search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tests: Check symlinks are readable as reparse points
[samba.git] / source3 / smbd / smbXsrv_session.c
blobc074bb851de0c9f47e27504f60bfb7e20ecaee66
1 /*
2 Unix SMB/CIFS implementation.
3
4 Copyright (C) Stefan Metzmacher 2011-2012
5 Copyright (C) Michael Adam 2012
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbXsrv_session.h"
23 #include "system/filesys.h"
24 #include <tevent.h>
25 #include "lib/util/server_id.h"
26 #include "smbd/smbd.h"
27 #include "smbd/globals.h"
28 #include "dbwrap/dbwrap.h"
29 #include "dbwrap/dbwrap_rbt.h"
30 #include "dbwrap/dbwrap_open.h"
31 #include "dbwrap/dbwrap_watch.h"
32 #include "session.h"
33 #include "auth.h"
34 #include "auth/gensec/gensec.h"
35 #include "../lib/tsocket/tsocket.h"
36 #include "../libcli/security/security.h"
37 #include "messages.h"
38 #include "lib/util/util_tdb.h"
39 #include "librpc/gen_ndr/ndr_smbXsrv.h"
40 #include "serverid.h"
41 #include "lib/util/tevent_ntstatus.h"
42 #include "lib/global_contexts.h"
43 #include "source3/include/util_tdb.h"
44
45 struct smbXsrv_session_table {
46 struct {
47 struct db_context *db_ctx;
48 uint32_t lowest_id;
49 uint32_t highest_id;
50 uint32_t max_sessions;
51 uint32_t num_sessions;
52 } local;
53 struct {
54 struct db_context *db_ctx;
55 } global;
56 };
57
58 static struct db_context *smbXsrv_session_global_db_ctx = NULL;
59
60 NTSTATUS smbXsrv_session_global_init(struct messaging_context *msg_ctx)
61 {
62 char *global_path = NULL;
63 struct db_context *backend = NULL;
64 struct db_context *db_ctx = NULL;
65
66 if (smbXsrv_session_global_db_ctx != NULL) {
67 return NT_STATUS_OK;
68 }
69
70 /*
71 * This contains secret information like session keys!
72 */
73 global_path = lock_path(talloc_tos(), "smbXsrv_session_global.tdb");
74 if (global_path == NULL) {
75 return NT_STATUS_NO_MEMORY;
76 }
77
78 backend = db_open(NULL, global_path,
79 SMBD_VOLATILE_TDB_HASH_SIZE,
80 SMBD_VOLATILE_TDB_FLAGS,
81 O_RDWR | O_CREAT, 0600,
82 DBWRAP_LOCK_ORDER_1,
83 DBWRAP_FLAG_NONE);
84 TALLOC_FREE(global_path);
85 if (backend == NULL) {
86 NTSTATUS status;
87
88 status = map_nt_error_from_unix_common(errno);
89
90 return status;
91 }
92
93 db_ctx = db_open_watched(NULL, &backend, global_messaging_context());
94 if (db_ctx == NULL) {
95 TALLOC_FREE(backend);
96 return NT_STATUS_NO_MEMORY;
97 }
98
99 smbXsrv_session_global_db_ctx = db_ctx;
100
101 return NT_STATUS_OK;
102 }
103
104 /*
105 * NOTE:
106 * We need to store the keys in big endian so that dbwrap_rbt's memcmp
107 * has the same result as integer comparison between the uint32_t
108 * values.
109 *
110 * TODO: implement string based key
111 */
112
113 #define SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE sizeof(uint32_t)
114
115 static TDB_DATA smbXsrv_session_global_id_to_key(uint32_t id,
116 uint8_t *key_buf)
117 {
118 TDB_DATA key;
119
120 RSIVAL(key_buf, 0, id);
121
122 key = make_tdb_data(key_buf, SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE);
123
124 return key;
125 }
126
127 #if 0
128 static NTSTATUS smbXsrv_session_global_key_to_id(TDB_DATA key, uint32_t *id)
129 {
130 if (id == NULL) {
131 return NT_STATUS_INVALID_PARAMETER;
132 }
133
134 if (key.dsize != SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE) {
135 return NT_STATUS_INTERNAL_DB_CORRUPTION;
136 }
137
138 *id = RIVAL(key.dptr, 0);
139
140 return NT_STATUS_OK;
141 }
142 #endif
143
144 #define SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE sizeof(uint32_t)
145
146 static TDB_DATA smbXsrv_session_local_id_to_key(uint32_t id,
147 uint8_t *key_buf)
148 {
149 TDB_DATA key;
150
151 RSIVAL(key_buf, 0, id);
152
153 key = make_tdb_data(key_buf, SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE);
154
155 return key;
156 }
157
158 static NTSTATUS smbXsrv_session_local_key_to_id(TDB_DATA key, uint32_t *id)
159 {
160 if (id == NULL) {
161 return NT_STATUS_INVALID_PARAMETER;
162 }
163
164 if (key.dsize != SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE) {
165 return NT_STATUS_INTERNAL_DB_CORRUPTION;
166 }
167
168 *id = RIVAL(key.dptr, 0);
169
170 return NT_STATUS_OK;
171 }
172
173 static struct db_record *smbXsrv_session_global_fetch_locked(
174 struct db_context *db,
175 uint32_t id,
176 TALLOC_CTX *mem_ctx)
177 {
178 TDB_DATA key;
179 uint8_t key_buf[SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE];
180 struct db_record *rec = NULL;
181
182 key = smbXsrv_session_global_id_to_key(id, key_buf);
183
184 rec = dbwrap_fetch_locked(db, mem_ctx, key);
185
186 if (rec == NULL) {
187 DBG_DEBUG("Failed to lock global id 0x%08x, key '%s'\n", id,
188 tdb_data_dbg(key));
189 }
190
191 return rec;
192 }
193
194 static struct db_record *smbXsrv_session_local_fetch_locked(
195 struct db_context *db,
196 uint32_t id,
197 TALLOC_CTX *mem_ctx)
198 {
199 TDB_DATA key;
200 uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
201 struct db_record *rec = NULL;
202
203 key = smbXsrv_session_local_id_to_key(id, key_buf);
204
205 rec = dbwrap_fetch_locked(db, mem_ctx, key);
206
207 if (rec == NULL) {
208 DBG_DEBUG("Failed to lock local id 0x%08x, key '%s'\n", id,
209 tdb_data_dbg(key));
210 }
211
212 return rec;
213 }
214
215 static void smbXsrv_session_close_loop(struct tevent_req *subreq);
216
217 static NTSTATUS smbXsrv_session_table_init(struct smbXsrv_connection *conn,
218 uint32_t lowest_id,
219 uint32_t highest_id,
220 uint32_t max_sessions)
221 {
222 struct smbXsrv_client *client = conn->client;
223 struct smbXsrv_session_table *table;
224 NTSTATUS status;
225 struct tevent_req *subreq;
226 uint64_t max_range;
227
228 if (lowest_id > highest_id) {
229 return NT_STATUS_INTERNAL_ERROR;
230 }
231
232 max_range = highest_id;
233 max_range -= lowest_id;
234 max_range += 1;
235
236 if (max_sessions > max_range) {
237 return NT_STATUS_INTERNAL_ERROR;
238 }
239
240 table = talloc_zero(client, struct smbXsrv_session_table);
241 if (table == NULL) {
242 return NT_STATUS_NO_MEMORY;
243 }
244
245 table->local.db_ctx = db_open_rbt(table);
246 if (table->local.db_ctx == NULL) {
247 TALLOC_FREE(table);
248 return NT_STATUS_NO_MEMORY;
249 }
250 table->local.lowest_id = lowest_id;
251 table->local.highest_id = highest_id;
252 table->local.max_sessions = max_sessions;
253
254 status = smbXsrv_session_global_init(client->msg_ctx);
255 if (!NT_STATUS_IS_OK(status)) {
256 TALLOC_FREE(table);
257 return status;
258 }
259
260 table->global.db_ctx = smbXsrv_session_global_db_ctx;
261
262 subreq = messaging_read_send(table,
263 client->raw_ev_ctx,
264 client->msg_ctx,
265 MSG_SMBXSRV_SESSION_CLOSE);
266 if (subreq == NULL) {
267 TALLOC_FREE(table);
268 return NT_STATUS_NO_MEMORY;
269 }
270 tevent_req_set_callback(subreq, smbXsrv_session_close_loop, client);
271
272 client->session_table = table;
273 return NT_STATUS_OK;
274 }
275
276 static void smbXsrv_session_close_shutdown_done(struct tevent_req *subreq);
277
278 static void smbXsrv_session_close_loop(struct tevent_req *subreq)
279 {
280 struct smbXsrv_client *client =
281 tevent_req_callback_data(subreq,
282 struct smbXsrv_client);
283 struct smbXsrv_session_table *table = client->session_table;
284 int ret;
285 struct messaging_rec *rec = NULL;
286 struct smbXsrv_session_closeB close_blob;
287 enum ndr_err_code ndr_err;
288 struct smbXsrv_session_close0 *close_info0 = NULL;
289 struct smbXsrv_session *session = NULL;
290 NTSTATUS status;
291 struct timeval tv = timeval_current();
292 NTTIME now = timeval_to_nttime(&tv);
293
294 ret = messaging_read_recv(subreq, talloc_tos(), &rec);
295 TALLOC_FREE(subreq);
296 if (ret != 0) {
297 goto next;
298 }
299
300 ndr_err = ndr_pull_struct_blob(&rec->buf, rec, &close_blob,
301 (ndr_pull_flags_fn_t)ndr_pull_smbXsrv_session_closeB);
302 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
303 status = ndr_map_error2ntstatus(ndr_err);
304 DBG_WARNING("ndr_pull_struct_blob - %s\n", nt_errstr(status));
305 goto next;
306 }
307
308 DBG_DEBUG("MSG_SMBXSRV_SESSION_CLOSE\n");
309 if (DEBUGLVL(DBGLVL_DEBUG)) {
310 NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
311 }
312
313 if (close_blob.version != SMBXSRV_VERSION_0) {
314 DBG_ERR("ignore invalid version %u\n", close_blob.version);
315 NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
316 goto next;
317 }
318
319 close_info0 = close_blob.info.info0;
320 if (close_info0 == NULL) {
321 DBG_ERR("ignore NULL info %u\n", close_blob.version);
322 NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
323 goto next;
324 }
325
326 status = smb2srv_session_lookup_client(client,
327 close_info0->old_session_wire_id,
328 now, &session);
329 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
330 DBG_INFO("old_session_wire_id %" PRIu64 " not found\n",
331 close_info0->old_session_wire_id);
332 if (DEBUGLVL(DBGLVL_INFO)) {
333 NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
334 }
335 goto next;
336 }
337 if (!NT_STATUS_IS_OK(status) &&
338 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
339 !NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
340 DBG_WARNING("old_session_wire_id %" PRIu64 " - %s\n",
341 close_info0->old_session_wire_id,
342 nt_errstr(status));
343 if (DEBUGLVL(DBGLVL_WARNING)) {
344 NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
345 }
346 goto next;
347 }
348
349 if (session->global->session_global_id != close_info0->old_session_global_id) {
350 DBG_WARNING("old_session_wire_id %" PRIu64 " - "
351 "global %" PRIu32 " != %" PRIu32 "\n",
352 close_info0->old_session_wire_id,
353 session->global->session_global_id,
354 close_info0->old_session_global_id);
355 if (DEBUGLVL(DBGLVL_WARNING)) {
356 NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
357 }
358 goto next;
359 }
360
361 if (session->global->creation_time != close_info0->old_creation_time) {
362 DBG_WARNING("old_session_wire_id %" PRIu64 " - "
363 "creation %s (%" PRIu64 ") != %s (%" PRIu64 ")\n",
364 close_info0->old_session_wire_id,
365 nt_time_string(rec,
366 session->global->creation_time),
367 session->global->creation_time,
368 nt_time_string(rec,
369 close_info0->old_creation_time),
370 close_info0->old_creation_time);
371 if (DEBUGLVL(DBGLVL_WARNING)) {
372 NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
373 }
374 goto next;
375 }
376
377 subreq = smb2srv_session_shutdown_send(session, client->raw_ev_ctx,
378 session, NULL);
379 if (subreq == NULL) {
380 status = NT_STATUS_NO_MEMORY;
381 DBG_ERR("smb2srv_session_shutdown_send(%" PRIu64
382 ") failed: %s\n",
383 session->global->session_wire_id,
384 nt_errstr(status));
385 if (DEBUGLVL(DBGLVL_WARNING)) {
386 NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
387 }
388 goto next;
389 }
390 tevent_req_set_callback(subreq,
391 smbXsrv_session_close_shutdown_done,
392 session);
393
394 next:
395 TALLOC_FREE(rec);
396
397 subreq = messaging_read_send(table,
398 client->raw_ev_ctx,
399 client->msg_ctx,
400 MSG_SMBXSRV_SESSION_CLOSE);
401 if (subreq == NULL) {
402 const char *r;
403 r = "messaging_read_send(MSG_SMBXSRV_SESSION_CLOSE) failed";
404 exit_server_cleanly(r);
405 return;
406 }
407 tevent_req_set_callback(subreq, smbXsrv_session_close_loop, client);
408 }
409
410 static void smbXsrv_session_close_shutdown_done(struct tevent_req *subreq)
411 {
412 struct smbXsrv_session *session =
413 tevent_req_callback_data(subreq,
414 struct smbXsrv_session);
415 NTSTATUS status;
416
417 status = smb2srv_session_shutdown_recv(subreq);
418 TALLOC_FREE(subreq);
419 if (!NT_STATUS_IS_OK(status)) {
420 DBG_ERR("smb2srv_session_shutdown_recv(%" PRIu64
421 ") failed: %s\n",
422 session->global->session_wire_id,
423 nt_errstr(status));
424 }
425
426 status = smbXsrv_session_logoff(session);
427 if (!NT_STATUS_IS_OK(status)) {
428 DBG_ERR("smbXsrv_session_logoff(%" PRIu64 ") failed: %s\n",
429 session->global->session_wire_id,
430 nt_errstr(status));
431 }
432
433 TALLOC_FREE(session);
434 }
435
436 struct smb1srv_session_local_allocate_state {
437 const uint32_t lowest_id;
438 const uint32_t highest_id;
439 uint32_t last_id;
440 uint32_t useable_id;
441 NTSTATUS status;
442 };
443
444 static int smb1srv_session_local_allocate_traverse(struct db_record *rec,
445 void *private_data)
446 {
447 struct smb1srv_session_local_allocate_state *state =
448 (struct smb1srv_session_local_allocate_state *)private_data;
449 TDB_DATA key = dbwrap_record_get_key(rec);
450 uint32_t id = 0;
451 NTSTATUS status;
452
453 status = smbXsrv_session_local_key_to_id(key, &id);
454 if (!NT_STATUS_IS_OK(status)) {
455 state->status = status;
456 return -1;
457 }
458
459 if (id <= state->last_id) {
460 state->status = NT_STATUS_INTERNAL_DB_CORRUPTION;
461 return -1;
462 }
463 state->last_id = id;
464
465 if (id > state->useable_id) {
466 state->status = NT_STATUS_OK;
467 return -1;
468 }
469
470 if (state->useable_id == state->highest_id) {
471 state->status = NT_STATUS_INSUFFICIENT_RESOURCES;
472 return -1;
473 }
474
475 state->useable_id +=1;
476 return 0;
477 }
478
479 static NTSTATUS smb1srv_session_local_allocate_id(struct db_context *db,
480 uint32_t lowest_id,
481 uint32_t highest_id,
482 TALLOC_CTX *mem_ctx,
483 struct db_record **_rec,
484 uint32_t *_id)
485 {
486 struct smb1srv_session_local_allocate_state state = {
487 .lowest_id = lowest_id,
488 .highest_id = highest_id,
489 .last_id = 0,
490 .useable_id = lowest_id,
491 .status = NT_STATUS_INTERNAL_ERROR,
492 };
493 uint32_t i;
494 uint32_t range;
495 NTSTATUS status;
496 int count = 0;
497
498 *_rec = NULL;
499 *_id = 0;
500
501 if (lowest_id > highest_id) {
502 return NT_STATUS_INSUFFICIENT_RESOURCES;
503 }
504
505 /*
506 * first we try randomly
507 */
508 range = (highest_id - lowest_id) + 1;
509
510 for (i = 0; i < (range / 2); i++) {
511 uint32_t id;
512 TDB_DATA val;
513 struct db_record *rec = NULL;
514
515 id = generate_random() % range;
516 id += lowest_id;
517
518 if (id < lowest_id) {
519 id = lowest_id;
520 }
521 if (id > highest_id) {
522 id = highest_id;
523 }
524
525 rec = smbXsrv_session_local_fetch_locked(db, id, mem_ctx);
526 if (rec == NULL) {
527 return NT_STATUS_INSUFFICIENT_RESOURCES;
528 }
529
530 val = dbwrap_record_get_value(rec);
531 if (val.dsize != 0) {
532 TALLOC_FREE(rec);
533 continue;
534 }
535
536 *_rec = rec;
537 *_id = id;
538 return NT_STATUS_OK;
539 }
540
541 /*
542 * if the range is almost full,
543 * we traverse the whole table
544 * (this relies on sorted behavior of dbwrap_rbt)
545 */
546 status = dbwrap_traverse_read(db, smb1srv_session_local_allocate_traverse,
547 &state, &count);
548 if (NT_STATUS_IS_OK(status)) {
549 if (NT_STATUS_IS_OK(state.status)) {
550 return NT_STATUS_INTERNAL_ERROR;
551 }
552
553 if (!NT_STATUS_EQUAL(state.status, NT_STATUS_INTERNAL_ERROR)) {
554 return state.status;
555 }
556
557 if (state.useable_id <= state.highest_id) {
558 state.status = NT_STATUS_OK;
559 } else {
560 return NT_STATUS_INSUFFICIENT_RESOURCES;
561 }
562 } else if (!NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_DB_CORRUPTION)) {
563 /*
564 * Here we really expect NT_STATUS_INTERNAL_DB_CORRUPTION!
565 *
566 * If we get anything else it is an error, because it
567 * means we did not manage to find a free slot in
568 * the db.
569 */
570 return NT_STATUS_INSUFFICIENT_RESOURCES;
571 }
572
573 if (NT_STATUS_IS_OK(state.status)) {
574 uint32_t id;
575 TDB_DATA val;
576 struct db_record *rec = NULL;
577
578 id = state.useable_id;
579
580 rec = smbXsrv_session_local_fetch_locked(db, id, mem_ctx);
581 if (rec == NULL) {
582 return NT_STATUS_INSUFFICIENT_RESOURCES;
583 }
584
585 val = dbwrap_record_get_value(rec);
586 if (val.dsize != 0) {
587 TALLOC_FREE(rec);
588 return NT_STATUS_INTERNAL_DB_CORRUPTION;
589 }
590
591 *_rec = rec;
592 *_id = id;
593 return NT_STATUS_OK;
594 }
595
596 return state.status;
597 }
598
599 struct smbXsrv_session_local_fetch_state {
600 struct smbXsrv_session *session;
601 NTSTATUS status;
602 };
603
604 static void smbXsrv_session_local_fetch_parser(TDB_DATA key, TDB_DATA data,
605 void *private_data)
606 {
607 struct smbXsrv_session_local_fetch_state *state =
608 (struct smbXsrv_session_local_fetch_state *)private_data;
609 void *ptr;
610
611 if (data.dsize != sizeof(ptr)) {
612 state->status = NT_STATUS_INTERNAL_DB_ERROR;
613 return;
614 }
615
616 memcpy(&ptr, data.dptr, data.dsize);
617 state->session = talloc_get_type_abort(ptr, struct smbXsrv_session);
618 state->status = NT_STATUS_OK;
619 }
620
621 static NTSTATUS smbXsrv_session_local_lookup(struct smbXsrv_session_table *table,
622 /* conn: optional */
623 struct smbXsrv_connection *conn,
624 uint32_t session_local_id,
625 NTTIME now,
626 struct smbXsrv_session **_session)
627 {
628 struct smbXsrv_session_local_fetch_state state = {
629 .session = NULL,
630 .status = NT_STATUS_INTERNAL_ERROR,
631 };
632 uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
633 TDB_DATA key;
634 NTSTATUS status;
635
636 *_session = NULL;
637
638 if (session_local_id == 0) {
639 return NT_STATUS_USER_SESSION_DELETED;
640 }
641
642 if (table == NULL) {
643 /* this might happen before the end of negprot */
644 return NT_STATUS_USER_SESSION_DELETED;
645 }
646
647 if (table->local.db_ctx == NULL) {
648 return NT_STATUS_INTERNAL_ERROR;
649 }
650
651 key = smbXsrv_session_local_id_to_key(session_local_id, key_buf);
652
653 status = dbwrap_parse_record(table->local.db_ctx, key,
654 smbXsrv_session_local_fetch_parser,
655 &state);
656 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
657 return NT_STATUS_USER_SESSION_DELETED;
658 } else if (!NT_STATUS_IS_OK(status)) {
659 return status;
660 }
661 if (!NT_STATUS_IS_OK(state.status)) {
662 return state.status;
663 }
664
665 if (NT_STATUS_EQUAL(state.session->status, NT_STATUS_USER_SESSION_DELETED)) {
666 return NT_STATUS_USER_SESSION_DELETED;
667 }
668
669 /*
670 * If a connection is specified check if the session is
671 * valid on the channel.
672 */
673 if (conn != NULL) {
674 struct smbXsrv_channel_global0 *c = NULL;
675
676 status = smbXsrv_session_find_channel(state.session, conn, &c);
677 if (!NT_STATUS_IS_OK(status)) {
678 return status;
679 }
680 }
681
682 state.session->idle_time = now;
683
684 if (!NT_STATUS_IS_OK(state.session->status)) {
685 *_session = state.session;
686 return state.session->status;
687 }
688
689 if (now > state.session->global->expiration_time) {
690 state.session->status = NT_STATUS_NETWORK_SESSION_EXPIRED;
691 }
692
693 *_session = state.session;
694 return state.session->status;
695 }
696
697 static int smbXsrv_session_global_destructor(struct smbXsrv_session_global0 *global)
698 {
699 return 0;
700 }
701
702 static void smbXsrv_session_global_verify_record(struct db_record *db_rec,
703 bool *is_free,
704 bool *was_free,
705 TALLOC_CTX *mem_ctx,
706 struct smbXsrv_session_global0 **_g,
707 uint32_t *pseqnum);
708
709 static NTSTATUS smbXsrv_session_global_allocate(struct db_context *db,
710 TALLOC_CTX *mem_ctx,
711 struct smbXsrv_session_global0 **_global)
712 {
713 uint32_t i;
714 struct smbXsrv_session_global0 *global = NULL;
715 uint32_t last_free = 0;
716 const uint32_t min_tries = 3;
717
718 *_global = NULL;
719
720 global = talloc_zero(mem_ctx, struct smbXsrv_session_global0);
721 if (global == NULL) {
722 return NT_STATUS_NO_MEMORY;
723 }
724 talloc_set_destructor(global, smbXsrv_session_global_destructor);
725
726 /*
727 * Here we just randomly try the whole 32-bit space
728 *
729 * We use just 32-bit, because we want to reuse the
730 * ID for SRVSVC.
731 */
732 for (i = 0; i < UINT32_MAX; i++) {
733 bool is_free = false;
734 bool was_free = false;
735 uint32_t id;
736
737 if (i >= min_tries && last_free != 0) {
738 id = last_free;
739 } else {
740 id = generate_random();
741 }
742 if (id == 0) {
743 id++;
744 }
745 if (id == UINT32_MAX) {
746 id--;
747 }
748
749 global->db_rec = smbXsrv_session_global_fetch_locked(db, id,
750 mem_ctx);
751 if (global->db_rec == NULL) {
752 talloc_free(global);
753 return NT_STATUS_INSUFFICIENT_RESOURCES;
754 }
755
756 smbXsrv_session_global_verify_record(global->db_rec,
757 &is_free,
758 &was_free,
759 NULL, NULL, NULL);
760
761 if (!is_free) {
762 TALLOC_FREE(global->db_rec);
763 continue;
764 }
765
766 if (!was_free && i < min_tries) {
767 /*
768 * The session_id is free now,
769 * but was not free before.
770 *
771 * This happens if a smbd crashed
772 * and did not cleanup the record.
773 *
774 * If this is one of our first tries,
775 * then we try to find a real free one.
776 */
777 if (last_free == 0) {
778 last_free = id;
779 }
780 TALLOC_FREE(global->db_rec);
781 continue;
782 }
783
784 global->session_global_id = id;
785
786 *_global = global;
787 return NT_STATUS_OK;
788 }
789
790 /* should not be reached */
791 talloc_free(global);
792 return NT_STATUS_INTERNAL_ERROR;
793 }
794
795 static void smbXsrv_session_global_verify_record(struct db_record *db_rec,
796 bool *is_free,
797 bool *was_free,
798 TALLOC_CTX *mem_ctx,
799 struct smbXsrv_session_global0 **_g,
800 uint32_t *pseqnum)
801 {
802 TDB_DATA key;
803 TDB_DATA val;
804 DATA_BLOB blob;
805 struct smbXsrv_session_globalB global_blob;
806 enum ndr_err_code ndr_err;
807 struct smbXsrv_session_global0 *global = NULL;
808 bool exists;
809 TALLOC_CTX *frame = talloc_stackframe();
810
811 *is_free = false;
812
813 if (was_free) {
814 *was_free = false;
815 }
816 if (_g) {
817 *_g = NULL;
818 }
819 if (pseqnum) {
820 *pseqnum = 0;
821 }
822
823 key = dbwrap_record_get_key(db_rec);
824
825 val = dbwrap_record_get_value(db_rec);
826 if (val.dsize == 0) {
827 TALLOC_FREE(frame);
828 *is_free = true;
829 if (was_free) {
830 *was_free = true;
831 }
832 return;
833 }
834
835 blob = data_blob_const(val.dptr, val.dsize);
836
837 ndr_err = ndr_pull_struct_blob(&blob, frame, &global_blob,
838 (ndr_pull_flags_fn_t)ndr_pull_smbXsrv_session_globalB);
839 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
840 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
841 DBG_WARNING("key '%s' ndr_pull_struct_blob - %s\n",
842 tdb_data_dbg(key),
843 nt_errstr(status));
844 TALLOC_FREE(frame);
845 *is_free = true;
846 if (was_free) {
847 *was_free = true;
848 }
849 return;
850 }
851
852 DBG_DEBUG("smbXsrv_session_global_verify_record\n");
853 if (DEBUGLVL(DBGLVL_DEBUG)) {
854 NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
855 }
856
857 if (global_blob.version != SMBXSRV_VERSION_0) {
858 DBG_ERR("key '%s' use unsupported version %u\n",
859 tdb_data_dbg(key),
860 global_blob.version);
861 NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
862 TALLOC_FREE(frame);
863 *is_free = true;
864 if (was_free) {
865 *was_free = true;
866 }
867 return;
868 }
869
870 global = global_blob.info.info0;
871
872 #define __BLOB_KEEP_SECRET(__blob) do { \
873 if ((__blob).length != 0) { \
874 talloc_keep_secret((__blob).data); \
875 } \
876 } while(0)
877 {
878 uint32_t i;
879 __BLOB_KEEP_SECRET(global->application_key_blob);
880 __BLOB_KEEP_SECRET(global->signing_key_blob);
881 __BLOB_KEEP_SECRET(global->encryption_key_blob);
882 __BLOB_KEEP_SECRET(global->decryption_key_blob);
883 for (i = 0; i < global->num_channels; i++) {
884 __BLOB_KEEP_SECRET(global->channels[i].signing_key_blob);
885 }
886 }
887 #undef __BLOB_KEEP_SECRET
888
889 exists = serverid_exists(&global->channels[0].server_id);
890 if (!exists) {
891 struct server_id_buf idbuf;
892 DBG_NOTICE("key '%s' server_id %s does not exist.\n",
893 tdb_data_dbg(key),
894 server_id_str_buf(global->channels[0].server_id,
895 &idbuf));
896 if (DEBUGLVL(DBGLVL_NOTICE)) {
897 NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
898 }
899 TALLOC_FREE(frame);
900 dbwrap_record_delete(db_rec);
901 *is_free = true;
902 return;
903 }
904
905 if (_g) {
906 *_g = talloc_move(mem_ctx, &global);
907 }
908 if (pseqnum) {
909 *pseqnum = global_blob.seqnum;
910 }
911 TALLOC_FREE(frame);
912 }
913
914 static NTSTATUS smbXsrv_session_global_store(struct smbXsrv_session_global0 *global)
915 {
916 struct smbXsrv_session_globalB global_blob;
917 DATA_BLOB blob = data_blob_null;
918 TDB_DATA key;
919 TDB_DATA val;
920 NTSTATUS status;
921 enum ndr_err_code ndr_err;
922
923 /*
924 * TODO: if we use other versions than '0'
925 * we would add glue code here, that would be able to
926 * store the information in the old format.
927 */
928
929 key = dbwrap_record_get_key(global->db_rec);
930 val = dbwrap_record_get_value(global->db_rec);
931
932 global_blob = (struct smbXsrv_session_globalB){
933 .version = smbXsrv_version_global_current(),
934 .info.info0 = global,
935 };
936
937 if (val.dsize >= 8) {
938 global_blob.seqnum = IVAL(val.dptr, 4);
939 }
940 global_blob.seqnum += 1;
941
942 ndr_err = ndr_push_struct_blob(
943 &blob,
944 talloc_tos(),
945 &global_blob,
946 (ndr_push_flags_fn_t)ndr_push_smbXsrv_session_globalB);
947 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
948 status = ndr_map_error2ntstatus(ndr_err);
949 DBG_WARNING("key '%s' ndr_push - %s\n",
950 tdb_data_dbg(key),
951 nt_errstr(status));
952 TALLOC_FREE(global->db_rec);
953 return status;
954 }
955
956 val = make_tdb_data(blob.data, blob.length);
957 status = dbwrap_record_store(global->db_rec, val, TDB_REPLACE);
958 TALLOC_FREE(blob.data);
959 if (!NT_STATUS_IS_OK(status)) {
960 DBG_WARNING("key '%s' store - %s\n",
961 tdb_data_dbg(key),
962 nt_errstr(status));
963 TALLOC_FREE(global->db_rec);
964 return status;
965 }
966
967 if (DEBUGLVL(DBGLVL_DEBUG)) {
968 DBG_DEBUG("key '%s' stored\n", tdb_data_dbg(key));
969 NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
970 }
971
972 TALLOC_FREE(global->db_rec);
973
974 return NT_STATUS_OK;
975 }
976
977 struct smb2srv_session_close_previous_state {
978 struct tevent_context *ev;
979 struct smbXsrv_connection *connection;
980 struct dom_sid *current_sid;
981 uint64_t previous_session_id;
982 uint64_t current_session_id;
983 struct db_record *db_rec;
984 uint64_t watch_instance;
985 uint32_t last_seqnum;
986 };
987
988 static void smb2srv_session_close_previous_cleanup(struct tevent_req *req,
989 enum tevent_req_state req_state)
990 {
991 struct smb2srv_session_close_previous_state *state =
992 tevent_req_data(req,
993 struct smb2srv_session_close_previous_state);
994
995 if (state->db_rec != NULL) {
996 dbwrap_watched_watch_remove_instance(state->db_rec,
997 state->watch_instance);
998 state->watch_instance = 0;
999 TALLOC_FREE(state->db_rec);
1000 }
1001 }
1002
1003 static void smb2srv_session_close_previous_check(struct tevent_req *req);
1004 static void smb2srv_session_close_previous_modified(struct tevent_req *subreq);
1005
1006 struct tevent_req *smb2srv_session_close_previous_send(TALLOC_CTX *mem_ctx,
1007 struct tevent_context *ev,
1008 struct smbXsrv_connection *conn,
1009 struct auth_session_info *session_info,
1010 uint64_t previous_session_id,
1011 uint64_t current_session_id)
1012 {
1013 struct tevent_req *req = NULL;
1014 struct smb2srv_session_close_previous_state *state = NULL;
1015 uint32_t global_id = previous_session_id & UINT32_MAX;
1016 uint64_t global_zeros = previous_session_id & 0xFFFFFFFF00000000LLU;
1017 struct smbXsrv_session_table *table = conn->client->session_table;
1018 struct security_token *current_token = NULL;
1019
1020 req = tevent_req_create(mem_ctx, &state,
1021 struct smb2srv_session_close_previous_state);
1022 if (req == NULL) {
1023 return NULL;
1024 }
1025 state->ev = ev;
1026 state->connection = conn;
1027 state->previous_session_id = previous_session_id;
1028 state->current_session_id = current_session_id;
1029
1030 tevent_req_set_cleanup_fn(req, smb2srv_session_close_previous_cleanup);
1031
1032 if (global_zeros != 0) {
1033 tevent_req_done(req);
1034 return tevent_req_post(req, ev);
1035 }
1036
1037 if (session_info == NULL) {
1038 tevent_req_done(req);
1039 return tevent_req_post(req, ev);
1040 }
1041 current_token = session_info->security_token;
1042
1043 if (current_token->num_sids <= PRIMARY_USER_SID_INDEX) {
1044 tevent_req_done(req);
1045 return tevent_req_post(req, ev);
1046 }
1047 state->current_sid = &current_token->sids[PRIMARY_USER_SID_INDEX];
1048
1049 if (!security_token_has_nt_authenticated_users(current_token)) {
1050 /* TODO */
1051 tevent_req_done(req);
1052 return tevent_req_post(req, ev);
1053 }
1054
1055 state->db_rec = smbXsrv_session_global_fetch_locked(
1056 table->global.db_ctx,
1057 global_id,
1058 state /* TALLOC_CTX */);
1059 if (state->db_rec == NULL) {
1060 tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
1061 return tevent_req_post(req, ev);
1062 }
1063
1064 smb2srv_session_close_previous_check(req);
1065 if (!tevent_req_is_in_progress(req)) {
1066 return tevent_req_post(req, ev);
1067 }
1068
1069 return req;
1070 }
1071
1072 static void smb2srv_session_close_previous_check(struct tevent_req *req)
1073 {
1074 struct smb2srv_session_close_previous_state *state =
1075 tevent_req_data(req,
1076 struct smb2srv_session_close_previous_state);
1077 struct smbXsrv_connection *conn = state->connection;
1078 DATA_BLOB blob;
1079 struct security_token *previous_token = NULL;
1080 struct smbXsrv_session_global0 *global = NULL;
1081 enum ndr_err_code ndr_err;
1082 struct smbXsrv_session_close0 close_info0;
1083 struct smbXsrv_session_closeB close_blob;
1084 struct tevent_req *subreq = NULL;
1085 NTSTATUS status;
1086 bool is_free = false;
1087 uint32_t seqnum = 0;
1088
1089 smbXsrv_session_global_verify_record(state->db_rec,
1090 &is_free,
1091 NULL,
1092 state,
1093 &global,
1094 &seqnum);
1095
1096 if (is_free) {
1097 tevent_req_done(req);
1098 return;
1099 }
1100
1101 if (global->auth_session_info == NULL) {
1102 tevent_req_done(req);
1103 return;
1104 }
1105
1106 previous_token = global->auth_session_info->security_token;
1107
1108 if (!security_token_is_sid(previous_token, state->current_sid)) {
1109 tevent_req_done(req);
1110 return;
1111 }
1112
1113 /*
1114 * If the record changed, but we are not happy with the change yet,
1115 * we better remove ourself from the waiter list
1116 * (most likely the first position)
1117 * and re-add us at the end of the list.
1118 *
1119 * This gives other waiters a change
1120 * to make progress.
1121 *
1122 * Otherwise we'll keep our waiter instance alive,
1123 * keep waiting (most likely at first position).
1124 * It means the order of watchers stays fair.
1125 */
1126 if (state->last_seqnum != seqnum) {
1127 state->last_seqnum = seqnum;
1128 dbwrap_watched_watch_remove_instance(state->db_rec,
1129 state->watch_instance);
1130 state->watch_instance =
1131 dbwrap_watched_watch_add_instance(state->db_rec);
1132 }
1133
1134 subreq = dbwrap_watched_watch_send(state, state->ev, state->db_rec,
1135 state->watch_instance,
1136 (struct server_id){0});
1137 if (tevent_req_nomem(subreq, req)) {
1138 return;
1139 }
1140 tevent_req_set_callback(subreq,
1141 smb2srv_session_close_previous_modified,
1142 req);
1143
1144 close_info0 = (struct smbXsrv_session_close0){
1145 .old_session_global_id = global->session_global_id,
1146 .old_session_wire_id = global->session_wire_id,
1147 .old_creation_time = global->creation_time,
1148 .new_session_wire_id = state->current_session_id,
1149 };
1150
1151 close_blob = (struct smbXsrv_session_closeB){
1152 .version = smbXsrv_version_global_current(),
1153 .info.info0 = &close_info0,
1154 };
1155
1156 ndr_err = ndr_push_struct_blob(&blob, state, &close_blob,
1157 (ndr_push_flags_fn_t)ndr_push_smbXsrv_session_closeB);
1158 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1159 status = ndr_map_error2ntstatus(ndr_err);
1160 DBG_WARNING("old_session[%" PRIu64 "] "
1161 "new_session[%" PRIu64 "] ndr_push - %s\n",
1162 close_info0.old_session_wire_id,
1163 close_info0.new_session_wire_id,
1164 nt_errstr(status));
1165 tevent_req_nterror(req, status);
1166 return;
1167 }
1168
1169 status = messaging_send(conn->client->msg_ctx,
1170 global->channels[0].server_id,
1171 MSG_SMBXSRV_SESSION_CLOSE, &blob);
1172 TALLOC_FREE(global);
1173 if (tevent_req_nterror(req, status)) {
1174 return;
1175 }
1176
1177 TALLOC_FREE(state->db_rec);
1178 return;
1179 }
1180
1181 static void smb2srv_session_close_previous_modified(struct tevent_req *subreq)
1182 {
1183 struct tevent_req *req =
1184 tevent_req_callback_data(subreq,
1185 struct tevent_req);
1186 struct smb2srv_session_close_previous_state *state =
1187 tevent_req_data(req,
1188 struct smb2srv_session_close_previous_state);
1189 uint32_t global_id;
1190 NTSTATUS status;
1191 uint64_t instance = 0;
1192
1193 status = dbwrap_watched_watch_recv(subreq, &instance, NULL, NULL);
1194 TALLOC_FREE(subreq);
1195 if (tevent_req_nterror(req, status)) {
1196 return;
1197 }
1198
1199 state->watch_instance = instance;
1200
1201 global_id = state->previous_session_id & UINT32_MAX;
1202
1203 state->db_rec = smbXsrv_session_global_fetch_locked(
1204 state->connection->client->session_table->global.db_ctx,
1205 global_id, state /* TALLOC_CTX */);
1206 if (state->db_rec == NULL) {
1207 tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
1208 return;
1209 }
1210
1211 smb2srv_session_close_previous_check(req);
1212 }
1213
1214 NTSTATUS smb2srv_session_close_previous_recv(struct tevent_req *req)
1215 {
1216 NTSTATUS status;
1217
1218 if (tevent_req_is_nterror(req, &status)) {
1219 tevent_req_received(req);
1220 return status;
1221 }
1222
1223 tevent_req_received(req);
1224 return NT_STATUS_OK;
1225 }
1226
1227 static NTSTATUS smbXsrv_session_clear_and_logoff(struct smbXsrv_session *session)
1228 {
1229 NTSTATUS status;
1230 struct smbXsrv_connection *xconn = NULL;
1231
1232 if (session->client != NULL) {
1233 xconn = session->client->connections;
1234 }
1235
1236 for (; xconn != NULL; xconn = xconn->next) {
1237 struct smbd_smb2_request *preq;
1238
1239 for (preq = xconn->smb2.requests; preq != NULL; preq = preq->next) {
1240 if (preq->session != session) {
1241 continue;
1242 }
1243
1244 preq->session = NULL;
1245 /*
1246 * If we no longer have a session we can't
1247 * sign or encrypt replies.
1248 */
1249 preq->do_signing = false;
1250 preq->do_encryption = false;
1251 preq->preauth = NULL;
1252 }
1253 }
1254
1255 status = smbXsrv_session_logoff(session);
1256 return status;
1257 }
1258
1259 static int smbXsrv_session_destructor(struct smbXsrv_session *session)
1260 {
1261 NTSTATUS status;
1262
1263 DBG_DEBUG("destructing session(%" PRIu64 ")\n",
1264 session->global->session_wire_id);
1265
1266 status = smbXsrv_session_clear_and_logoff(session);
1267 if (!NT_STATUS_IS_OK(status)) {
1268 DBG_ERR("smbXsrv_session_logoff() failed: %s\n",
1269 nt_errstr(status));
1270 }
1271
1272 TALLOC_FREE(session->global);
1273
1274 return 0;
1275 }
1276
1277 NTSTATUS smbXsrv_session_create(struct smbXsrv_connection *conn,
1278 NTTIME now,
1279 struct smbXsrv_session **_session)
1280 {
1281 struct smbXsrv_session_table *table = conn->client->session_table;
1282 struct db_record *local_rec = NULL;
1283 struct smbXsrv_session *session = NULL;
1284 void *ptr = NULL;
1285 TDB_DATA val;
1286 struct smbXsrv_session_global0 *global = NULL;
1287 struct smbXsrv_channel_global0 *channel = NULL;
1288 NTSTATUS status;
1289
1290 if (table->local.num_sessions >= table->local.max_sessions) {
1291 return NT_STATUS_INSUFFICIENT_RESOURCES;
1292 }
1293
1294 session = talloc_zero(table, struct smbXsrv_session);
1295 if (session == NULL) {
1296 return NT_STATUS_NO_MEMORY;
1297 }
1298 session->table = table;
1299 session->idle_time = now;
1300 session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
1301 session->client = conn->client;
1302 session->homes_snum = -1;
1303
1304 status = smbXsrv_session_global_allocate(table->global.db_ctx,
1305 session,
1306 &global);
1307 if (!NT_STATUS_IS_OK(status)) {
1308 TALLOC_FREE(session);
1309 return status;
1310 }
1311 session->global = global;
1312
1313 if (conn->protocol >= PROTOCOL_SMB2_02) {
1314 uint64_t id = global->session_global_id;
1315
1316 global->connection_dialect = conn->smb2.server.dialect;
1317 global->client_guid = conn->smb2.client.guid;
1318
1319 global->session_wire_id = id;
1320
1321 status = smb2srv_tcon_table_init(session);
1322 if (!NT_STATUS_IS_OK(status)) {
1323 TALLOC_FREE(session);
1324 return status;
1325 }
1326
1327 session->local_id = global->session_global_id;
1328
1329 local_rec = smbXsrv_session_local_fetch_locked(
1330 table->local.db_ctx,
1331 session->local_id,
1332 session /* TALLOC_CTX */);
1333 if (local_rec == NULL) {
1334 TALLOC_FREE(session);
1335 return NT_STATUS_NO_MEMORY;
1336 }
1337
1338 val = dbwrap_record_get_value(local_rec);
1339 if (val.dsize != 0) {
1340 TALLOC_FREE(session);
1341 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1342 }
1343 } else {
1344
1345 status = smb1srv_session_local_allocate_id(table->local.db_ctx,
1346 table->local.lowest_id,
1347 table->local.highest_id,
1348 session,
1349 &local_rec,
1350 &session->local_id);
1351 if (!NT_STATUS_IS_OK(status)) {
1352 TALLOC_FREE(session);
1353 return status;
1354 }
1355
1356 global->session_wire_id = session->local_id;
1357 }
1358
1359 global->creation_time = now;
1360 global->expiration_time = GENSEC_EXPIRE_TIME_INFINITY;
1361
1362 status = smbXsrv_session_add_channel(session, conn, now, &channel);
1363 if (!NT_STATUS_IS_OK(status)) {
1364 TALLOC_FREE(session);
1365 return status;
1366 }
1367
1368 ptr = session;
1369 val = make_tdb_data((uint8_t const *)&ptr, sizeof(ptr));
1370 status = dbwrap_record_store(local_rec, val, TDB_REPLACE);
1371 TALLOC_FREE(local_rec);
1372 if (!NT_STATUS_IS_OK(status)) {
1373 TALLOC_FREE(session);
1374 return status;
1375 }
1376 table->local.num_sessions += 1;
1377
1378 talloc_set_destructor(session, smbXsrv_session_destructor);
1379
1380 status = smbXsrv_session_global_store(global);
1381 if (!NT_STATUS_IS_OK(status)) {
1382 DBG_ERR("global_id (0x%08x) store failed - %s\n",
1383 session->global->session_global_id,
1384 nt_errstr(status));
1385 TALLOC_FREE(session);
1386 return status;
1387 }
1388
1389 if (DEBUGLVL(DBGLVL_DEBUG)) {
1390 struct smbXsrv_sessionB session_blob = {
1391 .version = SMBXSRV_VERSION_0,
1392 .info.info0 = session,
1393 };
1394
1395 DBG_DEBUG("global_id (0x%08x) stored\n",
1396 session->global->session_global_id);
1397 NDR_PRINT_DEBUG(smbXsrv_sessionB, &session_blob);
1398 }
1399
1400 *_session = session;
1401 return NT_STATUS_OK;
1402 }
1403
1404 NTSTATUS smbXsrv_session_add_channel(struct smbXsrv_session *session,
1405 struct smbXsrv_connection *conn,
1406 NTTIME now,
1407 struct smbXsrv_channel_global0 **_c)
1408 {
1409 struct smbXsrv_session_global0 *global = session->global;
1410 struct smbXsrv_channel_global0 *c = NULL;
1411
1412 if (global->num_channels > 31) {
1413 /*
1414 * Windows allow up to 32 channels
1415 */
1416 return NT_STATUS_INSUFFICIENT_RESOURCES;
1417 }
1418
1419 c = talloc_realloc(global,
1420 global->channels,
1421 struct smbXsrv_channel_global0,
1422 global->num_channels + 1);
1423 if (c == NULL) {
1424 return NT_STATUS_NO_MEMORY;
1425 }
1426 global->channels = c;
1427
1428 c = &global->channels[global->num_channels];
1429
1430 *c = (struct smbXsrv_channel_global0){
1431 .server_id = messaging_server_id(conn->client->msg_ctx),
1432 .channel_id = conn->channel_id,
1433 .creation_time = now,
1434 .connection = conn,
1435 };
1436
1437 c->local_address = tsocket_address_string(conn->local_address,
1438 global->channels);
1439 if (c->local_address == NULL) {
1440 return NT_STATUS_NO_MEMORY;
1441 }
1442 c->remote_address = tsocket_address_string(conn->remote_address,
1443 global->channels);
1444 if (c->remote_address == NULL) {
1445 return NT_STATUS_NO_MEMORY;
1446 }
1447 c->remote_name = talloc_strdup(global->channels,
1448 conn->remote_hostname);
1449 if (c->remote_name == NULL) {
1450 return NT_STATUS_NO_MEMORY;
1451 }
1452
1453 global->num_channels += 1;
1454
1455 *_c = c;
1456 return NT_STATUS_OK;
1457 }
1458
1459 NTSTATUS smbXsrv_session_update(struct smbXsrv_session *session)
1460 {
1461 struct smbXsrv_session_table *table = session->table;
1462 NTSTATUS status;
1463
1464 if (session->global->db_rec != NULL) {
1465 DBG_ERR("smbXsrv_session_update(0x%08x): "
1466 "Called with db_rec != NULL'\n",
1467 session->global->session_global_id);
1468 return NT_STATUS_INTERNAL_ERROR;
1469 }
1470
1471 if (table == NULL) {
1472 DBG_ERR("smbXsrv_session_update(0x%08x): "
1473 "Called with table == NULL'\n",
1474 session->global->session_global_id);
1475 return NT_STATUS_INTERNAL_ERROR;
1476 }
1477
1478 session->global->db_rec = smbXsrv_session_global_fetch_locked(
1479 table->global.db_ctx,
1480 session->global->session_global_id,
1481 session->global /* TALLOC_CTX */);
1482 if (session->global->db_rec == NULL) {
1483 return NT_STATUS_INTERNAL_DB_ERROR;
1484 }
1485
1486 status = smbXsrv_session_global_store(session->global);
1487 if (!NT_STATUS_IS_OK(status)) {
1488 DBG_ERR("global_id (0x%08x) store failed - %s\n",
1489 session->global->session_global_id,
1490 nt_errstr(status));
1491 return status;
1492 }
1493
1494 if (DEBUGLVL(DBGLVL_DEBUG)) {
1495 struct smbXsrv_sessionB session_blob = {
1496 .version = SMBXSRV_VERSION_0,
1497 .info.info0 = session,
1498 };
1499
1500 DBG_DEBUG("global_id (0x%08x) stored\n",
1501 session->global->session_global_id);
1502 NDR_PRINT_DEBUG(smbXsrv_sessionB, &session_blob);
1503 }
1504
1505 return NT_STATUS_OK;
1506 }
1507
1508 NTSTATUS smbXsrv_session_find_channel(const struct smbXsrv_session *session,
1509 const struct smbXsrv_connection *conn,
1510 struct smbXsrv_channel_global0 **_c)
1511 {
1512 uint32_t i;
1513
1514 for (i=0; i < session->global->num_channels; i++) {
1515 struct smbXsrv_channel_global0 *c = &session->global->channels[i];
1516
1517 if (c->channel_id != conn->channel_id) {
1518 continue;
1519 }
1520
1521 if (c->connection != conn) {
1522 continue;
1523 }
1524
1525 *_c = c;
1526 return NT_STATUS_OK;
1527 }
1528
1529 return NT_STATUS_USER_SESSION_DELETED;
1530 }
1531
1532 NTSTATUS smbXsrv_session_find_auth(const struct smbXsrv_session *session,
1533 const struct smbXsrv_connection *conn,
1534 NTTIME now,
1535 struct smbXsrv_session_auth0 **_a)
1536 {
1537 struct smbXsrv_session_auth0 *a;
1538
1539 for (a = session->pending_auth; a != NULL; a = a->next) {
1540 if (a->channel_id != conn->channel_id) {
1541 continue;
1542 }
1543
1544 if (a->connection == conn) {
1545 if (now != 0) {
1546 a->idle_time = now;
1547 }
1548 *_a = a;
1549 return NT_STATUS_OK;
1550 }
1551 }
1552
1553 return NT_STATUS_USER_SESSION_DELETED;
1554 }
1555
1556 static int smbXsrv_session_auth0_destructor(struct smbXsrv_session_auth0 *a)
1557 {
1558 if (a->session == NULL) {
1559 return 0;
1560 }
1561
1562 DLIST_REMOVE(a->session->pending_auth, a);
1563 a->session = NULL;
1564 return 0;
1565 }
1566
1567 NTSTATUS smbXsrv_session_create_auth(struct smbXsrv_session *session,
1568 struct smbXsrv_connection *conn,
1569 NTTIME now,
1570 uint8_t in_flags,
1571 uint8_t in_security_mode,
1572 struct smbXsrv_session_auth0 **_a)
1573 {
1574 struct smbXsrv_session_auth0 *a;
1575 NTSTATUS status;
1576
1577 status = smbXsrv_session_find_auth(session, conn, 0, &a);
1578 if (NT_STATUS_IS_OK(status)) {
1579 return NT_STATUS_INTERNAL_ERROR;
1580 }
1581
1582 a = talloc(session, struct smbXsrv_session_auth0);
1583 if (a == NULL) {
1584 return NT_STATUS_NO_MEMORY;
1585 }
1586
1587 *a = (struct smbXsrv_session_auth0){
1588 .session = session,
1589 .connection = conn,
1590 .in_flags = in_flags,
1591 .in_security_mode = in_security_mode,
1592 .creation_time = now,
1593 .idle_time = now,
1594 .channel_id = conn->channel_id,
1595 };
1596
1597 if (conn->protocol >= PROTOCOL_SMB3_11) {
1598 a->preauth = talloc(a, struct smbXsrv_preauth);
1599 if (a->preauth == NULL) {
1600 TALLOC_FREE(session);
1601 return NT_STATUS_NO_MEMORY;
1602 }
1603 *a->preauth = conn->smb2.preauth;
1604 }
1605
1606 talloc_set_destructor(a, smbXsrv_session_auth0_destructor);
1607 DLIST_ADD_END(session->pending_auth, a);
1608
1609 *_a = a;
1610 return NT_STATUS_OK;
1611 }
1612
1613 static void smbXsrv_session_remove_channel_done(struct tevent_req *subreq);
1614
1615 NTSTATUS smbXsrv_session_remove_channel(struct smbXsrv_session *session,
1616 struct smbXsrv_connection *xconn)
1617 {
1618 struct smbXsrv_session_auth0 *a = NULL;
1619 struct smbXsrv_channel_global0 *c = NULL;
1620 NTSTATUS status;
1621 bool need_update = false;
1622
1623 status = smbXsrv_session_find_auth(session, xconn, 0, &a);
1624 if (!NT_STATUS_IS_OK(status)) {
1625 a = NULL;
1626 }
1627 status = smbXsrv_session_find_channel(session, xconn, &c);
1628 if (!NT_STATUS_IS_OK(status)) {
1629 c = NULL;
1630 }
1631
1632 if (a != NULL) {
1633 smbXsrv_session_auth0_destructor(a);
1634 a->connection = NULL;
1635 need_update = true;
1636 }
1637
1638 if (c != NULL) {
1639 struct smbXsrv_session_global0 *global = session->global;
1640 ptrdiff_t n;
1641
1642 n = (c - global->channels);
1643 if (n >= global->num_channels || n < 0) {
1644 return NT_STATUS_INTERNAL_ERROR;
1645 }
1646 ARRAY_DEL_ELEMENT(global->channels, n, global->num_channels);
1647 global->num_channels--;
1648 if (global->num_channels == 0) {
1649 struct smbXsrv_client *client = session->client;
1650 struct tevent_queue *xconn_wait_queue =
1651 xconn->transport.shutdown_wait_queue;
1652 struct tevent_req *subreq = NULL;
1653
1654 /*
1655 * Let the connection wait until the session is
1656 * destroyed.
1657 *
1658 * We don't set a callback, as we just want to block the
1659 * wait queue and the talloc_free() of the session will
1660 * remove the item from the wait queue in order
1661 * to remove allow the connection to disappear.
1662 */
1663 if (xconn_wait_queue != NULL) {
1664 subreq = tevent_queue_wait_send(session,
1665 client->raw_ev_ctx,
1666 xconn_wait_queue);
1667 if (subreq == NULL) {
1668 status = NT_STATUS_NO_MEMORY;
1669 DBG_ERR("tevent_queue_wait_send() "
1670 "session(%" PRIu64
1671 ") failed: %s\n",
1672 session->global
1673 ->session_wire_id,
1674 nt_errstr(status));
1675 return status;
1676 }
1677 }
1678
1679 /*
1680 * This is guaranteed to set
1681 * session->status = NT_STATUS_USER_SESSION_DELETED
1682 * even if NULL is returned.
1683 */
1684 subreq = smb2srv_session_shutdown_send(session,
1685 client->raw_ev_ctx,
1686 session,
1687 NULL);
1688 if (subreq == NULL) {
1689 status = NT_STATUS_NO_MEMORY;
1690 DBG_ERR("smb2srv_session_shutdown_send("
1691 "%" PRIu64 " failed: %s\n",
1692 session->global->session_wire_id,
1693 nt_errstr(status));
1694 return status;
1695 }
1696 tevent_req_set_callback(subreq,
1697 smbXsrv_session_remove_channel_done,
1698 session);
1699 }
1700 need_update = true;
1701 }
1702
1703 if (!need_update) {
1704 return NT_STATUS_OK;
1705 }
1706
1707 return smbXsrv_session_update(session);
1708 }
1709
1710 static void smbXsrv_session_remove_channel_done(struct tevent_req *subreq)
1711 {
1712 struct smbXsrv_session *session =
1713 tevent_req_callback_data(subreq,
1714 struct smbXsrv_session);
1715 NTSTATUS status;
1716
1717 status = smb2srv_session_shutdown_recv(subreq);
1718 TALLOC_FREE(subreq);
1719 if (!NT_STATUS_IS_OK(status)) {
1720 DBG_ERR("smb2srv_session_shutdown_recv(%" PRIu64
1721 ") failed: %s\n",
1722 session->global->session_wire_id,
1723 nt_errstr(status));
1724 }
1725
1726 status = smbXsrv_session_logoff(session);
1727 if (!NT_STATUS_IS_OK(status)) {
1728 DBG_ERR("smbXsrv_session_logoff(%" PRIu64 ") failed: %s\n",
1729 session->global->session_wire_id,
1730 nt_errstr(status));
1731 }
1732
1733 TALLOC_FREE(session);
1734 }
1735
1736 struct smb2srv_session_shutdown_state {
1737 struct tevent_queue *wait_queue;
1738 };
1739
1740 static void smb2srv_session_shutdown_wait_done(struct tevent_req *subreq);
1741
1742 struct check_for_lease_break_fsp_cmp_state {
1743 struct smbXsrv_session *session;
1744 };
1745
1746 static bool check_for_lease_break_fsp_cmp_fn(struct files_struct *fsp,
1747 void *private_data)
1748 {
1749 struct check_for_lease_break_fsp_cmp_state *state =
1750 (struct check_for_lease_break_fsp_cmp_state *)private_data;
1751
1752 return (fsp->vuid == state->session->global->session_wire_id);
1753 }
1754
1755 struct tevent_req *smb2srv_session_shutdown_send(TALLOC_CTX *mem_ctx,
1756 struct tevent_context *ev,
1757 struct smbXsrv_session *session,
1758 struct smbd_smb2_request *current_req)
1759 {
1760 struct tevent_req *req = NULL;
1761 struct smb2srv_session_shutdown_state *state = NULL;
1762 struct tevent_req *subreq = NULL;
1763 struct smbXsrv_connection *xconn = NULL;
1764 struct check_for_lease_break_fsp_cmp_state fsp_cmp_state;
1765 size_t len = 0;
1766
1767 /*
1768 * Make sure that no new request will be able to use this session.
1769 */
1770 session->status = NT_STATUS_USER_SESSION_DELETED;
1771
1772 req = tevent_req_create(mem_ctx, &state,
1773 struct smb2srv_session_shutdown_state);
1774 if (req == NULL) {
1775 return NULL;
1776 }
1777
1778 state->wait_queue = tevent_queue_create(state, "smb2srv_session_shutdown_queue");
1779 if (tevent_req_nomem(state->wait_queue, req)) {
1780 return tevent_req_post(req, ev);
1781 }
1782
1783 for (xconn = session->client->connections; xconn != NULL; xconn = xconn->next) {
1784 struct smbd_smb2_request *preq;
1785
1786 for (preq = xconn->smb2.requests; preq != NULL; preq = preq->next) {
1787 if (preq == current_req) {
1788 /* Can't cancel current request. */
1789 continue;
1790 }
1791 if (preq->session != session) {
1792 /* Request on different session. */
1793 continue;
1794 }
1795
1796 if (preq->subreq != NULL) {
1797 tevent_req_cancel(preq->subreq);
1798 }
1799
1800 /*
1801 * Now wait until the request is finished.
1802 *
1803 * We don't set a callback, as we just want to block the
1804 * wait queue and the talloc_free() of the request will
1805 * remove the item from the wait queue.
1806 */
1807 subreq = tevent_queue_wait_send(preq, ev, state->wait_queue);
1808 if (tevent_req_nomem(subreq, req)) {
1809 return tevent_req_post(req, ev);
1810 }
1811 }
1812 }
1813
1814 fsp_cmp_state = (struct check_for_lease_break_fsp_cmp_state) {
1815 .session = session,
1816 };
1817
1818 smbXsrv_wait_for_handle_lease_break(
1819 req,
1820 ev,
1821 session->client,
1822 state->wait_queue,
1823 check_for_lease_break_fsp_cmp_fn,
1824 &fsp_cmp_state);
1825 if (!tevent_req_is_in_progress(req)) {
1826 return tevent_req_post(req, ev);
1827 }
1828
1829 len = tevent_queue_length(state->wait_queue);
1830 if (len == 0) {
1831 tevent_req_done(req);
1832 return tevent_req_post(req, ev);
1833 }
1834
1835 /*
1836 * Now we add our own waiter to the end of the queue,
1837 * this way we get notified when all pending requests are finished
1838 * and send to the socket.
1839 */
1840 subreq = tevent_queue_wait_send(state, ev, state->wait_queue);
1841 if (tevent_req_nomem(subreq, req)) {
1842 return tevent_req_post(req, ev);
1843 }
1844 tevent_req_set_callback(subreq, smb2srv_session_shutdown_wait_done, req);
1845
1846 return req;
1847 }
1848
1849 static void smb2srv_session_shutdown_wait_done(struct tevent_req *subreq)
1850 {
1851 struct tevent_req *req =
1852 tevent_req_callback_data(subreq,
1853 struct tevent_req);
1854
1855 tevent_queue_wait_recv(subreq);
1856 TALLOC_FREE(subreq);
1857
1858 tevent_req_done(req);
1859 }
1860
1861 NTSTATUS smb2srv_session_shutdown_recv(struct tevent_req *req)
1862 {
1863 return tevent_req_simple_recv_ntstatus(req);
1864 }
1865
1866 NTSTATUS smbXsrv_session_logoff(struct smbXsrv_session *session)
1867 {
1868 struct smbXsrv_session_table *table;
1869 struct db_record *local_rec = NULL;
1870 struct db_record *global_rec = NULL;
1871 struct smbd_server_connection *sconn = NULL;
1872 NTSTATUS status;
1873 NTSTATUS error = NT_STATUS_OK;
1874
1875 if (session->table == NULL) {
1876 return NT_STATUS_OK;
1877 }
1878
1879 table = session->table;
1880 session->table = NULL;
1881
1882 sconn = session->client->sconn;
1883 session->client = NULL;
1884 session->status = NT_STATUS_USER_SESSION_DELETED;
1885
1886 /*
1887 * For SMB2 this is a bit redundant as files are also close
1888 * below via smb2srv_tcon_disconnect_all() -> ... ->
1889 * smbXsrv_tcon_disconnect() -> close_cnum() ->
1890 * file_close_conn().
1891 */
1892 file_close_user(sconn, session->global->session_wire_id);
1893
1894 if (session->tcon_table != NULL) {
1895 /*
1896 * Note: We only have a tcon_table for SMB2.
1897 */
1898 status = smb2srv_tcon_disconnect_all(session);
1899 if (!NT_STATUS_IS_OK(status)) {
1900 DBG_ERR("smbXsrv_session_logoff(0x%08x): "
1901 "smb2srv_tcon_disconnect_all() failed: %s\n",
1902 session->global->session_global_id,
1903 nt_errstr(status));
1904 error = status;
1905 }
1906 }
1907
1908 invalidate_vuid(sconn, session->global->session_wire_id);
1909
1910 global_rec = session->global->db_rec;
1911 session->global->db_rec = NULL;
1912 if (global_rec == NULL) {
1913 global_rec = smbXsrv_session_global_fetch_locked(
1914 table->global.db_ctx,
1915 session->global->session_global_id,
1916 session->global /* TALLOC_CTX */);
1917 if (global_rec == NULL) {
1918 error = NT_STATUS_INTERNAL_ERROR;
1919 }
1920 }
1921
1922 if (global_rec != NULL) {
1923 status = dbwrap_record_delete(global_rec);
1924 if (!NT_STATUS_IS_OK(status)) {
1925 TDB_DATA key = dbwrap_record_get_key(global_rec);
1926
1927 DBG_ERR("smbXsrv_session_logoff(0x%08x): "
1928 "failed to delete global key '%s': %s\n",
1929 session->global->session_global_id,
1930 tdb_data_dbg(key),
1931 nt_errstr(status));
1932 error = status;
1933 }
1934 }
1935 TALLOC_FREE(global_rec);
1936
1937 local_rec = session->db_rec;
1938 if (local_rec == NULL) {
1939 local_rec = smbXsrv_session_local_fetch_locked(
1940 table->local.db_ctx,
1941 session->local_id,
1942 session /* TALLOC_CTX */);
1943 if (local_rec == NULL) {
1944 error = NT_STATUS_INTERNAL_ERROR;
1945 }
1946 }
1947
1948 if (local_rec != NULL) {
1949 status = dbwrap_record_delete(local_rec);
1950 if (!NT_STATUS_IS_OK(status)) {
1951 TDB_DATA key = dbwrap_record_get_key(local_rec);
1952
1953 DBG_ERR("smbXsrv_session_logoff(0x%08x): "
1954 "failed to delete local key '%s': %s\n",
1955 session->global->session_global_id,
1956 tdb_data_dbg(key),
1957 nt_errstr(status));
1958 error = status;
1959 }
1960 table->local.num_sessions -= 1;
1961 }
1962 if (session->db_rec == NULL) {
1963 TALLOC_FREE(local_rec);
1964 }
1965 session->db_rec = NULL;
1966
1967 return error;
1968 }
1969
1970 struct smbXsrv_session_logoff_all_state {
1971 NTSTATUS first_status;
1972 int errors;
1973 };
1974
1975 static int smbXsrv_session_logoff_all_callback(struct db_record *local_rec,
1976 void *private_data);
1977
1978 NTSTATUS smbXsrv_session_logoff_all(struct smbXsrv_client *client)
1979 {
1980 struct smbXsrv_session_table *table = client->session_table;
1981 struct smbXsrv_session_logoff_all_state state = {};
1982 NTSTATUS status;
1983 int count = 0;
1984
1985 if (table == NULL) {
1986 DBG_DEBUG("empty session_table, nothing to do.\n");
1987 return NT_STATUS_OK;
1988 }
1989
1990 status = dbwrap_traverse(table->local.db_ctx,
1991 smbXsrv_session_logoff_all_callback,
1992 &state, &count);
1993 if (!NT_STATUS_IS_OK(status)) {
1994 DBG_ERR("dbwrap_traverse() failed: %s\n", nt_errstr(status));
1995 return status;
1996 }
1997
1998 if (!NT_STATUS_IS_OK(state.first_status)) {
1999 DBG_ERR("count[%d] errors[%d] first[%s]\n",
2000 count,
2001 state.errors,
2002 nt_errstr(state.first_status));
2003 return state.first_status;
2004 }
2005
2006 return NT_STATUS_OK;
2007 }
2008
2009 static int smbXsrv_session_logoff_all_callback(struct db_record *local_rec,
2010 void *private_data)
2011 {
2012 struct smbXsrv_session_logoff_all_state *state =
2013 (struct smbXsrv_session_logoff_all_state *)private_data;
2014 TDB_DATA val;
2015 void *ptr = NULL;
2016 struct smbXsrv_session *session = NULL;
2017 NTSTATUS status;
2018
2019 val = dbwrap_record_get_value(local_rec);
2020 if (val.dsize != sizeof(ptr)) {
2021 status = NT_STATUS_INTERNAL_ERROR;
2022 if (NT_STATUS_IS_OK(state->first_status)) {
2023 state->first_status = status;
2024 }
2025 state->errors++;
2026 return 0;
2027 }
2028
2029 memcpy(&ptr, val.dptr, val.dsize);
2030 session = talloc_get_type_abort(ptr, struct smbXsrv_session);
2031
2032 session->db_rec = local_rec;
2033 status = smbXsrv_session_clear_and_logoff(session);
2034 session->db_rec = NULL;
2035 if (!NT_STATUS_IS_OK(status)) {
2036 if (NT_STATUS_IS_OK(state->first_status)) {
2037 state->first_status = status;
2038 }
2039 state->errors++;
2040 return 0;
2041 }
2042
2043 return 0;
2044 }
2045
2046 struct smbXsrv_session_local_trav_state {
2047 NTSTATUS status;
2048 int (*caller_cb)(struct smbXsrv_session *session,
2049 void *caller_data);
2050 void *caller_data;
2051 };
2052
2053 static int smbXsrv_session_local_traverse_cb(struct db_record *local_rec,
2054 void *private_data);
2055
2056 NTSTATUS smbXsrv_session_local_traverse(
2057 struct smbXsrv_client *client,
2058 int (*caller_cb)(struct smbXsrv_session *session,
2059 void *caller_data),
2060 void *caller_data)
2061 {
2062 struct smbXsrv_session_table *table = client->session_table;
2063 struct smbXsrv_session_local_trav_state state;
2064 NTSTATUS status;
2065 int count = 0;
2066
2067 state = (struct smbXsrv_session_local_trav_state) {
2068 .status = NT_STATUS_OK,
2069 .caller_cb = caller_cb,
2070 .caller_data = caller_data,
2071 };
2072
2073 if (table == NULL) {
2074 DBG_DEBUG("empty session_table, nothing to do.\n");
2075 return NT_STATUS_OK;
2076 }
2077
2078 status = dbwrap_traverse(table->local.db_ctx,
2079 smbXsrv_session_local_traverse_cb,
2080 &state,
2081 &count);
2082 if (!NT_STATUS_IS_OK(status)) {
2083 DBG_ERR("dbwrap_traverse() failed: %s\n", nt_errstr(status));
2084 return status;
2085 }
2086 if (!NT_STATUS_IS_OK(state.status)) {
2087 DBG_ERR("count[%d] status[%s]\n",
2088 count, nt_errstr(state.status));
2089 return state.status;
2090 }
2091
2092 return NT_STATUS_OK;
2093 }
2094
2095 static int smbXsrv_session_local_traverse_cb(struct db_record *local_rec,
2096 void *private_data)
2097 {
2098 struct smbXsrv_session_local_trav_state *state =
2099 (struct smbXsrv_session_local_trav_state *)private_data;
2100 TDB_DATA val;
2101 void *ptr = NULL;
2102 struct smbXsrv_session *session = NULL;
2103 int ret;
2104
2105 val = dbwrap_record_get_value(local_rec);
2106 if (val.dsize != sizeof(ptr)) {
2107 state->status = NT_STATUS_INTERNAL_ERROR;
2108 return -1;
2109 }
2110
2111 memcpy(&ptr, val.dptr, val.dsize);
2112 session = talloc_get_type_abort(ptr, struct smbXsrv_session);
2113
2114 session->db_rec = local_rec;
2115 ret = state->caller_cb(session, state->caller_data);
2116 session->db_rec = NULL;
2117
2118 return ret;
2119 }
2120
2121 struct smbXsrv_session_disconnect_xconn_state {
2122 struct smbXsrv_connection *xconn;
2123 NTSTATUS first_status;
2124 int errors;
2125 };
2126
2127 static int smbXsrv_session_disconnect_xconn_callback(struct db_record *local_rec,
2128 void *private_data);
2129
2130 NTSTATUS smbXsrv_session_disconnect_xconn(struct smbXsrv_connection *xconn)
2131 {
2132 struct smbXsrv_client *client = xconn->client;
2133 struct smbXsrv_session_table *table = client->session_table;
2134 struct smbXsrv_session_disconnect_xconn_state state = {
2135 .xconn = xconn,
2136 };
2137 NTSTATUS status;
2138 int count = 0;
2139
2140 if (table == NULL) {
2141 DBG_ERR("empty session_table, nothing to do.\n");
2142 return NT_STATUS_OK;
2143 }
2144
2145 status = dbwrap_traverse(table->local.db_ctx,
2146 smbXsrv_session_disconnect_xconn_callback,
2147 &state, &count);
2148 if (!NT_STATUS_IS_OK(status)) {
2149 DBG_ERR("dbwrap_traverse() failed: %s\n",
2150 nt_errstr(status));
2151 return status;
2152 }
2153
2154 if (!NT_STATUS_IS_OK(state.first_status)) {
2155 DBG_ERR("count[%d] errors[%d] first[%s]\n",
2156 count, state.errors,
2157 nt_errstr(state.first_status));
2158 return state.first_status;
2159 }
2160
2161 return NT_STATUS_OK;
2162 }
2163
2164 static int smbXsrv_session_disconnect_xconn_callback(struct db_record *local_rec,
2165 void *private_data)
2166 {
2167 struct smbXsrv_session_disconnect_xconn_state *state =
2168 (struct smbXsrv_session_disconnect_xconn_state *)private_data;
2169 TDB_DATA val;
2170 void *ptr = NULL;
2171 struct smbXsrv_session *session = NULL;
2172 NTSTATUS status;
2173
2174 val = dbwrap_record_get_value(local_rec);
2175 if (val.dsize != sizeof(ptr)) {
2176 status = NT_STATUS_INTERNAL_ERROR;
2177 if (NT_STATUS_IS_OK(state->first_status)) {
2178 state->first_status = status;
2179 }
2180 state->errors++;
2181 return 0;
2182 }
2183
2184 memcpy(&ptr, val.dptr, val.dsize);
2185 session = talloc_get_type_abort(ptr, struct smbXsrv_session);
2186
2187 session->db_rec = local_rec;
2188 status = smbXsrv_session_remove_channel(session, state->xconn);
2189 session->db_rec = NULL;
2190 if (!NT_STATUS_IS_OK(status)) {
2191 if (NT_STATUS_IS_OK(state->first_status)) {
2192 state->first_status = status;
2193 }
2194 state->errors++;
2195 }
2196
2197 return 0;
2198 }
2199
2200 NTSTATUS smb1srv_session_table_init(struct smbXsrv_connection *conn)
2201 {
2202 /*
2203 * Allow a range from 1..65534 with 65534 values.
2204 */
2205 return smbXsrv_session_table_init(conn, 1, UINT16_MAX - 1,
2206 UINT16_MAX - 1);
2207 }
2208
2209 NTSTATUS smb1srv_session_lookup(struct smbXsrv_connection *conn,
2210 uint16_t vuid, NTTIME now,
2211 struct smbXsrv_session **session)
2212 {
2213 struct smbXsrv_session_table *table = conn->client->session_table;
2214 uint32_t local_id = vuid;
2215
2216 return smbXsrv_session_local_lookup(table, conn, local_id, now,
2217 session);
2218 }
2219
2220 NTSTATUS smbXsrv_session_info_lookup(struct smbXsrv_client *client,
2221 uint64_t session_wire_id,
2222 struct auth_session_info **si)
2223 {
2224 struct smbXsrv_session_table *table = client->session_table;
2225 uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
2226 struct smbXsrv_session_local_fetch_state state = {
2227 .status = NT_STATUS_INTERNAL_ERROR,
2228 };
2229 TDB_DATA key;
2230 NTSTATUS status;
2231
2232 if (session_wire_id == 0) {
2233 return NT_STATUS_USER_SESSION_DELETED;
2234 }
2235
2236 if (table == NULL) {
2237 /* this might happen before the end of negprot */
2238 return NT_STATUS_USER_SESSION_DELETED;
2239 }
2240
2241 if (table->local.db_ctx == NULL) {
2242 return NT_STATUS_INTERNAL_ERROR;
2243 }
2244
2245 key = smbXsrv_session_local_id_to_key(session_wire_id, key_buf);
2246
2247 status = dbwrap_parse_record(table->local.db_ctx, key,
2248 smbXsrv_session_local_fetch_parser,
2249 &state);
2250 if (!NT_STATUS_IS_OK(status)) {
2251 return status;
2252 }
2253 if (!NT_STATUS_IS_OK(state.status)) {
2254 return state.status;
2255 }
2256 if (state.session->global->auth_session_info == NULL) {
2257 return NT_STATUS_USER_SESSION_DELETED;
2258 }
2259
2260 *si = state.session->global->auth_session_info;
2261 return NT_STATUS_OK;
2262 }
2263
2264 /*
2265 * In memory of get_valid_user_struct()
2266 *
2267 * This function is similar to smbXsrv_session_local_lookup() and it's wrappers,
2268 * but it doesn't implement the state checks of
2269 * those. get_valid_smbXsrv_session() is NOT meant to be called to validate the
2270 * session wire-id of incoming SMB requests, it MUST only be used in later
2271 * internal processing where the session wire-id has already been validated.
2272 */
2273 NTSTATUS get_valid_smbXsrv_session(struct smbXsrv_client *client,
2274 uint64_t session_wire_id,
2275 struct smbXsrv_session **session)
2276 {
2277 struct smbXsrv_session_table *table = client->session_table;
2278 uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
2279 struct smbXsrv_session_local_fetch_state state = {
2280 .status = NT_STATUS_INTERNAL_ERROR,
2281 };
2282 TDB_DATA key;
2283 NTSTATUS status;
2284
2285 if (session_wire_id == 0) {
2286 return NT_STATUS_USER_SESSION_DELETED;
2287 }
2288
2289 if (table == NULL) {
2290 /* this might happen before the end of negprot */
2291 return NT_STATUS_USER_SESSION_DELETED;
2292 }
2293
2294 if (table->local.db_ctx == NULL) {
2295 return NT_STATUS_INTERNAL_ERROR;
2296 }
2297
2298 key = smbXsrv_session_local_id_to_key(session_wire_id, key_buf);
2299
2300 status = dbwrap_parse_record(table->local.db_ctx, key,
2301 smbXsrv_session_local_fetch_parser,
2302 &state);
2303 if (!NT_STATUS_IS_OK(status)) {
2304 return status;
2305 }
2306 if (!NT_STATUS_IS_OK(state.status)) {
2307 return state.status;
2308 }
2309 if (state.session->global->auth_session_info == NULL) {
2310 return NT_STATUS_USER_SESSION_DELETED;
2311 }
2312
2313 *session = state.session;
2314 return NT_STATUS_OK;
2315 }
2316
2317 NTSTATUS smb2srv_session_lookup_global(struct smbXsrv_client *client,
2318 uint64_t session_wire_id,
2319 TALLOC_CTX *mem_ctx,
2320 struct smbXsrv_session **_session)
2321 {
2322 TALLOC_CTX *frame = talloc_stackframe();
2323 struct smbXsrv_session_table *table = client->session_table;
2324 uint32_t global_id = session_wire_id & UINT32_MAX;
2325 uint64_t global_zeros = session_wire_id & 0xFFFFFFFF00000000LLU;
2326 struct smbXsrv_session *session = NULL;
2327 struct db_record *global_rec = NULL;
2328 bool is_free = false;
2329 NTSTATUS status;
2330
2331 if (global_id == 0) {
2332 TALLOC_FREE(frame);
2333 return NT_STATUS_USER_SESSION_DELETED;
2334 }
2335 if (global_zeros != 0) {
2336 TALLOC_FREE(frame);
2337 return NT_STATUS_USER_SESSION_DELETED;
2338 }
2339
2340 if (table == NULL) {
2341 /* this might happen before the end of negprot */
2342 TALLOC_FREE(frame);
2343 return NT_STATUS_USER_SESSION_DELETED;
2344 }
2345
2346 if (table->global.db_ctx == NULL) {
2347 TALLOC_FREE(frame);
2348 return NT_STATUS_INTERNAL_ERROR;
2349 }
2350
2351 session = talloc_zero(mem_ctx, struct smbXsrv_session);
2352 if (session == NULL) {
2353 TALLOC_FREE(frame);
2354 return NT_STATUS_NO_MEMORY;
2355 }
2356 talloc_steal(frame, session);
2357
2358 session->client = client;
2359 session->status = NT_STATUS_BAD_LOGON_SESSION_STATE;
2360 session->local_id = global_id;
2361
2362 /*
2363 * This means smb2_get_new_nonce() will return
2364 * NT_STATUS_ENCRYPTION_FAILED.
2365 *
2366 * But we initialize some random parts just in case...
2367 */
2368 session->nonce_high_max = session->nonce_high = 0;
2369 generate_nonce_buffer((uint8_t *)&session->nonce_high_random,
2370 sizeof(session->nonce_high_random));
2371 generate_nonce_buffer((uint8_t *)&session->nonce_low,
2372 sizeof(session->nonce_low));
2373
2374 global_rec = smbXsrv_session_global_fetch_locked(table->global.db_ctx,
2375 global_id,
2376 frame);
2377 if (global_rec == NULL) {
2378 TALLOC_FREE(frame);
2379 return NT_STATUS_INTERNAL_DB_ERROR;
2380 }
2381
2382 smbXsrv_session_global_verify_record(global_rec,
2383 &is_free,
2384 NULL,
2385 session,
2386 &session->global,
2387 NULL);
2388 if (is_free) {
2389 TALLOC_FREE(frame);
2390 return NT_STATUS_USER_SESSION_DELETED;
2391 }
2392
2393 /*
2394 * We don't have channels on this session
2395 * and only the main signing key
2396 */
2397 session->global->num_channels = 0;
2398 status = smb2_signing_key_sign_create(session->global,
2399 session->global->signing_algo,
2400 NULL, /* no master key */
2401 NULL, /* derivations */
2402 &session->global->signing_key);
2403 if (!NT_STATUS_IS_OK(status)) {
2404 TALLOC_FREE(frame);
2405 return NT_STATUS_NO_MEMORY;
2406 }
2407 session->global->signing_key->blob = session->global->signing_key_blob;
2408 session->global->signing_flags = 0;
2409
2410 status = smb2_signing_key_cipher_create(session->global,
2411 session->global->encryption_cipher,
2412 NULL, /* no master key */
2413 NULL, /* derivations */
2414 &session->global->decryption_key);
2415 if (!NT_STATUS_IS_OK(status)) {
2416 TALLOC_FREE(frame);
2417 return NT_STATUS_NO_MEMORY;
2418 }
2419 session->global->decryption_key->blob = session->global->decryption_key_blob;
2420 session->global->encryption_flags = 0;
2421
2422 *_session = talloc_move(mem_ctx, &session);
2423 TALLOC_FREE(frame);
2424 return NT_STATUS_OK;
2425 }
2426
2427 NTSTATUS smb2srv_session_table_init(struct smbXsrv_connection *conn)
2428 {
2429 /*
2430 * Allow a range from 1..4294967294 with 65534 (same as SMB1) values.
2431 */
2432 return smbXsrv_session_table_init(conn, 1, UINT32_MAX - 1,
2433 UINT16_MAX - 1);
2434 }
2435
2436 static NTSTATUS smb2srv_session_lookup_raw(struct smbXsrv_session_table *table,
2437 /* conn: optional */
2438 struct smbXsrv_connection *conn,
2439 uint64_t session_id, NTTIME now,
2440 struct smbXsrv_session **session)
2441 {
2442 uint32_t local_id = session_id & UINT32_MAX;
2443 uint64_t local_zeros = session_id & 0xFFFFFFFF00000000LLU;
2444
2445 if (local_zeros != 0) {
2446 return NT_STATUS_USER_SESSION_DELETED;
2447 }
2448
2449 return smbXsrv_session_local_lookup(table, conn, local_id, now,
2450 session);
2451 }
2452
2453 NTSTATUS smb2srv_session_lookup_conn(struct smbXsrv_connection *conn,
2454 uint64_t session_id, NTTIME now,
2455 struct smbXsrv_session **session)
2456 {
2457 struct smbXsrv_session_table *table = conn->client->session_table;
2458 return smb2srv_session_lookup_raw(table, conn, session_id, now,
2459 session);
2460 }
2461
2462 NTSTATUS smb2srv_session_lookup_client(struct smbXsrv_client *client,
2463 uint64_t session_id, NTTIME now,
2464 struct smbXsrv_session **session)
2465 {
2466 struct smbXsrv_session_table *table = client->session_table;
2467 return smb2srv_session_lookup_raw(table, NULL, session_id, now,
2468 session);
2469 }
2470
2471 struct smbXsrv_session_global_traverse_state {
2472 int (*fn)(struct smbXsrv_session_global0 *, void *);
2473 void *private_data;
2474 };
2475
2476 static int smbXsrv_session_global_traverse_fn(struct db_record *rec, void *data)
2477 {
2478 int ret = -1;
2479 struct smbXsrv_session_global_traverse_state *state =
2480 (struct smbXsrv_session_global_traverse_state*)data;
2481 TDB_DATA key = dbwrap_record_get_key(rec);
2482 TDB_DATA val = dbwrap_record_get_value(rec);
2483 DATA_BLOB blob = data_blob_const(val.dptr, val.dsize);
2484 struct smbXsrv_session_globalB global_blob;
2485 enum ndr_err_code ndr_err;
2486 TALLOC_CTX *frame = talloc_stackframe();
2487
2488 ndr_err = ndr_pull_struct_blob(&blob, frame, &global_blob,
2489 (ndr_pull_flags_fn_t)ndr_pull_smbXsrv_session_globalB);
2490 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2491 DBG_WARNING("Invalid record in smbXsrv_session_global.tdb:"
2492 "key '%s' ndr_pull_struct_blob - %s\n",
2493 tdb_data_dbg(key),
2494 ndr_errstr(ndr_err));
2495 goto done;
2496 }
2497
2498 if (global_blob.version != SMBXSRV_VERSION_0) {
2499 DBG_WARNING("Invalid record in smbXsrv_session_global.tdb:"
2500 "key '%s' unsupported version - %d\n",
2501 tdb_data_dbg(key),
2502 (int)global_blob.version);
2503 goto done;
2504 }
2505
2506 if (global_blob.info.info0 == NULL) {
2507 DBG_WARNING("Invalid record in smbXsrv_tcon_global.tdb:"
2508 "key '%s' info0 NULL pointer\n",
2509 tdb_data_dbg(key));
2510 goto done;
2511 }
2512
2513 global_blob.info.info0->db_rec = rec;
2514 ret = state->fn(global_blob.info.info0, state->private_data);
2515 done:
2516 TALLOC_FREE(frame);
2517 return ret;
2518 }
2519
2520 NTSTATUS smbXsrv_session_global_traverse(
2521 int (*fn)(struct smbXsrv_session_global0 *, void *),
2522 void *private_data)
2523 {
2524
2525 NTSTATUS status;
2526 int count = 0;
2527 struct smbXsrv_session_global_traverse_state state = {
2528 .fn = fn,
2529 .private_data = private_data,
2530 };
2531
2532 become_root();
2533 status = smbXsrv_session_global_init(NULL);
2534 if (!NT_STATUS_IS_OK(status)) {
2535 unbecome_root();
2536 DBG_ERR("Failed to initialize session_global: %s\n",
2537 nt_errstr(status));
2538 return status;
2539 }
2540
2541 status = dbwrap_traverse_read(smbXsrv_session_global_db_ctx,
2542 smbXsrv_session_global_traverse_fn,
2543 &state,
2544 &count);
2545 unbecome_root();
2546
2547 return status;
2548 }
2549
2550 static struct files_struct *smbXsrv_wait_for_handle_lease_break_fn(
2551 struct files_struct *fsp,
2552 void *private_data);
2553 static void smbXsrv_wait_for_handle_lease_break_done(
2554 struct tevent_req *subreq);
2555
2556 struct delay_for_handle_lease_break_state {
2557 struct tevent_req *req;
2558 struct tevent_context *ev;
2559 struct smbXsrv_client *client;
2560 struct tevent_queue *wait_queue;
2561 bool (*fsp_cmp_fn)(struct files_struct *fsp,
2562 void *private_data);
2563 void *fsp_cmp_private_data;
2564 };
2565
2566 void smbXsrv_wait_for_handle_lease_break(
2567 struct tevent_req *req,
2568 struct tevent_context *ev,
2569 struct smbXsrv_client *client,
2570 struct tevent_queue *wait_queue,
2571 bool (*fsp_cmp_fn)(struct files_struct *fsp,
2572 void *private_data),
2573 void *fsp_cmp_private_data)
2574 {
2575 struct delay_for_handle_lease_break_state state;
2576
2577 state = (struct delay_for_handle_lease_break_state) {
2578 .req = req,
2579 .ev = ev,
2580 .client = client,
2581 .wait_queue = wait_queue,
2582 .fsp_cmp_fn = fsp_cmp_fn,
2583 .fsp_cmp_private_data = fsp_cmp_private_data,
2584 };
2585
2586 files_forall(client->sconn,
2587 smbXsrv_wait_for_handle_lease_break_fn,
2588 &state);
2589 }
2590
2591 static struct files_struct *smbXsrv_wait_for_handle_lease_break_fn(
2592 struct files_struct *fsp,
2593 void *private_data)
2594 {
2595 struct delay_for_handle_lease_break_state *state = private_data;
2596 struct tevent_req *subreq = NULL;
2597 struct share_mode_lock *lck = NULL;
2598 struct timeval timeout = timeval_current_ofs(OPLOCK_BREAK_TIMEOUT, 0);
2599 bool match;
2600 NTSTATUS status;
2601
2602 match = state->fsp_cmp_fn(fsp, state->fsp_cmp_private_data);
2603 if (!match) {
2604 return NULL;
2605 }
2606
2607 if (!fsp->fsp_flags.initial_delete_on_close) {
2608 return NULL;
2609 }
2610
2611 lck = get_existing_share_mode_lock(fsp, fsp->file_id);
2612 if (lck == NULL) {
2613 /* No opens on this file */
2614 return NULL;
2615 }
2616
2617 subreq = delay_for_handle_lease_break_send(fsp,
2618 state->ev,
2619 timeout,
2620 fsp,
2621 false,
2622 &lck);
2623 if (tevent_req_nomem(subreq, state->req)) {
2624 TALLOC_FREE(lck);
2625 /* Reminder: returning != NULL means STOP traverse */
2626 return fsp;
2627 }
2628 if (tevent_req_is_in_progress(subreq)) {
2629 struct tevent_req *wait_subreq = NULL;
2630
2631 tevent_req_set_callback(
2632 subreq,
2633 smbXsrv_wait_for_handle_lease_break_done,
2634 state->req);
2635
2636 /*
2637 * This just adds a blocker that unblocks when subreq is
2638 * completed and goes away.
2639 */
2640 wait_subreq = tevent_queue_wait_send(subreq,
2641 state->ev,
2642 state->wait_queue);
2643 if (wait_subreq == NULL) {
2644 exit_server("tevent_queue_wait_send failed");
2645 }
2646 return NULL;
2647 }
2648
2649 status = delay_for_handle_lease_break_recv(subreq, state->req, &lck);
2650 TALLOC_FREE(subreq);
2651 TALLOC_FREE(lck);
2652 if (tevent_req_nterror(state->req, status)) {
2653 DBG_ERR("delay_for_handle_lease_break_recv failed %s\n",
2654 nt_errstr(status));
2655 return fsp;
2656 }
2657 return NULL;
2658 }
2659
2660 static void smbXsrv_wait_for_handle_lease_break_done(
2661 struct tevent_req *subreq)
2662 {
2663 struct tevent_req *req = tevent_req_callback_data(
2664 subreq, struct tevent_req);
2665 struct share_mode_lock *lck = NULL;
2666 NTSTATUS status;
2667
2668 status = delay_for_handle_lease_break_recv(subreq,
2669 req,
2670 &lck);
2671 TALLOC_FREE(subreq);
2672 TALLOC_FREE(lck);
2673 if (tevent_req_nterror(req, status)) {
2674 DBG_ERR("delay_for_handle_lease_break_recv failed %s\n",
2675 nt_errstr(status));
2676 return;
2677 }
2678 }
Samba git mirror