1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
14 */
15
16
17 #include <smbsrv/smb2_kproto.h>
18 #include <smbsrv/smb_kstat.h>
19 #include <smbsrv/smb2.h>
20
21 /*
22 * Saved state for a command that "goes async". When a compound request
23 * contains a command that may block indefinitely, the compound reply is
24 * composed with an "interim response" for that command, and information
25 * needed to actually dispatch that command is saved on a list of "async"
26 * commands for this compound request. After the compound reply is sent,
27 * the list of async commands is processed, and those may block as long
28 * as they need to without affecting the initial compound request.
29 *
30 * Now interestingly, this "async" mechanism is not used with the full
31 * range of asynchrony that one might imagine. The design of async
32 * request processing can be drastically simplified if we can assume
33 * that there's no need to run more than one async command at a time.
34 * With that simplifying assumption, we can continue using the current
35 * "one worker thread per request message" model, which has very simple
36 * locking rules etc. The same worker thread that handles the initial
37 * compound request can handle the list of async requests.
38 *
39 * As it turns out, SMB2 clients do not try to use more than one "async"
40 * command in a compound. If they were to do so, the [MS-SMB2] spec.
41 * allows us to decline additional async requests with an error.
42 *
43 * smb_async_req_t is the struct used to save an "async" request on
44 * the list of requests that had an interim reply in the initial
45 * compound reply. This includes everything needed to restart
46 * processing at the async command.
47 */
48
49 typedef struct smb2_async_req {
50
51 smb_sdrc_t (*ar_func)(smb_request_t *);
52
53 int ar_cmd_hdr; /* smb2_cmd_hdr offset */
54 int ar_cmd_len; /* length from hdr */
55
56 /*
57 * SMB2 header fields.
58 */
59 uint16_t ar_cmd_code;
60 uint16_t ar_uid;
61 uint16_t ar_tid;
62 uint32_t ar_pid;
63 uint32_t ar_hdr_flags;
64 uint64_t ar_messageid;
65 } smb2_async_req_t;
66
67 void smb2sr_do_async(smb_request_t *);
68 smb_sdrc_t smb2_invalid_cmd(smb_request_t *);
69 static void smb2_tq_work(void *);
70
71 static const smb_disp_entry_t const
72 smb2_disp_table[SMB2__NCMDS] = {
73
74 /* text-name, pre, func, post, cmd-code, dialect, flags */
75
76 { "smb2_negotiate", NULL,
77 smb2_negotiate, NULL, 0, 0,
78 SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID },
79
80 { "smb2_session_setup", NULL,
81 smb2_session_setup, NULL, 0, 0,
82 SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID },
83
84 { "smb2_logoff", NULL,
85 smb2_logoff, NULL, 0, 0,
86 SDDF_SUPPRESS_TID },
87
88 { "smb2_tree_connect", NULL,
89 smb2_tree_connect, NULL, 0, 0,
96 smb2_create, NULL, 0, 0 },
97
98 { "smb2_close", NULL,
99 smb2_close, NULL, 0, 0 },
100
101 { "smb2_flush", NULL,
102 smb2_flush, NULL, 0, 0 },
103
104 { "smb2_read", NULL,
105 smb2_read, NULL, 0, 0 },
106
107 { "smb2_write", NULL,
108 smb2_write, NULL, 0, 0 },
109
110 { "smb2_lock", NULL,
111 smb2_lock, NULL, 0, 0 },
112
113 { "smb2_ioctl", NULL,
114 smb2_ioctl, NULL, 0, 0 },
115
116 /*
117 * Note: Cancel gets the "invalid command" handler because
118 * that's always handled directly in the reader. We should
119 * never get to the function using this table, but note:
120 * We CAN get here if a nasty client adds cancel to some
121 * compound message, which is a protocol violation.
122 */
123 { "smb2_cancel", NULL,
124 smb2_invalid_cmd, NULL, 0, 0 },
125
126 { "smb2_echo", NULL,
127 smb2_echo, NULL, 0, 0,
128 SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID },
129
130 { "smb2_query_dir", NULL,
131 smb2_query_dir, NULL, 0, 0 },
132
133 { "smb2_change_notify", NULL,
134 smb2_change_notify, NULL, 0, 0 },
135
136 { "smb2_query_info", NULL,
137 smb2_query_info, NULL, 0, 0 },
138
139 { "smb2_set_info", NULL,
140 smb2_set_info, NULL, 0, 0 },
141
142 { "smb2_oplock_break_ack", NULL,
143 smb2_oplock_break_ack, NULL, 0, 0 },
144
158 return (SDRC_DROP_VC);
159 }
160
161 /*
162 * This is the SMB2 handler for new smb requests, called from
163 * smb_session_reader after SMB negotiate is done. For most SMB2
164 * requests, we just enqueue them for the smb_session_worker to
165 * execute via the task queue, so they can block for resources
166 * without stopping the reader thread. A few protocol messages
167 * are special cases and are handled directly here in the reader
168 * thread so they don't wait for taskq scheduling.
169 *
170 * This function must either enqueue the new request for
171 * execution via the task queue, or execute it directly
172 * and then free it. If this returns non-zero, the caller
173 * will drop the session.
174 */
175 int
176 smb2sr_newrq(smb_request_t *sr)
177 {
178 uint32_t magic;
179 uint16_t command;
180 int rc;
181
182 magic = LE_IN32(sr->sr_request_buf);
183 if (magic != SMB2_PROTOCOL_MAGIC) {
184 smb_request_free(sr);
185 /* will drop the connection */
186 return (EPROTO);
187 }
188
189 /*
190 * Execute Cancel requests immediately, (here in the
191 * reader thread) so they won't wait for any other
192 * commands we might already have in the task queue.
193 * Cancel also skips signature verification and
194 * does not consume a sequence number.
195 * [MS-SMB2] 3.2.4.24 Cancellation...
196 */
197 command = LE_IN16((uint8_t *)sr->sr_request_buf + 12);
198 if (command == SMB2_CANCEL) {
199 rc = smb2sr_newrq_cancel(sr);
200 smb_request_free(sr);
201 return (rc);
202 }
203
204 /*
205 * Submit the request to the task queue, which calls
206 * smb2_tq_work when the workload permits.
207 */
208 sr->sr_time_submitted = gethrtime();
209 sr->sr_state = SMB_REQ_STATE_SUBMITTED;
210 smb_srqueue_waitq_enter(sr->session->s_srqueue);
211 (void) taskq_dispatch(sr->sr_server->sv_worker_pool,
212 smb2_tq_work, sr, TQ_SLEEP);
213
214 return (0);
215 }
216
217 static void
218 smb2_tq_work(void *arg)
219 {
220 smb_request_t *sr;
221 smb_srqueue_t *srq;
222
223 sr = (smb_request_t *)arg;
224 SMB_REQ_VALID(sr);
225
226 srq = sr->session->s_srqueue;
227 smb_srqueue_waitq_to_runq(srq);
228 sr->sr_worker = curthread;
229 sr->sr_time_active = gethrtime();
230
231 /*
232 * In contrast with SMB1, SMB2 must _always_ dispatch to
233 * the handler function, because cancelled requests need
234 * an error reply (NT_STATUS_CANCELLED).
235 */
236 smb2sr_work(sr);
237
238 smb_srqueue_runq_exit(srq);
239 }
240
241 /*
242 * smb2sr_work
243 *
244 * This function processes each SMB command in the current request
245 * (which may be a compound request) building a reply containing
246 * SMB reply messages, one-to-one with the SMB commands. Some SMB
247 * commands (change notify, blocking locks) may require both an
248 * "interim response" and a later "async response" at completion.
249 * In such cases, we'll encode the interim response in the reply
250 * compound we're building, and put the (now async) command on a
251 * list of commands that need further processing. After we've
252 * finished processing the commands in this compound and building
253 * the compound reply, we'll send the compound reply, and finally
254 * process the list of async commands.
255 *
256 * As we work our way through the compound request and reply,
257 * we need to keep track of the bounds of the current request
258 * and reply. For the request, this uses an MBC_SHADOW_CHAIN
259 * that begins at smb2_cmd_hdr. The reply is appended to the
260 * sr->reply chain starting at smb2_reply_hdr.
261 *
262 * This function must always free the smb request.
263 */
264 void
265 smb2sr_work(struct smb_request *sr)
266 {
267 const smb_disp_entry_t *sdd;
268 smb_disp_stats_t *sds;
269 smb_session_t *session;
270 uint32_t msg_len;
271 uint16_t cmd_idx;
272 int rc = 0;
273 boolean_t disconnect = B_FALSE;
274 boolean_t related;
275
276 session = sr->session;
277
278 ASSERT(sr->tid_tree == 0);
279 ASSERT(sr->uid_user == 0);
280 ASSERT(sr->fid_ofile == 0);
281 sr->smb_fid = (uint16_t)-1;
282 sr->smb2_status = 0;
283
284 /* temporary until we identify a user */
285 sr->user_cr = zone_kcred();
286
287 mutex_enter(&sr->sr_mutex);
288 switch (sr->sr_state) {
289 case SMB_REQ_STATE_SUBMITTED:
290 case SMB_REQ_STATE_CLEANED_UP:
291 sr->sr_state = SMB_REQ_STATE_ACTIVE;
292 break;
293 default:
294 ASSERT(0);
295 /* FALLTHROUGH */
296 case SMB_REQ_STATE_CANCELED:
297 sr->smb2_status = NT_STATUS_CANCELLED;
298 break;
299 }
300 mutex_exit(&sr->sr_mutex);
301
302 cmd_start:
303 /*
304 * Decode the request header
305 *
306 * Most problems with decoding will result in the error
307 * STATUS_INVALID_PARAMETER. If the decoding problem
308 * prevents continuing, we'll close the connection.
309 * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted...
310 *
311 * We treat some status codes as if "sticky", meaning
312 * once they're set after some command handler returns,
313 * all remaining commands get this status without even
314 * calling the command-specific handler. The cancelled
315 * status is used above, and insufficient_resources is
316 * used when smb2sr_go_async declines to "go async".
317 * Otherwise initialize to zero (success).
318 */
319 if (sr->smb2_status != NT_STATUS_CANCELLED &&
320 sr->smb2_status != NT_STATUS_INSUFFICIENT_RESOURCES)
321 sr->smb2_status = 0;
322
323 sr->smb2_cmd_hdr = sr->command.chain_offset;
324 if ((rc = smb2_decode_header(sr)) != 0) {
325 cmn_err(CE_WARN, "clnt %s bad SMB2 header",
326 session->ip_addr_str);
327 disconnect = B_TRUE;
328 goto cleanup;
329 }
330
331 /*
332 * The SMB2_FLAGS_SERVER_TO_REDIR should only appear
333 * in messages from the server back to the client.
334 */
335 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR) != 0) {
336 cmn_err(CE_WARN, "clnt %s bad SMB2 flags",
337 session->ip_addr_str);
338 disconnect = B_TRUE;
339 goto cleanup;
340 }
341 related = (sr->smb2_hdr_flags & SMB2_FLAGS_RELATED_OPERATIONS);
342
343 /*
344 * In case we bail out with an error before we get to the
345 * section that computes the credit grant, initialize the
346 * response header fields so that credits won't change.
347 * Note: SMB 2.02 clients may send credit charge zero.
348 */
349 if (sr->smb2_credit_charge == 0)
350 sr->smb2_credit_charge = 1;
351 sr->smb2_credit_response = sr->smb2_credit_charge;
352
353 /*
354 * Reserve space for the reply header, and save the offset.
355 * The reply header will be overwritten later. If we have
356 * already exhausted the output space, then this client is
357 * trying something funny. Log it and kill 'em.
358 */
359 sr->smb2_reply_hdr = sr->reply.chain_offset;
360 if ((rc = smb2_encode_header(sr, B_FALSE)) != 0) {
361 cmn_err(CE_WARN, "clnt %s excessive reply",
362 session->ip_addr_str);
363 disconnect = B_TRUE;
364 goto cleanup;
365 }
366
367 /*
368 * Figure out the length of data following the SMB2 header.
369 * It ends at either the next SMB2 header if there is one
370 * (smb2_next_command != 0) or at the end of the message.
371 */
372 if (sr->smb2_next_command != 0) {
373 /* [MS-SMB2] says this is 8-byte aligned */
374 msg_len = sr->smb2_next_command;
375 if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) ||
376 ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) {
377 cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd",
378 session->ip_addr_str);
379 disconnect = B_TRUE;
380 goto cleanup;
381 }
382 } else {
383 msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr;
384 }
385
386 /*
387 * Setup a shadow chain for this SMB2 command, starting
388 * with the header and ending at either the next command
389 * or the end of the message. The signing check below
390 * needs the entire SMB2 command. After that's done, we
391 * advance chain_offset to the end of the header where
392 * the command specific handlers continue decoding.
393 */
394 (void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command,
395 sr->smb2_cmd_hdr, msg_len);
396
397 /*
398 * Validate the commmand code, get dispatch table entries.
399 * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted...
400 *
401 * The last slot in the dispatch table is used to handle
402 * invalid commands. Same for statistics.
403 */
404 if (sr->smb2_cmd_code < SMB2_INVALID_CMD)
405 cmd_idx = sr->smb2_cmd_code;
406 else
407 cmd_idx = SMB2_INVALID_CMD;
408 sdd = &smb2_disp_table[cmd_idx];
409 sds = &session->s_server->sv_disp_stats2[cmd_idx];
410
411 /*
412 * If this command is NOT "related" to the previous,
413 * clear out the UID, TID, FID state that might be
414 * left over from the previous command.
415 *
416 * If the command IS related, any new IDs are ignored,
417 * and we simply continue with the previous user, tree,
418 * and open file.
419 */
420 if (!related) {
421 /*
422 * Drop user, tree, file; carefully ordered to
423 * avoid dangling references: file, tree, user
424 */
425 if (sr->fid_ofile != NULL) {
426 smb_ofile_request_complete(sr->fid_ofile);
427 smb_ofile_release(sr->fid_ofile);
428 sr->fid_ofile = NULL;
429 }
430 if (sr->tid_tree != NULL) {
431 smb_tree_release(sr->tid_tree);
432 sr->tid_tree = NULL;
433 }
434 if (sr->uid_user != NULL) {
435 smb_user_release(sr->uid_user);
436 sr->uid_user = NULL;
437 sr->user_cr = zone_kcred();
438 }
439 }
440
441 /*
442 * Make sure we have a user and tree as needed
443 * according to the flags for the this command.
444 * Note that we may have inherited these.
445 */
446 if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0) {
447 /*
448 * This command requires a user session.
449 */
450 if (related) {
451 /*
452 * Previous command should have given us a user.
453 * [MS-SMB2] 3.3.5.2 Handling Related Requests
454 */
455 if (sr->uid_user == NULL) {
456 smb2sr_put_error(sr,
457 NT_STATUS_INVALID_PARAMETER);
458 goto cmd_done;
459 }
460 sr->smb_uid = sr->uid_user->u_uid;
461 } else {
462 /*
463 * Lookup the UID
464 * [MS-SMB2] 3.3.5.2 Verifying the Session
465 */
466 ASSERT(sr->uid_user == NULL);
467 sr->uid_user = smb_session_lookup_uid(session,
468 sr->smb_uid);
469 if (sr->uid_user == NULL) {
470 smb2sr_put_error(sr,
471 NT_STATUS_USER_SESSION_DELETED);
472 goto cmd_done;
473 }
474 sr->user_cr = smb_user_getcred(sr->uid_user);
475 }
476 ASSERT(sr->uid_user != NULL);
477 }
478
479 if ((sdd->sdt_flags & SDDF_SUPPRESS_TID) == 0) {
480 /*
481 * This command requires a tree connection.
482 */
483 if (related) {
484 /*
485 * Previous command should have given us a tree.
486 * [MS-SMB2] 3.3.5.2 Handling Related Requests
487 */
488 if (sr->tid_tree == NULL) {
489 smb2sr_put_error(sr,
490 NT_STATUS_INVALID_PARAMETER);
491 goto cmd_done;
492 }
493 sr->smb_tid = sr->tid_tree->t_tid;
494 } else {
495 /*
496 * Lookup the TID
497 * [MS-SMB2] 3.3.5.2 Verifying the Tree Connect
498 */
499 ASSERT(sr->tid_tree == NULL);
500 sr->tid_tree = smb_session_lookup_tree(session,
501 sr->smb_tid);
502 if (sr->tid_tree == NULL) {
503 smb2sr_put_error(sr,
504 NT_STATUS_NETWORK_NAME_DELETED);
505 goto cmd_done;
506 }
507 }
508 ASSERT(sr->tid_tree != NULL);
509 }
510
511 /*
512 * SMB2 signature verification, two parts:
513 * (a) Require SMB2_FLAGS_SIGNED (for most request types)
514 * (b) If SMB2_FLAGS_SIGNED is set, check the signature.
515 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature
516 */
517
518 /*
519 * No user session means no signature check. That's OK,
520 * i.e. for commands marked SDDF_SUPPRESS_UID above.
521 * Note, this also means we won't sign the reply.
522 */
523 if (sr->uid_user == NULL)
524 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
525
526 /*
527 * The SDDF_SUPPRESS_UID dispatch is set for requests that
528 * don't need a UID (user). These also don't require a
529 * signature check here.
530 */
531 if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0 &&
532 sr->uid_user != NULL &&
533 (sr->uid_user->u_sign_flags & SMB_SIGNING_CHECK) != 0) {
534 /*
535 * This request type should be signed, and
536 * we're configured to require signatures.
537 */
538 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) == 0) {
539 smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
540 goto cmd_done;
541 }
542 rc = smb2_sign_check_request(sr);
543 if (rc != 0) {
544 DTRACE_PROBE1(smb2__sign__check, smb_request_t, sr);
545 smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
546 goto cmd_done;
547 }
548 }
549
550 /*
551 * Now that the signing check is done with smb_data,
552 * advance past the SMB2 header we decoded earlier.
553 * This leaves sr->smb_data correctly positioned
554 * for command-specific decoding in the dispatch
555 * function called next.
556 */
557 sr->smb_data.chain_offset = sr->smb2_cmd_hdr + SMB2_HDR_SIZE;
558
559 /*
560 * SMB2 credits determine how many simultaneous commands the
561 * client may issue, and bounds the range of message IDs those
562 * commands may use. With multi-credit support, commands may
563 * use ranges of message IDs, where the credits used by each
564 * command are proportional to their data transfer size.
565 *
566 * Every command may request an increase or decrease of
567 * the currently granted credits, based on the difference
568 * between the credit request and the credit charge.
569 * [MS-SMB2] 3.3.1.2 Algorithm for the Granting of Credits
570 *
571 * Most commands have credit_request=1, credit_charge=1,
572 * which keeps the credit grant unchanged.
573 *
574 * All we're really doing here (for now) is reducing the
575 * credit_response if the client requests a credit increase
576 * that would take their credit over the maximum, and
577 * limiting the decrease so they don't run out of credits.
578 *
579 * Later, this could do something dynamic based on load.
580 *
581 * One other non-obvious bit about credits: We keep the
582 * session s_max_credits low until the 1st authentication,
583 * at which point we'll set the normal maximum_credits.
584 * Some clients ask for more credits with session setup,
585 * and we need to handle that requested increase _after_
586 * the command-specific handler returns so it won't be
587 * restricted to the lower (pre-auth) limit.
588 */
589 sr->smb2_credit_response = sr->smb2_credit_request;
590 if (sr->smb2_credit_request < sr->smb2_credit_charge) {
591 uint16_t cur, d;
592
593 mutex_enter(&session->s_credits_mutex);
594 cur = session->s_cur_credits;
595
596 /* Handle credit decrease. */
597 d = sr->smb2_credit_charge - sr->smb2_credit_request;
598 cur -= d;
599 if (cur & 0x8000) {
600 /*
601 * underflow (bad credit charge or request)
602 * leave credits unchanged (response=charge)
603 */
604 cur = session->s_cur_credits;
605 sr->smb2_credit_response = sr->smb2_credit_charge;
606 DTRACE_PROBE1(smb2__credit__neg, smb_request_t, sr);
607 }
608
609 /*
610 * The server MUST ensure that the number of credits
611 * held by the client is never reduced to zero.
612 * [MS-SMB2] 3.3.1.2
613 */
614 if (cur == 0) {
615 cur = 1;
616 sr->smb2_credit_response += 1;
617 DTRACE_PROBE1(smb2__credit__min, smb_request_t, sr);
618 }
619
620 DTRACE_PROBE3(smb2__credit__decrease,
621 smb_request_t, sr, int, (int)cur,
622 int, (int)session->s_cur_credits);
623
624 session->s_cur_credits = cur;
625 mutex_exit(&session->s_credits_mutex);
626 }
627
628 /*
629 * The real work: call the SMB2 command handler
630 * (except for "sticky" smb2_status - see above)
631 */
632 sr->sr_time_start = gethrtime();
633 rc = SDRC_SUCCESS;
634 if (sr->smb2_status == 0) {
635 /* NB: not using pre_op */
636 rc = (*sdd->sdt_function)(sr);
637 /* NB: not using post_op */
638 }
639
640 MBC_FLUSH(&sr->raw_data);
641
642 /*
643 * Second half of SMB2 credit handling (increases)
644 */
645 if (sr->smb2_credit_request > sr->smb2_credit_charge) {
646 uint16_t cur, d;
647
648 mutex_enter(&session->s_credits_mutex);
649 cur = session->s_cur_credits;
650
651 /* Handle credit increase. */
652 d = sr->smb2_credit_request - sr->smb2_credit_charge;
653 cur += d;
654
655 /*
656 * If new credits would be above max,
657 * reduce the credit grant.
658 */
659 if (cur > session->s_max_credits) {
660 d = cur - session->s_max_credits;
661 cur = session->s_max_credits;
662 sr->smb2_credit_response -= d;
663 DTRACE_PROBE1(smb2__credit__max, smb_request_t, sr);
664 }
665
666 DTRACE_PROBE3(smb2__credit__increase,
667 smb_request_t, sr, int, (int)cur,
668 int, (int)session->s_cur_credits);
669
670 session->s_cur_credits = cur;
671 mutex_exit(&session->s_credits_mutex);
672 }
673
674 cmd_done:
675 /*
676 * Pad the reply to align(8) if necessary.
677 */
678 if (sr->reply.chain_offset & 7) {
679 int padsz = 8 - (sr->reply.chain_offset & 7);
680 (void) smb_mbc_encodef(&sr->reply, "#.", padsz);
681 }
682 ASSERT((sr->reply.chain_offset & 7) == 0);
683
684 /*
685 * Record some statistics: latency, rx bytes, tx bytes.
686 */
687 smb_latency_add_sample(&sds->sdt_lat,
688 gethrtime() - sr->sr_time_start);
689 atomic_add_64(&sds->sdt_rxb,
690 (int64_t)(sr->command.chain_offset - sr->smb2_cmd_hdr));
691 atomic_add_64(&sds->sdt_txb,
692 (int64_t)(sr->reply.chain_offset - sr->smb2_reply_hdr));
693
694 switch (rc) {
695 case SDRC_SUCCESS:
696 break;
697 default:
698 /*
699 * SMB2 does not use the other dispatch return codes.
700 * If we see something else, log an event so we'll
701 * know something is returning bogus status codes.
702 * If you see these in the log, use dtrace to find
703 * the code returning something else.
704 */
705 #ifdef DEBUG
706 cmn_err(CE_NOTE, "handler for %u returned 0x%x",
707 sr->smb2_cmd_code, rc);
708 #endif
709 /* FALLTHROUGH */
710 case SDRC_ERROR:
711 if (sr->smb2_status == 0)
712 sr->smb2_status = NT_STATUS_INTERNAL_ERROR;
713 break;
714 case SDRC_DROP_VC:
715 disconnect = B_TRUE;
716 goto cleanup;
717 }
718
719 /*
720 * If there's a next command, figure out where it starts,
721 * and fill in the next command offset for the reply.
722 * Note: We sanity checked smb2_next_command above
723 * (the offset to the next command). Similarly set
724 * smb2_next_reply as the offset to the next reply.
725 */
726 if (sr->smb2_next_command != 0) {
727 sr->command.chain_offset =
728 sr->smb2_cmd_hdr + sr->smb2_next_command;
729 sr->smb2_next_reply =
730 sr->reply.chain_offset - sr->smb2_reply_hdr;
731 } else {
732 sr->smb2_next_reply = 0;
733 }
734
735 /*
736 * Overwrite the SMB2 header for the response of
737 * this command (possibly part of a compound).
738 * encode_header adds: SMB2_FLAGS_SERVER_TO_REDIR
739 */
740 (void) smb2_encode_header(sr, B_TRUE);
741
742 if (sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED)
743 smb2_sign_reply(sr);
744
745 if (sr->smb2_next_command != 0)
746 goto cmd_start;
747
748 /*
749 * We've done all the commands in this compound.
750 * Send it out.
751 */
752 smb2_send_reply(sr);
753
754 /*
755 * If any of the requests "went async", process those now.
756 * The async. function "keeps" this sr, changing its state
757 * to completed and calling smb_request_free().
758 */
759 if (sr->sr_async_req != NULL) {
760 smb2sr_do_async(sr);
761 return;
762 }
763
764 cleanup:
765 if (disconnect) {
766 smb_rwx_rwenter(&session->s_lock, RW_WRITER);
767 switch (session->s_state) {
768 case SMB_SESSION_STATE_DISCONNECTED:
769 case SMB_SESSION_STATE_TERMINATED:
770 break;
771 default:
772 smb_soshutdown(session->sock);
773 session->s_state = SMB_SESSION_STATE_DISCONNECTED;
774 break;
775 }
776 smb_rwx_rwexit(&session->s_lock);
777 }
778
779 mutex_enter(&sr->sr_mutex);
780 sr->sr_state = SMB_REQ_STATE_COMPLETED;
781 mutex_exit(&sr->sr_mutex);
782
783 smb_request_free(sr);
784 }
785
786 /*
787 * Dispatch an async request using saved information.
788 * See smb2sr_save_async and [MS-SMB2] 3.3.4.2
789 *
790 * This is sort of a "lite" version of smb2sr_work. Initialize the
791 * command and reply areas as they were when the command-speicific
792 * handler started (in case it needs to decode anything again).
793 * Call the async function, which builds the command-specific part
794 * of the response. Finally, send the response and free the sr.
795 */
796 void
797 smb2sr_do_async(smb_request_t *sr)
798 {
799 const smb_disp_entry_t *sdd;
800 smb_disp_stats_t *sds;
801 smb2_async_req_t *ar;
802 int rc = 0;
803
804 /*
805 * Restore what smb2_decode_header found.
806 * (In lieu of decoding it again.)
807 */
808 ar = sr->sr_async_req;
809 sr->smb2_cmd_hdr = ar->ar_cmd_hdr;
810 sr->smb2_cmd_code = ar->ar_cmd_code;
811 sr->smb2_hdr_flags = ar->ar_hdr_flags;
812 sr->smb2_async_id = (uintptr_t)ar;
813 sr->smb2_messageid = ar->ar_messageid;
814 sr->smb_pid = ar->ar_pid;
815 sr->smb_tid = ar->ar_tid;
816 sr->smb_uid = ar->ar_uid;
817 sr->smb2_status = 0;
818
819 /*
820 * Async requests don't grant credits, because any credits
821 * should have gone out with the interim reply.
822 * An async reply goes alone (no next reply).
823 */
824 sr->smb2_credit_response = 0;
825 sr->smb2_next_reply = 0;
826
827 /*
828 * Setup input mbuf_chain
829 */
830 ASSERT(ar->ar_cmd_len >= SMB2_HDR_SIZE);
831 (void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command,
832 sr->smb2_cmd_hdr + SMB2_HDR_SIZE,
833 ar->ar_cmd_len - SMB2_HDR_SIZE);
834
835 /*
836 * Setup output mbuf_chain
837 */
838 MBC_FLUSH(&sr->reply);
839 sr->smb2_reply_hdr = sr->reply.chain_offset;
840 (void) smb2_encode_header(sr, B_FALSE);
841
842 VERIFY3U(sr->smb2_cmd_code, <, SMB2_INVALID_CMD);
843 sdd = &smb2_disp_table[sr->smb2_cmd_code];
844 sds = sr->session->s_server->sv_disp_stats2;
845 sds = &sds[sr->smb2_cmd_code];
846
847 /*
848 * Keep the UID, TID, ofile we have.
849 */
850 if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0 &&
851 sr->uid_user == NULL) {
852 smb2sr_put_error(sr, NT_STATUS_USER_SESSION_DELETED);
853 goto cmd_done;
854 }
855 if ((sdd->sdt_flags & SDDF_SUPPRESS_TID) == 0 &&
856 sr->tid_tree == NULL) {
857 smb2sr_put_error(sr, NT_STATUS_NETWORK_NAME_DELETED);
858 goto cmd_done;
859 }
860
861 /*
862 * Signature already verified
863 * Credits handled...
864 *
865 * Just call the async handler function.
866 */
867 rc = ar->ar_func(sr);
868 if (rc != 0 && sr->smb2_status == 0)
869 sr->smb2_status = NT_STATUS_INTERNAL_ERROR;
870
871 cmd_done:
872 /*
873 * Pad the reply to align(8) if necessary.
874 */
875 if (sr->reply.chain_offset & 7) {
876 int padsz = 8 - (sr->reply.chain_offset & 7);
877 (void) smb_mbc_encodef(&sr->reply, "#.", padsz);
878 }
879 ASSERT((sr->reply.chain_offset & 7) == 0);
880
881 /*
882 * Record some statistics: (just tx bytes here)
883 */
884 atomic_add_64(&sds->sdt_txb,
885 (int64_t)(sr->reply.chain_offset - sr->smb2_reply_hdr));
886
887 /*
888 * Overwrite the SMB2 header for the response of
889 * this command (possibly part of a compound).
890 * The call adds: SMB2_FLAGS_SERVER_TO_REDIR
891 */
892 (void) smb2_encode_header(sr, B_TRUE);
893
894 if (sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED)
895 smb2_sign_reply(sr);
896
897 smb2_send_reply(sr);
898
899 /*
900 * Done. Unlink and free.
901 */
902 sr->sr_async_req = NULL;
903 kmem_free(ar, sizeof (*ar));
904
905 mutex_enter(&sr->sr_mutex);
906 sr->sr_state = SMB_REQ_STATE_COMPLETED;
907 mutex_exit(&sr->sr_mutex);
908
909 smb_request_free(sr);
910 }
911
912 /*
913 * In preparation for sending an "interim response", save
914 * all the state we'll need to run an async command later,
915 * and assign an "async id" for this (now async) command.
916 * See [MS-SMB2] 3.3.4.2
917 *
918 * If more than one request in a compound request tries to
919 * "go async", we can "say no". See [MS-SMB2] 3.3.4.2
920 * If an operation would require asynchronous processing
921 * but resources are constrained, the server MAY choose to
922 * fail that operation with STATUS_INSUFFICIENT_RESOURCES.
923 *
924 * For simplicity, we further restrict the cases where we're
925 * willing to "go async", and only allow the last command in a
926 * compound to "go async". It happens that this is the only
927 * case where we're actually asked to go async anyway. This
928 * simplification also means there can be at most one command
929 * in a compound that "goes async" (the last one).
930 *
931 * If we agree to "go async", this should return STATUS_PENDING.
932 * Otherwise return STATUS_INSUFFICIENT_RESOURCES for this and
933 * all requests following this request. (See the comments re.
934 * "sticky" smb2_status values in smb2sr_work).
935 *
936 * Note: the Async ID we assign here is arbitrary, and need only
937 * be unique among pending async responses on this connection, so
938 * this just uses an object address as the Async ID.
939 *
940 * Also, the assigned worker is the ONLY thread using this
941 * async request object (sr_async_req) so no locking.
942 */
943 uint32_t
944 smb2sr_go_async(smb_request_t *sr,
945 smb_sdrc_t (*async_func)(smb_request_t *))
946 {
947 smb2_async_req_t *ar;
948
949 if (sr->smb2_next_command != 0)
950 return (NT_STATUS_INSUFFICIENT_RESOURCES);
951
952 ASSERT(sr->sr_async_req == NULL);
953 ar = kmem_zalloc(sizeof (*ar), KM_SLEEP);
954
955 /*
956 * Place an interim response in the compound reply.
957 *
958 * Turn on the "async" flag for both the (synchronous)
959 * interim response and the (later) async response,
960 * by storing that in flags before coping into ar.
961 *
962 * The "related" flag should always be off for the
963 * async part because we're no longer operating on a
964 * sequence of commands when we execute that.
965 */
966 sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND;
967 sr->smb2_async_id = (uintptr_t)ar;
968
969 ar->ar_func = async_func;
970 ar->ar_cmd_hdr = sr->smb2_cmd_hdr;
971 ar->ar_cmd_len = sr->smb_data.max_bytes - sr->smb2_cmd_hdr;
972
973 ar->ar_cmd_code = sr->smb2_cmd_code;
974 ar->ar_hdr_flags = sr->smb2_hdr_flags &
975 ~SMB2_FLAGS_RELATED_OPERATIONS;
976 ar->ar_messageid = sr->smb2_messageid;
977 ar->ar_pid = sr->smb_pid;
978 ar->ar_tid = sr->smb_tid;
979 ar->ar_uid = sr->smb_uid;
980
981 sr->sr_async_req = ar;
982
983 /* Interim responses are NOT signed. */
984 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
985
986 return (NT_STATUS_PENDING);
987 }
988
989 int
990 smb2_decode_header(smb_request_t *sr)
991 {
992 uint64_t ssnid;
993 uint32_t pid, tid;
994 uint16_t hdr_len;
995 int rc;
996
997 rc = smb_mbc_decodef(
998 &sr->command, "Nwww..wwllqllq16c",
999 &hdr_len, /* w */
1000 &sr->smb2_credit_charge, /* w */
1001 &sr->smb2_chan_seq, /* w */
1002 /* reserved .. */
1003 &sr->smb2_cmd_code, /* w */
1004 &sr->smb2_credit_request, /* w */
1005 &sr->smb2_hdr_flags, /* l */
1006 &sr->smb2_next_command, /* l */
1007 &sr->smb2_messageid, /* q */
1008 &pid, /* l */
1009 &tid, /* l */
1010 &ssnid, /* q */
1011 sr->smb2_sig); /* 16c */
1012 if (rc)
1013 return (rc);
1014
1015 if (hdr_len != SMB2_HDR_SIZE)
1016 return (-1);
1017
1018 sr->smb_uid = (uint16_t)ssnid; /* XXX wide UIDs */
1019
1020 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
1021 sr->smb2_async_id = pid |
1022 ((uint64_t)tid) << 32;
1023 } else {
1024 sr->smb_pid = pid;
1025 sr->smb_tid = (uint16_t)tid; /* XXX wide TIDs */
1026 }
1027
1028 return (rc);
1029 }
1030
1031 int
1032 smb2_encode_header(smb_request_t *sr, boolean_t overwrite)
1033 {
1034 uint64_t ssnid = sr->smb_uid;
1035 uint64_t pid_tid_aid; /* pid+tid, or async id */
1036 uint32_t reply_hdr_flags;
1037 int rc;
1038
1039 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
1040 pid_tid_aid = sr->smb2_async_id;
1041 } else {
1042 pid_tid_aid = sr->smb_pid |
1043 ((uint64_t)sr->smb_tid) << 32;
1044 }
1045 reply_hdr_flags = sr->smb2_hdr_flags | SMB2_FLAGS_SERVER_TO_REDIR;
1046
1047 if (overwrite) {
1048 rc = smb_mbc_poke(&sr->reply,
1049 sr->smb2_reply_hdr,
1050 "Nwwlwwllqqq16c",
1051 SMB2_HDR_SIZE, /* w */
1052 sr->smb2_credit_charge, /* w */
1053 sr->smb2_status, /* l */
1054 sr->smb2_cmd_code, /* w */
1055 sr->smb2_credit_response, /* w */
1056 reply_hdr_flags, /* l */
1057 sr->smb2_next_reply, /* l */
1058 sr->smb2_messageid, /* q */
1059 pid_tid_aid, /* q */
1060 ssnid, /* q */
1061 sr->smb2_sig); /* 16c */
1062 } else {
1063 rc = smb_mbc_encodef(&sr->reply,
1064 "Nwwlwwllqqq16c",
1065 SMB2_HDR_SIZE, /* w */
1066 sr->smb2_credit_charge, /* w */
1067 sr->smb2_status, /* l */
1068 sr->smb2_cmd_code, /* w */
1069 sr->smb2_credit_response, /* w */
1070 reply_hdr_flags, /* l */
1071 sr->smb2_next_reply, /* l */
1072 sr->smb2_messageid, /* q */
1073 pid_tid_aid, /* q */
1074 ssnid, /* q */
1075 sr->smb2_sig); /* 16c */
1076 }
1077
1078 return (rc);
1079 }
1080
1081 void
1082 smb2_send_reply(smb_request_t *sr)
1083 {
1084
1085 if (smb_session_send(sr->session, 0, &sr->reply) == 0)
1086 sr->reply.chain = 0;
1087 }
1088
1089 /*
1090 * This wrapper function exists to help catch calls to smbsr_status()
1091 * (which is SMB1-specific) in common code. See smbsr_status().
1092 * If the log message below is seen, put a dtrace probe on this
1093 * function with a stack() action to see who is calling the SMB1
1094 * "put error" from common code, and fix it.
1095 */
1096 void
1097 smbsr_status_smb2(smb_request_t *sr, DWORD status)
1098 {
1099 const char *name;
1100
1101 if (sr->smb2_cmd_code < SMB2__NCMDS)
1102 name = smb2_disp_table[sr->smb2_cmd_code].sdt_name;
1103 else
1104 name = "<unknown>";
1105 #ifdef DEBUG
1106 cmn_err(CE_NOTE, "smbsr_status called for %s", name);
1174 boolean_t related = sr->smb2_hdr_flags &
1175 SMB2_FLAGS_RELATED_OPERATIONS;
1176
1177 if (related) {
1178 if (sr->fid_ofile == NULL)
1179 return (NT_STATUS_INVALID_PARAMETER);
1180 sr->smb_fid = sr->fid_ofile->f_fid;
1181 return (0);
1182 }
1183
1184 /*
1185 * If we could be sure this is called only once per cmd,
1186 * we could simply ASSERT(sr->fid_ofile == NULL) here.
1187 * However, there are cases where it can be called again
1188 * handling the same command, so let's tolerate that.
1189 */
1190 if (sr->fid_ofile == NULL) {
1191 sr->smb_fid = (uint16_t)fid->temporal;
1192 sr->fid_ofile = smb_ofile_lookup_by_fid(sr, sr->smb_fid);
1193 }
1194 if (sr->fid_ofile == NULL)
1195 return (NT_STATUS_FILE_CLOSED);
1196
1197 return (0);
1198 }
1199
1200 /*
1201 * smb2_dispatch_stats_init
1202 *
1203 * Initializes dispatch statistics for SMB2.
1204 * See also smb_dispatch_stats_init(), which fills in
1205 * the lower part of the statistics array, from zero
1206 * through SMB_COM_NUM;
1207 */
1208 void
1209 smb2_dispatch_stats_init(smb_server_t *sv)
1210 {
1211 smb_disp_stats_t *sds = sv->sv_disp_stats2;
1212 smb_kstat_req_t *ksr;
1213 int i;
1214
1250 for (i = first; i <= last; i++, ksr++) {
1251 ksr->kr_rxb = sds[i].sdt_rxb;
1252 ksr->kr_txb = sds[i].sdt_txb;
1253 mutex_enter(&sds[i].sdt_lat.ly_mutex);
1254 ksr->kr_nreq = sds[i].sdt_lat.ly_a_nreq;
1255 ksr->kr_sum = sds[i].sdt_lat.ly_a_sum;
1256 ksr->kr_a_mean = sds[i].sdt_lat.ly_a_mean;
1257 ksr->kr_a_stddev =
1258 sds[i].sdt_lat.ly_a_stddev;
1259 ksr->kr_d_mean = sds[i].sdt_lat.ly_d_mean;
1260 ksr->kr_d_stddev =
1261 sds[i].sdt_lat.ly_d_stddev;
1262 sds[i].sdt_lat.ly_d_mean = 0;
1263 sds[i].sdt_lat.ly_d_nreq = 0;
1264 sds[i].sdt_lat.ly_d_stddev = 0;
1265 sds[i].sdt_lat.ly_d_sum = 0;
1266 mutex_exit(&sds[i].sdt_lat.ly_mutex);
1267 }
1268 }
1269 }
|
1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2019 Nexenta Systems, Inc. All rights reserved.
14 */
15
16
17 #include <smbsrv/smb2_kproto.h>
18 #include <smbsrv/smb_kstat.h>
19 #include <smbsrv/smb2.h>
20
21 #define SMB2_ASYNCID(sr) (sr->smb2_messageid ^ (1ULL << 62))
22
23 smb_sdrc_t smb2_invalid_cmd(smb_request_t *);
24 static void smb2_tq_work(void *);
25 static void smb2sr_run_postwork(smb_request_t *);
26 static int smb3_decrypt_msg(smb_request_t *);
27
28 static const smb_disp_entry_t const
29 smb2_disp_table[SMB2__NCMDS] = {
30
31 /* text-name, pre, func, post, cmd-code, dialect, flags */
32
33 { "smb2_negotiate", NULL,
34 smb2_negotiate, NULL, 0, 0,
35 SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID },
36
37 { "smb2_session_setup", NULL,
38 smb2_session_setup, NULL, 0, 0,
39 SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID },
40
41 { "smb2_logoff", NULL,
42 smb2_logoff, NULL, 0, 0,
43 SDDF_SUPPRESS_TID },
44
45 { "smb2_tree_connect", NULL,
46 smb2_tree_connect, NULL, 0, 0,
53 smb2_create, NULL, 0, 0 },
54
55 { "smb2_close", NULL,
56 smb2_close, NULL, 0, 0 },
57
58 { "smb2_flush", NULL,
59 smb2_flush, NULL, 0, 0 },
60
61 { "smb2_read", NULL,
62 smb2_read, NULL, 0, 0 },
63
64 { "smb2_write", NULL,
65 smb2_write, NULL, 0, 0 },
66
67 { "smb2_lock", NULL,
68 smb2_lock, NULL, 0, 0 },
69
70 { "smb2_ioctl", NULL,
71 smb2_ioctl, NULL, 0, 0 },
72
73 { "smb2_cancel", NULL,
74 smb2_cancel, NULL, 0, 0,
75 SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID },
76
77 { "smb2_echo", NULL,
78 smb2_echo, NULL, 0, 0,
79 SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID },
80
81 { "smb2_query_dir", NULL,
82 smb2_query_dir, NULL, 0, 0 },
83
84 { "smb2_change_notify", NULL,
85 smb2_change_notify, NULL, 0, 0 },
86
87 { "smb2_query_info", NULL,
88 smb2_query_info, NULL, 0, 0 },
89
90 { "smb2_set_info", NULL,
91 smb2_set_info, NULL, 0, 0 },
92
93 { "smb2_oplock_break_ack", NULL,
94 smb2_oplock_break_ack, NULL, 0, 0 },
95
109 return (SDRC_DROP_VC);
110 }
111
112 /*
113 * This is the SMB2 handler for new smb requests, called from
114 * smb_session_reader after SMB negotiate is done. For most SMB2
115 * requests, we just enqueue them for the smb_session_worker to
116 * execute via the task queue, so they can block for resources
117 * without stopping the reader thread. A few protocol messages
118 * are special cases and are handled directly here in the reader
119 * thread so they don't wait for taskq scheduling.
120 *
121 * This function must either enqueue the new request for
122 * execution via the task queue, or execute it directly
123 * and then free it. If this returns non-zero, the caller
124 * will drop the session.
125 */
126 int
127 smb2sr_newrq(smb_request_t *sr)
128 {
129 struct mbuf_chain *mbc = &sr->command;
130 uint32_t magic;
131 int rc, skip;
132
133 if (smb_mbc_peek(mbc, 0, "l", &magic) != 0)
134 goto drop;
135
136 /* 0xFD S M B */
137 if (magic == SMB3_ENCRYPTED_MAGIC) {
138 if (smb3_decrypt_msg(sr) != 0)
139 goto drop;
140 /*
141 * Should now be looking at an un-encrypted
142 * SMB2 message header.
143 */
144 if (smb_mbc_peek(mbc, 0, "l", &magic) != 0)
145 goto drop;
146 }
147
148 if (magic != SMB2_PROTOCOL_MAGIC)
149 goto drop;
150
151 /*
152 * Walk the SMB2 commands in this compound message and
153 * keep track of the range of message IDs it uses.
154 */
155 for (;;) {
156 if (smb2_decode_header(sr) != 0)
157 goto drop;
158
159 /*
160 * Cancel requests are special: They refer to
161 * an earlier message ID (or an async. ID),
162 * never a new ID, and are never compounded.
163 * This is intentionally not "goto drop"
164 * because rc may be zero (success).
165 */
166 if (sr->smb2_cmd_code == SMB2_CANCEL) {
167 rc = smb2_newrq_cancel(sr);
168 smb_request_free(sr);
169 return (rc);
170 }
171
172 /*
173 * Keep track of the total credits in this compound
174 * and the first (real) message ID (not: 0, -1)
175 * While we're looking, verify that all (real) IDs
176 * are (first <= ID < (first + msg_credits))
177 */
178 if (sr->smb2_credit_charge == 0)
179 sr->smb2_credit_charge = 1;
180 sr->smb2_total_credits += sr->smb2_credit_charge;
181
182 if (sr->smb2_messageid != 0 &&
183 sr->smb2_messageid != UINT64_MAX) {
184
185 if (sr->smb2_first_msgid == 0)
186 sr->smb2_first_msgid = sr->smb2_messageid;
187
188 if (sr->smb2_messageid < sr->smb2_first_msgid ||
189 sr->smb2_messageid >= (sr->smb2_first_msgid +
190 sr->smb2_total_credits)) {
191 long long id = (long long) sr->smb2_messageid;
192 cmn_err(CE_WARN, "clnt %s msg ID 0x%llx "
193 "out of sequence in compound",
194 sr->session->ip_addr_str, id);
195 }
196 }
197
198 /* Normal loop exit on next == zero */
199 if (sr->smb2_next_command == 0)
200 break;
201
202 /* Abundance of caution... */
203 if (sr->smb2_next_command < SMB2_HDR_SIZE)
204 goto drop;
205
206 /* Advance to the next header. */
207 skip = sr->smb2_next_command - SMB2_HDR_SIZE;
208 if (MBC_ROOM_FOR(mbc, skip) == 0)
209 goto drop;
210 mbc->chain_offset += skip;
211 }
212 /* Rewind back to the top. */
213 mbc->chain_offset = 0;
214
215 /*
216 * Submit the request to the task queue, which calls
217 * smb2_tq_work when the workload permits.
218 */
219 sr->sr_time_submitted = gethrtime();
220 sr->sr_state = SMB_REQ_STATE_SUBMITTED;
221 smb_srqueue_waitq_enter(sr->session->s_srqueue);
222 (void) taskq_dispatch(sr->sr_server->sv_worker_pool,
223 smb2_tq_work, sr, TQ_SLEEP);
224 return (0);
225
226 drop:
227 smb_request_free(sr);
228 return (-1);
229 }
230
231 static void
232 smb2_tq_work(void *arg)
233 {
234 smb_request_t *sr;
235 smb_srqueue_t *srq;
236
237 sr = (smb_request_t *)arg;
238 SMB_REQ_VALID(sr);
239
240 srq = sr->session->s_srqueue;
241 smb_srqueue_waitq_to_runq(srq);
242 sr->sr_worker = curthread;
243 sr->sr_time_active = gethrtime();
244
245 /*
246 * Always dispatch to the work function, because cancelled
247 * requests need an error reply (NT_STATUS_CANCELLED).
248 */
249 mutex_enter(&sr->sr_mutex);
250 if (sr->sr_state == SMB_REQ_STATE_SUBMITTED)
251 sr->sr_state = SMB_REQ_STATE_ACTIVE;
252 mutex_exit(&sr->sr_mutex);
253
254 smb2sr_work(sr);
255
256 smb_srqueue_runq_exit(srq);
257 }
258
259 static int
260 smb3_decrypt_msg(smb_request_t *sr)
261 {
262 int save_offset;
263
264 if (sr->session->dialect < SMB_VERS_3_0) {
265 cmn_err(CE_WARN, "encrypted message in SMB 2.x");
266 return (-1);
267 }
268
269 sr->encrypted = B_TRUE;
270 save_offset = sr->command.chain_offset;
271 if (smb3_decode_tform_header(sr) != 0) {
272 cmn_err(CE_WARN, "bad transform header");
273 return (-1);
274 }
275 sr->command.chain_offset = save_offset;
276
277 sr->tform_ssn = smb_session_lookup_ssnid(sr->session,
278 sr->smb3_tform_ssnid);
279 if (sr->tform_ssn == NULL) {
280 cmn_err(CE_WARN, "transform header: session not found");
281 return (-1);
282 }
283
284 if (smb3_decrypt_sr(sr) != 0) {
285 cmn_err(CE_WARN, "smb3 decryption failed");
286 return (-1);
287 }
288
289 return (0);
290 }
291
292 /*
293 * SMB2 credits determine how many simultaneous commands the
294 * client may issue, and bounds the range of message IDs those
295 * commands may use. With multi-credit support, commands may
296 * use ranges of message IDs, where the credits used by each
297 * command are proportional to their data transfer size.
298 *
299 * Every command may request an increase or decrease of
300 * the currently granted credits, based on the difference
301 * between the credit request and the credit charge.
302 * [MS-SMB2] 3.3.1.2 Algorithm for the Granting of Credits
303 *
304 * Most commands have credit_request=1, credit_charge=1,
305 * which keeps the credit grant unchanged.
306 *
307 * All we're really doing here (for now) is reducing the
308 * credit_response if the client requests a credit increase
309 * that would take their credit over the maximum, and
310 * limiting the decrease so they don't run out of credits.
311 *
312 * Later, this could do something dynamic based on load.
313 *
314 * One other non-obvious bit about credits: We keep the
315 * session s_max_credits low until the 1st authentication,
316 * at which point we'll set the normal maximum_credits.
317 * Some clients ask for more credits with session setup,
318 * and we need to handle that requested increase _after_
319 * the command-specific handler returns so it won't be
320 * restricted to the lower (pre-auth) limit.
321 */
322 static inline void
323 smb2_credit_decrease(smb_request_t *sr)
324 {
325 smb_session_t *session = sr->session;
326 uint16_t cur, d;
327
328 mutex_enter(&session->s_credits_mutex);
329 cur = session->s_cur_credits;
330
331 /* Handle credit decrease. */
332 d = sr->smb2_credit_charge - sr->smb2_credit_request;
333 cur -= d;
334 if (cur & 0x8000) {
335 /*
336 * underflow (bad credit charge or request)
337 * leave credits unchanged (response=charge)
338 */
339 cur = session->s_cur_credits;
340 sr->smb2_credit_response = sr->smb2_credit_charge;
341 DTRACE_PROBE1(smb2__credit__neg, smb_request_t *, sr);
342 }
343
344 /*
345 * The server MUST ensure that the number of credits
346 * held by the client is never reduced to zero.
347 * [MS-SMB2] 3.3.1.2
348 */
349 if (cur == 0) {
350 cur = 1;
351 sr->smb2_credit_response += 1;
352 DTRACE_PROBE1(smb2__credit__min, smb_request_t *, sr);
353 }
354
355 DTRACE_PROBE3(smb2__credit__decrease,
356 smb_request_t *, sr, int, (int)cur,
357 int, (int)session->s_cur_credits);
358
359 session->s_cur_credits = cur;
360 mutex_exit(&session->s_credits_mutex);
361 }
362
363 /*
364 * Second half of SMB2 credit handling (increases)
365 */
366 static inline void
367 smb2_credit_increase(smb_request_t *sr)
368 {
369 smb_session_t *session = sr->session;
370 uint16_t cur, d;
371
372 mutex_enter(&session->s_credits_mutex);
373 cur = session->s_cur_credits;
374
375 /* Handle credit increase. */
376 d = sr->smb2_credit_request - sr->smb2_credit_charge;
377 cur += d;
378
379 /*
380 * If new credits would be above max,
381 * reduce the credit grant.
382 */
383 if (cur > session->s_max_credits) {
384 d = cur - session->s_max_credits;
385 cur = session->s_max_credits;
386 sr->smb2_credit_response -= d;
387 DTRACE_PROBE1(smb2__credit__max, smb_request_t, sr);
388 }
389
390 DTRACE_PROBE3(smb2__credit__increase,
391 smb_request_t *, sr, int, (int)cur,
392 int, (int)session->s_cur_credits);
393
394 session->s_cur_credits = cur;
395 mutex_exit(&session->s_credits_mutex);
396 }
397
398 /*
399 * Record some statistics: latency, rx bytes, tx bytes
400 * per: server, session & kshare.
401 */
402 static inline void
403 smb2_record_stats(smb_request_t *sr, smb_disp_stats_t *sds, boolean_t tx_only)
404 {
405 hrtime_t dt;
406 int64_t rxb;
407 int64_t txb;
408 smb_disp_stats_t *client_sds;
409 smb_disp_stats_t *share_sds;
410 int cmd_type;
411 smb_session_t *session = sr->session;
412
413 if (sr->smb2_cmd_code == SMB2_READ) {
414 cmd_type = SMBSRV_CLSH_READ;
415 } else if (sr->smb2_cmd_code == SMB2_WRITE) {
416 cmd_type = SMBSRV_CLSH_WRITE;
417 } else {
418 cmd_type = SMBSRV_CLSH_OTHER;
419 }
420
421 dt = gethrtime() - sr->sr_time_start;
422 rxb = (int64_t)(sr->command.chain_offset - sr->smb2_cmd_hdr);
423 txb = (int64_t)(sr->reply.chain_offset - sr->smb2_reply_hdr);
424
425 if (!tx_only) {
426 smb_server_inc_req(sr->sr_server);
427 smb_latency_add_sample(&sds->sdt_lat, dt);
428 atomic_add_64(&sds->sdt_rxb, rxb);
429 }
430 atomic_add_64(&sds->sdt_txb, txb);
431
432 client_sds = &session->s_stats[cmd_type];
433 if (!tx_only) {
434 smb_latency_add_sample(&client_sds->sdt_lat, dt);
435 atomic_add_64(&client_sds->sdt_rxb, rxb);
436 }
437 atomic_add_64(&client_sds->sdt_txb, txb);
438
439 if ((sr->tid_tree != NULL) &&
440 (sr->tid_tree->t_kshare != NULL)) {
441 share_sds =
442 &sr->tid_tree->t_kshare->shr_stats[cmd_type];
443 if (!tx_only) {
444 smb_latency_add_sample(&share_sds->sdt_lat, dt);
445 atomic_add_64(&share_sds->sdt_rxb, rxb);
446 }
447 atomic_add_64(&share_sds->sdt_txb, txb);
448 }
449 }
450
451 /*
452 * smb2sr_work
453 *
454 * This function processes each SMB command in the current request
455 * (which may be a compound request) building a reply containing
456 * SMB reply messages, one-to-one with the SMB commands. Some SMB
457 * commands (change notify, blocking locks) may require both an
458 * "interim response" and a later "async response" at completion.
459 * In such cases, we'll encode the interim response in the reply
460 * compound we're building, and put the (now async) command on a
461 * list of commands that need further processing. After we've
462 * finished processing the commands in this compound and building
463 * the compound reply, we'll send the compound reply, and finally
464 * process the list of async commands.
465 *
466 * As we work our way through the compound request and reply,
467 * we need to keep track of the bounds of the current request
468 * and reply. For the request, this uses an MBC_SHADOW_CHAIN
469 * that begins at smb2_cmd_hdr. The reply is appended to the
470 * sr->reply chain starting at smb2_reply_hdr.
471 *
472 * This function must always free the smb request, or arrange
473 * for it to be completed and free'd later (if SDRC_SR_KEPT).
474 */
475 void
476 smb2sr_work(struct smb_request *sr)
477 {
478 const smb_disp_entry_t *sdd;
479 smb_disp_stats_t *sds;
480 smb_session_t *session;
481 uint32_t msg_len;
482 uint16_t cmd_idx;
483 int rc = 0;
484 boolean_t disconnect = B_FALSE;
485 boolean_t related;
486
487 session = sr->session;
488
489 ASSERT(sr->smb2_async == B_FALSE);
490 ASSERT(sr->tid_tree == 0);
491 ASSERT(sr->uid_user == 0);
492 ASSERT(sr->fid_ofile == 0);
493 sr->smb_fid = (uint16_t)-1;
494 sr->smb2_status = 0;
495
496 /* temporary until we identify a user */
497 sr->user_cr = zone_kcred();
498
499 cmd_start:
500 /*
501 * Note that we don't check sr_state here and abort the
502 * compound if cancelled (etc.) because some SMB2 command
503 * handlers need to do work even when cancelled.
504 *
505 * We treat some status codes as if "sticky", meaning
506 * once they're set after some command handler returns,
507 * all remaining commands get this status without even
508 * calling the command-specific handler.
509 */
510 if (sr->smb2_status != NT_STATUS_CANCELLED &&
511 sr->smb2_status != NT_STATUS_INSUFFICIENT_RESOURCES)
512 sr->smb2_status = 0;
513
514 /*
515 * Decode the request header
516 *
517 * Most problems with decoding will result in the error
518 * STATUS_INVALID_PARAMETER. If the decoding problem
519 * prevents continuing, we'll close the connection.
520 * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted...
521 */
522 sr->smb2_cmd_hdr = sr->command.chain_offset;
523 if ((rc = smb2_decode_header(sr)) != 0) {
524 cmn_err(CE_WARN, "clnt %s bad SMB2 header",
525 session->ip_addr_str);
526 disconnect = B_TRUE;
527 goto cleanup;
528 }
529
530 /*
531 * The SMB2_FLAGS_SERVER_TO_REDIR should only appear
532 * in messages from the server back to the client.
533 */
534 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR) != 0) {
535 cmn_err(CE_WARN, "clnt %s bad SMB2 flags",
536 session->ip_addr_str);
537 disconnect = B_TRUE;
538 goto cleanup;
539 }
540 related = (sr->smb2_hdr_flags & SMB2_FLAGS_RELATED_OPERATIONS);
541 sr->smb2_hdr_flags |= SMB2_FLAGS_SERVER_TO_REDIR;
542 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
543 /* Probably an async cancel. */
544 DTRACE_PROBE1(smb2__dispatch__async, smb_request_t *, sr);
545 } else if (sr->smb2_async) {
546 /* Previous command in compound went async. */
547 sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND;
548 sr->smb2_async_id = SMB2_ASYNCID(sr);
549 }
550
551 /*
552 * In case we bail out with an error before we get to the
553 * section that computes the credit grant, initialize the
554 * response header fields so that credits won't change.
555 * Note: SMB 2.02 clients may send credit charge zero.
556 */
557 if (sr->smb2_credit_charge == 0)
558 sr->smb2_credit_charge = 1;
559 sr->smb2_credit_response = sr->smb2_credit_charge;
560
561 /*
562 * Write a tentative reply header.
563 *
564 * We could just leave this blank, but if we're using the
565 * mdb module feature that extracts packets, it's useful
566 * to have the header mostly correct here.
567 *
568 * If we have already exhausted the output space, then the
569 * client is trying something funny. Log it and kill 'em.
570 */
571 sr->smb2_next_reply = 0;
572 ASSERT((sr->reply.chain_offset & 7) == 0);
573 sr->smb2_reply_hdr = sr->reply.chain_offset;
574 if ((rc = smb2_encode_header(sr, B_FALSE)) != 0) {
575 cmn_err(CE_WARN, "clnt %s excessive reply",
576 session->ip_addr_str);
577 disconnect = B_TRUE;
578 goto cleanup;
579 }
580
581 /*
582 * Figure out the length of data following the SMB2 header.
583 * It ends at either the next SMB2 header if there is one
584 * (smb2_next_command != 0) or at the end of the message.
585 */
586 if (sr->smb2_next_command != 0) {
587 /* [MS-SMB2] says this is 8-byte aligned */
588 msg_len = sr->smb2_next_command;
589 if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) ||
590 ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) {
591 cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd",
592 session->ip_addr_str);
593 disconnect = B_TRUE;
594 goto cleanup;
595 }
596 } else {
597 msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr;
598 }
599
600 /*
601 * Setup a shadow chain for this SMB2 command, starting
602 * with the header and ending at either the next command
603 * or the end of the message. The signing check below
604 * needs the entire SMB2 command. After that's done, we
605 * advance chain_offset to the end of the header where
606 * the command specific handlers continue decoding.
607 */
608 (void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command,
609 sr->smb2_cmd_hdr, msg_len);
610
611 /*
612 * We will consume the data for this request from smb_data.
613 * That effectively consumes msg_len bytes from sr->command
614 * but doesn't update its chain_offset, so we need to update
615 * that here to make later received bytes accounting work.
616 */
617 sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len;
618 ASSERT(sr->command.chain_offset <= sr->command.max_bytes);
619
620 /*
621 * Validate the commmand code, get dispatch table entries.
622 * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted...
623 *
624 * The last slot in the dispatch table is used to handle
625 * invalid commands. Same for statistics.
626 */
627 if (sr->smb2_cmd_code < SMB2_INVALID_CMD)
628 cmd_idx = sr->smb2_cmd_code;
629 else
630 cmd_idx = SMB2_INVALID_CMD;
631 sdd = &smb2_disp_table[cmd_idx];
632 sds = &session->s_server->sv_disp_stats2[cmd_idx];
633
634 /*
635 * If this command is NOT "related" to the previous,
636 * clear out the UID, TID, FID state that might be
637 * left over from the previous command.
638 *
639 * If the command IS related, any new IDs are ignored,
640 * and we simply continue with the previous user, tree,
641 * and open file.
642 */
643 if (!related) {
644 /*
645 * Drop user, tree, file; carefully ordered to
646 * avoid dangling references: file, tree, user
647 */
648 if (sr->fid_ofile != NULL) {
649 smb_ofile_release(sr->fid_ofile);
650 sr->fid_ofile = NULL;
651 }
652 if (sr->tid_tree != NULL) {
653 smb_tree_release(sr->tid_tree);
654 sr->tid_tree = NULL;
655 }
656 if (sr->uid_user != NULL) {
657 smb_user_release(sr->uid_user);
658 sr->uid_user = NULL;
659 sr->user_cr = zone_kcred();
660 }
661 }
662
663 /*
664 * Make sure we have a user and tree as needed
665 * according to the flags for the this command.
666 * Note that we may have inherited these.
667 */
668 if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0) {
669 /*
670 * This command requires a user session.
671 */
672 if (related) {
673 /*
674 * Previous command should have given us a user.
675 * [MS-SMB2] 3.3.5.2 Handling Related Requests
676 */
677 if (sr->uid_user == NULL) {
678 smb2sr_put_error(sr,
679 NT_STATUS_INVALID_PARAMETER);
680 goto cmd_done;
681 }
682 sr->smb2_ssnid = sr->uid_user->u_ssnid;
683 } else {
684 /*
685 * Lookup the UID
686 * [MS-SMB2] 3.3.5.2 Verifying the Session
687 */
688 ASSERT(sr->uid_user == NULL);
689 /*
690 * [MS-SMB2] 3.3.5.2.7 Handling Compounded Requests
691 *
692 * If this is an encrypted compound request,
693 * ensure that the ssnid in the request
694 * is the same as the tform ssnid if this
695 * message is not related.
696 *
697 * The reasons this is done seem to apply equally
698 * to uncompounded requests, so we apply it to all.
699 */
700
701 if (sr->encrypted &&
702 sr->smb2_ssnid != sr->smb3_tform_ssnid) {
703 disconnect = B_TRUE;
704 goto cleanup; /* just do this for now */
705 }
706
707 sr->uid_user = smb_session_lookup_ssnid(session,
708 sr->smb2_ssnid);
709 if (sr->uid_user == NULL) {
710 smb2sr_put_error(sr,
711 NT_STATUS_USER_SESSION_DELETED);
712 goto cmd_done;
713 }
714
715 /*
716 * [MS-SMB2] 3.3.5.2.9 Verifying the Session
717 *
718 * If we're talking 3.x,
719 * RejectUnencryptedAccess is TRUE,
720 * Session.EncryptData is TRUE,
721 * and the message wasn't encrypted,
722 * return ACCESS_DENIED.
723 *
724 * Note that Session.EncryptData can only be TRUE when
725 * we're talking 3.x.
726 */
727
728 if (sr->uid_user->u_encrypt ==
729 SMB_CONFIG_REQUIRED &&
730 !sr->encrypted) {
731 smb2sr_put_error(sr,
732 NT_STATUS_ACCESS_DENIED);
733 goto cmd_done;
734 }
735
736 sr->user_cr = smb_user_getcred(sr->uid_user);
737 }
738 ASSERT(sr->uid_user != NULL);
739
740 /*
741 * Encrypt if:
742 * - The cmd is not SESSION_SETUP or NEGOTIATE; AND
743 * - Session.EncryptData is TRUE
744 *
745 * Those commands suppress UID, so they can't be the cmd here.
746 */
747 if (sr->uid_user->u_encrypt != SMB_CONFIG_DISABLED &&
748 sr->tform_ssn == NULL) {
749 smb_user_hold_internal(sr->uid_user);
750 sr->tform_ssn = sr->uid_user;
751 sr->smb3_tform_ssnid = sr->smb2_ssnid;
752 }
753 }
754
755 if ((sdd->sdt_flags & SDDF_SUPPRESS_TID) == 0) {
756 /*
757 * This command requires a tree connection.
758 */
759 if (related) {
760 /*
761 * Previous command should have given us a tree.
762 * [MS-SMB2] 3.3.5.2 Handling Related Requests
763 */
764 if (sr->tid_tree == NULL) {
765 smb2sr_put_error(sr,
766 NT_STATUS_INVALID_PARAMETER);
767 goto cmd_done;
768 }
769 sr->smb_tid = sr->tid_tree->t_tid;
770 } else {
771 /*
772 * Lookup the TID
773 * [MS-SMB2] 3.3.5.2 Verifying the Tree Connect
774 */
775 ASSERT(sr->tid_tree == NULL);
776 sr->tid_tree = smb_session_lookup_tree(session,
777 sr->smb_tid);
778 if (sr->tid_tree == NULL) {
779 smb2sr_put_error(sr,
780 NT_STATUS_NETWORK_NAME_DELETED);
781 goto cmd_done;
782 }
783
784 /*
785 * [MS-SMB2] 3.3.5.2.11 Verifying the Tree Connect
786 *
787 * If we support 3.x, RejectUnencryptedAccess is TRUE,
788 * if Tcon.EncryptData is TRUE or
789 * global EncryptData is TRUE and
790 * the message wasn't encrypted, or
791 * if Tcon.EncryptData is TRUE or
792 * global EncryptData is TRUE or
793 * the request was encrypted and
794 * the connection doesn't support encryption,
795 * return ACCESS_DENIED.
796 *
797 * If RejectUnencryptedAccess is TRUE, we force
798 * max_protocol to at least 3.0. Additionally,
799 * if the tree requires encryption, we don't care
800 * what we support, we still enforce encryption.
801 */
802 if (sr->tid_tree->t_encrypt == SMB_CONFIG_REQUIRED &&
803 (!sr->encrypted ||
804 (session->srv_cap & SMB2_CAP_ENCRYPTION) == 0)) {
805 smb2sr_put_error(sr,
806 NT_STATUS_ACCESS_DENIED);
807 goto cmd_done;
808 }
809 }
810 ASSERT(sr->tid_tree != NULL);
811
812 /*
813 * Encrypt if:
814 * - The cmd is not TREE_CONNECT; AND
815 * - Tree.EncryptData is TRUE
816 *
817 * TREE_CONNECT suppresses TID, so that can't be the cmd here.
818 * NOTE: assumes we can't have a tree without a user
819 */
820 if (sr->tid_tree->t_encrypt != SMB_CONFIG_DISABLED &&
821 sr->tform_ssn == NULL) {
822 smb_user_hold_internal(sr->uid_user);
823 sr->tform_ssn = sr->uid_user;
824 sr->smb3_tform_ssnid = sr->smb2_ssnid;
825 }
826 }
827
828 /*
829 * SMB2 signature verification, two parts:
830 * (a) Require SMB2_FLAGS_SIGNED (for most request types)
831 * (b) If SMB2_FLAGS_SIGNED is set, check the signature.
832 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature
833 */
834
835 /*
836 * No user session means no signature check. That's OK,
837 * i.e. for commands marked SDDF_SUPPRESS_UID above.
838 * Note, this also means we won't sign the reply.
839 */
840 if (sr->uid_user == NULL)
841 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
842
843 /*
844 * The SDDF_SUPPRESS_UID dispatch is set for requests that
845 * don't need a UID (user). These also don't require a
846 * signature check here.
847 *
848 * [MS-SMB2] 3.3.5.2.4 Verifying the Signature
849 *
850 * If the packet was successfully decrypted, the message
851 * signature has already been verified, so we can skip this.
852 */
853 if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0 &&
854 !sr->encrypted && sr->uid_user != NULL &&
855 (sr->uid_user->u_sign_flags & SMB_SIGNING_ENABLED) != 0) {
856 /*
857 * If the request is signed, check the signature.
858 * Otherwise, if signing is required, deny access.
859 */
860 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) {
861 rc = smb2_sign_check_request(sr);
862 if (rc != 0) {
863 DTRACE_PROBE1(smb2__sign__check,
864 smb_request_t *, sr);
865 smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
866 goto cmd_done;
867 }
868 } else if (
869 (sr->uid_user->u_sign_flags & SMB_SIGNING_CHECK) != 0) {
870 smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
871 goto cmd_done;
872 }
873 }
874
875 /*
876 * Now that the signing check is done with smb_data,
877 * advance past the SMB2 header we decoded earlier.
878 * This leaves sr->smb_data correctly positioned
879 * for command-specific decoding in the dispatch
880 * function called next.
881 */
882 sr->smb_data.chain_offset = sr->smb2_cmd_hdr + SMB2_HDR_SIZE;
883
884 /*
885 * Credit adjustments (decrease)
886 *
887 * If we've gone async, credit adjustments were done
888 * when we sent the interim reply.
889 */
890 if (!sr->smb2_async) {
891 sr->smb2_credit_response = sr->smb2_credit_request;
892 if (sr->smb2_credit_request < sr->smb2_credit_charge) {
893 smb2_credit_decrease(sr);
894 }
895 }
896
897 /*
898 * The real work: call the SMB2 command handler
899 * (except for "sticky" smb2_status - see above)
900 */
901 sr->sr_time_start = gethrtime();
902 rc = SDRC_SUCCESS;
903 if (sr->smb2_status == 0) {
904 /* NB: not using pre_op */
905 rc = (*sdd->sdt_function)(sr);
906 /* NB: not using post_op */
907 } else {
908 smb2sr_put_error(sr, sr->smb2_status);
909 }
910
911 /*
912 * When the sdt_function returns SDRC_SR_KEPT, it means
913 * this SR may have been passed to another thread so we
914 * MUST NOT touch it anymore.
915 */
916 if (rc == SDRC_SR_KEPT)
917 return;
918
919 MBC_FLUSH(&sr->raw_data);
920
921 /*
922 * Credit adjustments (increase)
923 */
924 if (!sr->smb2_async) {
925 if (sr->smb2_credit_request > sr->smb2_credit_charge) {
926 smb2_credit_increase(sr);
927 }
928 }
929
930 cmd_done:
931 switch (rc) {
932 case SDRC_SUCCESS:
933 break;
934 default:
935 /*
936 * SMB2 does not use the other dispatch return codes.
937 * If we see something else, log an event so we'll
938 * know something is returning bogus status codes.
939 * If you see these in the log, use dtrace to find
940 * the code returning something else.
941 */
942 #ifdef DEBUG
943 cmn_err(CE_NOTE, "handler for %u returned 0x%x",
944 sr->smb2_cmd_code, rc);
945 #endif
946 sr->smb2_status = NT_STATUS_INTERNAL_ERROR;
947 break;
948 case SDRC_ERROR:
949 /*
950 * Many command handlers return SDRC_ERROR for any
951 * problems decoding the request, and don't bother
952 * setting smb2_status. For those cases, the best
953 * status return would be "invalid parameter".
954 */
955 if (sr->smb2_status == 0)
956 sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
957 break;
958 case SDRC_DROP_VC:
959 disconnect = B_TRUE;
960 goto cleanup;
961
962 case SDRC_NO_REPLY:
963 /* will free sr */
964 goto cleanup;
965 }
966
967 /*
968 * Pad the reply to align(8) if there will be another.
969 * (We don't compound async replies.)
970 */
971 if (!sr->smb2_async && sr->smb2_next_command != 0)
972 (void) smb_mbc_put_align(&sr->reply, 8);
973
974 /*
975 * Record some statistics. Uses:
976 * rxb = command.chain_offset - smb2_cmd_hdr;
977 * txb = reply.chain_offset - smb2_reply_hdr;
978 * which at this point represent the current cmd/reply.
979 *
980 * Note: If async, this does txb only, and
981 * skips the smb_latency_add_sample() calls.
982 */
983 smb2_record_stats(sr, sds, sr->smb2_async);
984
985 /*
986 * If there's a next command, figure out where it starts,
987 * and fill in the next header offset for the reply.
988 * Note: We sanity checked smb2_next_command above.
989 */
990 if (sr->smb2_next_command != 0) {
991 sr->command.chain_offset =
992 sr->smb2_cmd_hdr + sr->smb2_next_command;
993 sr->smb2_next_reply =
994 sr->reply.chain_offset - sr->smb2_reply_hdr;
995 } else {
996 ASSERT(sr->smb2_next_reply == 0);
997 }
998
999 /*
1000 * Overwrite the (now final) SMB2 header for this response.
1001 */
1002 (void) smb2_encode_header(sr, B_TRUE);
1003
1004 /* Don't sign if we're going to encrypt */
1005 if (sr->tform_ssn == NULL &&
1006 (sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0)
1007 smb2_sign_reply(sr);
1008
1009 /*
1010 * Non-async runs the whole compound before send.
1011 * When we've gone async, send each individually.
1012 */
1013 if (!sr->smb2_async && sr->smb2_next_command != 0)
1014 goto cmd_start;
1015 smb2_send_reply(sr);
1016 if (sr->smb2_async && sr->smb2_next_command != 0) {
1017 MBC_FLUSH(&sr->reply); /* New reply buffer. */
1018 ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes);
1019 goto cmd_start;
1020 }
1021
1022 cleanup:
1023 if (disconnect)
1024 smb_session_disconnect(session);
1025
1026 /*
1027 * If we have a durable handle, and this operation
1028 * updated the nvlist, write it out.
1029 */
1030 if (sr->dh_nvl_dirty) {
1031 sr->dh_nvl_dirty = B_FALSE;
1032 smb2_dh_update_nvfile(sr);
1033 }
1034
1035 /*
1036 * Do "postwork" for oplock (and maybe other things)
1037 */
1038 if (sr->sr_postwork != NULL)
1039 smb2sr_run_postwork(sr);
1040
1041 mutex_enter(&sr->sr_mutex);
1042 sr->sr_state = SMB_REQ_STATE_COMPLETED;
1043 mutex_exit(&sr->sr_mutex);
1044
1045 smb_request_free(sr);
1046 }
1047
1048 /*
1049 * Build interim responses for the current and all following
1050 * requests in this compound, then send the compound response,
1051 * leaving the SR state so that smb2sr_work() can continue its
1052 * processing of this compound in "async mode".
1053 *
1054 * If we agree to "go async", this should return STATUS_SUCCESS.
1055 * Otherwise return STATUS_INSUFFICIENT_RESOURCES for this and
1056 * all requests following this request. (See the comments re.
1057 * "sticky" smb2_status values in smb2sr_work).
1058 *
1059 * Note: the Async ID we assign here is arbitrary, and need only
1060 * be unique among pending async responses on this connection, so
1061 * this just uses a modified messageID, which is already unique.
1062 *
1063 * Credits: All credit changes should happen via the interim
1064 * responses, so we have to manage credits here. After this
1065 * returns to smb2sr_work, the final replies for all these
1066 * commands will have smb2_credit_response = smb2_credit_charge
1067 * (meaning no further changes to the clients' credits).
1068 */
1069 uint32_t
1070 smb2sr_go_async(smb_request_t *sr)
1071 {
1072 smb_session_t *session;
1073 smb_disp_stats_t *sds;
1074 uint16_t cmd_idx;
1075 int32_t saved_com_offset;
1076 uint32_t saved_cmd_hdr;
1077 uint16_t saved_cred_resp;
1078 uint32_t saved_hdr_flags;
1079 uint32_t saved_reply_hdr;
1080 uint32_t msg_len;
1081 boolean_t disconnect = B_FALSE;
1082
1083 if (sr->smb2_async) {
1084 /* already went async in some previous cmd. */
1085 return (NT_STATUS_SUCCESS);
1086 }
1087 sr->smb2_async = B_TRUE;
1088
1089 /* The "server" session always runs async. */
1090 session = sr->session;
1091 if (session->sock == NULL)
1092 return (NT_STATUS_SUCCESS);
1093
1094 sds = NULL;
1095 saved_com_offset = sr->command.chain_offset;
1096 saved_cmd_hdr = sr->smb2_cmd_hdr;
1097 saved_cred_resp = sr->smb2_credit_response;
1098 saved_hdr_flags = sr->smb2_hdr_flags;
1099 saved_reply_hdr = sr->smb2_reply_hdr;
1100
1101 /*
1102 * The command-specific handler should not yet have put any
1103 * data in the reply except for the (place holder) header.
1104 */
1105 if (sr->reply.chain_offset != sr->smb2_reply_hdr + SMB2_HDR_SIZE) {
1106 ASSERT3U(sr->reply.chain_offset, ==,
1107 sr->smb2_reply_hdr + SMB2_HDR_SIZE);
1108 return (NT_STATUS_INTERNAL_ERROR);
1109 }
1110
1111 /*
1112 * Rewind to the start of the current header in both the
1113 * command and reply bufers, so the loop below can just
1114 * decode/encode just in every pass. This means the
1115 * current command header is decoded again, but that
1116 * avoids having to special-case the first loop pass.
1117 */
1118 sr->command.chain_offset = sr->smb2_cmd_hdr;
1119 sr->reply.chain_offset = sr->smb2_reply_hdr;
1120
1121 /*
1122 * This command processing loop is a simplified version of
1123 * smb2sr_work() that just puts an "interim response" for
1124 * every command in the compound (NT_STATUS_PENDING).
1125 */
1126 cmd_start:
1127 sr->smb2_status = NT_STATUS_PENDING;
1128
1129 /*
1130 * Decode the request header
1131 */
1132 sr->smb2_cmd_hdr = sr->command.chain_offset;
1133 if ((smb2_decode_header(sr)) != 0) {
1134 cmn_err(CE_WARN, "clnt %s bad SMB2 header",
1135 session->ip_addr_str);
1136 disconnect = B_TRUE;
1137 goto cleanup;
1138 }
1139 sr->smb2_hdr_flags |= (SMB2_FLAGS_SERVER_TO_REDIR |
1140 SMB2_FLAGS_ASYNC_COMMAND);
1141 sr->smb2_async_id = SMB2_ASYNCID(sr);
1142
1143 /*
1144 * In case we bail out...
1145 */
1146 if (sr->smb2_credit_charge == 0)
1147 sr->smb2_credit_charge = 1;
1148 sr->smb2_credit_response = sr->smb2_credit_charge;
1149
1150 /*
1151 * Write a tentative reply header.
1152 */
1153 sr->smb2_next_reply = 0;
1154 ASSERT((sr->reply.chain_offset & 7) == 0);
1155 sr->smb2_reply_hdr = sr->reply.chain_offset;
1156 if ((smb2_encode_header(sr, B_FALSE)) != 0) {
1157 cmn_err(CE_WARN, "clnt %s excessive reply",
1158 session->ip_addr_str);
1159 disconnect = B_TRUE;
1160 goto cleanup;
1161 }
1162
1163 /*
1164 * Figure out the length of data...
1165 */
1166 if (sr->smb2_next_command != 0) {
1167 /* [MS-SMB2] says this is 8-byte aligned */
1168 msg_len = sr->smb2_next_command;
1169 if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) ||
1170 ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) {
1171 cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd",
1172 session->ip_addr_str);
1173 disconnect = B_TRUE;
1174 goto cleanup;
1175 }
1176 } else {
1177 msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr;
1178 }
1179
1180 /*
1181 * We just skip any data, so no shadow chain etc.
1182 */
1183 sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len;
1184 ASSERT(sr->command.chain_offset <= sr->command.max_bytes);
1185
1186 /*
1187 * Validate the commmand code...
1188 */
1189 if (sr->smb2_cmd_code < SMB2_INVALID_CMD)
1190 cmd_idx = sr->smb2_cmd_code;
1191 else
1192 cmd_idx = SMB2_INVALID_CMD;
1193 sds = &session->s_server->sv_disp_stats2[cmd_idx];
1194
1195 /*
1196 * Don't change (user, tree, file) because we want them
1197 * exactly as they were when we entered. That also means
1198 * we may not have the right user in sr->uid_user for
1199 * signature checks, so leave that until smb2sr_work
1200 * runs these commands "for real". Therefore, here
1201 * we behave as if: (sr->uid_user == NULL)
1202 */
1203 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
1204
1205 /*
1206 * Credit adjustments (decrease)
1207 *
1208 * NOTE: interim responses are not signed.
1209 * Any attacker can modify the credit grant
1210 * in the response. Because of this property,
1211 * it is no worse to assume the credit charge and grant
1212 * are sane without verifying the signature,
1213 * and that saves us a whole lot of work.
1214 * If the credits WERE modified, we'll find out
1215 * when we verify the signature later,
1216 * which nullifies any changes caused here.
1217 *
1218 * Skip this on the first command, because the
1219 * credit decrease was done by the caller.
1220 */
1221 if (sr->smb2_cmd_hdr != saved_cmd_hdr) {
1222 sr->smb2_credit_response = sr->smb2_credit_request;
1223 if (sr->smb2_credit_request < sr->smb2_credit_charge) {
1224 smb2_credit_decrease(sr);
1225 }
1226 }
1227
1228 /*
1229 * The real work: ... (would be here)
1230 */
1231 smb2sr_put_error(sr, sr->smb2_status);
1232
1233 /*
1234 * Credit adjustments (increase)
1235 */
1236 if (sr->smb2_credit_request > sr->smb2_credit_charge) {
1237 smb2_credit_increase(sr);
1238 }
1239
1240 /* cmd_done: label */
1241
1242 /*
1243 * Pad the reply to align(8) if there will be another.
1244 * This (interim) reply uses compounding.
1245 */
1246 if (sr->smb2_next_command != 0)
1247 (void) smb_mbc_put_align(&sr->reply, 8);
1248
1249 /*
1250 * Record some statistics. Uses:
1251 * rxb = command.chain_offset - smb2_cmd_hdr;
1252 * txb = reply.chain_offset - smb2_reply_hdr;
1253 * which at this point represent the current cmd/reply.
1254 *
1255 * Note: We're doing smb_latency_add_sample() for all
1256 * remaining commands NOW, which means we won't include
1257 * the async part of their work in latency statistics.
1258 * That's intentional, as the async part of a command
1259 * would otherwise skew our latency statistics.
1260 */
1261 smb2_record_stats(sr, sds, B_FALSE);
1262
1263 /*
1264 * If there's a next command, figure out where it starts,
1265 * and fill in the next header offset for the reply.
1266 * Note: We sanity checked smb2_next_command above.
1267 */
1268 if (sr->smb2_next_command != 0) {
1269 sr->command.chain_offset =
1270 sr->smb2_cmd_hdr + sr->smb2_next_command;
1271 sr->smb2_next_reply =
1272 sr->reply.chain_offset - sr->smb2_reply_hdr;
1273 } else {
1274 ASSERT(sr->smb2_next_reply == 0);
1275 }
1276
1277 /*
1278 * Overwrite the (now final) SMB2 header for this response.
1279 */
1280 (void) smb2_encode_header(sr, B_TRUE);
1281
1282 /*
1283 * Process whole compound before sending.
1284 */
1285 if (sr->smb2_next_command != 0)
1286 goto cmd_start;
1287 smb2_send_reply(sr);
1288
1289 ASSERT(!disconnect);
1290
1291 cleanup:
1292 /*
1293 * Restore caller's command processing state.
1294 */
1295 sr->smb2_cmd_hdr = saved_cmd_hdr;
1296 sr->command.chain_offset = saved_cmd_hdr;
1297 (void) smb2_decode_header(sr);
1298 sr->command.chain_offset = saved_com_offset;
1299
1300 sr->smb2_credit_response = saved_cred_resp;
1301 sr->smb2_hdr_flags = saved_hdr_flags;
1302 sr->smb2_status = NT_STATUS_SUCCESS;
1303
1304 /*
1305 * In here, the "disconnect" flag just means we had an
1306 * error decoding or encoding something. Rather than
1307 * actually disconnect here, let's assume whatever
1308 * problem we encountered will be seen by the caller
1309 * as they continue processing the compound, and just
1310 * restore everything and return an error.
1311 */
1312 if (disconnect) {
1313 sr->smb2_async = B_FALSE;
1314 sr->smb2_reply_hdr = saved_reply_hdr;
1315 sr->reply.chain_offset = sr->smb2_reply_hdr;
1316 (void) smb2_encode_header(sr, B_FALSE);
1317 return (NT_STATUS_INVALID_PARAMETER);
1318 }
1319
1320 /*
1321 * The compound reply buffer we sent is now gone.
1322 * Setup a new reply buffer for the caller.
1323 */
1324 sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND;
1325 sr->smb2_async_id = SMB2_ASYNCID(sr);
1326 sr->smb2_next_reply = 0;
1327 MBC_FLUSH(&sr->reply);
1328 ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes);
1329 ASSERT(sr->reply.chain_offset == 0);
1330 sr->smb2_reply_hdr = 0;
1331 (void) smb2_encode_header(sr, B_FALSE);
1332
1333 return (NT_STATUS_SUCCESS);
1334 }
1335
1336 int
1337 smb3_decode_tform_header(smb_request_t *sr)
1338 {
1339 uint16_t flags;
1340 int rc;
1341 uint32_t protocolid;
1342
1343 rc = smb_mbc_decodef(
1344 &sr->command, "l16c16cl..wq",
1345 &protocolid, /* l */
1346 sr->smb2_sig, /* 16c */
1347 sr->nonce, /* 16c */
1348 &sr->msgsize, /* l */
1349 /* reserved .. */
1350 &flags, /* w */
1351 &sr->smb3_tform_ssnid); /* q */
1352 if (rc)
1353 return (rc);
1354
1355 ASSERT3U(protocolid, ==, SMB3_ENCRYPTED_MAGIC);
1356
1357 if (flags != 1) {
1358 #ifdef DEBUG
1359 cmn_err(CE_NOTE, "flags field not 1: %x", flags);
1360 #endif
1361 return (-1);
1362 }
1363
1364 /*
1365 * MsgSize is the amount of data the client tell us to decrypt.
1366 * Make sure this value is not too big and not too small.
1367 */
1368 if (sr->msgsize < SMB2_HDR_SIZE ||
1369 sr->msgsize > sr->session->cmd_max_bytes ||
1370 sr->msgsize > sr->command.max_bytes - SMB3_TFORM_HDR_SIZE)
1371 return (-1);
1372
1373 return (rc);
1374 }
1375
1376 int
1377 smb3_encode_tform_header(smb_request_t *sr, struct mbuf_chain *mbc)
1378 {
1379 int rc;
1380
1381 /* Signature and Nonce are added in smb3_encrypt_sr */
1382 rc = smb_mbc_encodef(
1383 mbc, "l32.lwwq",
1384 SMB3_ENCRYPTED_MAGIC, /* l */
1385 /* signature(16), nonce(16) 32. */
1386 sr->msgsize, /* l */
1387 0, /* reserved w */
1388 1, /* flags w */
1389 sr->smb3_tform_ssnid); /* q */
1390
1391 return (rc);
1392 }
1393
1394 int
1395 smb2_decode_header(smb_request_t *sr)
1396 {
1397 uint32_t pid, tid;
1398 uint16_t hdr_len;
1399 int rc;
1400
1401 rc = smb_mbc_decodef(
1402 &sr->command, "Nwww..wwllqllq16c",
1403 &hdr_len, /* w */
1404 &sr->smb2_credit_charge, /* w */
1405 &sr->smb2_chan_seq, /* w */
1406 /* reserved .. */
1407 &sr->smb2_cmd_code, /* w */
1408 &sr->smb2_credit_request, /* w */
1409 &sr->smb2_hdr_flags, /* l */
1410 &sr->smb2_next_command, /* l */
1411 &sr->smb2_messageid, /* q */
1412 &pid, /* l */
1413 &tid, /* l */
1414 &sr->smb2_ssnid, /* q */
1415 sr->smb2_sig); /* 16c */
1416 if (rc)
1417 return (rc);
1418
1419 if (hdr_len != SMB2_HDR_SIZE)
1420 return (-1);
1421
1422 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
1423 sr->smb2_async_id = pid |
1424 ((uint64_t)tid) << 32;
1425 sr->smb_pid = 0;
1426 sr->smb_tid = 0;
1427 } else {
1428 sr->smb2_async_id = 0;
1429 sr->smb_pid = pid;
1430 sr->smb_tid = (uint16_t)tid; /* XXX wide TIDs */
1431 }
1432
1433 return (rc);
1434 }
1435
1436 int
1437 smb2_encode_header(smb_request_t *sr, boolean_t overwrite)
1438 {
1439 uint64_t pid_tid_aid; /* pid+tid, or async id */
1440 int rc;
1441
1442 if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
1443 pid_tid_aid = sr->smb2_async_id;
1444 } else {
1445 pid_tid_aid = sr->smb_pid |
1446 ((uint64_t)sr->smb_tid) << 32;
1447 }
1448
1449 if (overwrite) {
1450 rc = smb_mbc_poke(&sr->reply,
1451 sr->smb2_reply_hdr,
1452 "Nwwlwwllqqq16c",
1453 SMB2_HDR_SIZE, /* w */
1454 sr->smb2_credit_charge, /* w */
1455 sr->smb2_status, /* l */
1456 sr->smb2_cmd_code, /* w */
1457 sr->smb2_credit_response, /* w */
1458 sr->smb2_hdr_flags, /* l */
1459 sr->smb2_next_reply, /* l */
1460 sr->smb2_messageid, /* q */
1461 pid_tid_aid, /* q */
1462 sr->smb2_ssnid, /* q */
1463 sr->smb2_sig); /* 16c */
1464 } else {
1465 rc = smb_mbc_encodef(&sr->reply,
1466 "Nwwlwwllqqq16c",
1467 SMB2_HDR_SIZE, /* w */
1468 sr->smb2_credit_charge, /* w */
1469 sr->smb2_status, /* l */
1470 sr->smb2_cmd_code, /* w */
1471 sr->smb2_credit_response, /* w */
1472 sr->smb2_hdr_flags, /* l */
1473 sr->smb2_next_reply, /* l */
1474 sr->smb2_messageid, /* q */
1475 pid_tid_aid, /* q */
1476 sr->smb2_ssnid, /* q */
1477 sr->smb2_sig); /* 16c */
1478 }
1479
1480 return (rc);
1481 }
1482
1483 void
1484 smb2_send_reply(smb_request_t *sr)
1485 {
1486 struct mbuf_chain enc_reply;
1487 smb_session_t *session = sr->session;
1488 void *tmpbuf;
1489 size_t buflen;
1490 struct mbuf_chain tmp;
1491
1492 /*
1493 * [MS-SMB2] 3.3.4.1.4 Encrypting the Message
1494 *
1495 * When the connection supports encryption and the dialect
1496 * is 3.x, encrypt if:
1497 * - The request was encrypted OR
1498 * - The cmd is not SESSION_SETUP or NEGOTIATE AND
1499 * -- Session.EncryptData is TRUE OR
1500 * -- The cmd is not TREE_CONNECT AND
1501 * --- Tree.EncryptData is TRUE
1502 *
1503 * This boils down to sr->tform_ssn != NULL, and the rest
1504 * is enforced when tform_ssn is set.
1505 */
1506
1507 if ((session->capabilities & SMB2_CAP_ENCRYPTION) == 0 ||
1508 sr->tform_ssn == NULL) {
1509 if (smb_session_send(sr->session, 0, &sr->reply) == 0)
1510 sr->reply.chain = 0;
1511 return;
1512 }
1513
1514 sr->msgsize = sr->reply.chain_offset;
1515 (void) MBC_SHADOW_CHAIN(&tmp, &sr->reply,
1516 0, sr->msgsize);
1517
1518 buflen = SMB3_TFORM_HDR_SIZE + sr->msgsize;
1519
1520 /* taken from smb_request_init_command_mbuf */
1521 tmpbuf = kmem_alloc(buflen, KM_SLEEP);
1522 MBC_ATTACH_BUF(&enc_reply, tmpbuf, buflen);
1523 enc_reply.flags = 0;
1524 enc_reply.shadow_of = NULL;
1525
1526 if (smb3_encode_tform_header(sr, &enc_reply) != 0) {
1527 cmn_err(CE_WARN, "couldn't encode transform header");
1528 goto errout;
1529 }
1530 if (smb3_encrypt_sr(sr, &tmp, &enc_reply) != 0) {
1531 cmn_err(CE_WARN, "smb3 encryption failed");
1532 goto errout;
1533 }
1534
1535 if (smb_session_send(sr->session, 0, &enc_reply) == 0)
1536 enc_reply.chain = 0;
1537 return;
1538
1539 errout:
1540 kmem_free(tmpbuf, buflen);
1541 smb_session_disconnect(sr->session);
1542 }
1543
1544 /*
1545 * This wrapper function exists to help catch calls to smbsr_status()
1546 * (which is SMB1-specific) in common code. See smbsr_status().
1547 * If the log message below is seen, put a dtrace probe on this
1548 * function with a stack() action to see who is calling the SMB1
1549 * "put error" from common code, and fix it.
1550 */
1551 void
1552 smbsr_status_smb2(smb_request_t *sr, DWORD status)
1553 {
1554 const char *name;
1555
1556 if (sr->smb2_cmd_code < SMB2__NCMDS)
1557 name = smb2_disp_table[sr->smb2_cmd_code].sdt_name;
1558 else
1559 name = "<unknown>";
1560 #ifdef DEBUG
1561 cmn_err(CE_NOTE, "smbsr_status called for %s", name);
1629 boolean_t related = sr->smb2_hdr_flags &
1630 SMB2_FLAGS_RELATED_OPERATIONS;
1631
1632 if (related) {
1633 if (sr->fid_ofile == NULL)
1634 return (NT_STATUS_INVALID_PARAMETER);
1635 sr->smb_fid = sr->fid_ofile->f_fid;
1636 return (0);
1637 }
1638
1639 /*
1640 * If we could be sure this is called only once per cmd,
1641 * we could simply ASSERT(sr->fid_ofile == NULL) here.
1642 * However, there are cases where it can be called again
1643 * handling the same command, so let's tolerate that.
1644 */
1645 if (sr->fid_ofile == NULL) {
1646 sr->smb_fid = (uint16_t)fid->temporal;
1647 sr->fid_ofile = smb_ofile_lookup_by_fid(sr, sr->smb_fid);
1648 }
1649 if (sr->fid_ofile == NULL ||
1650 sr->fid_ofile->f_persistid != fid->persistent)
1651 return (NT_STATUS_FILE_CLOSED);
1652
1653 return (0);
1654 }
1655
1656 /*
1657 * smb2_dispatch_stats_init
1658 *
1659 * Initializes dispatch statistics for SMB2.
1660 * See also smb_dispatch_stats_init(), which fills in
1661 * the lower part of the statistics array, from zero
1662 * through SMB_COM_NUM;
1663 */
1664 void
1665 smb2_dispatch_stats_init(smb_server_t *sv)
1666 {
1667 smb_disp_stats_t *sds = sv->sv_disp_stats2;
1668 smb_kstat_req_t *ksr;
1669 int i;
1670
1706 for (i = first; i <= last; i++, ksr++) {
1707 ksr->kr_rxb = sds[i].sdt_rxb;
1708 ksr->kr_txb = sds[i].sdt_txb;
1709 mutex_enter(&sds[i].sdt_lat.ly_mutex);
1710 ksr->kr_nreq = sds[i].sdt_lat.ly_a_nreq;
1711 ksr->kr_sum = sds[i].sdt_lat.ly_a_sum;
1712 ksr->kr_a_mean = sds[i].sdt_lat.ly_a_mean;
1713 ksr->kr_a_stddev =
1714 sds[i].sdt_lat.ly_a_stddev;
1715 ksr->kr_d_mean = sds[i].sdt_lat.ly_d_mean;
1716 ksr->kr_d_stddev =
1717 sds[i].sdt_lat.ly_d_stddev;
1718 sds[i].sdt_lat.ly_d_mean = 0;
1719 sds[i].sdt_lat.ly_d_nreq = 0;
1720 sds[i].sdt_lat.ly_d_stddev = 0;
1721 sds[i].sdt_lat.ly_d_sum = 0;
1722 mutex_exit(&sds[i].sdt_lat.ly_mutex);
1723 }
1724 }
1725 }
1726
1727 /*
1728 * Append new_sr to the postwork queue. sr->smb2_cmd_code encodes
1729 * the action that should be run by this sr.
1730 *
1731 * This queue is rarely used (and normally empty) so we're OK
1732 * using a simple "walk to tail and insert" here.
1733 */
1734 void
1735 smb2sr_append_postwork(smb_request_t *top_sr, smb_request_t *new_sr)
1736 {
1737 smb_request_t *last_sr;
1738
1739 ASSERT(top_sr->session->dialect >= SMB_VERS_2_BASE);
1740
1741 last_sr = top_sr;
1742 while (last_sr->sr_postwork != NULL)
1743 last_sr = last_sr->sr_postwork;
1744
1745 last_sr->sr_postwork = new_sr;
1746 }
1747
1748 /*
1749 * Run any "post work" that was appended to the main SR while it
1750 * was running. This is called after the request has been sent
1751 * for the main SR, and used in cases i.e. the oplock code, where
1752 * we need to send something to the client only _after_ the main
1753 * sr request has gone out.
1754 */
1755 static void
1756 smb2sr_run_postwork(smb_request_t *top_sr)
1757 {
1758 smb_request_t *post_sr; /* the one we're running */
1759 smb_request_t *next_sr;
1760
1761 while ((post_sr = top_sr->sr_postwork) != NULL) {
1762 next_sr = post_sr->sr_postwork;
1763 top_sr->sr_postwork = next_sr;
1764 post_sr->sr_postwork = NULL;
1765
1766 post_sr->sr_worker = top_sr->sr_worker;
1767 post_sr->sr_state = SMB_REQ_STATE_ACTIVE;
1768
1769 switch (post_sr->smb2_cmd_code) {
1770 case SMB2_OPLOCK_BREAK:
1771 smb_oplock_send_brk(post_sr);
1772 break;
1773 default:
1774 ASSERT(0);
1775 }
1776
1777 /*
1778 * If we have a durable handle, and this operation
1779 * updated the nvlist, write it out.
1780 */
1781 if (post_sr->dh_nvl_dirty) {
1782 post_sr->dh_nvl_dirty = B_FALSE;
1783 smb2_dh_update_nvfile(post_sr);
1784 }
1785
1786 post_sr->sr_state = SMB_REQ_STATE_COMPLETED;
1787 smb_request_free(post_sr);
1788 }
1789 }
|