT_STATUS_OK;
1251 : }
1252 :
1253 :
1254 : static void dcesrv_auth3_done(struct tevent_req *subreq);
1255 :
1256 : /*
1257 : handle a auth3 request
1258 : */
1259 135 : static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
1260 : {
1261 135 : struct dcesrv_connection *conn = call->conn;
1262 135 : struct dcesrv_auth *auth = call->auth_state;
1263 135 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
1264 135 : struct tevent_req *subreq = NULL;
1265 : NTSTATUS status;
1266 :
1267 135 : if (!auth->auth_started) {
1268 0 : return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1269 : }
1270 :
1271 135 : if (auth->auth_finished) {
1272 3 : return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1273 : }
1274 :
1275 132 : status = dcerpc_verify_ncacn_packet_header(&call->pkt,
1276 : DCERPC_PKT_AUTH3,
1277 : call->pkt.u.auth3.auth_info.length,
1278 : 0, /* required flags */
1279 : DCERPC_PFC_FLAG_FIRST |
1280 : DCERPC_PFC_FLAG_LAST |
1281 : DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1282 : 0x08 | /* this is not defined, but should be ignored */
1283 : DCERPC_PFC_FLAG_CONC_MPX |
1284 : DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1285 : DCERPC_PFC_FLAG_MAYBE |
1286 : DCERPC_PFC_FLAG_OBJECT_UUID);
1287 132 : if (!NT_STATUS_IS_OK(status)) {
1288 0 : return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1289 : }
1290 :
1291 : /* handle the auth3 in the auth code */
1292 132 : if (!dcesrv_auth_prepare_auth3(call)) {
1293 : /*
1294 : * we don't send a reply to a auth3 request,
1295 : * except by a fault.
1296 : *
1297 : * In anycase we mark the connection as
1298 : * invalid.
1299 : */
1300 3 : auth->auth_invalid = true;
1301 3 : if (call->fault_code != 0) {
1302 3 : return dcesrv_fault_disconnect(call, call->fault_code);
1303 : }
1304 0 : TALLOC_FREE(call);
1305 0 : return NT_STATUS_OK;
1306 : }
1307 :
1308 129 : cb->auth.become_root();
1309 129 : subreq = gensec_update_send(call, call->event_ctx,
1310 : auth->gensec_security,
1311 : call->in_auth_info.credentials);
1312 129 : cb->auth.unbecome_root();
1313 129 : if (subreq == NULL) {
1314 0 : return NT_STATUS_NO_MEMORY;
1315 : }
1316 129 : tevent_req_set_callback(subreq, dcesrv_auth3_done, call);
1317 :
1318 129 : return dcesrv_conn_auth_wait_setup(conn);
1319 : }
1320 :
1321 129 : static void dcesrv_auth3_done(struct tevent_req *subreq)
1322 : {
1323 83 : struct dcesrv_call_state *call =
1324 129 : tevent_req_callback_data(subreq,
1325 : struct dcesrv_call_state);
1326 129 : struct dcesrv_connection *conn = call->conn;
1327 129 : struct dcesrv_auth *auth = call->auth_state;
1328 129 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
1329 : NTSTATUS status;
1330 :
1331 129 : cb->auth.become_root();
1332 129 : status = gensec_update_recv(subreq, call,
1333 129 : &call->out_auth_info->credentials);
1334 129 : cb->auth.unbecome_root();
1335 129 : TALLOC_FREE(subreq);
1336 :
1337 129 : status = dcesrv_auth_complete(call, status);
1338 129 : if (!NT_STATUS_IS_OK(status)) {
1339 : /*
1340 : * we don't send a reply to a auth3 request,
1341 : * except by a fault.
1342 : *
1343 : * In anycase we mark the connection as
1344 : * invalid.
1345 : */
1346 3 : auth->auth_invalid = true;
1347 3 : if (call->fault_code != 0) {
1348 0 : status = dcesrv_fault_disconnect(call, call->fault_code);
1349 0 : dcesrv_conn_auth_wait_finished(conn, status);
1350 0 : return;
1351 : }
1352 3 : TALLOC_FREE(call);
1353 3 : dcesrv_conn_auth_wait_finished(conn, NT_STATUS_OK);
1354 3 : return;
1355 : }
1356 :
1357 : /*
1358 : * we don't send a reply to a auth3 request.
1359 : */
1360 126 : TALLOC_FREE(call);
1361 126 : dcesrv_conn_auth_wait_finished(conn, NT_STATUS_OK);
1362 126 : return;
1363 : }
1364 :
1365 :
1366 37100 : static NTSTATUS dcesrv_check_or_create_context(struct dcesrv_call_state *call,
1367 : const struct dcerpc_bind *b,
1368 : const struct dcerpc_ctx_list *ctx,
1369 : struct dcerpc_ack_ctx *ack,
1370 : bool validate_only,
1371 : const struct ndr_syntax_id *supported_transfer)
1372 : {
1373 : struct dcesrv_connection_context *context;
1374 : const struct dcesrv_interface *iface;
1375 : NTSTATUS status;
1376 37100 : const struct ndr_syntax_id *selected_transfer = NULL;
1377 : size_t i;
1378 : bool ok;
1379 :
1380 37100 : if (b == NULL) {
1381 0 : return NT_STATUS_INTERNAL_ERROR;
1382 : }
1383 37100 : if (ctx == NULL) {
1384 0 : return NT_STATUS_INTERNAL_ERROR;
1385 : }
1386 37100 : if (ctx->num_transfer_syntaxes < 1) {
1387 0 : return NT_STATUS_INTERNAL_ERROR;
1388 : }
1389 37100 : if (ack == NULL) {
1390 0 : return NT_STATUS_INTERNAL_ERROR;
1391 : }
1392 37100 : if (supported_transfer == NULL) {
1393 0 : return NT_STATUS_INTERNAL_ERROR;
1394 : }
1395 :
1396 37100 : switch (ack->result) {
1397 14491 : case DCERPC_BIND_ACK_RESULT_ACCEPTANCE:
1398 : case DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK:
1399 : /*
1400 : * We is already completed.
1401 : */
1402 14491 : return NT_STATUS_OK;
1403 22609 : default:
1404 22609 : break;
1405 : }
1406 :
1407 22609 : ack->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1408 22609 : ack->reason.value = DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;
1409 :
1410 41653 : iface = find_interface_by_syntax_id(
1411 22609 : call->conn->endpoint, &ctx->abstract_syntax);
1412 22609 : if (iface == NULL) {
1413 : struct ndr_syntax_id_buf buf;
1414 21 : DBG_NOTICE("Request for unknown dcerpc interface %s\n",
1415 : ndr_syntax_id_buf_string(
1416 : &ctx->abstract_syntax, &buf));
1417 : /*
1418 : * We report this only via ack->result
1419 : */
1420 21 : return NT_STATUS_OK;
1421 : }
1422 :
1423 22588 : ack->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1424 22588 : ack->reason.value = DCERPC_BIND_ACK_REASON_TRANSFER_SYNTAXES_NOT_SUPPORTED;
1425 :
1426 22588 : if (validate_only) {
1427 : /*
1428 : * We report this only via ack->result
1429 : */
1430 15 : return NT_STATUS_OK;
1431 : }
1432 :
1433 22606 : for (i = 0; i < ctx->num_transfer_syntaxes; i++) {
1434 : /*
1435 : * we only do NDR encoded dcerpc for now.
1436 : */
1437 22600 : ok = ndr_syntax_id_equal(&ctx->transfer_syntaxes[i],
1438 : supported_transfer);
1439 22600 : if (ok) {
1440 22567 : selected_transfer = supported_transfer;
1441 22567 : break;
1442 : }
1443 : }
1444 :
1445 22573 : context = dcesrv_find_context(call->conn, ctx->context_id);
1446 22573 : if (context != NULL) {
1447 5648 : ok = ndr_syntax_id_equal(&context->iface->syntax_id,
1448 : &ctx->abstract_syntax);
1449 5648 : if (!ok) {
1450 9 : return NT_STATUS_RPC_PROTOCOL_ERROR;
1451 : }
1452 :
1453 5639 : if (selected_transfer != NULL) {
1454 5633 : ok = ndr_syntax_id_equal(&context->transfer_syntax,
1455 : selected_transfer);
1456 5633 : if (!ok) {
1457 0 : return NT_STATUS_RPC_PROTOCOL_ERROR;
1458 : }
1459 :
1460 5633 : ack->result = DCERPC_BIND_ACK_RESULT_ACCEPTANCE;
1461 5633 : ack->reason.value = DCERPC_BIND_ACK_REASON_NOT_SPECIFIED;
1462 5633 : ack->syntax = context->transfer_syntax;
1463 : }
1464 :
1465 : /*
1466 : * We report this only via ack->result
1467 : */
1468 5639 : return NT_STATUS_OK;
1469 : }
1470 :
1471 16925 : if (selected_transfer == NULL) {
1472 : /*
1473 : * We report this only via ack->result
1474 : */
1475 0 : return NT_STATUS_OK;
1476 : }
1477 :
1478 16925 : ack->result = DCERPC_BIND_ACK_RESULT_USER_REJECTION;
1479 16925 : ack->reason.value = DCERPC_BIND_ACK_REASON_LOCAL_LIMIT_EXCEEDED;
1480 :
1481 : /* add this context to the list of available context_ids */
1482 16925 : context = talloc_zero(call->conn, struct dcesrv_connection_context);
1483 16925 : if (context == NULL) {
1484 0 : return NT_STATUS_NO_MEMORY;
1485 : }
1486 16925 : context->conn = call->conn;
1487 16925 : context->context_id = ctx->context_id;
1488 16925 : context->iface = iface;
1489 16925 : context->transfer_syntax = *selected_transfer;
1490 16925 : DLIST_ADD(call->conn->contexts, context);
1491 16925 : call->context = context;
1492 16925 : talloc_set_destructor(context, dcesrv_connection_context_destructor);
1493 :
1494 16925 : dcesrv_prepare_context_auth(call);
1495 :
1496 : /*
1497 : * Multiplex is supported by default
1498 : */
1499 16925 : call->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
1500 :
1501 16925 : status = iface->bind(context, iface);
1502 16925 : call->context = NULL;
1503 16925 : if (!NT_STATUS_IS_OK(status)) {
1504 : /* we don't want to trigger the iface->unbind() hook */
1505 0 : context->iface = NULL;
1506 0 : talloc_free(context);
1507 : /*
1508 : * We report this only via ack->result
1509 : */
1510 0 : return NT_STATUS_OK;
1511 : }
1512 :
1513 16925 : ack->result = DCERPC_BIND_ACK_RESULT_ACCEPTANCE;
1514 16925 : ack->reason.value = DCERPC_BIND_ACK_REASON_NOT_SPECIFIED;
1515 16925 : ack->syntax = context->transfer_syntax;
1516 16925 : return NT_STATUS_OK;
1517 : }
1518 :
1519 22609 : static NTSTATUS dcesrv_negotiate_contexts(struct dcesrv_call_state *call,
1520 : const struct dcerpc_bind *b,
1521 : struct dcerpc_ack_ctx *ack_ctx_list)
1522 : {
1523 : NTSTATUS status;
1524 : size_t i;
1525 22609 : bool validate_only = false;
1526 : bool preferred_ndr32;
1527 :
1528 : /*
1529 : * Try to negotiate one new presentation context,
1530 : * using our preferred transfer syntax.
1531 : */
1532 59700 : for (i = 0; i < b->num_contexts; i++) {
1533 37100 : const struct dcerpc_ctx_list *c = &b->ctx_list[i];
1534 37100 : struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1535 :
1536 37100 : status = dcesrv_check_or_create_context(call, b, c, a,
1537 : validate_only,
1538 37100 : call->conn->preferred_transfer);
1539 37100 : if (!NT_STATUS_IS_OK(status)) {
1540 9 : return status;
1541 : }
1542 :
1543 37091 : if (a->result == DCERPC_BIND_ACK_RESULT_ACCEPTANCE) {
1544 : /*
1545 : * We managed to negotiate one context.
1546 : *
1547 : * => we're done.
1548 : */
1549 22558 : validate_only = true;
1550 : }
1551 : }
1552 :
1553 22600 : preferred_ndr32 = ndr_syntax_id_equal(&ndr_transfer_syntax_ndr,
1554 22600 : call->conn->preferred_transfer);
1555 22600 : if (preferred_ndr32) {
1556 : /*
1557 : * We're done.
1558 : */
1559 22600 : return NT_STATUS_OK;
1560 : }
1561 :
1562 : /*
1563 : * Try to negotiate one new presentation context,
1564 : * using NDR 32 as fallback.
1565 : */
1566 0 : for (i = 0; i < b->num_contexts; i++) {
1567 0 : const struct dcerpc_ctx_list *c = &b->ctx_list[i];
1568 0 : struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1569 :
1570 0 : status = dcesrv_check_or_create_context(call, b, c, a,
1571 : validate_only,
1572 : &ndr_transfer_syntax_ndr);
1573 0 : if (!NT_STATUS_IS_OK(status)) {
1574 0 : return status;
1575 : }
1576 :
1577 0 : if (a->result == DCERPC_BIND_ACK_RESULT_ACCEPTANCE) {
1578 : /*
1579 : * We managed to negotiate one context.
1580 : *
1581 : * => we're done.
1582 : */
1583 0 : validate_only = true;
1584 : }
1585 : }
1586 :
1587 0 : return NT_STATUS_OK;
1588 : }
1589 :
1590 : static void dcesrv_alter_done(struct tevent_req *subreq);
1591 :
1592 : /*
1593 : handle a alter context request
1594 : */
1595 5702 : static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
1596 : {
1597 5702 : struct dcesrv_connection *conn = call->conn;
1598 : NTSTATUS status;
1599 5702 : bool auth_ok = false;
1600 5702 : struct ncacn_packet *pkt = &call->ack_pkt;
1601 5702 : uint32_t extra_flags = 0;
1602 5702 : struct dcesrv_auth *auth = call->auth_state;
1603 5702 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
1604 5702 : struct dcerpc_ack_ctx *ack_ctx_list = NULL;
1605 5702 : struct tevent_req *subreq = NULL;
1606 : size_t i;
1607 :
1608 5702 : if (!call->conn->allow_alter) {
1609 0 : return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1610 : }
1611 :
1612 5702 : status = dcerpc_verify_ncacn_packet_header(&call->pkt,
1613 : DCERPC_PKT_ALTER,
1614 : call->pkt.u.alter.auth_info.length,
1615 : 0, /* required flags */
1616 : DCERPC_PFC_FLAG_FIRST |
1617 : DCERPC_PFC_FLAG_LAST |
1618 : DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
1619 : 0x08 | /* this is not defined, but should be ignored */
1620 : DCERPC_PFC_FLAG_CONC_MPX |
1621 : DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
1622 : DCERPC_PFC_FLAG_MAYBE |
1623 : DCERPC_PFC_FLAG_OBJECT_UUID);
1624 5702 : if (!NT_STATUS_IS_OK(status)) {
1625 0 : return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1626 : }
1627 :
1628 5702 : auth_ok = dcesrv_auth_alter(call);
1629 5702 : if (!auth_ok) {
1630 24 : if (call->fault_code != 0) {
1631 9 : return dcesrv_fault_disconnect(call, call->fault_code);
1632 : }
1633 : }
1634 :
1635 5693 : if (call->pkt.u.alter.num_contexts < 1) {
1636 3 : return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1637 : }
1638 :
1639 5690 : ack_ctx_list = talloc_zero_array(call, struct dcerpc_ack_ctx,
1640 : call->pkt.u.alter.num_contexts);
1641 5690 : if (ack_ctx_list == NULL) {
1642 0 : return NT_STATUS_NO_MEMORY;
1643 : }
1644 :
1645 : /*
1646 : * Set some sane defaults (required by dcesrv_negotiate_contexts()/
1647 : * dcesrv_check_or_create_context()) and do some protocol validation
1648 : * and set sane defaults.
1649 : */
1650 11392 : for (i = 0; i < call->pkt.u.alter.num_contexts; i++) {
1651 5705 : const struct dcerpc_ctx_list *c = &call->pkt.u.alter.ctx_list[i];
1652 5705 : struct dcerpc_ack_ctx *a = &ack_ctx_list[i];
1653 :
1654 5705 : if (c->num_transfer_syntaxes == 0) {
1655 3 : return dcesrv_fault_disconnect(call,
1656 : DCERPC_NCA_S_PROTO_ERROR);
1657 : }
1658 :
1659 5702 : a->result = DCERPC_BIND_ACK_RESULT_PROVIDER_REJECTION;
1660 5702 : a->reason.value = DCERPC_BIND_ACK_REASON_ABSTRACT_SYNTAX_NOT_SUPPORTED;
1661 : }
1662 :
1663 : /*
1664 : * Try to negotiate one new presentation context.
1665 : */
1666 5687 : status = dcesrv_negotiate_contexts(call, &call->pkt.u.alter, ack_ctx_list);
1667 5687 : if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROTOCOL_ERROR)) {
1668 9 : return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1669 : }
1670 5678 : if (!NT_STATUS_IS_OK(status)) {
1671 0 : return status;
1672 : }
1673 :
1674 5687 : if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) &&
1675 16 : (call->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
1676 10 : call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
1677 10 : extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
1678 : }
1679 :
1680 5678 : if (call->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
1681 0 : call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL;
1682 : }
1683 :
1684 : /* handle any authentication that is being requested */
1685 5678 : if (!auth_ok) {
1686 12 : if (call->in_auth_info.auth_type != auth->auth_type) {
1687 6 : return dcesrv_fault_disconnect(call,
1688 : DCERPC_FAULT_SEC_PKG_ERROR);
1689 : }
1690 6 : return dcesrv_fault_disconnect(call, DCERPC_FAULT_ACCESS_DENIED);
1691 : }
1692 :
1693 5666 : dcesrv_init_hdr(pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
1694 5666 : pkt->auth_length = 0;
1695 5666 : pkt->call_id = call->pkt.call_id;
1696 5666 : pkt->ptype = DCERPC_PKT_ALTER_RESP;
1697 5666 : pkt->pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
1698 5666 : pkt->u.alter_resp.max_xmit_frag = call->conn->max_xmit_frag;
1699 5666 : pkt->u.alter_resp.max_recv_frag = call->conn->max_recv_frag;
1700 5666 : pkt->u.alter_resp.assoc_group_id = call->conn->assoc_group->id;
1701 5666 : pkt->u.alter_resp.secondary_address = "";
1702 5666 : pkt->u.alter_resp.num_results = call->pkt.u.alter.num_contexts;
1703 5666 : pkt->u.alter_resp.ctx_list = ack_ctx_list;
1704 5666 : pkt->u.alter_resp.auth_info = data_blob_null;
1705 :
1706 5666 : status = dcesrv_auth_prepare_alter_ack(call, pkt);
1707 5666 : if (!NT_STATUS_IS_OK(status)) {
1708 0 : return dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
1709 : }
1710 :
1711 5666 : if (auth->auth_finished) {
1712 141 : return dcesrv_auth_reply(call);
1713 : }
1714 :
1715 5525 : cb->auth.become_root();
1716 5525 : subreq = gensec_update_send(call, call->event_ctx,
1717 : auth->gensec_security,
1718 : call->in_auth_info.credentials);
1719 5525 : cb->auth.unbecome_root();
1720 5525 : if (subreq == NULL) {
1721 0 : return NT_STATUS_NO_MEMORY;
1722 : }
1723 5525 : tevent_req_set_callback(subreq, dcesrv_alter_done, call);
1724 :
1725 5525 : return dcesrv_conn_auth_wait_setup(conn);
1726 : }
1727 :
1728 5525 : static void dcesrv_alter_done(struct tevent_req *subreq)
1729 : {
1730 4810 : struct dcesrv_call_state *call =
1731 5525 : tevent_req_callback_data(subreq,
1732 : struct dcesrv_call_state);
1733 5525 : struct dcesrv_connection *conn = call->conn;
1734 5525 : struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
1735 : NTSTATUS status;
1736 :
1737 5525 : cb->auth.become_root();
1738 5525 : status = gensec_update_recv(subreq, call,
1739 5525 : &call->out_auth_info->credentials);
1740 5525 : cb->auth.unbecome_root();
1741 5525 : TALLOC_FREE(subreq);
1742 :
1743 5525 : status = dcesrv_auth_complete(call, status);
1744 5525 : if (!NT_STATUS_IS_OK(status)) {
1745 6 : status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
1746 6 : dcesrv_conn_auth_wait_finished(conn, status);
1747 6 : return;
1748 : }
1749 :
1750 5519 : status = dcesrv_auth_reply(call);
1751 5519 : dcesrv_conn_auth_wait_finished(conn, status);
1752 5519 : return;
1753 : }
1754 :
1755 : /*
1756 : possibly save the call for inspection with ndrdump
1757 : */
1758 1792 : static void dcesrv_save_call(struct dcesrv_call_state *call, const char *why)
1759 : {
1760 : #ifdef DEVELOPER
1761 2889 : dcerpc_log_packet(call->conn->packet_log_dir,
1762 1792 : call->context->iface->name,
1763 1792 : call->pkt.u.request.opnum,
1764 : NDR_IN,
1765 1792 : &call->pkt.u.request.stub_and_verifier,
1766 : why);
1767 : #endif
1768 1792 : }
1769 :
1770 : #ifdef DEVELOPER
1771 : /*
1772 : Save the call for use as a seed for fuzzing.
1773 :
1774 : This is only enabled in a developer build, and only has effect if the
1775 : "dcesrv fuzz directory" param is set.
1776 : */
1777 335750 : void _dcesrv_save_ndr_fuzz_seed(DATA_BLOB call_blob,
1778 : struct dcesrv_call_state *call,
1779 : int flags)
1780 : {
1781 335750 : const char *dump_dir = lpcfg_parm_string(call->conn->dce_ctx->lp_ctx,
1782 : NULL,
1783 : "dcesrv", "fuzz directory");
1784 :
1785 877426 : dcerpc_save_ndr_fuzz_seed(call,
1786 : call_blob,
1787 : dump_dir,
1788 335750 : call->context->iface->name,
1789 : flags,
1790 335750 : call->pkt.u.request.opnum,
1791 335750 : call->ndr_pull->flags & LIBNDR_FLAG_NDR64);
1792 335750 : }
1793 : #endif /*if DEVELOPER, enveloping _dcesrv_save_ndr_fuzz_seed() */
1794 :
1795 :
1796 175333 : static NTSTATUS dcesrv_check_verification_trailer(struct dcesrv_call_state *call)
1797 : {
1798 175333 : TALLOC_CTX *frame = talloc_stackframe();
1799 318171 : const uint32_t bitmask1 = call->conn->client_hdr_signing ?
1800 175333 : DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING : 0;
1801 318171 : const struct dcerpc_sec_vt_pcontext pcontext = {
1802 175333 : .abstract_syntax = call->context->iface->syntax_id,
1803 175333 : .transfer_syntax = call->context->transfer_syntax,
1804 : };
1805 142838 : const struct dcerpc_sec_vt_header2 header2 =
1806 175333 : dcerpc_sec_vt_header2_from_ncacn_packet(&call->pkt);
1807 : enum ndr_err_code ndr_err;
1808 175333 : struct dcerpc_sec_verification_trailer *vt = NULL;
1809 175333 : NTSTATUS status = NT_STATUS_OK;
1810 : bool ok;
1811 :
1812 175333 : SMB_ASSERT(call->pkt.ptype == DCERPC_PKT_REQUEST);
1813 :
1814 175333 : ndr_err = ndr_pop_dcerpc_sec_verification_trailer(call->ndr_pull,
1815 : frame, &vt);
1816 175333 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1817 0 : status = ndr_map_error2ntstatus(ndr_err);
1818 0 : goto done;
1819 : }
1820 :
1821 175333 : ok = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
1822 : &pcontext, &header2);
1823 175333 : if (!ok) {
1824 0 : status = NT_STATUS_ACCESS_DENIED;
1825 0 : goto done;
1826 : }
1827 318171 : done:
1828 175333 : TALLOC_FREE(frame);
1829 175333 : return status;
1830 : }
1831 :
1832 : /*
1833 : handle a dcerpc request packet
1834 : */
1835 175455 : static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
1836 : {
1837 175455 : const struct dcesrv_endpoint *endpoint = call->conn->endpoint;
1838 175455 : struct dcesrv_auth *auth = call->auth_state;
1839 142958 : enum dcerpc_transport_t transport =
1840 175455 : dcerpc_binding_get_transport(endpoint->ep_description);
1841 : struct ndr_pull *pull;
1842 175455 : bool turn_winbind_on = false;
1843 : NTSTATUS status;
1844 :
1845 175455 : if (auth->auth_invalid) {
1846 0 : return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1847 : }
1848 :
1849 175455 : if (!auth->auth_finished) {
1850 0 : return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
1851 : }
1852 :
1853 : /* if authenticated, and the mech we use can't do async replies, don't use them... */
1854 238264 : if (auth->gensec_security != NULL &&
1855 77235 : !gensec_have_feature(auth->gensec_security, GENSEC_FEATURE_ASYNC_REPLIES)) {
1856 17140 : call->state_flags &= ~DCESRV_CALL_STATE_FLAG_MAY_ASYNC;
1857 : }
1858 :
1859 175455 : if (call->context == NULL) {
1860 0 : return dcesrv_fault_with_flags(call, DCERPC_NCA_S_UNKNOWN_IF,
1861 : DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
1862 : }
1863 :
1864 175455 : switch (auth->auth_level) {
1865 174266 : case DCERPC_AUTH_LEVEL_NONE:
1866 : case DCERPC_AUTH_LEVEL_PACKET:
1867 : case DCERPC_AUTH_LEVEL_INTEGRITY:
1868 : case DCERPC_AUTH_LEVEL_PRIVACY:
1869 174266 : break;
1870 1189 : default:
1871 1189 : if (!call->context->allow_connect) {
1872 : char *addr;
1873 :
1874 4 : addr = tsocket_address_string(call->conn->remote_address,
1875 : call);
1876 :
1877 4 : DEBUG(2, ("%s: restrict auth_level_connect access "
1878 : "to [%s] with auth[type=0x%x,level=0x%x] "
1879 : "on [%s] from [%s]\n",
1880 : __func__, call->context->iface->name,
1881 : auth->auth_type,
1882 : auth->auth_level,
1883 : derpc_transport_string_by_transport(transport),
1884 : addr));
1885 4 : return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
1886 : }
1887 1185 : break;
1888 : }
1889 :
1890 175451 : if (auth->auth_level < call->context->min_auth_level) {
1891 : char *addr;
1892 :
1893 118 : addr = tsocket_address_string(call->conn->remote_address, call);
1894 :
1895 118 : DEBUG(2, ("%s: restrict access by min_auth_level[0x%x] "
1896 : "to [%s] with auth[type=0x%x,level=0x%x] "
1897 : "on [%s] from [%s]\n",
1898 : __func__,
1899 : call->context->min_auth_level,
1900 : call->context->iface->name,
1901 : auth->auth_type,
1902 : auth->auth_level,
1903 : derpc_transport_string_by_transport(transport),
1904 : addr));
1905 118 : return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
1906 : }
1907 :
1908 175333 : pull = ndr_pull_init_blob(&call->pkt.u.request.stub_and_verifier, call);
1909 175333 : NT_STATUS_HAVE_NO_MEMORY(pull);
1910 :
1911 175333 : pull->flags |= LIBNDR_FLAG_REF_ALLOC;
1912 :
1913 175333 : call->ndr_pull = pull;
1914 :
1915 175333 : if (!(call->pkt.drep[0] & DCERPC_DREP_LE)) {
1916 22225 : pull->flags |= LIBNDR_FLAG_BIGENDIAN;
1917 : }
1918 :
1919 175333 : status = dcesrv_check_verification_trailer(call);
1920 175333 : if (!NT_STATUS_IS_OK(status)) {
1921 0 : uint32_t faultcode = DCERPC_FAULT_OTHER;
1922 0 : if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
1923 0 : faultcode = DCERPC_FAULT_ACCESS_DENIED;
1924 : }
1925 0 : DEBUG(10, ("dcesrv_check_verification_trailer failed: %s\n",
1926 : nt_errstr(status)));
1927 0 : return dcesrv_fault(call, faultcode);
1928 : }
1929 :
1930 : /* unravel the NDR for the packet */
1931 175333 : status = call->context->iface->ndr_pull(call, call, pull, &call->r);
1932 175333 : if (!NT_STATUS_IS_OK(status)) {
1933 54 : uint8_t extra_flags = 0;
1934 54 : if (call->fault_code == DCERPC_FAULT_OP_RNG_ERROR) {
1935 : /* we got an unknown call */
1936 54 : DEBUG(3,(__location__ ": Unknown RPC call %u on %s\n",
1937 : call->pkt.u.request.opnum,
1938 : call->context->iface->name));
1939 54 : dcesrv_save_call(call, "unknown");
1940 54 : extra_flags |= DCERPC_PFC_FLAG_DID_NOT_EXECUTE;
1941 : } else {
1942 0 : dcesrv_save_call(call, "pullfail");
1943 : }
1944 :
1945 54 : return dcesrv_fault_with_flags(call, call->fault_code, extra_flags);
1946 : }
1947 :
1948 175279 : dcesrv_save_ndr_fuzz_seed(call->pkt.u.request.stub_and_verifier,
1949 : call,
1950 : NDR_IN);
1951 :
1952 175279 : if (pull->offset != pull->data_size) {
1953 1738 : dcesrv_save_call(call, "extrabytes");
1954 1738 : DEBUG(3,("Warning: %d extra bytes in incoming RPC request\n",
1955 : pull->data_size - pull->offset));
1956 : }
1957 :
1958 175279 : if (call->state_flags & DCESRV_CALL_STATE_FLAG_WINBIND_OFF) {
1959 239 : bool winbind_active = !winbind_env_set();
1960 239 : if (winbind_active) {
1961 239 : DBG_DEBUG("turning winbind off\n");
1962 239 : (void)winbind_off();
1963 239 : turn_winbind_on = true;
1964 : }
1965 : }
1966 :
1967 : /* call the dispatch function */
1968 175279 : status = call->context->iface->dispatch(call, call, call->r);
1969 :
1970 175277 : if (turn_winbind_on) {
1971 239 : DBG_DEBUG("turning winbind on\n");
1972 239 : (void)winbind_on();
1973 : }
1974 :
1975 175277 : if (!NT_STATUS_IS_OK(status)) {
1976 14790 : DEBUG(5,("dcerpc fault in call %s:%02x - %s\n",
1977 : call->context->iface->name,
1978 : call->pkt.u.request.opnum,
1979 : dcerpc_errstr(pull, call->fault_code)));
1980 14790 : return dcesrv_fault(call, call->fault_code);
1981 : }
1982 :
1983 : /* add the call to the pending list */
1984 160487 : dcesrv_call_set_list(call, DCESRV_LIST_PENDING_CALL_LIST);
1985 :
1986 160487 : if (call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
1987 13720 : return NT_STATUS_OK;
1988 : }
1989 :
1990 146767 : return dcesrv_reply(call);
1991 : }
1992 :
1993 :
1994 : /*
1995 : remove the call from the right list when freed
1996 : */
1997 214276 : static int dcesrv_call_dequeue(struct dcesrv_call_state *call)
1998 : {
1999 214276 : dcesrv_call_set_list(call, DCESRV_LIST_NONE);
2000 214276 : return 0;
2001 : }
2002 :
2003 262 : _PUBLIC_ const struct tsocket_address *dcesrv_connection_get_local_address(struct dcesrv_connection *conn)
2004 : {
2005 262 : return conn->local_address;
2006 : }
2007 :
2008 232 : _PUBLIC_ const struct tsocket_address *dcesrv_connection_get_remote_address(struct dcesrv_connection *conn)
2009 : {
2010 232 : return conn->remote_address;
2011 : }
2012 :
2013 : /*
2014 : process some input to a dcerpc endpoint server.
2015 : */
2016 214281 : static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
2017 : struct ncacn_packet *pkt,
2018 : DATA_BLOB blob)
2019 : {
2020 : NTSTATUS status;
2021 : struct dcesrv_call_state *call;
2022 214281 : struct dcesrv_call_state *existing = NULL;
2023 214281 : size_t num_auth_ctx = 0;
2024 214281 : enum dcerpc_AuthType auth_type = 0;
2025 214281 : enum dcerpc_AuthLevel auth_level = 0;
2026 214281 : uint32_t auth_context_id = 0;
2027 214281 : bool auth_invalid = false;
2028 :
2029 214281 : call = talloc_zero(dce_conn, struct dcesrv_call_state);
2030 214281 : if (!call) {
2031 0 : data_blob_free(&blob);
2032 0 : talloc_free(pkt);
2033 0 : return NT_STATUS_NO_MEMORY;
2034 : }
2035 214281 : call->conn = dce_conn;
2036 214281 : call->event_ctx = dce_conn->event_ctx;
2037 214281 : call->state_flags = call->conn->state_flags;
2038 214281 : call->time = timeval_current();
2039 214281 : call->list = DCESRV_LIST_NONE;
2040 :
2041 214281 : talloc_steal(call, pkt);
2042 214281 : talloc_steal(call, blob.data);
2043 214281 : call->pkt = *pkt;
2044 :
2045 214281 : if (dce_conn->max_auth_states == 0) {
2046 16230 : call->auth_state = dce_conn->default_auth_state;
2047 198051 : } else if (call->pkt.auth_length == 0) {
2048 193823 : if (call->pkt.ptype == DCERPC_PKT_REQUEST &&
2049 100880 : dce_conn->default_auth_level_connect != NULL)
2050 : {
2051 1173 : call->auth_state = dce_conn->default_auth_level_connect;
2052 : } else {
2053 109105 : call->auth_state = dce_conn->default_auth_state;
2054 : }
2055 : }
2056 :
2057 214281 : if (call->auth_state == NULL) {
2058 87773 : struct dcesrv_auth *a = NULL;
2059 87773 : bool check_type_level = true;
2060 :
2061 87773 : auth_type = dcerpc_get_auth_type(&blob);
2062 87773 : auth_level = dcerpc_get_auth_level(&blob);
2063 87773 : auth_context_id = dcerpc_get_auth_context_id(&blob);
2064 :
2065 87773 : if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
2066 76349 : if (!(call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST)) {
2067 7651 : check_type_level = false;
2068 : }
2069 76349 : dce_conn->default_auth_level_connect = NULL;
2070 76349 : if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
2071 58 : dce_conn->got_explicit_auth_level_connect = true;
2072 : }
2073 : }
2074 :
2075 162834 : for (a = dce_conn->auth_states; a != NULL; a = a->next) {
2076 81521 : num_auth_ctx++;
2077 :
2078 81521 : if (a->auth_context_id != auth_context_id) {
2079 266 : continue;
2080 : }
2081 :
2082 81255 : if (a->auth_type != auth_type) {
2083 15 : auth_invalid = true;
2084 : }
2085 81255 : if (a->auth_level != auth_level) {
2086 27 : auth_invalid = true;
2087 : }
2088 :
2089 81255 : if (check_type_level && auth_invalid) {
2090 30 : a->auth_invalid = true;
2091 : }
2092 :
2093 81255 : DLIST_PROMOTE(dce_conn->auth_states, a);
2094 81255 : call->auth_state = a;
2095 81255 : break;
2096 : }
2097 : }
2098 :
2099 214281 : if (call->auth_state == NULL) {
2100 6518 : struct dcesrv_auth *a = NULL;
2101 :
2102 6518 : if (num_auth_ctx >= dce_conn->max_auth_states) {
2103 3 : return dcesrv_fault_disconnect(call,
2104 : DCERPC_NCA_S_PROTO_ERROR);
2105 : }
2106 :
2107 6515 : a = dcesrv_auth_create(dce_conn);
2108 6515 : if (a == NULL) {
2109 0 : talloc_free(call);
2110 0 : return NT_STATUS_NO_MEMORY;
2111 : }
2112 6515 : DLIST_ADD(dce_conn->auth_states, a);
2113 6515 : if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
2114 : /*
2115 : * This can never be valid.
2116 : */
2117 51 : auth_invalid = true;
2118 51 : a->auth_invalid = true;
2119 : }
2120 6515 : call->auth_state = a;
2121 : }
2122 :
2123 214278 : talloc_set_destructor(call, dcesrv_call_dequeue);
2124 :
2125 214278 : if (call->conn->allow_bind) {
2126 : /*
2127 : * Only one bind is possible per connection
2128 : */
2129 16962 : call->conn->allow_bind = false;
2130 16962 : return dcesrv_bind(call);
2131 : }
2132 :
2133 : /* we have to check the signing here, before combining the
2134 : pdus */
2135 197316 : if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
2136 191455 : dcesrv_default_auth_state_prepare_request(call);
2137 :
2138 346465 : if (call->auth_state->auth_started &&
2139 191404 : !call->auth_state->auth_finished) {
2140 3 : return dcesrv_fault_disconnect(call,
2141 : DCERPC_NCA_S_PROTO_ERROR);
2142 : }
2143 :
2144 191452 : status = dcerpc_verify_ncacn_packet_header(&call->pkt,
2145 : DCERPC_PKT_REQUEST,
2146 : call->pkt.u.request.stub_and_verifier.length,
2147 : 0, /* required_flags */
2148 : DCERPC_PFC_FLAG_FIRST |
2149 : DCERPC_PFC_FLAG_LAST |
2150 : DCERPC_PFC_FLAG_PENDING_CANCEL |
2151 : 0x08 | /* this is not defined, but should be ignored */
2152 : DCERPC_PFC_FLAG_CONC_MPX |
2153 : DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
2154 : DCERPC_PFC_FLAG_MAYBE |
2155 : DCERPC_PFC_FLAG_OBJECT_UUID);
2156 191452 : if (!NT_STATUS_IS_OK(status)) {
2157 0 : return dcesrv_fault_disconnect(call,
2158 : DCERPC_NCA_S_PROTO_ERROR);
2159 : }
2160 :
2161 191452 : if (call->pkt.frag_length > DCERPC_FRAG_MAX_SIZE) {
2162 : /*
2163 : * We don't use dcesrv_fault_disconnect()
2164 : * here, because we don't want to set
2165 : * DCERPC_PFC_FLAG_DID_NOT_EXECUTE
2166 : *
2167 : * Note that we don't check against the negotiated
2168 : * max_recv_frag, but a hard coded value.
2169 : */
2170 24 : return dcesrv_fault_disconnect0(call, DCERPC_NCA_S_PROTO_ERROR);
2171 : }
2172 :
2173 191428 : if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST) {
2174 175663 : if (dce_conn->pending_call_list != NULL) {
2175 : /*
2176 : * concurrent requests are only allowed
2177 : * if DCERPC_PFC_FLAG_CONC_MPX was negotiated.
2178 : */
2179 94 : if (!(dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
2180 0 : return dcesrv_fault_disconnect0(call,
2181 : DCERPC_NCA_S_PROTO_ERROR);
2182 : }
2183 : }
2184 : /* only one request is possible in the fragmented list */
2185 175663 : if (dce_conn->incoming_fragmented_call_list != NULL) {
2186 54 : call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
2187 :
2188 54 : existing = dcesrv_find_fragmented_call(dce_conn,
2189 : call->pkt.call_id);
2190 54 : if (existing != NULL && call->auth_state != existing->auth_state) {
2191 28 : call->context = dcesrv_find_context(call->conn,
2192 21 : call->pkt.u.request.context_id);
2193 :
2194 21 : if (call->pkt.auth_length != 0 && existing->context == call->context) {
2195 3 : call->fault_code = DCERPC_FAULT_SEC_PKG_ERROR;
2196 : }
2197 : }
2198 54 : if (!(dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
2199 : /*
2200 : * Without DCERPC_PFC_FLAG_CONC_MPX
2201 : * we need to return the FAULT on the
2202 : * already existing call.
2203 : *
2204 : * This is important to get the
2205 : * call_id and context_id right.
2206 : */
2207 33 : dce_conn->incoming_fragmented_call_list->fault_code = call->fault_code;
2208 33 : TALLOC_FREE(call);
2209 33 : call = dce_conn->incoming_fragmented_call_list;
2210 : }
2211 54 : if (existing != NULL) {
2212 26 : call->context = existing->context;
2213 : }
2214 54 : return dcesrv_fault_disconnect0(call, call->fault_code);
2215 : }
2216 175609 : if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_PENDING_CANCEL) {
2217 1 : return dcesrv_fault_disconnect(call,
2218 : DCERPC_FAULT_NO_CALL_ACTIVE);
2219 : }
2220 208151 : call->context = dcesrv_find_context(call->conn,
2221 175608 : call->pkt.u.request.context_id);
2222 175608 : if (call->context == NULL) {
2223 10 : return dcesrv_fault_with_flags(call, DCERPC_NCA_S_UNKNOWN_IF,
2224 : DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
2225 : }
2226 : } else {
2227 : int cmp;
2228 :
2229 15765 : existing = dcesrv_find_fragmented_call(dce_conn,
2230 : call->pkt.call_id);
2231 15765 : if (existing == NULL) {
2232 59 : if (!(dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
2233 : /*
2234 : * Without DCERPC_PFC_FLAG_CONC_MPX
2235 : * we need to return the FAULT on the
2236 : * already existing call.
2237 : *
2238 : * This is important to get the
2239 : * call_id and context_id right.
2240 : */
2241 32 : if (dce_conn->incoming_fragmented_call_list != NULL) {
2242 12 : TALLOC_FREE(call);
2243 12 : call = dce_conn->incoming_fragmented_call_list;
2244 : }
2245 32 : return dcesrv_fault_disconnect0(call,
2246 : DCERPC_NCA_S_PROTO_ERROR);
2247 : }
2248 27 : if (dce_conn->incoming_fragmented_call_list != NULL) {
2249 9 : return dcesrv_fault_disconnect0(call, DCERPC_NCA_S_PROTO_ERROR);
2250 : }
2251 24 : call->context = dcesrv_find_context(call->conn,
2252 18 : call->pkt.u.request.context_id);
2253 18 : if (call->context == NULL) {
2254 3 : return dcesrv_fault_with_flags(call, DCERPC_NCA_S_UNKNOWN_IF,
2255 : DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
2256 : }
2257 15 : if (auth_invalid) {
2258 12 : return dcesrv_fault_disconnect0(call,
2259 : DCERPC_FAULT_ACCESS_DENIED);
2260 : }
2261 3 : return dcesrv_fault_disconnect0(call,
2262 : DCERPC_NCA_S_PROTO_ERROR);
2263 : }
2264 :
2265 15706 : if (call->pkt.ptype != existing->pkt.ptype) {
2266 : /* trying to play silly buggers are we? */
2267 0 : return dcesrv_fault_disconnect(existing,
2268 : DCERPC_NCA_S_PROTO_ERROR);
2269 : }
2270 15706 : cmp = memcmp(call->pkt.drep, existing->pkt.drep,
2271 : sizeof(pkt->drep));
2272 15706 : if (cmp != 0) {
2273 0 : return dcesrv_fault_disconnect(existing,
2274 : DCERPC_NCA_S_PROTO_ERROR);
2275 : }
2276 15706 : call->auth_state = existing->auth_state;
2277 15706 : call->context = existing->context;
2278 : }
2279 : }
2280 :
2281 197165 : if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
2282 : bool ok;
2283 191304 : uint8_t payload_offset = DCERPC_REQUEST_LENGTH;
2284 :
2285 191304 : if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
2286 6 : payload_offset += 16;
2287 : }
2288 :
2289 191304 : ok = dcesrv_auth_pkt_pull(call, &blob,
2290 : 0, /* required_flags */
2291 : DCERPC_PFC_FLAG_FIRST |
2292 : DCERPC_PFC_FLAG_LAST |
2293 : DCERPC_PFC_FLAG_PENDING_CANCEL |
2294 : 0x08 | /* this is not defined, but should be ignored */
2295 : DCERPC_PFC_FLAG_CONC_MPX |
2296 : DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
2297 : DCERPC_PFC_FLAG_MAYBE |
2298 : DCERPC_PFC_FLAG_OBJECT_UUID,
2299 : payload_offset,
2300 : &call->pkt.u.request.stub_and_verifier);
2301 191304 : if (!ok) {
2302 : /*
2303 : * We don't use dcesrv_fault_disconnect()
2304 : * here, because we don't want to set
2305 : * DCERPC_PFC_FLAG_DID_NOT_EXECUTE
2306 : */
2307 66 : if (call->fault_code == 0) {
2308 33 : call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
2309 : }
2310 66 : return dcesrv_fault_disconnect0(call, call->fault_code);
2311 : }
2312 : }
2313 :
2314 : /* see if this is a continued packet */
2315 197099 : if (existing != NULL) {
2316 15691 : struct dcerpc_request *er = &existing->pkt.u.request;
2317 15691 : const struct dcerpc_request *nr = &call->pkt.u.request;
2318 : size_t available;
2319 : size_t alloc_size;
2320 : size_t alloc_hint;
2321 :
2322 : /*
2323 : * Up to 4 MByte are allowed by all fragments
2324 : */
2325 15691 : available = dce_conn->max_total_request_size;
2326 15691 : if (er->stub_and_verifier.length > available) {
2327 0 : return dcesrv_fault_disconnect0(existing,
2328 : DCERPC_FAULT_ACCESS_DENIED);
2329 : }
2330 15691 : available -= er->stub_and_verifier.length;
2331 15691 : if (nr->alloc_hint > available) {
2332 0 : return dcesrv_fault_disconnect0(existing,
2333 : DCERPC_FAULT_ACCESS_DENIED);
2334 : }
2335 15691 : if (nr->stub_and_verifier.length > available) {
2336 1 : return dcesrv_fault_disconnect0(existing,
2337 : DCERPC_FAULT_ACCESS_DENIED);
2338 : }
2339 15690 : alloc_hint = er->stub_and_verifier.length + nr->alloc_hint;
2340 : /* allocate at least 1 byte */
2341 15690 : alloc_hint = MAX(alloc_hint, 1);
2342 27561 : alloc_size = er->stub_and_verifier.length +
2343 15690 : nr->stub_and_verifier.length;
2344 15690 : alloc_size = MAX(alloc_size, alloc_hint);
2345 :
2346 15690 : er->stub_and_verifier.data =
2347 15690 : talloc_realloc(existing,
2348 : er->stub_and_verifier.data,
2349 : uint8_t, alloc_size);
2350 15690 : if (er->stub_and_verifier.data == NULL) {
2351 0 : TALLOC_FREE(call);
2352 0 : return dcesrv_fault_with_flags(existing,
2353 : DCERPC_FAULT_OUT_OF_RESOURCES,
2354 : DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
2355 : }
2356 39432 : memcpy(er->stub_and_verifier.data +
2357 15690 : er->stub_and_verifier.length,
2358 15690 : nr->stub_and_verifier.data,
2359 3819 : nr->stub_and_verifier.length);
2360 15690 : er->stub_and_verifier.length += nr->stub_and_verifier.length;
2361 :
2362 15690 : existing->pkt.pfc_flags |= (call->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST);
2363 :
2364 15690 : TALLOC_FREE(call);
2365 15690 : call = existing;
2366 : }
2367 :
2368 : /* this may not be the last pdu in the chain - if its isn't then
2369 : just put it on the incoming_fragmented_call_list and wait for the rest */
2370 351991 : if (call->pkt.ptype == DCERPC_PKT_REQUEST &&
2371 191237 : !(call->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST)) {
2372 : /*
2373 : * Up to 4 MByte are allowed by all fragments
2374 : */
2375 15782 : if (call->pkt.u.request.alloc_hint > dce_conn->max_total_request_size) {
2376 1 : return dcesrv_fault_disconnect0(call,
2377 : DCERPC_FAULT_ACCESS_DENIED);
2378 : }
2379 15781 : dcesrv_call_set_list(call, DCESRV_LIST_FRAGMENTED_CALL_LIST);
2380 15781 : return NT_STATUS_OK;
2381 : }
2382 :
2383 : /* This removes any fragments we may have had stashed away */
2384 181316 : dcesrv_call_set_list(call, DCESRV_LIST_NONE);
2385 :
2386 181316 : switch (call->pkt.ptype) {
2387 3 : case DCERPC_PKT_BIND:
2388 3 : status = dcesrv_bind_nak(call,
2389 : DCERPC_BIND_NAK_REASON_NOT_SPECIFIED);
2390 3 : break;
2391 135 : case DCERPC_PKT_AUTH3:
2392 135 : status = dcesrv_auth3(call);
2393 135 : break;
2394 5702 : case DCERPC_PKT_ALTER:
2395 5702 : status = dcesrv_alter(call);
2396 5702 : break;
2397 175455 : case DCERPC_PKT_REQUEST:
2398 175455 : status = dcesrv_request(call);
2399 175453 : break;
2400 21 : case DCERPC_PKT_CO_CANCEL:
2401 : case DCERPC_PKT_ORPHANED:
2402 : /*
2403 : * Window just ignores CO_CANCEL and ORPHANED,
2404 : * so we do...
2405 : */
2406 21 : status = NT_STATUS_OK;
2407 21 : TALLOC_FREE(call);
2408 21 : break;
2409 0 : case DCERPC_PKT_BIND_ACK:
2410 : case DCERPC_PKT_BIND_NAK:
2411 : case DCERPC_PKT_ALTER_RESP:
2412 : case DCERPC_PKT_RESPONSE:
2413 : case DCERPC_PKT_FAULT:
2414 : case DCERPC_PKT_SHUTDOWN:
2415 : default:
2416 0 : status = dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
2417 0 : break;
2418 : }
2419 :
2420 : /* if we are going to be sending a reply then add
2421 : it to the list of pending calls. We add it to the end to keep the call
2422 : list in the order we will answer */
2423 181314 : if (!NT_STATUS_IS_OK(status)) {
2424 0 : talloc_free(call);
2425 : }
2426 :
2427 181314 : return status;
2428 : }
2429 :
2430 238 : _PUBLIC_ NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx,
2431 : struct loadparm_context *lp_ctx,
2432 : struct dcesrv_context_callbacks *cb,
2433 : struct dcesrv_context **_dce_ctx)
2434 : {
2435 : struct dcesrv_context *dce_ctx;
2436 :
2437 238 : if (cb == NULL) {
2438 0 : return NT_STATUS_INVALID_PARAMETER;
2439 : }
2440 :
2441 238 : dce_ctx = talloc_zero(mem_ctx, struct dcesrv_context);
2442 238 : NT_STATUS_HAVE_NO_MEMORY(dce_ctx);
2443 :
2444 238 : if (uid_wrapper_enabled()) {
2445 238 : setenv("UID_WRAPPER_MYUID", "1", 1);
2446 : }
2447 238 : dce_ctx->initial_euid = geteuid();
2448 238 : if (uid_wrapper_enabled()) {
2449 238 : unsetenv("UID_WRAPPER_MYUID");
2450 : }
2451 :
2452 238 : dce_ctx->endpoint_list = NULL;
2453 238 : dce_ctx->lp_ctx = lp_ctx;
2454 238 : dce_ctx->assoc_groups_idr = idr_init(dce_ctx);
2455 238 : if (dce_ctx->assoc_groups_idr == NULL) {
2456 0 : TALLOC_FREE(dce_ctx);
2457 0 : return NT_STATUS_NO_MEMORY;
2458 : }
2459 238 : dce_ctx->broken_connections = NULL;
2460 238 : dce_ctx->callbacks = cb;
2461 :
2462 238 : *_dce_ctx = dce_ctx;
2463 238 : return NT_STATUS_OK;
2464 : }
2465 :
2466 : /**
2467 : * @brief Set callback functions on an existing dcesrv_context
2468 : *
2469 : * This allows to reset callbacks initially set via
2470 : * dcesrv_init_context()
2471 : *
2472 : * @param[in] dce_ctx The context to set the callbacks on
2473 : * @param[in] cb The callbacks to set on dce_ctx
2474 : */
2475 114 : _PUBLIC_ void dcesrv_context_set_callbacks(
2476 : struct dcesrv_context *dce_ctx,
2477 : struct dcesrv_context_callbacks *cb)
2478 : {
2479 114 : dce_ctx->callbacks = cb;
2480 114 : }
2481 :
2482 56 : _PUBLIC_ NTSTATUS dcesrv_init_ep_servers(struct dcesrv_context *dce_ctx,
2483 : const char **endpoint_servers)
2484 : {
2485 : NTSTATUS status;
2486 : int i;
2487 :
2488 56 : if (endpoint_servers == NULL) {
2489 0 : DBG_ERR("No endpoint servers configured\n");
2490 0 : return NT_STATUS_INTERNAL_ERROR;
2491 : }
2492 :
2493 806 : for (i=0;endpoint_servers[i];i++) {
2494 750 : status = dcesrv_init_ep_server(dce_ctx, endpoint_servers[i]);
2495 750 : if (!NT_STATUS_IS_OK(status)) {
2496 0 : DBG_ERR("failed to init endpoint server = '%s': %s\n",
2497 : endpoint_servers[i], nt_errstr(status));
2498 0 : return status;
2499 : }
2500 : }
2501 :
2502 56 : return NT_STATUS_OK;
2503 : }
2504 :
2505 : /* the list of currently registered DCERPC endpoint servers.
2506 : */
2507 : static struct ep_server {
2508 : struct dcesrv_endpoint_server *ep_server;
2509 : } *ep_servers = NULL;
2510 : static int num_ep_servers = 0;
2511 :
2512 68 : _PUBLIC_ NTSTATUS dcesrv_init_registered_ep_servers(
2513 : struct dcesrv_context *dce_ctx)
2514 : {
2515 : NTSTATUS status;
2516 : int i;
2517 :
2518 136 : for (i = 0; i < num_ep_servers; i++) {
2519 68 : status = dcesrv_init_ep_server(dce_ctx,
2520 68 : ep_servers[i].ep_server->name);
2521 68 : if (!NT_STATUS_IS_OK(status)) {
2522 0 : return status;
2523 : }
2524 : }
2525 :
2526 68 : return NT_STATUS_OK;
2527 : }
2528 :
2529 1188 : _PUBLIC_ NTSTATUS dcesrv_init_ep_server(struct dcesrv_context *dce_ctx,
2530 : const char *ep_server_name)
2531 : {
2532 1188 : struct dcesrv_endpoint_server *ep_server = NULL;
2533 : NTSTATUS status;
2534 :
2535 1188 : ep_server = discard_const_p(struct dcesrv_endpoint_server,
2536 : dcesrv_ep_server_byname(ep_server_name));
2537 1188 : if (ep_server == NULL) {
2538 0 : DBG_ERR("Failed to find endpoint server '%s'\n",
2539 : ep_server_name);
2540 0 : return NT_STATUS_INTERNAL_ERROR;
2541 : }
2542 :
2543 1188 : if (ep_server->initialized) {
2544 0 : return NT_STATUS_OK;
2545 : }
2546 :
2547 1188 : status = ep_server->init_server(dce_ctx, ep_server);
2548 1188 : if (!NT_STATUS_IS_OK(status)) {
2549 0 : DBG_ERR("Failed to init endpoint server '%s': %s\n",
2550 : ep_server_name, nt_errstr(status));
2551 0 : return status;
2552 : }
2553 :
2554 1188 : ep_server->initialized = true;
2555 :
2556 1188 : return NT_STATUS_OK;
2557 : }
2558 :
2559 112 : _PUBLIC_ NTSTATUS dcesrv_shutdown_registered_ep_servers(
2560 : struct dcesrv_context *dce_ctx)
2561 : {
2562 : NTSTATUS status;
2563 : int i;
2564 :
2565 475 : for (i = 0; i < num_ep_servers; i++) {
2566 363 : status = dcesrv_shutdown_ep_server(dce_ctx,
2567 363 : ep_servers[i].ep_server->name);
2568 363 : if (!NT_STATUS_IS_OK(status)) {
2569 0 : return status;
2570 : }
2571 : }
2572 :
2573 112 : return NT_STATUS_OK;
2574 : }
2575 :
2576 363 : _PUBLIC_ NTSTATUS dcesrv_shutdown_ep_server(struct dcesrv_context *dce_ctx,
2577 : const char *ep_server_name)
2578 : {
2579 363 : struct dcesrv_endpoint_server *ep_server = NULL;
2580 : NTSTATUS status;
2581 :
2582 363 : ep_server = discard_const_p(struct dcesrv_endpoint_server,
2583 : dcesrv_ep_server_byname(ep_server_name));
2584 363 : if (ep_server == NULL) {
2585 0 : DBG_ERR("Failed to find endpoint server '%s'\n",
2586 : ep_server_name);
2587 0 : return NT_STATUS_INTERNAL_ERROR;
2588 : }
2589 :
2590 363 : if (!ep_server->initialized) {
2591 0 : return NT_STATUS_OK;
2592 : }
2593 :
2594 363 : DBG_INFO("Shutting down DCE/RPC endpoint server '%s'\n",
2595 : ep_server_name);
2596 :
2597 363 : status = ep_server->shutdown_server(dce_ctx, ep_server);
2598 363 : if (!NT_STATUS_IS_OK(status)) {
2599 0 : DBG_ERR("Failed to shutdown endpoint server '%s': %s\n",
2600 : ep_server_name, nt_errstr(status));
2601 0 : return status;
2602 : }
2603 :
2604 363 : ep_server->initialized = false;
2605 :
2606 363 : return NT_STATUS_OK;
2607 : }
2608 :
2609 : /*
2610 : register a DCERPC endpoint server.
2611 :
2612 : The 'name' can be later used by other backends to find the operations
2613 : structure for this backend.
2614 :
2615 : */
2616 1304 : _PUBLIC_ NTSTATUS dcerpc_register_ep_server(const struct dcesrv_endpoint_server *ep_server)
2617 : {
2618 :
2619 1304 : if (dcesrv_ep_server_byname(ep_server->name) != NULL) {
2620 : /* its already registered! */
2621 0 : DEBUG(0,("DCERPC endpoint server '%s' already registered\n",
2622 : ep_server->name));
2623 0 : return NT_STATUS_OBJECT_NAME_COLLISION;
2624 : }
2625 :
2626 1304 : ep_servers = realloc_p(ep_servers, struct ep_server, num_ep_servers+1);
2627 1304 : if (!ep_servers) {
2628 0 : smb_panic("out of memory in dcerpc_register");
2629 : }
2630 :
2631 1304 : ep_servers[num_ep_servers].ep_server = smb_xmemdup(ep_server, sizeof(*ep_server));
2632 1304 : ep_servers[num_ep_servers].ep_server->name = smb_xstrdup(ep_server->name);
2633 :
2634 1304 : num_ep_servers++;
2635 :
2636 1304 : DEBUG(3,("DCERPC endpoint server '%s' registered\n",
2637 : ep_server->name));
2638 :
2639 1304 : return NT_STATUS_OK;
2640 : }
2641 :
2642 : /*
2643 : return the operations structure for a named backend of the specified type
2644 : */
2645 2855 : _PUBLIC_ const struct dcesrv_endpoint_server *dcesrv_ep_server_byname(const char *name)
2646 : {
2647 : int i;
2648 :
2649 17412 : for (i=0;i<num_ep_servers;i++) {
2650 16108 : if (strcmp(ep_servers[i].ep_server->name, name) == 0) {
2651 1551 : return ep_servers[i].ep_server;
2652 : }
2653 : }
2654 :
2655 1304 : return NULL;
2656 : }
2657 :
2658 : /*
2659 : return the DCERPC module version, and the size of some critical types
2660 : This can be used by endpoint server modules to either detect compilation errors, or provide
2661 : multiple implementations for different smbd compilation options in one module
2662 : */
2663 0 : const struct dcesrv_critical_sizes *dcerpc_module_version(void)
2664 : {
2665 : static const struct dcesrv_critical_sizes critical_sizes = {
2666 : DCERPC_MODULE_VERSION,
2667 : sizeof(struct dcesrv_context),
2668 : sizeof(struct dcesrv_endpoint),
2669 : sizeof(struct dcesrv_endpoint_server),
2670 : sizeof(struct dcesrv_interface),
2671 : sizeof(struct dcesrv_if_list),
2672 : sizeof(struct dcesrv_connection),
2673 : sizeof(struct dcesrv_call_state),
2674 : sizeof(struct dcesrv_auth),
2675 : sizeof(struct dcesrv_handle)
2676 : };
2677 :
2678 0 : return &critical_sizes;
2679 : }
2680 :
2681 16961 : _PUBLIC_ void dcesrv_terminate_connection(struct dcesrv_connection *dce_conn, const char *reason)
2682 : {
2683 16961 : struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
2684 16961 : struct dcesrv_auth *a = NULL;
2685 :
2686 16961 : dce_conn->wait_send = NULL;
2687 16961 : dce_conn->wait_recv = NULL;
2688 16961 : dce_conn->wait_private = NULL;
2689 :
2690 16961 : dce_conn->allow_bind = false;
2691 16961 : dce_conn->allow_alter = false;
2692 :
2693 16961 : dce_conn->default_auth_state->auth_invalid = true;
2694 :
2695 23457 : for (a = dce_conn->auth_states; a != NULL; a = a->next) {
2696 6496 : a->auth_invalid = true;
2697 : }
2698 :
2699 16961 : if (dce_conn->pending_call_list == NULL) {
2700 16961 : char *full_reason = talloc_asprintf(dce_conn, "dcesrv: %s", reason);
2701 :
2702 16961 : DLIST_REMOVE(dce_ctx->broken_connections, dce_conn);
2703 16961 : dce_conn->transport.terminate_connection(dce_conn,
2704 : full_reason ? full_reason : reason);
2705 16655 : return;
2706 : }
2707 :
2708 0 : if (dce_conn->terminate != NULL) {
2709 0 : return;
2710 : }
2711 :
2712 0 : DEBUG(3,("dcesrv: terminating connection due to '%s' deferred due to pending calls\n",
2713 : reason));
2714 0 : dce_conn->terminate = talloc_strdup(dce_conn, reason);
2715 0 : if (dce_conn->terminate == NULL) {
2716 0 : dce_conn->terminate = "dcesrv: deferred terminating connection - no memory";
2717 : }
2718 0 : DLIST_ADD_END(dce_ctx->broken_connections, dce_conn);
2719 : }
2720 :
2721 259086 : _PUBLIC_ void dcesrv_cleanup_broken_connections(struct dcesrv_context *dce_ctx)
2722 : {
2723 : struct dcesrv_connection *cur, *next;
2724 :
2725 259086 : next = dce_ctx->broken_connections;
2726 471507 : while (next != NULL) {
2727 0 : cur = next;
2728 0 : next = cur->next;
2729 :
2730 0 : if (cur->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
2731 : struct dcesrv_connection_context *context_cur, *context_next;
2732 :
2733 0 : context_next = cur->contexts;
2734 0 : while (context_next != NULL) {
2735 0 : context_cur = context_next;
2736 0 : context_next = context_cur->next;
2737 :
2738 0 : dcesrv_connection_context_destructor(context_cur);
2739 : }
2740 : }
2741 :
2742 0 : dcesrv_terminate_connection(cur, cur->terminate);
2743 : }
2744 259086 : }
2745 :
2746 : struct dcesrv_sock_reply_state {
2747 : struct dcesrv_connection *dce_conn;
2748 : struct dcesrv_call_state *call;
2749 : struct iovec iov;
2750 : };
2751 :
2752 : static void dcesrv_sock_reply_done(struct tevent_req *subreq);
2753 : static void dcesrv_call_terminate_step1(struct tevent_req *subreq);
2754 :
2755 198348 : _PUBLIC_ void dcesrv_sock_report_output_data(struct dcesrv_connection *dce_conn)
2756 : {
2757 : struct dcesrv_call_state *call;
2758 :
2759 198348 : call = dce_conn->call_list;
2760 198348 : if (!call || !call->replies) {
2761 0 : return;
2762 : }
2763 :
2764 789580 : while (call->replies) {
2765 429029 : struct data_blob_list_item *rep = call->replies;
2766 : struct dcesrv_sock_reply_state *substate;
2767 : struct tevent_req *subreq;
2768 :
2769 429029 : substate = talloc_zero(call, struct dcesrv_sock_reply_state);
2770 429029 : if (!substate) {
2771 0 : dcesrv_terminate_connection(dce_conn, "no memory");
2772 0 : return;
2773 : }
2774 :
2775 429029 : substate->dce_conn = dce_conn;
2776 429029 : substate->call = NULL;
2777 :
2778 429029 : DLIST_REMOVE(call->replies, rep);
2779 :
2780 429029 : if (call->replies == NULL && call->terminate_reason == NULL) {
2781 197992 : substate->call = call;
2782 : }
2783 :
2784 429029 : substate->iov.iov_base = (void *) rep->blob.data;
2785 429029 : substate->iov.iov_len = rep->blob.length;
2786 :
2787 429029 : subreq = tstream_writev_queue_send(substate,
2788 : dce_conn->event_ctx,
2789 : dce_conn->stream,
2790 : dce_conn->send_queue,
2791 429029 : &substate->iov, 1);
2792 429029 : if (!subreq) {
2793 0 : dcesrv_terminate_connection(dce_conn, "no memory");
2794 0 : return;
2795 : }
2796 429029 : tevent_req_set_callback(subreq, dcesrv_sock_reply_done,
2797 : substate);
2798 : }
2799 :
2800 198348 : if (call->terminate_reason != NULL) {
2801 : struct tevent_req *subreq;
2802 :
2803 356 : subreq = tevent_queue_wait_send(call,
2804 : dce_conn->event_ctx,
2805 : dce_conn->send_queue);
2806 356 : if (!subreq) {
2807 0 : dcesrv_terminate_connection(dce_conn, __location__);
2808 0 : return;
2809 : }
2810 356 : tevent_req_set_callback(subreq, dcesrv_call_terminate_step1,
2811 : call);
2812 : }
2813 :
2814 198348 : DLIST_REMOVE(call->conn->call_list, call);
2815 198348 : call->list = DCESRV_LIST_NONE;
2816 : }
2817 :
2818 429023 : static void dcesrv_sock_reply_done(struct tevent_req *subreq)
2819 : {
2820 429023 : struct dcesrv_sock_reply_state *substate = tevent_req_callback_data(subreq,
2821 : struct dcesrv_sock_reply_state);
2822 : int ret;
2823 : int sys_errno;
2824 : NTSTATUS status;
2825 429023 : struct dcesrv_call_state *call = substate->call;
2826 :
2827 429023 : ret = tstream_writev_queue_recv(subreq, &sys_errno);
2828 429023 : TALLOC_FREE(subreq);
2829 429023 : if (ret == -1) {
2830 0 : status = map_nt_error_from_unix_common(sys_errno);
2831 0 : dcesrv_terminate_connection(substate->dce_conn, nt_errstr(status));
2832 0 : return;
2833 : }
2834 :
2835 429023 : talloc_free(substate);
2836 429023 : if (call) {
2837 197992 : talloc_free(call);
2838 : }
2839 : }
2840 :
2841 : static void dcesrv_call_terminate_step2(struct tevent_req *subreq);
2842 :
2843 350 : static void dcesrv_call_terminate_step1(struct tevent_req *subreq)
2844 : {
2845 350 : struct dcesrv_call_state *call = tevent_req_callback_data(subreq,
2846 : struct dcesrv_call_state);
2847 : bool ok;
2848 : struct timeval tv;
2849 :
2850 : /* make sure we stop send queue before removing subreq */
2851 350 : tevent_queue_stop(call->conn->send_queue);
2852 :
2853 350 : ok = tevent_queue_wait_recv(subreq);
2854 350 : TALLOC_FREE(subreq);
2855 350 : if (!ok) {
2856 0 : dcesrv_terminate_connection(call->conn, __location__);
2857 0 : return;
2858 : }
2859 :
2860 : /* disconnect after 200 usecs */
2861 350 : tv = timeval_current_ofs_usec(200);
2862 350 : subreq = tevent_wakeup_send(call, call->conn->event_ctx, tv);
2863 350 : if (subreq == NULL) {
2864 0 : dcesrv_terminate_connection(call->conn, __location__);
2865 0 : return;
2866 : }
2867 350 : tevent_req_set_callback(subreq, dcesrv_call_terminate_step2,
2868 : call);
2869 : }
2870 :
2871 304 : static void dcesrv_call_terminate_step2(struct tevent_req *subreq)
2872 : {
2873 304 : struct dcesrv_call_state *call = tevent_req_callback_data(subreq,
2874 : struct dcesrv_call_state);
2875 : bool ok;
2876 :
2877 304 : ok = tevent_wakeup_recv(subreq);
2878 304 : TALLOC_FREE(subreq);
2879 304 : if (!ok) {
2880 0 : dcesrv_terminate_connection(call->conn, __location__);
2881 0 : return;
2882 : }
2883 :
2884 304 : dcesrv_terminate_connection(call->conn, call->terminate_reason);
2885 : }
2886 :
2887 : static void dcesrv_conn_wait_done(struct tevent_req *subreq);
2888 :
2889 230263 : static void dcesrv_read_fragment_done(struct tevent_req *subreq)
2890 : {
2891 230263 : struct dcesrv_connection *dce_conn = tevent_req_callback_data(subreq,
2892 : struct dcesrv_connection);
2893 230263 : struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
2894 : struct ncacn_packet *pkt;
2895 : DATA_BLOB buffer;
2896 : NTSTATUS status;
2897 :
2898 230263 : if (dce_conn->terminate) {
2899 : /*
2900 : * if the current connection is broken
2901 : * we need to clean it up before any other connection
2902 : */
2903 0 : dcesrv_terminate_connection(dce_conn, dce_conn->terminate);
2904 0 : dcesrv_cleanup_broken_connections(dce_ctx);
2905 2671 : return;
2906 : }
2907 :
2908 230263 : dcesrv_cleanup_broken_connections(dce_ctx);
2909 :
2910 230263 : status = dcerpc_read_ncacn_packet_recv(subreq, dce_conn,
2911 : &pkt, &buffer);
2912 230263 : TALLOC_FREE(subreq);
2913 230263 : if (!NT_STATUS_IS_OK(status)) {
2914 16657 : dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2915 16361 : return;
2916 : }
2917 :
2918 213606 : dcesrv_loop_next_packet(dce_conn, pkt, buffer);
2919 : }
2920 :
2921 : /**
2922 : * @brief Start the dcesrv loop, inducing the bind as a blob
2923 : *
2924 : * Like dcesrv_connection_loop_start() but used from connections
2925 : * where the caller has already read the dcerpc bind packet from
2926 : * the socket and is available as a DATA_BLOB.
2927 : *
2928 : * @param[in] dce_conn The connection to start
2929 : * @param[in] pkt The parsed bind packet
2930 : * @param[in] buffer The full binary bind including auth data
2931 : */
2932 214281 : void dcesrv_loop_next_packet(
2933 : struct dcesrv_connection *dce_conn,
2934 : struct ncacn_packet *pkt,
2935 : DATA_BLOB buffer)
2936 : {
2937 214281 : struct tevent_req *subreq = NULL;
2938 : NTSTATUS status;
2939 :
2940 214281 : status = dcesrv_process_ncacn_packet(dce_conn, pkt, buffer);
2941 214279 : if (!NT_STATUS_IS_OK(status)) {
2942 0 : dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2943 1689 : return;
2944 : }
2945 :
2946 : /*
2947 : * This is used to block the connection during
2948 : * pending authentication.
2949 : */
2950 214279 : if (dce_conn->wait_send != NULL) {
2951 12513 : subreq = dce_conn->wait_send(dce_conn,
2952 : dce_conn->event_ctx,
2953 : dce_conn->wait_private);
2954 12513 : if (!subreq) {
2955 0 : status = NT_STATUS_NO_MEMORY;
2956 0 : dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2957 0 : return;
2958 : }
2959 12513 : tevent_req_set_callback(subreq, dcesrv_conn_wait_done, dce_conn);
2960 12513 : return;
2961 : }
2962 :
2963 201766 : subreq = dcerpc_read_ncacn_packet_send(dce_conn,
2964 : dce_conn->event_ctx,
2965 : dce_conn->stream);
2966 201766 : if (!subreq) {
2967 0 : status = NT_STATUS_NO_MEMORY;
2968 0 : dcesrv_terminate_connection(dce_conn, nt_errstr(status));
2969 0 : return;
2970 : }
2971 201766 : tevent_req_set_callback(subreq, dcesrv_read_fragment_done, dce_conn);
2972 : }
2973 :
2974 12513 : static void dcesrv_conn_wait_done(struct tevent_req *subreq)
2975 : {
2976 12513 : struct dcesrv_connection *dce_conn = tevent_req_callback_data(subreq,
2977 : struct dcesrv_connection);
2978 12513 : struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
2979 : NTSTATUS status;
2980 :
2981 12513 : if (dce_conn->terminate) {
2982 : /*
2983 : * if the current connection is broken
2984 : * we need to clean it up before any other connection
2985 : */
2986 0 : dcesrv_terminate_connection(dce_conn, dce_conn->terminate);
2987 0 : dcesrv_cleanup_broken_connections(dce_ctx);
2988 0 : return;
2989 : }
2990 :
2991 12513 : dcesrv_cleanup_broken_connections(dce_ctx);
2992 :
2993 12513 : status = dce_conn->wait_recv(subreq);
2994 12513 : dce_conn->wait_send = NULL;
2995 12513 : dce_conn->wait_recv = NULL;
2996 12513 : dce_conn->wait_private = NULL;
2997 12513 : TALLOC_FREE(subreq);
2998 12513 : if (!NT_STATUS_IS_OK(status)) {
2999 0 : dcesrv_terminate_connection(dce_conn, nt_errstr(status));
3000 0 : return;
3001 : }
3002 :
3003 12513 : status = dcesrv_connection_loop_start(dce_conn);
3004 12513 : if (!NT_STATUS_IS_OK(status)) {
3005 0 : dcesrv_terminate_connection(dce_conn, nt_errstr(status));
3006 0 : return;
3007 : }
3008 : }
3009 :
3010 : /**
3011 : * retrieve credentials from a dce_call
3012 : */
3013 4 : _PUBLIC_ struct cli_credentials *dcesrv_call_credentials(struct dcesrv_call_state *dce_call)
3014 : {
3015 4 : struct dcesrv_auth *auth = dce_call->auth_state;
3016 4 : SMB_ASSERT(auth->auth_finished);
3017 4 : return auth->session_info->credentials;
3018 : }
3019 :
3020 : /**
3021 : * returns true if this is an authenticated call
3022 : */
3023 0 : _PUBLIC_ bool dcesrv_call_authenticated(struct dcesrv_call_state *dce_call)
3024 : {
3025 0 : struct dcesrv_auth *auth = dce_call->auth_state;
3026 : enum security_user_level level;
3027 0 : SMB_ASSERT(auth->auth_finished);
3028 0 : level = security_session_user_level(auth->session_info, NULL);
3029 0 : return level >= SECURITY_USER;
3030 : }
3031 :
3032 : /**
3033 : * retrieve account_name for a dce_call
3034 : */
3035 0 : _PUBLIC_ const char *dcesrv_call_account_name(struct dcesrv_call_state *dce_call)
3036 : {
3037 0 : struct dcesrv_auth *auth = dce_call->auth_state;
3038 0 : SMB_ASSERT(auth->auth_finished);
3039 0 : return auth->session_info->info->account_name;
3040 : }
3041 :
3042 : /**
3043 : * retrieve session_info from a dce_call
3044 : */
3045 227759 : _PUBLIC_ struct auth_session_info *dcesrv_call_session_info(struct dcesrv_call_state *dce_call)
3046 : {
3047 227759 : struct dcesrv_auth *auth = dce_call->auth_state;
3048 227759 : SMB_ASSERT(auth->auth_finished);
3049 227759 : return auth->session_info;
3050 : }
3051 :
3052 : /**
3053 : * retrieve auth type/level from a dce_call
3054 : */
3055 30601 : _PUBLIC_ void dcesrv_call_auth_info(struct dcesrv_call_state *dce_call,
3056 : enum dcerpc_AuthType *auth_type,
3057 : enum dcerpc_AuthLevel *auth_level)
3058 : {
3059 30601 : struct dcesrv_auth *auth = dce_call->auth_state;
3060 :
3061 30601 : SMB_ASSERT(auth->auth_finished);
3062 :
3063 30601 : if (auth_type != NULL) {
3064 19659 : *auth_type = auth->auth_type;
3065 : }
3066 30601 : if (auth_level != NULL) {
3067 29076 : *auth_level = auth->auth_level;
3068 : }
3069 30601 : }
3070 :
3071 28823 : _PUBLIC_ NTSTATUS dcesrv_connection_loop_start(struct dcesrv_connection *conn)
3072 : {
3073 : struct tevent_req *subreq;
3074 :
3075 28823 : subreq = dcerpc_read_ncacn_packet_send(conn,
3076 : conn->event_ctx,
3077 : conn->stream);
3078 28823 : if (subreq == NULL) {
3079 0 : return NT_STATUS_NO_MEMORY;
3080 : }
3081 28823 : tevent_req_set_callback(subreq, dcesrv_read_fragment_done, conn);
3082 :
3083 28823 : return NT_STATUS_OK;
3084 : }
3085 :
3086 0 : _PUBLIC_ NTSTATUS dcesrv_call_dispatch_local(struct dcesrv_call_state *call)
3087 : {
3088 : NTSTATUS status;
3089 0 : struct ndr_pull *pull = NULL;
3090 0 : struct ndr_push *push = NULL;
3091 0 : struct data_blob_list_item *rep = NULL;
3092 :
3093 0 : pull = ndr_pull_init_blob(&call->pkt.u.request.stub_and_verifier,
3094 : call);
3095 0 : if (pull == NULL) {
3096 0 : return NT_STATUS_NO_MEMORY;
3097 : }
3098 :
3099 0 : pull->flags |= LIBNDR_FLAG_REF_ALLOC;
3100 :
3101 0 : call->ndr_pull = pull;
3102 :
3103 : /* unravel the NDR for the packet */
3104 0 : status = call->context->iface->ndr_pull(call, call, pull, &call->r);
3105 0 : if (!NT_STATUS_IS_OK(status)) {
3106 0 : DBG_INFO("DCE/RPC fault in call %s:%02X - %s\n",
3107 : call->context->iface->name,
3108 : call->pkt.u.request.opnum,
3109 : dcerpc_errstr(call, call->fault_code));
3110 0 : return dcerpc_fault_to_nt_status(call->fault_code);
3111 : }
3112 :
3113 0 : status = call->context->iface->local(call, call, call->r);
3114 0 : if (!NT_STATUS_IS_OK(status)) {
3115 0 : DBG_INFO("DCE/RPC fault in call %s:%02X - %s\n",
3116 : call->context->iface->name,
3117 : call->pkt.u.request.opnum,
3118 : dcerpc_errstr(call, call->fault_code));
3119 0 : return dcerpc_fault_to_nt_status(call->fault_code);
3120 : }
3121 :
3122 : /* This can never go async for now! */
3123 0 : SMB_ASSERT(!(call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC));
3124 :
3125 : /* call the reply function */
3126 0 : status = call->context->iface->reply(call, call, call->r);
3127 0 : if (!NT_STATUS_IS_OK(status)) {
3128 0 : DBG_INFO("DCE/RPC fault in call %s:%02X - %s\n",
3129 : call->context->iface->name,
3130 : call->pkt.u.request.opnum,
3131 : dcerpc_errstr(call, call->fault_code));
3132 0 : return dcerpc_fault_to_nt_status(call->fault_code);
3133 : }
3134 :
3135 0 : push = ndr_push_init_ctx(call);
3136 0 : if (push == NULL) {
3137 0 : return NT_STATUS_NO_MEMORY;
3138 : }
3139 :
3140 0 : push->ptr_count = call->ndr_pull->ptr_count;
3141 :
3142 0 : status = call->context->iface->ndr_push(call, call, push, call->r);
3143 0 : if (!NT_STATUS_IS_OK(status)) {
3144 0 : DBG_INFO("DCE/RPC fault in call %s:%02X - %s\n",
3145 : call->context->iface->name,
3146 : call->pkt.u.request.opnum,
3147 : dcerpc_errstr(call, call->fault_code));
3148 0 : return dcerpc_fault_to_nt_status(call->fault_code);
3149 : }
3150 :
3151 0 : rep = talloc_zero(call, struct data_blob_list_item);
3152 0 : if (rep == NULL) {
3153 0 : return NT_STATUS_NO_MEMORY;
3154 : }
3155 :
3156 0 : rep->blob = ndr_push_blob(push);
3157 0 : DLIST_ADD_END(call->replies, rep);
3158 :
3159 0 : return NT_STATUS_OK;
3160 : }
|
