/*
* This file and its contents are supplied under the terms of the
* Common Development and Distribution License ("CDDL"), version 1.0.
* You may only use this file in accordance with the terms of version
* 1.0 of the CDDL.
*
* A full copy of the text of the CDDL should have accompanied this
* source. A copy of the CDDL is also available via the Internet at
*/
/*
* Copyright 2015 Nexenta Systems, Inc. All rights reserved.
*/
#include <smbsrv/smb2_kproto.h>
#include <smbsrv/smb_kstat.h>
/*
* Saved state for a command that "goes async". When a compound request
* contains a command that may block indefinitely, the compound reply is
* composed with an "interim response" for that command, and information
* needed to actually dispatch that command is saved on a list of "async"
* commands for this compound request. After the compound reply is sent,
* the list of async commands is processed, and those may block as long
* as they need to without affecting the initial compound request.
*
* Now interestingly, this "async" mechanism is not used with the full
* range of asynchrony that one might imagine. The design of async
* request processing can be drastically simplified if we can assume
* that there's no need to run more than one async command at a time.
* With that simplifying assumption, we can continue using the current
* "one worker thread per request message" model, which has very simple
* locking rules etc. The same worker thread that handles the initial
* compound request can handle the list of async requests.
*
* As it turns out, SMB2 clients do not try to use more than one "async"
* command in a compound. If they were to do so, the [MS-SMB2] spec.
* allows us to decline additional async requests with an error.
*
* smb_async_req_t is the struct used to save an "async" request on
* the list of requests that had an interim reply in the initial
* compound reply. This includes everything needed to restart
* processing at the async command.
*/
typedef struct smb2_async_req {
/*
* SMB2 header fields.
*/
void smb2sr_do_async(smb_request_t *);
static void smb2_tq_work(void *);
static const smb_disp_entry_t const
/* text-name, pre, func, post, cmd-code, dialect, flags */
{ "smb2_negotiate", NULL,
smb2_negotiate, NULL, 0, 0,
{ "smb2_session_setup", NULL,
smb2_session_setup, NULL, 0, 0,
{ "smb2_logoff", NULL,
smb2_logoff, NULL, 0, 0,
{ "smb2_tree_connect", NULL,
smb2_tree_connect, NULL, 0, 0,
{ "smb2_tree_disconn", NULL,
smb2_tree_disconn, NULL, 0, 0 },
{ "smb2_create", NULL,
smb2_create, NULL, 0, 0 },
{ "smb2_close", NULL,
smb2_close, NULL, 0, 0 },
{ "smb2_flush", NULL,
smb2_flush, NULL, 0, 0 },
{ "smb2_read", NULL,
{ "smb2_write", NULL,
smb2_write, NULL, 0, 0 },
{ "smb2_lock", NULL,
{ "smb2_ioctl", NULL,
smb2_ioctl, NULL, 0, 0 },
/*
* Note: Cancel gets the "invalid command" handler because
* that's always handled directly in the reader. We should
* never get to the function using this table, but note:
* We CAN get here if a nasty client adds cancel to some
* compound message, which is a protocol violation.
*/
{ "smb2_cancel", NULL,
smb2_invalid_cmd, NULL, 0, 0 },
{ "smb2_echo", NULL,
{ "smb2_query_dir", NULL,
smb2_query_dir, NULL, 0, 0 },
{ "smb2_change_notify", NULL,
smb2_change_notify, NULL, 0, 0 },
{ "smb2_query_info", NULL,
smb2_query_info, NULL, 0, 0 },
{ "smb2_set_info", NULL,
smb2_set_info, NULL, 0, 0 },
{ "smb2_oplock_break_ack", NULL,
smb2_oplock_break_ack, NULL, 0, 0 },
{ "smb2_invalid_cmd", NULL,
smb2_invalid_cmd, NULL, 0, 0,
};
{
#ifdef DEBUG
#endif
return (SDRC_DROP_VC);
}
/*
* This is the SMB2 handler for new smb requests, called from
* smb_session_reader after SMB negotiate is done. For most SMB2
* requests, we just enqueue them for the smb_session_worker to
* execute via the task queue, so they can block for resources
* without stopping the reader thread. A few protocol messages
* are special cases and are handled directly here in the reader
* thread so they don't wait for taskq scheduling.
*
* This function must either enqueue the new request for
* execution via the task queue, or execute it directly
* and then free it. If this returns non-zero, the caller
* will drop the session.
*/
int
{
int rc;
if (magic != SMB2_PROTOCOL_MAGIC) {
/* will drop the connection */
return (EPROTO);
}
/*
* Execute Cancel requests immediately, (here in the
* reader thread) so they won't wait for any other
* commands we might already have in the task queue.
* Cancel also skips signature verification and
* does not consume a sequence number.
* [MS-SMB2] 3.2.4.24 Cancellation...
*/
if (command == SMB2_CANCEL) {
return (rc);
}
/*
* Submit the request to the task queue, which calls
* smb2_tq_work when the workload permits.
*/
return (0);
}
static void
{
/*
* In contrast with SMB1, SMB2 must _always_ dispatch to
* the handler function, because cancelled requests need
* an error reply (NT_STATUS_CANCELLED).
*/
}
/*
* smb2sr_work
*
* This function processes each SMB command in the current request
* (which may be a compound request) building a reply containing
* SMB reply messages, one-to-one with the SMB commands. Some SMB
* commands (change notify, blocking locks) may require both an
* "interim response" and a later "async response" at completion.
* In such cases, we'll encode the interim response in the reply
* compound we're building, and put the (now async) command on a
* list of commands that need further processing. After we've
* finished processing the commands in this compound and building
* the compound reply, we'll send the compound reply, and finally
* process the list of async commands.
*
* As we work our way through the compound request and reply,
* we need to keep track of the bounds of the current request
* and reply. For the request, this uses an MBC_SHADOW_CHAIN
* that begins at smb2_cmd_hdr. The reply is appended to the
* sr->reply chain starting at smb2_reply_hdr.
*
* This function must always free the smb request.
*/
void
{
int rc = 0;
sr->smb2_status = 0;
/* temporary until we identify a user */
case SMB_REQ_STATE_SUBMITTED:
case SMB_REQ_STATE_CLEANED_UP:
break;
default:
ASSERT(0);
/* FALLTHROUGH */
case SMB_REQ_STATE_CANCELED:
break;
}
/*
* Decode the request header
*
* Most problems with decoding will result in the error
* STATUS_INVALID_PARAMETER. If the decoding problem
* prevents continuing, we'll close the connection.
* [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted...
*
* We treat some status codes as if "sticky", meaning
* once they're set after some command handler returns,
* all remaining commands get this status without even
* calling the command-specific handler. The cancelled
* status is used above, and insufficient_resources is
* used when smb2sr_go_async declines to "go async".
* Otherwise initialize to zero (success).
*/
sr->smb2_status = 0;
disconnect = B_TRUE;
goto cleanup;
}
/*
* The SMB2_FLAGS_SERVER_TO_REDIR should only appear
* in messages from the server back to the client.
*/
disconnect = B_TRUE;
goto cleanup;
}
/*
* In case we bail out with an error before we get to the
* section that computes the credit grant, initialize the
* response header fields so that credits won't change.
* Note: SMB 2.02 clients may send credit charge zero.
*/
if (sr->smb2_credit_charge == 0)
/*
* Reserve space for the reply header, and save the offset.
* The reply header will be overwritten later. If we have
* already exhausted the output space, then this client is
* trying something funny. Log it and kill 'em.
*/
disconnect = B_TRUE;
goto cleanup;
}
/*
* Figure out the length of data following the SMB2 header.
* It ends at either the next SMB2 header if there is one
* (smb2_next_command != 0) or at the end of the message.
*/
if (sr->smb2_next_command != 0) {
/* [MS-SMB2] says this is 8-byte aligned */
disconnect = B_TRUE;
goto cleanup;
}
} else {
}
/*
* Setup a shadow chain for this SMB2 command, starting
* with the header and ending at either the next command
* or the end of the message. The signing check below
* needs the entire SMB2 command. After that's done, we
* advance chain_offset to the end of the header where
* the command specific handlers continue decoding.
*/
/*
* Validate the commmand code, get dispatch table entries.
* [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted...
*
* The last slot in the dispatch table is used to handle
* invalid commands. Same for statistics.
*/
else
/*
* If this command is NOT "related" to the previous,
* clear out the UID, TID, FID state that might be
* left over from the previous command.
*
* If the command IS related, any new IDs are ignored,
* and we simply continue with the previous user, tree,
* and open file.
*/
if (!related) {
/*
* Drop user, tree, file; carefully ordered to
* avoid dangling references: file, tree, user
*/
}
}
}
}
/*
* Make sure we have a user and tree as needed
* according to the flags for the this command.
* Note that we may have inherited these.
*/
/*
* This command requires a user session.
*/
if (related) {
/*
* Previous command should have given us a user.
* [MS-SMB2] 3.3.5.2 Handling Related Requests
*/
goto cmd_done;
}
} else {
/*
* Lookup the UID
* [MS-SMB2] 3.3.5.2 Verifying the Session
*/
goto cmd_done;
}
}
}
/*
* This command requires a tree connection.
*/
if (related) {
/*
* Previous command should have given us a tree.
* [MS-SMB2] 3.3.5.2 Handling Related Requests
*/
goto cmd_done;
}
} else {
/*
* Lookup the TID
* [MS-SMB2] 3.3.5.2 Verifying the Tree Connect
*/
goto cmd_done;
}
}
}
/*
* SMB2 signature verification, two parts:
* (a) Require SMB2_FLAGS_SIGNED (for most request types)
* (b) If SMB2_FLAGS_SIGNED is set, check the signature.
* [MS-SMB2] 3.3.5.2.4 Verifying the Signature
*/
/*
* No user session means no signature check. That's OK,
* i.e. for commands marked SDDF_SUPPRESS_UID above.
* Note, this also means we won't sign the reply.
*/
/*
* The SDDF_SUPPRESS_UID dispatch is set for requests that
* don't need a UID (user). These also don't require a
* signature check here.
*/
/*
* This request type should be signed, and
* we're configured to require signatures.
*/
goto cmd_done;
}
if (rc != 0) {
goto cmd_done;
}
}
/*
* Now that the signing check is done with smb_data,
* advance past the SMB2 header we decoded earlier.
* This leaves sr->smb_data correctly positioned
* for command-specific decoding in the dispatch
* function called next.
*/
/*
* SMB2 credits determine how many simultaneous commands the
* client may issue, and bounds the range of message IDs those
* commands may use. With multi-credit support, commands may
* use ranges of message IDs, where the credits used by each
* command are proportional to their data transfer size.
*
* Every command may request an increase or decrease of
* the currently granted credits, based on the difference
* between the credit request and the credit charge.
* [MS-SMB2] 3.3.1.2 Algorithm for the Granting of Credits
*
* Most commands have credit_request=1, credit_charge=1,
* which keeps the credit grant unchanged.
*
* All we're really doing here (for now) is reducing the
* credit_response if the client requests a credit increase
* that would take their credit over the maximum, and
* limiting the decrease so they don't run out of credits.
*
* Later, this could do something dynamic based on load.
*
* One other non-obvious bit about credits: We keep the
* session s_max_credits low until the 1st authentication,
* at which point we'll set the normal maximum_credits.
* Some clients ask for more credits with session setup,
* and we need to handle that requested increase _after_
* the command-specific handler returns so it won't be
* restricted to the lower (pre-auth) limit.
*/
/* Handle credit decrease. */
cur -= d;
if (cur & 0x8000) {
/*
* underflow (bad credit charge or request)
* leave credits unchanged (response=charge)
*/
}
/*
* The server MUST ensure that the number of credits
* held by the client is never reduced to zero.
* [MS-SMB2] 3.3.1.2
*/
if (cur == 0) {
cur = 1;
}
int, (int)session->s_cur_credits);
}
/*
* The real work: call the SMB2 command handler
* (except for "sticky" smb2_status - see above)
*/
rc = SDRC_SUCCESS;
if (sr->smb2_status == 0) {
/* NB: not using pre_op */
/* NB: not using post_op */
}
/*
* Second half of SMB2 credit handling (increases)
*/
/* Handle credit increase. */
cur += d;
/*
* If new credits would be above max,
* reduce the credit grant.
*/
sr->smb2_credit_response -= d;
}
int, (int)session->s_cur_credits);
}
/*
* Pad the reply to align(8) if necessary.
*/
}
/*
* Record some statistics: latency, rx bytes, tx bytes.
*/
switch (rc) {
case SDRC_SUCCESS:
break;
default:
/*
* SMB2 does not use the other dispatch return codes.
* If we see something else, log an event so we'll
* know something is returning bogus status codes.
* If you see these in the log, use dtrace to find
* the code returning something else.
*/
#ifdef DEBUG
#endif
/* FALLTHROUGH */
case SDRC_ERROR:
if (sr->smb2_status == 0)
break;
case SDRC_DROP_VC:
disconnect = B_TRUE;
goto cleanup;
}
/*
* If there's a next command, figure out where it starts,
* and fill in the next command offset for the reply.
* Note: We sanity checked smb2_next_command above
* (the offset to the next command). Similarly set
* smb2_next_reply as the offset to the next reply.
*/
if (sr->smb2_next_command != 0) {
} else {
sr->smb2_next_reply = 0;
}
/*
* Overwrite the SMB2 header for the response of
* this command (possibly part of a compound).
* encode_header adds: SMB2_FLAGS_SERVER_TO_REDIR
*/
if (sr->smb2_next_command != 0)
goto cmd_start;
/*
* We've done all the commands in this compound.
* Send it out.
*/
/*
* If any of the requests "went async", process those now.
* The async. function "keeps" this sr, changing its state
* to completed and calling smb_request_free().
*/
return;
}
if (disconnect) {
break;
default:
break;
}
}
}
/*
* Dispatch an async request using saved information.
* See smb2sr_save_async and [MS-SMB2] 3.3.4.2
*
* This is sort of a "lite" version of smb2sr_work. Initialize the
* command and reply areas as they were when the command-speicific
* handler started (in case it needs to decode anything again).
* Call the async function, which builds the command-specific part
* of the response. Finally, send the response and free the sr.
*/
void
{
int rc = 0;
/*
* Restore what smb2_decode_header found.
* (In lieu of decoding it again.)
*/
sr->smb2_status = 0;
/*
* Async requests don't grant credits, because any credits
* should have gone out with the interim reply.
* An async reply goes alone (no next reply).
*/
sr->smb2_credit_response = 0;
sr->smb2_next_reply = 0;
/*
* Setup input mbuf_chain
*/
/*
* Setup output mbuf_chain
*/
/*
* Keep the UID, TID, ofile we have.
*/
goto cmd_done;
}
goto cmd_done;
}
/*
* Signature already verified
* Credits handled...
*
* Just call the async handler function.
*/
/*
* Pad the reply to align(8) if necessary.
*/
}
/*
* Record some statistics: (just tx bytes here)
*/
/*
* Overwrite the SMB2 header for the response of
* this command (possibly part of a compound).
* The call adds: SMB2_FLAGS_SERVER_TO_REDIR
*/
/*
* Done. Unlink and free.
*/
}
/*
* In preparation for sending an "interim response", save
* all the state we'll need to run an async command later,
* and assign an "async id" for this (now async) command.
* See [MS-SMB2] 3.3.4.2
*
* If more than one request in a compound request tries to
* "go async", we can "say no". See [MS-SMB2] 3.3.4.2
* If an operation would require asynchronous processing
* but resources are constrained, the server MAY choose to
* fail that operation with STATUS_INSUFFICIENT_RESOURCES.
*
* For simplicity, we further restrict the cases where we're
* willing to "go async", and only allow the last command in a
* compound to "go async". It happens that this is the only
* case where we're actually asked to go async anyway. This
* simplification also means there can be at most one command
* in a compound that "goes async" (the last one).
*
* If we agree to "go async", this should return STATUS_PENDING.
* Otherwise return STATUS_INSUFFICIENT_RESOURCES for this and
* all requests following this request. (See the comments re.
* "sticky" smb2_status values in smb2sr_work).
*
* Note: the Async ID we assign here is arbitrary, and need only
* be unique among pending async responses on this connection, so
* this just uses an object address as the Async ID.
*
* Also, the assigned worker is the ONLY thread using this
* async request object (sr_async_req) so no locking.
*/
{
if (sr->smb2_next_command != 0)
return (NT_STATUS_INSUFFICIENT_RESOURCES);
/*
* Place an interim response in the compound reply.
*
* Turn on the "async" flag for both the (synchronous)
* interim response and the (later) async response,
* by storing that in flags before coping into ar.
*
* The "related" flag should always be off for the
* async part because we're no longer operating on a
* sequence of commands when we execute that.
*/
/* Interim responses are NOT signed. */
return (NT_STATUS_PENDING);
}
int
{
int rc;
&hdr_len, /* w */
/* reserved .. */
&pid, /* l */
&tid, /* l */
&ssnid, /* q */
if (rc)
return (rc);
if (hdr_len != SMB2_HDR_SIZE)
return (-1);
} else {
}
return (rc);
}
int
{
int rc;
} else {
}
if (overwrite) {
"Nwwlwwllqqq16c",
SMB2_HDR_SIZE, /* w */
reply_hdr_flags, /* l */
pid_tid_aid, /* q */
ssnid, /* q */
} else {
"Nwwlwwllqqq16c",
SMB2_HDR_SIZE, /* w */
reply_hdr_flags, /* l */
pid_tid_aid, /* q */
ssnid, /* q */
}
return (rc);
}
void
{
}
/*
* This wrapper function exists to help catch calls to smbsr_status()
* (which is SMB1-specific) in common code. See smbsr_status().
* If the log message below is seen, put a dtrace probe on this
* function with a stack() action to see who is calling the SMB1
* "put error" from common code, and fix it.
*/
void
{
const char *name;
else
name = "<unknown>";
#ifdef DEBUG
#endif
}
void
{
}
void
{
}
/*
* Build an SMB2 error response. [MS-SMB2] 2.2.2
*/
void
{
/*
* The common dispatch code writes this when it
* updates the SMB2 header before sending.
*/
/* Rewind to the end of the SMB header. */
/*
* NB: Must provide at least one byte of error data,
* per [MS-SMB2] 2.2.2
*/
(void) smb_mbc_encodef(
"wwlC",
9, /* StructSize */ /* w */
0, /* reserved */ /* w */
len, /* l */
mbc); /* C */
} else {
(void) smb_mbc_encodef(
"wwl.",
9, /* StructSize */ /* w */
0, /* reserved */ /* w */
0); /* l. */
}
}
/*
* smb2sr_lookup_fid
*
* Setup sr->fid_ofile, either inherited from a related command,
* or obtained via FID lookup. Similar inheritance logic as in
* smb2sr_work.
*/
{
if (related) {
return (NT_STATUS_INVALID_PARAMETER);
return (0);
}
/*
* If we could be sure this is called only once per cmd,
* we could simply ASSERT(sr->fid_ofile == NULL) here.
* However, there are cases where it can be called again
* handling the same command, so let's tolerate that.
*/
}
return (NT_STATUS_FILE_CLOSED);
return (0);
}
/*
* smb2_dispatch_stats_init
*
* Initializes dispatch statistics for SMB2.
* See also smb_dispatch_stats_init(), which fills in
* the lower part of the statistics array, from zero
* through SMB_COM_NUM;
*/
void
{
int i;
for (i = 0; i < SMB2__NCMDS; i++, ksr++) {
}
}
/*
* smb2_dispatch_stats_fini
*
* Frees and destroyes the resources used for statistics.
*/
void
{
int i;
for (i = 0; i < SMB2__NCMDS; i++)
}
void
{
int i;
int last;
ksr->kr_a_stddev =
ksr->kr_d_stddev =
}
}
}