4 * Copyright (C) International Business Machines Corp., 2002,2011
6 * Author(s): Steve French (sfrench@us.ibm.com)
7 * Pavel Shilovsky (pshilovsky@samba.org) 2012
9 * This library is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU Lesser General Public License as published
11 * by the Free Software Foundation; either version 2.1 of the License, or
12 * (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
17 * the GNU Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public License
20 * along with this library; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 #include <linux/ctype.h>
26 #include "cifsproto.h"
27 #include "smb2proto.h"
28 #include "cifs_debug.h"
29 #include "cifs_unicode.h"
30 #include "smb2status.h"
33 check_smb2_hdr(struct smb2_hdr *hdr, __u64 mid)
35 __u64 wire_mid = le64_to_cpu(hdr->MessageId);
38 * Make sure that this really is an SMB, that it is a response,
39 * and that the message ids match.
41 if ((hdr->ProtocolId == SMB2_PROTO_NUMBER) &&
43 if (hdr->Flags & SMB2_FLAGS_SERVER_TO_REDIR)
46 /* only one valid case where server sends us request */
47 if (hdr->Command == SMB2_OPLOCK_BREAK)
50 cifs_dbg(VFS, "Received Request not response\n");
52 } else { /* bad signature or mid */
53 if (hdr->ProtocolId != SMB2_PROTO_NUMBER)
54 cifs_dbg(VFS, "Bad protocol string signature header %x\n",
55 le32_to_cpu(hdr->ProtocolId));
57 cifs_dbg(VFS, "Mids do not match: %llu and %llu\n",
60 cifs_dbg(VFS, "Bad SMB detected. The Mid=%llu\n", wire_mid);
65 * The following table defines the expected "StructureSize" of SMB2 responses
66 * in order by SMB2 command. This is similar to "wct" in SMB/CIFS responses.
68 * Note that commands are defined in smb2pdu.h in le16 but the array below is
69 * indexed by command in host byte order
71 static const __le16 smb2_rsp_struct_sizes[NUMBER_OF_SMB2_COMMANDS] = {
72 /* SMB2_NEGOTIATE */ cpu_to_le16(65),
73 /* SMB2_SESSION_SETUP */ cpu_to_le16(9),
74 /* SMB2_LOGOFF */ cpu_to_le16(4),
75 /* SMB2_TREE_CONNECT */ cpu_to_le16(16),
76 /* SMB2_TREE_DISCONNECT */ cpu_to_le16(4),
77 /* SMB2_CREATE */ cpu_to_le16(89),
78 /* SMB2_CLOSE */ cpu_to_le16(60),
79 /* SMB2_FLUSH */ cpu_to_le16(4),
80 /* SMB2_READ */ cpu_to_le16(17),
81 /* SMB2_WRITE */ cpu_to_le16(17),
82 /* SMB2_LOCK */ cpu_to_le16(4),
83 /* SMB2_IOCTL */ cpu_to_le16(49),
84 /* BB CHECK this ... not listed in documentation */
85 /* SMB2_CANCEL */ cpu_to_le16(0),
86 /* SMB2_ECHO */ cpu_to_le16(4),
87 /* SMB2_QUERY_DIRECTORY */ cpu_to_le16(9),
88 /* SMB2_CHANGE_NOTIFY */ cpu_to_le16(9),
89 /* SMB2_QUERY_INFO */ cpu_to_le16(9),
90 /* SMB2_SET_INFO */ cpu_to_le16(2),
91 /* BB FIXME can also be 44 for lease break */
92 /* SMB2_OPLOCK_BREAK */ cpu_to_le16(24)
96 smb2_check_message(char *buf, unsigned int length, struct TCP_Server_Info *srvr)
98 struct smb2_hdr *hdr = (struct smb2_hdr *)buf;
99 struct smb2_pdu *pdu = (struct smb2_pdu *)hdr;
101 __u32 len = get_rfc1002_length(buf);
102 __u32 clc_len; /* calculated length */
105 /* BB disable following printk later */
106 cifs_dbg(FYI, "%s length: 0x%x, smb_buf_length: 0x%x\n",
107 __func__, length, len);
110 * Add function to do table lookup of StructureSize by command
111 * ie Validate the wct via smb2_struct_sizes table above
114 if (hdr->ProtocolId == SMB2_TRANSFORM_PROTO_NUM) {
115 struct smb2_transform_hdr *thdr =
116 (struct smb2_transform_hdr *)buf;
117 struct cifs_ses *ses = NULL;
118 struct list_head *tmp;
120 /* decrypt frame now that it is completely read in */
121 spin_lock(&cifs_tcp_ses_lock);
122 list_for_each(tmp, &srvr->smb_ses_list) {
123 ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
124 if (ses->Suid == thdr->SessionId)
129 spin_unlock(&cifs_tcp_ses_lock);
131 cifs_dbg(VFS, "no decryption - session id not found\n");
137 mid = le64_to_cpu(hdr->MessageId);
138 if (length < sizeof(struct smb2_pdu)) {
139 if ((length >= sizeof(struct smb2_hdr)) && (hdr->Status != 0)) {
140 pdu->StructureSize2 = 0;
142 * As with SMB/CIFS, on some error cases servers may
143 * not return wct properly
147 cifs_dbg(VFS, "Length less than SMB header size\n");
151 if (len > CIFSMaxBufSize + MAX_SMB2_HDR_SIZE - 4) {
152 cifs_dbg(VFS, "SMB length greater than maximum, mid=%llu\n",
157 if (check_smb2_hdr(hdr, mid))
160 if (hdr->StructureSize != SMB2_HEADER_STRUCTURE_SIZE) {
161 cifs_dbg(VFS, "Illegal structure size %u\n",
162 le16_to_cpu(hdr->StructureSize));
166 command = le16_to_cpu(hdr->Command);
167 if (command >= NUMBER_OF_SMB2_COMMANDS) {
168 cifs_dbg(VFS, "Illegal SMB2 command %d\n", command);
172 if (smb2_rsp_struct_sizes[command] != pdu->StructureSize2) {
173 if (command != SMB2_OPLOCK_BREAK_HE && (hdr->Status == 0 ||
174 pdu->StructureSize2 != SMB2_ERROR_STRUCTURE_SIZE2)) {
175 /* error packets have 9 byte structure size */
176 cifs_dbg(VFS, "Illegal response size %u for command %d\n",
177 le16_to_cpu(pdu->StructureSize2), command);
179 } else if (command == SMB2_OPLOCK_BREAK_HE && (hdr->Status == 0)
180 && (le16_to_cpu(pdu->StructureSize2) != 44)
181 && (le16_to_cpu(pdu->StructureSize2) != 36)) {
182 /* special case for SMB2.1 lease break message */
183 cifs_dbg(VFS, "Illegal response size %d for oplock break\n",
184 le16_to_cpu(pdu->StructureSize2));
189 if (4 + len != length) {
190 cifs_dbg(VFS, "Total length %u RFC1002 length %u mismatch mid %llu\n",
191 length, 4 + len, mid);
195 clc_len = smb2_calc_size(hdr);
197 if (4 + len != clc_len) {
198 cifs_dbg(FYI, "Calculated size %u length %u mismatch mid %llu\n",
199 clc_len, 4 + len, mid);
200 /* create failed on symlink */
201 if (command == SMB2_CREATE_HE &&
202 hdr->Status == STATUS_STOPPED_ON_SYMLINK)
204 /* Windows 7 server returns 24 bytes more */
205 if (clc_len + 20 == len && command == SMB2_OPLOCK_BREAK_HE)
207 /* server can return one byte more due to implied bcc[0] */
208 if (clc_len == 4 + len + 1)
212 * Some windows servers (win2016) will pad also the final
213 * PDU in a compound to 8 bytes.
215 if (((clc_len + 7) & ~7) == len)
219 * MacOS server pads after SMB2.1 write response with 3 bytes
220 * of junk. Other servers match RFC1001 len to actual
221 * SMB2/SMB3 frame length (header + smb2 response specific data)
222 * Log the server error (once), but allow it and continue
223 * since the frame is parseable.
225 if (clc_len < 4 /* RFC1001 header size */ + len) {
226 printk_once(KERN_WARNING
227 "SMB2 server sent bad RFC1001 len %d not %d\n",
238 * The size of the variable area depends on the offset and length fields
239 * located in different fields for various SMB2 responses. SMB2 responses
240 * with no variable length info, show an offset of zero for the offset field.
242 static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = {
243 /* SMB2_NEGOTIATE */ true,
244 /* SMB2_SESSION_SETUP */ true,
245 /* SMB2_LOGOFF */ false,
246 /* SMB2_TREE_CONNECT */ false,
247 /* SMB2_TREE_DISCONNECT */ false,
248 /* SMB2_CREATE */ true,
249 /* SMB2_CLOSE */ false,
250 /* SMB2_FLUSH */ false,
251 /* SMB2_READ */ true,
252 /* SMB2_WRITE */ false,
253 /* SMB2_LOCK */ false,
254 /* SMB2_IOCTL */ true,
255 /* SMB2_CANCEL */ false, /* BB CHECK this not listed in documentation */
256 /* SMB2_ECHO */ false,
257 /* SMB2_QUERY_DIRECTORY */ true,
258 /* SMB2_CHANGE_NOTIFY */ true,
259 /* SMB2_QUERY_INFO */ true,
260 /* SMB2_SET_INFO */ false,
261 /* SMB2_OPLOCK_BREAK */ false
265 * Returns the pointer to the beginning of the data area. Length of the data
266 * area and the offset to it (from the beginning of the smb are also returned.
269 smb2_get_data_area_len(int *off, int *len, struct smb2_hdr *hdr)
274 /* error responses do not have data area */
275 if (hdr->Status && hdr->Status != STATUS_MORE_PROCESSING_REQUIRED &&
276 (((struct smb2_err_rsp *)hdr)->StructureSize) ==
277 SMB2_ERROR_STRUCTURE_SIZE2)
281 * Following commands have data areas so we have to get the location
282 * of the data buffer offset and data buffer length for the particular
285 switch (hdr->Command) {
288 ((struct smb2_negotiate_rsp *)hdr)->SecurityBufferOffset);
290 ((struct smb2_negotiate_rsp *)hdr)->SecurityBufferLength);
292 case SMB2_SESSION_SETUP:
294 ((struct smb2_sess_setup_rsp *)hdr)->SecurityBufferOffset);
296 ((struct smb2_sess_setup_rsp *)hdr)->SecurityBufferLength);
300 ((struct smb2_create_rsp *)hdr)->CreateContextsOffset);
302 ((struct smb2_create_rsp *)hdr)->CreateContextsLength);
304 case SMB2_QUERY_INFO:
306 ((struct smb2_query_info_rsp *)hdr)->OutputBufferOffset);
308 ((struct smb2_query_info_rsp *)hdr)->OutputBufferLength);
311 *off = ((struct smb2_read_rsp *)hdr)->DataOffset;
312 *len = le32_to_cpu(((struct smb2_read_rsp *)hdr)->DataLength);
314 case SMB2_QUERY_DIRECTORY:
316 ((struct smb2_query_directory_rsp *)hdr)->OutputBufferOffset);
318 ((struct smb2_query_directory_rsp *)hdr)->OutputBufferLength);
322 ((struct smb2_ioctl_rsp *)hdr)->OutputOffset);
323 *len = le32_to_cpu(((struct smb2_ioctl_rsp *)hdr)->OutputCount);
325 case SMB2_CHANGE_NOTIFY:
327 /* BB FIXME for unimplemented cases above */
328 cifs_dbg(VFS, "no length check for command\n");
333 * Invalid length or offset probably means data area is invalid, but
334 * we have little choice but to ignore the data area in this case.
337 cifs_dbg(VFS, "offset %d too large, data area ignored\n", *off);
340 } else if (*off < 0) {
341 cifs_dbg(VFS, "negative offset %d to data invalid ignore data area\n",
345 } else if (*len < 0) {
346 cifs_dbg(VFS, "negative data length %d invalid, data area ignored\n",
349 } else if (*len > 128 * 1024) {
350 cifs_dbg(VFS, "data area larger than 128K: %d\n", *len);
354 /* return pointer to beginning of data area, ie offset from SMB start */
355 if ((*off != 0) && (*len != 0))
356 return (char *)(&hdr->ProtocolId) + *off;
362 * Calculate the size of the SMB message based on the fixed header
363 * portion, the number of word parameters and the data portion of the message.
366 smb2_calc_size(void *buf)
368 struct smb2_hdr *hdr = (struct smb2_hdr *)buf;
369 struct smb2_pdu *pdu = (struct smb2_pdu *)hdr;
370 int offset; /* the offset from the beginning of SMB to data area */
371 int data_length; /* the length of the variable length data area */
372 /* Structure Size has already been checked to make sure it is 64 */
373 int len = 4 + le16_to_cpu(pdu->hdr.StructureSize);
376 * StructureSize2, ie length of fixed parameter area has already
377 * been checked to make sure it is the correct length.
379 len += le16_to_cpu(pdu->StructureSize2);
381 if (has_smb2_data_area[le16_to_cpu(hdr->Command)] == false)
384 smb2_get_data_area_len(&offset, &data_length, hdr);
385 cifs_dbg(FYI, "SMB2 data length %d offset %d\n", data_length, offset);
387 if (data_length > 0) {
389 * Check to make sure that data area begins after fixed area,
390 * Note that last byte of the fixed area is part of data area
391 * for some commands, typically those with odd StructureSize,
392 * so we must add one to the calculation (and 4 to account for
393 * the size of the RFC1001 hdr.
395 if (offset + 4 + 1 < len) {
396 cifs_dbg(VFS, "data area offset %d overlaps SMB2 header %d\n",
397 offset + 4 + 1, len);
400 len = 4 + offset + data_length;
404 cifs_dbg(FYI, "SMB2 len %d\n", len);
408 /* Note: caller must free return buffer */
410 cifs_convert_path_to_utf16(const char *from, struct cifs_sb_info *cifs_sb)
413 const char *start_of_path;
417 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SFM_CHR)
418 map_type = SFM_MAP_UNI_RSVD;
419 else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR)
420 map_type = SFU_MAP_UNI_RSVD;
422 map_type = NO_MAP_UNI_RSVD;
424 /* Windows doesn't allow paths beginning with \ */
426 start_of_path = from + 1;
428 start_of_path = from;
429 to = cifs_strndup_to_utf16(start_of_path, PATH_MAX, &len,
430 cifs_sb->local_nls, map_type);
435 smb2_get_lease_state(struct cifsInodeInfo *cinode)
439 if (CIFS_CACHE_WRITE(cinode))
440 lease |= SMB2_LEASE_WRITE_CACHING;
441 if (CIFS_CACHE_HANDLE(cinode))
442 lease |= SMB2_LEASE_HANDLE_CACHING;
443 if (CIFS_CACHE_READ(cinode))
444 lease |= SMB2_LEASE_READ_CACHING;
448 struct smb2_lease_break_work {
449 struct work_struct lease_break;
450 struct tcon_link *tlink;
456 cifs_ses_oplock_break(struct work_struct *work)
458 struct smb2_lease_break_work *lw = container_of(work,
459 struct smb2_lease_break_work, lease_break);
462 rc = SMB2_lease_break(0, tlink_tcon(lw->tlink), lw->lease_key,
464 cifs_dbg(FYI, "Lease release rc %d\n", rc);
465 cifs_put_tlink(lw->tlink);
470 smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp,
471 struct smb2_lease_break_work *lw)
475 struct list_head *tmp;
476 struct cifsFileInfo *cfile;
477 struct cifs_pending_open *open;
478 struct cifsInodeInfo *cinode;
479 int ack_req = le32_to_cpu(rsp->Flags &
480 SMB2_NOTIFY_BREAK_LEASE_FLAG_ACK_REQUIRED);
482 lease_state = le32_to_cpu(rsp->NewLeaseState);
484 list_for_each(tmp, &tcon->openFileList) {
485 cfile = list_entry(tmp, struct cifsFileInfo, tlist);
486 cinode = CIFS_I(d_inode(cfile->dentry));
488 if (memcmp(cinode->lease_key, rsp->LeaseKey,
489 SMB2_LEASE_KEY_SIZE))
492 cifs_dbg(FYI, "found in the open list\n");
493 cifs_dbg(FYI, "lease key match, lease break 0x%x\n",
497 cfile->oplock_break_cancelled = false;
499 cfile->oplock_break_cancelled = true;
501 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
503 cfile->oplock_epoch = le16_to_cpu(rsp->Epoch);
504 cfile->oplock_level = lease_state;
506 cifs_queue_oplock_break(cfile);
512 list_for_each_entry(open, &tcon->pending_opens, olist) {
513 if (memcmp(open->lease_key, rsp->LeaseKey,
514 SMB2_LEASE_KEY_SIZE))
517 if (!found && ack_req) {
519 memcpy(lw->lease_key, open->lease_key,
520 SMB2_LEASE_KEY_SIZE);
521 lw->tlink = cifs_get_tlink(open->tlink);
522 queue_work(cifsiod_wq, &lw->lease_break);
525 cifs_dbg(FYI, "found in the pending open list\n");
526 cifs_dbg(FYI, "lease key match, lease break 0x%x\n",
529 open->oplock = lease_state;
535 smb2_is_valid_lease_break(char *buffer)
537 struct smb2_lease_break *rsp = (struct smb2_lease_break *)buffer;
538 struct list_head *tmp, *tmp1, *tmp2;
539 struct TCP_Server_Info *server;
540 struct cifs_ses *ses;
541 struct cifs_tcon *tcon;
542 struct smb2_lease_break_work *lw;
544 lw = kmalloc(sizeof(struct smb2_lease_break_work), GFP_KERNEL);
548 INIT_WORK(&lw->lease_break, cifs_ses_oplock_break);
549 lw->lease_state = rsp->NewLeaseState;
551 cifs_dbg(FYI, "Checking for lease break\n");
553 /* look up tcon based on tid & uid */
554 spin_lock(&cifs_tcp_ses_lock);
555 list_for_each(tmp, &cifs_tcp_ses_list) {
556 server = list_entry(tmp, struct TCP_Server_Info, tcp_ses_list);
558 list_for_each(tmp1, &server->smb_ses_list) {
559 ses = list_entry(tmp1, struct cifs_ses, smb_ses_list);
561 list_for_each(tmp2, &ses->tcon_list) {
562 tcon = list_entry(tmp2, struct cifs_tcon,
564 spin_lock(&tcon->open_file_lock);
566 &tcon->stats.cifs_stats.num_oplock_brks);
567 if (smb2_tcon_has_lease(tcon, rsp, lw)) {
568 spin_unlock(&tcon->open_file_lock);
569 spin_unlock(&cifs_tcp_ses_lock);
572 spin_unlock(&tcon->open_file_lock);
576 spin_unlock(&cifs_tcp_ses_lock);
578 cifs_dbg(FYI, "Can not process lease break - no lease matched\n");
583 smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server)
585 struct smb2_oplock_break *rsp = (struct smb2_oplock_break *)buffer;
586 struct list_head *tmp, *tmp1, *tmp2;
587 struct cifs_ses *ses;
588 struct cifs_tcon *tcon;
589 struct cifsInodeInfo *cinode;
590 struct cifsFileInfo *cfile;
592 cifs_dbg(FYI, "Checking for oplock break\n");
594 if (rsp->hdr.Command != SMB2_OPLOCK_BREAK)
597 if (rsp->StructureSize !=
598 smb2_rsp_struct_sizes[SMB2_OPLOCK_BREAK_HE]) {
599 if (le16_to_cpu(rsp->StructureSize) == 44)
600 return smb2_is_valid_lease_break(buffer);
605 cifs_dbg(FYI, "oplock level 0x%x\n", rsp->OplockLevel);
607 /* look up tcon based on tid & uid */
608 spin_lock(&cifs_tcp_ses_lock);
609 list_for_each(tmp, &server->smb_ses_list) {
610 ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
612 list_for_each(tmp1, &ses->tcon_list) {
613 tcon = list_entry(tmp1, struct cifs_tcon, tcon_list);
615 spin_lock(&tcon->open_file_lock);
616 list_for_each(tmp2, &tcon->openFileList) {
617 cfile = list_entry(tmp2, struct cifsFileInfo,
619 if (rsp->PersistentFid !=
620 cfile->fid.persistent_fid ||
622 cfile->fid.volatile_fid)
625 cifs_dbg(FYI, "file id match, oplock break\n");
627 &tcon->stats.cifs_stats.num_oplock_brks);
628 cinode = CIFS_I(d_inode(cfile->dentry));
629 spin_lock(&cfile->file_info_lock);
630 if (!CIFS_CACHE_WRITE(cinode) &&
631 rsp->OplockLevel == SMB2_OPLOCK_LEVEL_NONE)
632 cfile->oplock_break_cancelled = true;
634 cfile->oplock_break_cancelled = false;
636 set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK,
639 cfile->oplock_epoch = 0;
640 cfile->oplock_level = rsp->OplockLevel;
642 spin_unlock(&cfile->file_info_lock);
644 cifs_queue_oplock_break(cfile);
646 spin_unlock(&tcon->open_file_lock);
647 spin_unlock(&cifs_tcp_ses_lock);
650 spin_unlock(&tcon->open_file_lock);
653 spin_unlock(&cifs_tcp_ses_lock);
654 cifs_dbg(FYI, "No file id matched, oplock break ignored\n");
659 smb2_cancelled_close_fid(struct work_struct *work)
661 struct close_cancelled_open *cancelled = container_of(work,
662 struct close_cancelled_open, work);
664 cifs_dbg(VFS, "Close unmatched open\n");
666 SMB2_close(0, cancelled->tcon, cancelled->fid.persistent_fid,
667 cancelled->fid.volatile_fid);
668 cifs_put_tcon(cancelled->tcon);
673 smb2_handle_cancelled_mid(char *buffer, struct TCP_Server_Info *server)
675 struct smb2_hdr *hdr = (struct smb2_hdr *)buffer;
676 struct smb2_create_rsp *rsp = (struct smb2_create_rsp *)buffer;
677 struct cifs_tcon *tcon;
678 struct close_cancelled_open *cancelled;
680 if (hdr->Command != SMB2_CREATE || hdr->Status != STATUS_SUCCESS)
683 cancelled = kzalloc(sizeof(*cancelled), GFP_KERNEL);
687 tcon = smb2_find_smb_tcon(server, hdr->SessionId, hdr->TreeId);
693 cancelled->fid.persistent_fid = rsp->PersistentFileId;
694 cancelled->fid.volatile_fid = rsp->VolatileFileId;
695 cancelled->tcon = tcon;
696 INIT_WORK(&cancelled->work, smb2_cancelled_close_fid);
697 queue_work(cifsiod_wq, &cancelled->work);