1 /*
   2  * This file and its contents are supplied under the terms of the
   3  * Common Development and Distribution License ("CDDL"), version 1.0.
   4  * You may only use this file in accordance with the terms of version
   5  * 1.0 of the CDDL.
   6  *
   7  * A full copy of the text of the CDDL should have accompanied this
   8  * source.  A copy of the CDDL is also available via the Internet at
   9  * http://www.illumos.org/license/CDDL.
  10  */
  11 
  12 /*
  13  * Copyright 2019 Nexenta Systems, Inc.  All rights reserved.
  14  * Copyright 2020 RackTop Systems, Inc.
  15  */
  16 
  17 
  18 #include <smbsrv/smb2_kproto.h>
  19 #include <smbsrv/smb_kstat.h>
  20 #include <smbsrv/smb2.h>
  21 
  22 #define SMB2_ASYNCID(sr) (sr->smb2_messageid ^ (1ULL << 62))
  23 
  24 smb_sdrc_t smb2_invalid_cmd(smb_request_t *);
  25 static void smb2_tq_work(void *);
  26 static void smb2sr_run_postwork(smb_request_t *);
  27 static int smb3_decrypt_msg(smb_request_t *);
  28 
  29 static const smb_disp_entry_t
  30 smb2_disp_table[SMB2__NCMDS] = {
  31 
  32         /* text-name, pre, func, post, cmd-code, dialect, flags */
  33 
  34         {  "smb2_negotiate", NULL,
  35             smb2_negotiate, NULL, 0, 0,
  36             SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID },
  37 
  38         {  "smb2_session_setup", NULL,
  39             smb2_session_setup, NULL, 0, 0,
  40             SDDF_SUPPRESS_TID | SDDF_SUPPRESS_UID },
  41 
  42         {  "smb2_logoff", NULL,
  43             smb2_logoff, NULL, 0, 0,
  44             SDDF_SUPPRESS_TID },
  45 
  46         {  "smb2_tree_connect", NULL,
  47             smb2_tree_connect, NULL, 0, 0,
  48             SDDF_SUPPRESS_TID },
  49 
  50         {  "smb2_tree_disconn", NULL,
  51             smb2_tree_disconn, NULL, 0, 0 },
  52 
  53         {  "smb2_create", NULL,
  54             smb2_create, NULL, 0, 0 },
  55 
  56         {  "smb2_close", NULL,
  57             smb2_close, NULL, 0, 0 },
  58 
  59         {  "smb2_flush", NULL,
  60             smb2_flush, NULL, 0, 0 },
  61 
  62         {  "smb2_read", NULL,
  63             smb2_read, NULL, 0, 0 },
  64 
  65         {  "smb2_write", NULL,
  66             smb2_write, NULL, 0, 0 },
  67 
  68         {  "smb2_lock", NULL,
  69             smb2_lock, NULL, 0, 0 },
  70 
  71         {  "smb2_ioctl", NULL,
  72             smb2_ioctl, NULL, 0, 0 },
  73 
  74         {  "smb2_cancel", NULL,
  75             smb2_cancel, NULL, 0, 0,
  76             SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID },
  77 
  78         {  "smb2_echo", NULL,
  79             smb2_echo, NULL, 0, 0,
  80             SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID },
  81 
  82         {  "smb2_query_dir", NULL,
  83             smb2_query_dir, NULL, 0, 0 },
  84 
  85         {  "smb2_change_notify", NULL,
  86             smb2_change_notify, NULL, 0, 0 },
  87 
  88         {  "smb2_query_info", NULL,
  89             smb2_query_info, NULL, 0, 0 },
  90 
  91         {  "smb2_set_info", NULL,
  92             smb2_set_info, NULL, 0, 0 },
  93 
  94         {  "smb2_oplock_break_ack", NULL,
  95             smb2_oplock_break_ack, NULL, 0, 0 },
  96 
  97         {  "smb2_invalid_cmd", NULL,
  98             smb2_invalid_cmd, NULL, 0, 0,
  99             SDDF_SUPPRESS_UID | SDDF_SUPPRESS_TID },
 100 };
 101 
 102 smb_sdrc_t
 103 smb2_invalid_cmd(smb_request_t *sr)
 104 {
 105 #ifdef  DEBUG
 106         cmn_err(CE_NOTE, "clnt %s bad SMB2 cmd code",
 107             sr->session->ip_addr_str);
 108 #endif
 109         sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
 110         return (SDRC_DROP_VC);
 111 }
 112 
 113 /*
 114  * This is the SMB2 handler for new smb requests, called from
 115  * smb_session_reader after SMB negotiate is done.  For most SMB2
 116  * requests, we just enqueue them for the smb_session_worker to
 117  * execute via the task queue, so they can block for resources
 118  * without stopping the reader thread.  A few protocol messages
 119  * are special cases and are handled directly here in the reader
 120  * thread so they don't wait for taskq scheduling.
 121  *
 122  * This function must either enqueue the new request for
 123  * execution via the task queue, or execute it directly
 124  * and then free it.  If this returns non-zero, the caller
 125  * will drop the session.
 126  */
 127 int
 128 smb2sr_newrq(smb_request_t *sr)
 129 {
 130         struct mbuf_chain *mbc = &sr->command;
 131         uint32_t magic;
 132         int rc, skip;
 133 
 134         if (smb_mbc_peek(mbc, 0, "l", &magic) != 0)
 135                 goto drop;
 136 
 137         /* 0xFD S M B */
 138         if (magic == SMB3_ENCRYPTED_MAGIC) {
 139                 if (smb3_decrypt_msg(sr) != 0)
 140                         goto drop;
 141                 /*
 142                  * Should now be looking at an un-encrypted
 143                  * SMB2 message header.
 144                  */
 145                 if (smb_mbc_peek(mbc, 0, "l", &magic) != 0)
 146                         goto drop;
 147         }
 148 
 149         if (magic != SMB2_PROTOCOL_MAGIC)
 150                 goto drop;
 151 
 152         /*
 153          * Walk the SMB2 commands in this compound message and
 154          * keep track of the range of message IDs it uses.
 155          */
 156         for (;;) {
 157                 if (smb2_decode_header(sr) != 0)
 158                         goto drop;
 159 
 160                 /*
 161                  * Cancel requests are special:  They refer to
 162                  * an earlier message ID (or an async. ID),
 163                  * never a new ID, and are never compounded.
 164                  * This is intentionally not "goto drop"
 165                  * because rc may be zero (success).
 166                  */
 167                 if (sr->smb2_cmd_code == SMB2_CANCEL) {
 168                         rc = smb2_newrq_cancel(sr);
 169                         smb_request_free(sr);
 170                         return (rc);
 171                 }
 172 
 173                 /*
 174                  * Keep track of the total credits in this compound
 175                  * and the first (real) message ID (not: 0, -1)
 176                  * While we're looking, verify that all (real) IDs
 177                  * are (first <= ID < (first + msg_credits))
 178                  */
 179                 if (sr->smb2_credit_charge == 0)
 180                         sr->smb2_credit_charge = 1;
 181                 sr->smb2_total_credits += sr->smb2_credit_charge;
 182 
 183                 if (sr->smb2_messageid != 0 &&
 184                     sr->smb2_messageid != UINT64_MAX) {
 185 
 186                         if (sr->smb2_first_msgid == 0)
 187                                 sr->smb2_first_msgid = sr->smb2_messageid;
 188 
 189                         if (sr->smb2_messageid < sr->smb2_first_msgid ||
 190                             sr->smb2_messageid >= (sr->smb2_first_msgid +
 191                             sr->smb2_total_credits)) {
 192                                 long long id = (long long) sr->smb2_messageid;
 193                                 cmn_err(CE_WARN, "clnt %s msg ID 0x%llx "
 194                                     "out of sequence in compound",
 195                                     sr->session->ip_addr_str, id);
 196                         }
 197                 }
 198 
 199                 /* Normal loop exit on next == zero */
 200                 if (sr->smb2_next_command == 0)
 201                         break;
 202 
 203                 /* Abundance of caution... */
 204                 if (sr->smb2_next_command < SMB2_HDR_SIZE)
 205                         goto drop;
 206 
 207                 /* Advance to the next header. */
 208                 skip = sr->smb2_next_command - SMB2_HDR_SIZE;
 209                 if (MBC_ROOM_FOR(mbc, skip) == 0)
 210                         goto drop;
 211                 mbc->chain_offset += skip;
 212         }
 213         /* Rewind back to the top. */
 214         mbc->chain_offset = 0;
 215 
 216         /*
 217          * Submit the request to the task queue, which calls
 218          * smb2_tq_work when the workload permits.
 219          */
 220         sr->sr_time_submitted = gethrtime();
 221         sr->sr_state = SMB_REQ_STATE_SUBMITTED;
 222         smb_srqueue_waitq_enter(sr->session->s_srqueue);
 223         (void) taskq_dispatch(sr->sr_server->sv_worker_pool,
 224             smb2_tq_work, sr, TQ_SLEEP);
 225         return (0);
 226 
 227 drop:
 228         smb_request_free(sr);
 229         return (-1);
 230 }
 231 
 232 static void
 233 smb2_tq_work(void *arg)
 234 {
 235         smb_request_t   *sr;
 236         smb_srqueue_t   *srq;
 237 
 238         sr = (smb_request_t *)arg;
 239         SMB_REQ_VALID(sr);
 240 
 241         srq = sr->session->s_srqueue;
 242         smb_srqueue_waitq_to_runq(srq);
 243         sr->sr_worker = curthread;
 244         sr->sr_time_active = gethrtime();
 245 
 246         /*
 247          * Always dispatch to the work function, because cancelled
 248          * requests need an error reply (NT_STATUS_CANCELLED).
 249          */
 250         mutex_enter(&sr->sr_mutex);
 251         if (sr->sr_state == SMB_REQ_STATE_SUBMITTED)
 252                 sr->sr_state = SMB_REQ_STATE_ACTIVE;
 253         mutex_exit(&sr->sr_mutex);
 254 
 255         smb2sr_work(sr);
 256 
 257         smb_srqueue_runq_exit(srq);
 258 }
 259 
 260 static int
 261 smb3_decrypt_msg(smb_request_t *sr)
 262 {
 263         int save_offset;
 264 
 265         if (sr->session->dialect < SMB_VERS_3_0) {
 266                 cmn_err(CE_WARN, "encrypted message in SMB 2.x");
 267                 return (-1);
 268         }
 269 
 270         sr->encrypted = B_TRUE;
 271         save_offset = sr->command.chain_offset;
 272         if (smb3_decode_tform_header(sr) != 0) {
 273                 cmn_err(CE_WARN, "bad transform header");
 274                 return (-1);
 275         }
 276         sr->command.chain_offset = save_offset;
 277 
 278         sr->tform_ssn = smb_session_lookup_ssnid(sr->session,
 279             sr->smb3_tform_ssnid);
 280         if (sr->tform_ssn == NULL) {
 281                 cmn_err(CE_WARN, "transform header: session not found");
 282                 return (-1);
 283         }
 284 
 285         if (smb3_decrypt_sr(sr) != 0) {
 286                 cmn_err(CE_WARN, "smb3 decryption failed");
 287                 return (-1);
 288         }
 289 
 290         return (0);
 291 }
 292 
 293 /*
 294  * SMB2 credits determine how many simultaneous commands the
 295  * client may issue, and bounds the range of message IDs those
 296  * commands may use.  With multi-credit support, commands may
 297  * use ranges of message IDs, where the credits used by each
 298  * command are proportional to their data transfer size.
 299  *
 300  * Every command may request an increase or decrease of
 301  * the currently granted credits, based on the difference
 302  * between the credit request and the credit charge.
 303  * [MS-SMB2] 3.3.1.2 Algorithm for the Granting of Credits
 304  *
 305  * Most commands have credit_request=1, credit_charge=1,
 306  * which keeps the credit grant unchanged.
 307  *
 308  * All we're really doing here (for now) is reducing the
 309  * credit_response if the client requests a credit increase
 310  * that would take their credit over the maximum, and
 311  * limiting the decrease so they don't run out of credits.
 312  *
 313  * Later, this could do something dynamic based on load.
 314  *
 315  * One other non-obvious bit about credits: We keep the
 316  * session s_max_credits low until the 1st authentication,
 317  * at which point we'll set the normal maximum_credits.
 318  * Some clients ask for more credits with session setup,
 319  * and we need to handle that requested increase _after_
 320  * the command-specific handler returns so it won't be
 321  * restricted to the lower (pre-auth) limit.
 322  */
 323 static inline void
 324 smb2_credit_decrease(smb_request_t *sr)
 325 {
 326         smb_session_t *session = sr->session;
 327         uint16_t cur, d;
 328 
 329         mutex_enter(&session->s_credits_mutex);
 330         cur = session->s_cur_credits;
 331 
 332         /* Handle credit decrease. */
 333         d = sr->smb2_credit_charge - sr->smb2_credit_request;
 334         cur -= d;
 335         if (cur & 0x8000) {
 336                 /*
 337                  * underflow (bad credit charge or request)
 338                  * leave credits unchanged (response=charge)
 339                  */
 340                 cur = session->s_cur_credits;
 341                 sr->smb2_credit_response = sr->smb2_credit_charge;
 342                 DTRACE_PROBE1(smb2__credit__neg, smb_request_t *, sr);
 343         }
 344 
 345         /*
 346          * The server MUST ensure that the number of credits
 347          * held by the client is never reduced to zero.
 348          * [MS-SMB2] 3.3.1.2
 349          */
 350         if (cur == 0) {
 351                 cur = 1;
 352                 sr->smb2_credit_response += 1;
 353                 DTRACE_PROBE1(smb2__credit__min, smb_request_t *, sr);
 354         }
 355 
 356         DTRACE_PROBE3(smb2__credit__decrease,
 357             smb_request_t *, sr, int, (int)cur,
 358             int, (int)session->s_cur_credits);
 359 
 360         session->s_cur_credits = cur;
 361         mutex_exit(&session->s_credits_mutex);
 362 }
 363 
 364 /*
 365  * Second half of SMB2 credit handling (increases)
 366  */
 367 static inline void
 368 smb2_credit_increase(smb_request_t *sr)
 369 {
 370         smb_session_t *session = sr->session;
 371         uint16_t cur, d;
 372 
 373         mutex_enter(&session->s_credits_mutex);
 374         cur = session->s_cur_credits;
 375 
 376         /* Handle credit increase. */
 377         d = sr->smb2_credit_request - sr->smb2_credit_charge;
 378         cur += d;
 379 
 380         /*
 381          * If new credits would be above max,
 382          * reduce the credit grant.
 383          */
 384         if (cur > session->s_max_credits) {
 385                 d = cur - session->s_max_credits;
 386                 cur = session->s_max_credits;
 387                 sr->smb2_credit_response -= d;
 388                 DTRACE_PROBE1(smb2__credit__max, smb_request_t, sr);
 389         }
 390 
 391         DTRACE_PROBE3(smb2__credit__increase,
 392             smb_request_t *, sr, int, (int)cur,
 393             int, (int)session->s_cur_credits);
 394 
 395         session->s_cur_credits = cur;
 396         mutex_exit(&session->s_credits_mutex);
 397 }
 398 
 399 /*
 400  * Record some statistics:  latency, rx bytes, tx bytes
 401  * per:  server, session & kshare.
 402  */
 403 static inline void
 404 smb2_record_stats(smb_request_t *sr, smb_disp_stats_t *sds, boolean_t tx_only)
 405 {
 406         hrtime_t        dt;
 407         int64_t         rxb;
 408         int64_t         txb;
 409 
 410         dt = gethrtime() - sr->sr_time_start;
 411         rxb = (int64_t)(sr->command.chain_offset - sr->smb2_cmd_hdr);
 412         txb = (int64_t)(sr->reply.chain_offset - sr->smb2_reply_hdr);
 413 
 414         if (!tx_only) {
 415                 smb_server_inc_req(sr->sr_server);
 416                 smb_latency_add_sample(&sds->sdt_lat, dt);
 417                 atomic_add_64(&sds->sdt_rxb, rxb);
 418         }
 419         atomic_add_64(&sds->sdt_txb, txb);
 420 }
 421 
 422 /*
 423  * smb2sr_work
 424  *
 425  * This function processes each SMB command in the current request
 426  * (which may be a compound request) building a reply containing
 427  * SMB reply messages, one-to-one with the SMB commands.  Some SMB
 428  * commands (change notify, blocking locks) may require both an
 429  * "interim response" and a later "async response" at completion.
 430  * In such cases, we'll encode the interim response in the reply
 431  * compound we're building, and put the (now async) command on a
 432  * list of commands that need further processing.  After we've
 433  * finished processing the commands in this compound and building
 434  * the compound reply, we'll send the compound reply, and finally
 435  * process the list of async commands.
 436  *
 437  * As we work our way through the compound request and reply,
 438  * we need to keep track of the bounds of the current request
 439  * and reply.  For the request, this uses an MBC_SHADOW_CHAIN
 440  * that begins at smb2_cmd_hdr.  The reply is appended to the
 441  * sr->reply chain starting at smb2_reply_hdr.
 442  *
 443  * This function must always free the smb request, or arrange
 444  * for it to be completed and free'd later (if SDRC_SR_KEPT).
 445  */
 446 void
 447 smb2sr_work(struct smb_request *sr)
 448 {
 449         const smb_disp_entry_t  *sdd;
 450         smb_disp_stats_t        *sds;
 451         smb_session_t           *session;
 452         uint32_t                msg_len;
 453         uint16_t                cmd_idx;
 454         int                     rc = 0;
 455         boolean_t               disconnect = B_FALSE;
 456         boolean_t               related;
 457 
 458         session = sr->session;
 459 
 460         ASSERT(sr->smb2_async == B_FALSE);
 461         ASSERT(sr->tid_tree == 0);
 462         ASSERT(sr->uid_user == 0);
 463         ASSERT(sr->fid_ofile == 0);
 464         sr->smb_fid = (uint16_t)-1;
 465         sr->smb2_status = 0;
 466 
 467         /* temporary until we identify a user */
 468         sr->user_cr = zone_kcred();
 469 
 470 cmd_start:
 471         /*
 472          * Note that we don't check sr_state here and abort the
 473          * compound if cancelled (etc.) because some SMB2 command
 474          * handlers need to do work even when cancelled.
 475          *
 476          * We treat some status codes as if "sticky", meaning
 477          * once they're set after some command handler returns,
 478          * all remaining commands get this status without even
 479          * calling the command-specific handler.
 480          */
 481         if (sr->smb2_status != NT_STATUS_CANCELLED &&
 482             sr->smb2_status != NT_STATUS_INSUFFICIENT_RESOURCES)
 483                 sr->smb2_status = 0;
 484 
 485         /*
 486          * Decode the request header
 487          *
 488          * Most problems with decoding will result in the error
 489          * STATUS_INVALID_PARAMETER.  If the decoding problem
 490          * prevents continuing, we'll close the connection.
 491          * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted...
 492          */
 493         sr->smb2_cmd_hdr = sr->command.chain_offset;
 494         if ((rc = smb2_decode_header(sr)) != 0) {
 495                 cmn_err(CE_WARN, "clnt %s bad SMB2 header",
 496                     session->ip_addr_str);
 497                 disconnect = B_TRUE;
 498                 goto cleanup;
 499         }
 500 
 501         /*
 502          * The SMB2_FLAGS_SERVER_TO_REDIR should only appear
 503          * in messages from the server back to the client.
 504          */
 505         if ((sr->smb2_hdr_flags & SMB2_FLAGS_SERVER_TO_REDIR) != 0) {
 506                 cmn_err(CE_WARN, "clnt %s bad SMB2 flags",
 507                     session->ip_addr_str);
 508                 disconnect = B_TRUE;
 509                 goto cleanup;
 510         }
 511         related = (sr->smb2_hdr_flags & SMB2_FLAGS_RELATED_OPERATIONS);
 512         sr->smb2_hdr_flags |= SMB2_FLAGS_SERVER_TO_REDIR;
 513         if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
 514                 /* Probably an async cancel. */
 515                 DTRACE_PROBE1(smb2__dispatch__async, smb_request_t *, sr);
 516         } else if (sr->smb2_async) {
 517                 /* Previous command in compound went async. */
 518                 sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND;
 519                 sr->smb2_async_id = SMB2_ASYNCID(sr);
 520         }
 521 
 522         /*
 523          * In case we bail out with an error before we get to the
 524          * section that computes the credit grant, initialize the
 525          * response header fields so that credits won't change.
 526          * Note: SMB 2.02 clients may send credit charge zero.
 527          */
 528         if (sr->smb2_credit_charge == 0)
 529                 sr->smb2_credit_charge = 1;
 530         sr->smb2_credit_response = sr->smb2_credit_charge;
 531 
 532         /*
 533          * Write a tentative reply header.
 534          *
 535          * We could just leave this blank, but if we're using the
 536          * mdb module feature that extracts packets, it's useful
 537          * to have the header mostly correct here.
 538          *
 539          * If we have already exhausted the output space, then the
 540          * client is trying something funny.  Log it and kill 'em.
 541          */
 542         sr->smb2_next_reply = 0;
 543         ASSERT((sr->reply.chain_offset & 7) == 0);
 544         sr->smb2_reply_hdr = sr->reply.chain_offset;
 545         if ((rc = smb2_encode_header(sr, B_FALSE)) != 0) {
 546                 cmn_err(CE_WARN, "clnt %s excessive reply",
 547                     session->ip_addr_str);
 548                 disconnect = B_TRUE;
 549                 goto cleanup;
 550         }
 551 
 552         /*
 553          * Figure out the length of data following the SMB2 header.
 554          * It ends at either the next SMB2 header if there is one
 555          * (smb2_next_command != 0) or at the end of the message.
 556          */
 557         if (sr->smb2_next_command != 0) {
 558                 /* [MS-SMB2] says this is 8-byte aligned */
 559                 msg_len = sr->smb2_next_command;
 560                 if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) ||
 561                     ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) {
 562                         cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd",
 563                             session->ip_addr_str);
 564                         disconnect = B_TRUE;
 565                         goto cleanup;
 566                 }
 567         } else {
 568                 msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr;
 569         }
 570 
 571         /*
 572          * Setup a shadow chain for this SMB2 command, starting
 573          * with the header and ending at either the next command
 574          * or the end of the message.  The signing check below
 575          * needs the entire SMB2 command.  After that's done, we
 576          * advance chain_offset to the end of the header where
 577          * the command specific handlers continue decoding.
 578          */
 579         (void) MBC_SHADOW_CHAIN(&sr->smb_data, &sr->command,
 580             sr->smb2_cmd_hdr, msg_len);
 581 
 582         /*
 583          * We will consume the data for this request from smb_data.
 584          * That effectively consumes msg_len bytes from sr->command
 585          * but doesn't update its chain_offset, so we need to update
 586          * that here to make later received bytes accounting work.
 587          */
 588         sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len;
 589         ASSERT(sr->command.chain_offset <= sr->command.max_bytes);
 590 
 591         /*
 592          * Validate the commmand code, get dispatch table entries.
 593          * [MS-SMB2] 3.3.5.2.6 Handling Incorrectly Formatted...
 594          *
 595          * The last slot in the dispatch table is used to handle
 596          * invalid commands.  Same for statistics.
 597          */
 598         if (sr->smb2_cmd_code < SMB2_INVALID_CMD)
 599                 cmd_idx = sr->smb2_cmd_code;
 600         else
 601                 cmd_idx = SMB2_INVALID_CMD;
 602         sdd = &smb2_disp_table[cmd_idx];
 603         sds = &session->s_server->sv_disp_stats2[cmd_idx];
 604 
 605         /*
 606          * If this command is NOT "related" to the previous,
 607          * clear out the UID, TID, FID state that might be
 608          * left over from the previous command.
 609          *
 610          * If the command IS related, any new IDs are ignored,
 611          * and we simply continue with the previous user, tree,
 612          * and open file.
 613          */
 614         if (!related) {
 615                 /*
 616                  * Drop user, tree, file; carefully ordered to
 617                  * avoid dangling references: file, tree, user
 618                  */
 619                 if (sr->fid_ofile != NULL) {
 620                         smb_ofile_release(sr->fid_ofile);
 621                         sr->fid_ofile = NULL;
 622                 }
 623                 if (sr->tid_tree != NULL) {
 624                         smb_tree_release(sr->tid_tree);
 625                         sr->tid_tree = NULL;
 626                 }
 627                 if (sr->uid_user != NULL) {
 628                         smb_user_release(sr->uid_user);
 629                         sr->uid_user = NULL;
 630                         sr->user_cr = zone_kcred();
 631                 }
 632         }
 633 
 634         /*
 635          * Make sure we have a user and tree as needed
 636          * according to the flags for the this command.
 637          * Note that we may have inherited these.
 638          */
 639         if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0) {
 640                 /*
 641                  * This command requires a user session.
 642                  */
 643                 if (related) {
 644                         /*
 645                          * Previous command should have given us a user.
 646                          * [MS-SMB2] 3.3.5.2 Handling Related Requests
 647                          */
 648                         if (sr->uid_user == NULL) {
 649                                 smb2sr_put_error(sr,
 650                                     NT_STATUS_INVALID_PARAMETER);
 651                                 goto cmd_done;
 652                         }
 653                         sr->smb2_ssnid = sr->uid_user->u_ssnid;
 654                 } else {
 655                         /*
 656                          * Lookup the UID
 657                          * [MS-SMB2] 3.3.5.2 Verifying the Session
 658                          */
 659                         ASSERT(sr->uid_user == NULL);
 660                         /*
 661                          * [MS-SMB2] 3.3.5.2.7 Handling Compounded Requests
 662                          *
 663                          * If this is an encrypted compound request,
 664                          * ensure that the ssnid in the request
 665                          * is the same as the tform ssnid if this
 666                          * message is not related.
 667                          *
 668                          * The reasons this is done seem to apply equally
 669                          * to uncompounded requests, so we apply it to all.
 670                          */
 671 
 672                         if (sr->encrypted &&
 673                             sr->smb2_ssnid != sr->smb3_tform_ssnid) {
 674                                 disconnect = B_TRUE;
 675                                 goto cleanup; /* just do this for now */
 676                         }
 677 
 678                         sr->uid_user = smb_session_lookup_ssnid(session,
 679                             sr->smb2_ssnid);
 680                         if (sr->uid_user == NULL) {
 681                                 smb2sr_put_error(sr,
 682                                     NT_STATUS_USER_SESSION_DELETED);
 683                                 goto cmd_done;
 684                         }
 685 
 686                         /*
 687                          * [MS-SMB2] 3.3.5.2.9 Verifying the Session
 688                          *
 689                          * If we're talking 3.x,
 690                          * RejectUnencryptedAccess is TRUE,
 691                          * Session.EncryptData is TRUE,
 692                          * and the message wasn't encrypted,
 693                          * return ACCESS_DENIED.
 694                          *
 695                          * Note that Session.EncryptData can only be TRUE when
 696                          * we're talking 3.x.
 697                          */
 698 
 699                         if (sr->uid_user->u_encrypt ==
 700                             SMB_CONFIG_REQUIRED &&
 701                             !sr->encrypted) {
 702                                 smb2sr_put_error(sr,
 703                                     NT_STATUS_ACCESS_DENIED);
 704                                 goto cmd_done;
 705                         }
 706 
 707                         sr->user_cr = smb_user_getcred(sr->uid_user);
 708                 }
 709                 ASSERT(sr->uid_user != NULL);
 710 
 711                 /*
 712                  * Encrypt if:
 713                  * - The cmd is not SESSION_SETUP or NEGOTIATE; AND
 714                  * - Session.EncryptData is TRUE
 715                  *
 716                  * Those commands suppress UID, so they can't be the cmd here.
 717                  */
 718                 if (sr->uid_user->u_encrypt != SMB_CONFIG_DISABLED &&
 719                     sr->tform_ssn == NULL) {
 720                         smb_user_hold_internal(sr->uid_user);
 721                         sr->tform_ssn = sr->uid_user;
 722                         sr->smb3_tform_ssnid = sr->smb2_ssnid;
 723                 }
 724         }
 725 
 726         if ((sdd->sdt_flags & SDDF_SUPPRESS_TID) == 0) {
 727                 /*
 728                  * This command requires a tree connection.
 729                  */
 730                 if (related) {
 731                         /*
 732                          * Previous command should have given us a tree.
 733                          * [MS-SMB2] 3.3.5.2 Handling Related Requests
 734                          */
 735                         if (sr->tid_tree == NULL) {
 736                                 smb2sr_put_error(sr,
 737                                     NT_STATUS_INVALID_PARAMETER);
 738                                 goto cmd_done;
 739                         }
 740                         sr->smb_tid = sr->tid_tree->t_tid;
 741                 } else {
 742                         /*
 743                          * Lookup the TID
 744                          * [MS-SMB2] 3.3.5.2 Verifying the Tree Connect
 745                          */
 746                         ASSERT(sr->tid_tree == NULL);
 747                         sr->tid_tree = smb_session_lookup_tree(session,
 748                             sr->smb_tid);
 749                         if (sr->tid_tree == NULL) {
 750                                 smb2sr_put_error(sr,
 751                                     NT_STATUS_NETWORK_NAME_DELETED);
 752                                 goto cmd_done;
 753                         }
 754 
 755                         /*
 756                          * [MS-SMB2] 3.3.5.2.11 Verifying the Tree Connect
 757                          *
 758                          * If we support 3.x, RejectUnencryptedAccess is TRUE,
 759                          * if Tcon.EncryptData is TRUE or
 760                          * global EncryptData is TRUE and
 761                          * the message wasn't encrypted, or
 762                          * if Tcon.EncryptData is TRUE or
 763                          * global EncryptData is TRUE or
 764                          * the request was encrypted and
 765                          * the connection doesn't support encryption,
 766                          * return ACCESS_DENIED.
 767                          *
 768                          * If RejectUnencryptedAccess is TRUE, we force
 769                          * max_protocol to at least 3.0. Additionally,
 770                          * if the tree requires encryption, we don't care
 771                          * what we support, we still enforce encryption.
 772                          */
 773                         if (sr->tid_tree->t_encrypt == SMB_CONFIG_REQUIRED &&
 774                             (!sr->encrypted ||
 775                             (session->srv_cap & SMB2_CAP_ENCRYPTION) == 0)) {
 776                                 smb2sr_put_error(sr,
 777                                     NT_STATUS_ACCESS_DENIED);
 778                                 goto cmd_done;
 779                         }
 780                 }
 781                 ASSERT(sr->tid_tree != NULL);
 782 
 783                 /*
 784                  * Encrypt if:
 785                  * - The cmd is not TREE_CONNECT; AND
 786                  * - Tree.EncryptData is TRUE
 787                  *
 788                  * TREE_CONNECT suppresses TID, so that can't be the cmd here.
 789                  * NOTE: assumes we can't have a tree without a user
 790                  */
 791                 if (sr->tid_tree->t_encrypt != SMB_CONFIG_DISABLED &&
 792                     sr->tform_ssn == NULL) {
 793                         smb_user_hold_internal(sr->uid_user);
 794                         sr->tform_ssn = sr->uid_user;
 795                         sr->smb3_tform_ssnid = sr->smb2_ssnid;
 796                 }
 797         }
 798 
 799         /*
 800          * SMB2 signature verification, two parts:
 801          * (a) Require SMB2_FLAGS_SIGNED (for most request types)
 802          * (b) If SMB2_FLAGS_SIGNED is set, check the signature.
 803          * [MS-SMB2] 3.3.5.2.4 Verifying the Signature
 804          */
 805 
 806         /*
 807          * No user session means no signature check.  That's OK,
 808          * i.e. for commands marked SDDF_SUPPRESS_UID above.
 809          * Note, this also means we won't sign the reply.
 810          */
 811         if (sr->uid_user == NULL)
 812                 sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
 813 
 814         /*
 815          * The SDDF_SUPPRESS_UID dispatch is set for requests that
 816          * don't need a UID (user).  These also don't require a
 817          * signature check here.
 818          *
 819          * [MS-SMB2] 3.3.5.2.4 Verifying the Signature
 820          *
 821          * If the packet was successfully decrypted, the message
 822          * signature has already been verified, so we can skip this.
 823          */
 824         if ((sdd->sdt_flags & SDDF_SUPPRESS_UID) == 0 &&
 825             !sr->encrypted && sr->uid_user != NULL &&
 826             (sr->uid_user->u_sign_flags & SMB_SIGNING_ENABLED) != 0) {
 827                 /*
 828                  * If the request is signed, check the signature.
 829                  * Otherwise, if signing is required, deny access.
 830                  */
 831                 if ((sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0) {
 832                         rc = smb2_sign_check_request(sr);
 833                         if (rc != 0) {
 834                                 DTRACE_PROBE1(smb2__sign__check,
 835                                     smb_request_t *, sr);
 836                                 smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
 837                                 goto cmd_done;
 838                         }
 839                 } else if (
 840                     (sr->uid_user->u_sign_flags & SMB_SIGNING_CHECK) != 0) {
 841                         smb2sr_put_error(sr, NT_STATUS_ACCESS_DENIED);
 842                         goto cmd_done;
 843                 }
 844         }
 845 
 846         /*
 847          * Now that the signing check is done with smb_data,
 848          * advance past the SMB2 header we decoded earlier.
 849          * This leaves sr->smb_data correctly positioned
 850          * for command-specific decoding in the dispatch
 851          * function called next.
 852          */
 853         sr->smb_data.chain_offset = sr->smb2_cmd_hdr + SMB2_HDR_SIZE;
 854 
 855         /*
 856          * Credit adjustments (decrease)
 857          *
 858          * If we've gone async, credit adjustments were done
 859          * when we sent the interim reply.
 860          */
 861         if (!sr->smb2_async) {
 862                 sr->smb2_credit_response = sr->smb2_credit_request;
 863                 if (sr->smb2_credit_request < sr->smb2_credit_charge) {
 864                         smb2_credit_decrease(sr);
 865                 }
 866         }
 867 
 868         /*
 869          * The real work: call the SMB2 command handler
 870          * (except for "sticky" smb2_status - see above)
 871          */
 872         sr->sr_time_start = gethrtime();
 873         rc = SDRC_SUCCESS;
 874         if (sr->smb2_status == 0) {
 875                 /* NB: not using pre_op */
 876                 rc = (*sdd->sdt_function)(sr);
 877                 /* NB: not using post_op */
 878         } else {
 879                 smb2sr_put_error(sr, sr->smb2_status);
 880         }
 881 
 882         /*
 883          * When the sdt_function returns SDRC_SR_KEPT, it means
 884          * this SR may have been passed to another thread so we
 885          * MUST NOT touch it anymore.
 886          */
 887         if (rc == SDRC_SR_KEPT)
 888                 return;
 889 
 890         MBC_FLUSH(&sr->raw_data);
 891 
 892         /*
 893          * Credit adjustments (increase)
 894          */
 895         if (!sr->smb2_async) {
 896                 if (sr->smb2_credit_request > sr->smb2_credit_charge) {
 897                         smb2_credit_increase(sr);
 898                 }
 899         }
 900 
 901 cmd_done:
 902         switch (rc) {
 903         case SDRC_SUCCESS:
 904                 break;
 905         default:
 906                 /*
 907                  * SMB2 does not use the other dispatch return codes.
 908                  * If we see something else, log an event so we'll
 909                  * know something is returning bogus status codes.
 910                  * If you see these in the log, use dtrace to find
 911                  * the code returning something else.
 912                  */
 913 #ifdef  DEBUG
 914                 cmn_err(CE_NOTE, "handler for %u returned 0x%x",
 915                     sr->smb2_cmd_code, rc);
 916 #endif
 917                 smb2sr_put_error(sr, NT_STATUS_INTERNAL_ERROR);
 918                 break;
 919         case SDRC_ERROR:
 920                 /*
 921                  * Many command handlers return SDRC_ERROR for any
 922                  * problems decoding the request, and don't bother
 923                  * setting smb2_status.  For those cases, the best
 924                  * status return would be "invalid parameter".
 925                  */
 926                 if (sr->smb2_status == 0)
 927                         sr->smb2_status = NT_STATUS_INVALID_PARAMETER;
 928                 smb2sr_put_error(sr, sr->smb2_status);
 929                 break;
 930         case SDRC_DROP_VC:
 931                 disconnect = B_TRUE;
 932                 goto cleanup;
 933 
 934         case SDRC_NO_REPLY:
 935                 /* will free sr */
 936                 goto cleanup;
 937         }
 938 
 939         /*
 940          * Pad the reply to align(8) if there will be another.
 941          * (We don't compound async replies.)
 942          */
 943         if (!sr->smb2_async && sr->smb2_next_command != 0)
 944                 (void) smb_mbc_put_align(&sr->reply, 8);
 945 
 946         /*
 947          * Record some statistics.  Uses:
 948          *   rxb = command.chain_offset - smb2_cmd_hdr;
 949          *   txb = reply.chain_offset - smb2_reply_hdr;
 950          * which at this point represent the current cmd/reply.
 951          *
 952          * Note: If async, this does txb only, and
 953          * skips the smb_latency_add_sample() calls.
 954          */
 955         smb2_record_stats(sr, sds, sr->smb2_async);
 956 
 957         /*
 958          * If there's a next command, figure out where it starts,
 959          * and fill in the next header offset for the reply.
 960          * Note: We sanity checked smb2_next_command above.
 961          */
 962         if (sr->smb2_next_command != 0) {
 963                 sr->command.chain_offset =
 964                     sr->smb2_cmd_hdr + sr->smb2_next_command;
 965                 sr->smb2_next_reply =
 966                     sr->reply.chain_offset - sr->smb2_reply_hdr;
 967         } else {
 968                 ASSERT(sr->smb2_next_reply == 0);
 969         }
 970 
 971         /*
 972          * Overwrite the (now final) SMB2 header for this response.
 973          */
 974         (void) smb2_encode_header(sr, B_TRUE);
 975 
 976         /*
 977          * Cannot move this into smb2_session_setup() - encoded header required.
 978          */
 979         if (session->dialect >= SMB_VERS_3_11 &&
 980             sr->smb2_cmd_code == SMB2_SESSION_SETUP &&
 981             sr->smb2_status == NT_STATUS_MORE_PROCESSING_REQUIRED) {
 982                 (void) smb31_preauth_sha512_calc(sr, &sr->reply,
 983                     session->smb31_preauth_hashval);
 984         }
 985 
 986         /* Don't sign if we're going to encrypt */
 987         if (sr->tform_ssn == NULL &&
 988             (sr->smb2_hdr_flags & SMB2_FLAGS_SIGNED) != 0)
 989                 smb2_sign_reply(sr);
 990 
 991         /*
 992          * Non-async runs the whole compound before send.
 993          * When we've gone async, send each individually.
 994          */
 995         if (!sr->smb2_async && sr->smb2_next_command != 0)
 996                 goto cmd_start;
 997 
 998         /*
 999          * If we have a durable handle, and this operation updated
1000          * the nvlist, write it out (before smb2_send_reply).
1001          */
1002         if (sr->dh_nvl_dirty) {
1003                 sr->dh_nvl_dirty = B_FALSE;
1004                 smb2_dh_update_nvfile(sr);
1005         }
1006 
1007         smb2_send_reply(sr);
1008         if (sr->smb2_async && sr->smb2_next_command != 0) {
1009                 MBC_FLUSH(&sr->reply);   /* New reply buffer. */
1010                 ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes);
1011                 goto cmd_start;
1012         }
1013 
1014 cleanup:
1015         if (disconnect)
1016                 smb_session_disconnect(session);
1017 
1018         /*
1019          * Do "postwork" for oplock (and maybe other things)
1020          */
1021         if (sr->sr_postwork != NULL)
1022                 smb2sr_run_postwork(sr);
1023 
1024         mutex_enter(&sr->sr_mutex);
1025         sr->sr_state = SMB_REQ_STATE_COMPLETED;
1026         mutex_exit(&sr->sr_mutex);
1027 
1028         smb_request_free(sr);
1029 }
1030 
1031 /*
1032  * Build interim responses for the current and all following
1033  * requests in this compound, then send the compound response,
1034  * leaving the SR state so that smb2sr_work() can continue its
1035  * processing of this compound in "async mode".
1036  *
1037  * If we agree to "go async", this should return STATUS_SUCCESS.
1038  * Otherwise return STATUS_INSUFFICIENT_RESOURCES for this and
1039  * all requests following this request.  (See the comments re.
1040  * "sticky" smb2_status values in smb2sr_work).
1041  *
1042  * Note: the Async ID we assign here is arbitrary, and need only
1043  * be unique among pending async responses on this connection, so
1044  * this just uses a modified messageID, which is already unique.
1045  *
1046  * Credits:  All credit changes should happen via the interim
1047  * responses, so we have to manage credits here.  After this
1048  * returns to smb2sr_work, the final replies for all these
1049  * commands will have smb2_credit_response = smb2_credit_charge
1050  * (meaning no further changes to the clients' credits).
1051  */
1052 uint32_t
1053 smb2sr_go_async(smb_request_t *sr)
1054 {
1055         smb_session_t *session;
1056         smb_disp_stats_t *sds;
1057         uint16_t cmd_idx;
1058         int32_t saved_com_offset;
1059         uint32_t saved_cmd_hdr;
1060         uint16_t saved_cred_resp;
1061         uint32_t saved_hdr_flags;
1062         uint32_t saved_reply_hdr;
1063         uint32_t msg_len;
1064         boolean_t disconnect = B_FALSE;
1065 
1066         if (sr->smb2_async) {
1067                 /* already went async in some previous cmd. */
1068                 return (NT_STATUS_SUCCESS);
1069         }
1070         sr->smb2_async = B_TRUE;
1071 
1072         /* The "server" session always runs async. */
1073         session = sr->session;
1074         if (session->sock == NULL)
1075                 return (NT_STATUS_SUCCESS);
1076 
1077         sds = NULL;
1078         saved_com_offset = sr->command.chain_offset;
1079         saved_cmd_hdr = sr->smb2_cmd_hdr;
1080         saved_cred_resp = sr->smb2_credit_response;
1081         saved_hdr_flags = sr->smb2_hdr_flags;
1082         saved_reply_hdr = sr->smb2_reply_hdr;
1083 
1084         /*
1085          * The command-specific handler should not yet have put any
1086          * data in the reply except for the (place holder) header.
1087          */
1088         if (sr->reply.chain_offset != sr->smb2_reply_hdr + SMB2_HDR_SIZE) {
1089                 ASSERT3U(sr->reply.chain_offset, ==,
1090                     sr->smb2_reply_hdr + SMB2_HDR_SIZE);
1091                 return (NT_STATUS_INTERNAL_ERROR);
1092         }
1093 
1094         /*
1095          * Rewind to the start of the current header in both the
1096          * command and reply bufers, so the loop below can just
1097          * decode/encode just in every pass.  This means the
1098          * current command header is decoded again, but that
1099          * avoids having to special-case the first loop pass.
1100          */
1101         sr->command.chain_offset = sr->smb2_cmd_hdr;
1102         sr->reply.chain_offset = sr->smb2_reply_hdr;
1103 
1104         /*
1105          * This command processing loop is a simplified version of
1106          * smb2sr_work() that just puts an "interim response" for
1107          * every command in the compound (NT_STATUS_PENDING).
1108          */
1109 cmd_start:
1110         sr->smb2_status = NT_STATUS_PENDING;
1111 
1112         /*
1113          * Decode the request header
1114          */
1115         sr->smb2_cmd_hdr = sr->command.chain_offset;
1116         if ((smb2_decode_header(sr)) != 0) {
1117                 cmn_err(CE_WARN, "clnt %s bad SMB2 header",
1118                     session->ip_addr_str);
1119                 disconnect = B_TRUE;
1120                 goto cleanup;
1121         }
1122         sr->smb2_hdr_flags |= (SMB2_FLAGS_SERVER_TO_REDIR |
1123             SMB2_FLAGS_ASYNC_COMMAND);
1124         sr->smb2_async_id = SMB2_ASYNCID(sr);
1125 
1126         /*
1127          * In case we bail out...
1128          */
1129         if (sr->smb2_credit_charge == 0)
1130                 sr->smb2_credit_charge = 1;
1131         sr->smb2_credit_response = sr->smb2_credit_charge;
1132 
1133         /*
1134          * Write a tentative reply header.
1135          */
1136         sr->smb2_next_reply = 0;
1137         ASSERT((sr->reply.chain_offset & 7) == 0);
1138         sr->smb2_reply_hdr = sr->reply.chain_offset;
1139         if ((smb2_encode_header(sr, B_FALSE)) != 0) {
1140                 cmn_err(CE_WARN, "clnt %s excessive reply",
1141                     session->ip_addr_str);
1142                 disconnect = B_TRUE;
1143                 goto cleanup;
1144         }
1145 
1146         /*
1147          * Figure out the length of data...
1148          */
1149         if (sr->smb2_next_command != 0) {
1150                 /* [MS-SMB2] says this is 8-byte aligned */
1151                 msg_len = sr->smb2_next_command;
1152                 if ((msg_len & 7) != 0 || (msg_len < SMB2_HDR_SIZE) ||
1153                     ((sr->smb2_cmd_hdr + msg_len) > sr->command.max_bytes)) {
1154                         cmn_err(CE_WARN, "clnt %s bad SMB2 next cmd",
1155                             session->ip_addr_str);
1156                         disconnect = B_TRUE;
1157                         goto cleanup;
1158                 }
1159         } else {
1160                 msg_len = sr->command.max_bytes - sr->smb2_cmd_hdr;
1161         }
1162 
1163         /*
1164          * We just skip any data, so no shadow chain etc.
1165          */
1166         sr->command.chain_offset = sr->smb2_cmd_hdr + msg_len;
1167         ASSERT(sr->command.chain_offset <= sr->command.max_bytes);
1168 
1169         /*
1170          * Validate the commmand code...
1171          */
1172         if (sr->smb2_cmd_code < SMB2_INVALID_CMD)
1173                 cmd_idx = sr->smb2_cmd_code;
1174         else
1175                 cmd_idx = SMB2_INVALID_CMD;
1176         sds = &session->s_server->sv_disp_stats2[cmd_idx];
1177 
1178         /*
1179          * Don't change (user, tree, file) because we want them
1180          * exactly as they were when we entered.  That also means
1181          * we may not have the right user in sr->uid_user for
1182          * signature checks, so leave that until smb2sr_work
1183          * runs these commands "for real".  Therefore, here
1184          * we behave as if: (sr->uid_user == NULL)
1185          */
1186         sr->smb2_hdr_flags &= ~SMB2_FLAGS_SIGNED;
1187 
1188         /*
1189          * Credit adjustments (decrease)
1190          *
1191          * NOTE: interim responses are not signed.
1192          * Any attacker can modify the credit grant
1193          * in the response. Because of this property,
1194          * it is no worse to assume the credit charge and grant
1195          * are sane without verifying the signature,
1196          * and that saves us a whole lot of work.
1197          * If the credits WERE modified, we'll find out
1198          * when we verify the signature later,
1199          * which nullifies any changes caused here.
1200          *
1201          * Skip this on the first command, because the
1202          * credit decrease was done by the caller.
1203          */
1204         if (sr->smb2_cmd_hdr != saved_cmd_hdr) {
1205                 sr->smb2_credit_response = sr->smb2_credit_request;
1206                 if (sr->smb2_credit_request < sr->smb2_credit_charge) {
1207                         smb2_credit_decrease(sr);
1208                 }
1209         }
1210 
1211         /*
1212          * The real work: ... (would be here)
1213          */
1214         smb2sr_put_error(sr, sr->smb2_status);
1215 
1216         /*
1217          * Credit adjustments (increase)
1218          */
1219         if (sr->smb2_credit_request > sr->smb2_credit_charge) {
1220                 smb2_credit_increase(sr);
1221         }
1222 
1223         /* cmd_done: label */
1224 
1225         /*
1226          * Pad the reply to align(8) if there will be another.
1227          * This (interim) reply uses compounding.
1228          */
1229         if (sr->smb2_next_command != 0)
1230                 (void) smb_mbc_put_align(&sr->reply, 8);
1231 
1232         /*
1233          * Record some statistics.  Uses:
1234          *   rxb = command.chain_offset - smb2_cmd_hdr;
1235          *   txb = reply.chain_offset - smb2_reply_hdr;
1236          * which at this point represent the current cmd/reply.
1237          *
1238          * Note: We're doing smb_latency_add_sample() for all
1239          * remaining commands NOW, which means we won't include
1240          * the async part of their work in latency statistics.
1241          * That's intentional, as the async part of a command
1242          * would otherwise skew our latency statistics.
1243          */
1244         smb2_record_stats(sr, sds, B_FALSE);
1245 
1246         /*
1247          * If there's a next command, figure out where it starts,
1248          * and fill in the next header offset for the reply.
1249          * Note: We sanity checked smb2_next_command above.
1250          */
1251         if (sr->smb2_next_command != 0) {
1252                 sr->command.chain_offset =
1253                     sr->smb2_cmd_hdr + sr->smb2_next_command;
1254                 sr->smb2_next_reply =
1255                     sr->reply.chain_offset - sr->smb2_reply_hdr;
1256         } else {
1257                 ASSERT(sr->smb2_next_reply == 0);
1258         }
1259 
1260         /*
1261          * Overwrite the (now final) SMB2 header for this response.
1262          */
1263         (void) smb2_encode_header(sr, B_TRUE);
1264 
1265         /*
1266          * Process whole compound before sending.
1267          */
1268         if (sr->smb2_next_command != 0)
1269                 goto cmd_start;
1270         smb2_send_reply(sr);
1271 
1272         ASSERT(!disconnect);
1273 
1274 cleanup:
1275         /*
1276          * Restore caller's command processing state.
1277          */
1278         sr->smb2_cmd_hdr = saved_cmd_hdr;
1279         sr->command.chain_offset = saved_cmd_hdr;
1280         (void) smb2_decode_header(sr);
1281         sr->command.chain_offset = saved_com_offset;
1282 
1283         sr->smb2_credit_response = saved_cred_resp;
1284         sr->smb2_hdr_flags = saved_hdr_flags;
1285         sr->smb2_status = NT_STATUS_SUCCESS;
1286 
1287         /*
1288          * In here, the "disconnect" flag just means we had an
1289          * error decoding or encoding something.  Rather than
1290          * actually disconnect here, let's assume whatever
1291          * problem we encountered will be seen by the caller
1292          * as they continue processing the compound, and just
1293          * restore everything and return an error.
1294          */
1295         if (disconnect) {
1296                 sr->smb2_async = B_FALSE;
1297                 sr->smb2_reply_hdr = saved_reply_hdr;
1298                 sr->reply.chain_offset = sr->smb2_reply_hdr;
1299                 (void) smb2_encode_header(sr, B_FALSE);
1300                 return (NT_STATUS_INVALID_PARAMETER);
1301         }
1302 
1303         /*
1304          * The compound reply buffer we sent is now gone.
1305          * Setup a new reply buffer for the caller.
1306          */
1307         sr->smb2_hdr_flags |= SMB2_FLAGS_ASYNC_COMMAND;
1308         sr->smb2_async_id = SMB2_ASYNCID(sr);
1309         sr->smb2_next_reply = 0;
1310         MBC_FLUSH(&sr->reply);
1311         ASSERT(sr->reply.max_bytes == sr->session->reply_max_bytes);
1312         ASSERT(sr->reply.chain_offset == 0);
1313         sr->smb2_reply_hdr = 0;
1314         (void) smb2_encode_header(sr, B_FALSE);
1315 
1316         return (NT_STATUS_SUCCESS);
1317 }
1318 
1319 int
1320 smb3_decode_tform_header(smb_request_t *sr)
1321 {
1322         uint16_t flags;
1323         int rc;
1324         uint32_t protocolid;
1325 
1326         rc = smb_mbc_decodef(
1327             &sr->command, "l16c16cl..wq",
1328             &protocolid,    /*  l  */
1329             sr->smb2_sig,    /* 16c */
1330             sr->nonce,       /* 16c */
1331             &sr->msgsize,        /* l */
1332             /* reserved   .. */
1333             &flags,         /* w */
1334             &sr->smb3_tform_ssnid); /* q */
1335         if (rc)
1336                 return (rc);
1337 
1338         ASSERT3U(protocolid, ==, SMB3_ENCRYPTED_MAGIC);
1339 
1340         if (flags != 1) {
1341 #ifdef DEBUG
1342                 cmn_err(CE_NOTE, "flags field not 1: %x", flags);
1343 #endif
1344                 return (-1);
1345         }
1346 
1347         /*
1348          * MsgSize is the amount of data the client tell us to decrypt.
1349          * Make sure this value is not too big and not too small.
1350          */
1351         if (sr->msgsize < SMB2_HDR_SIZE ||
1352             sr->msgsize > sr->session->cmd_max_bytes ||
1353             sr->msgsize > sr->command.max_bytes - SMB3_TFORM_HDR_SIZE)
1354                 return (-1);
1355 
1356         return (rc);
1357 }
1358 
1359 int
1360 smb3_encode_tform_header(smb_request_t *sr, struct mbuf_chain *mbc)
1361 {
1362         int rc;
1363 
1364         /* Signature and Nonce are added in smb3_encrypt_sr */
1365         rc = smb_mbc_encodef(
1366             mbc, "l32.lwwq",
1367             SMB3_ENCRYPTED_MAGIC, /* l */
1368             /* signature(16), nonce(16) 32. */
1369             sr->msgsize,     /* l */
1370             0, /* reserved         w */
1371             1, /* flags            w */
1372             sr->smb3_tform_ssnid); /* q */
1373 
1374         return (rc);
1375 }
1376 
1377 int
1378 smb2_decode_header(smb_request_t *sr)
1379 {
1380         uint32_t pid, tid;
1381         uint16_t hdr_len;
1382         int rc;
1383 
1384         rc = smb_mbc_decodef(
1385             &sr->command, "Nwww..wwllqllq16c",
1386             &hdr_len,                       /* w */
1387             &sr->smb2_credit_charge,     /* w */
1388             &sr->smb2_chan_seq,          /* w */
1389             /* reserved                   .. */
1390             &sr->smb2_cmd_code,          /* w */
1391             &sr->smb2_credit_request,    /* w */
1392             &sr->smb2_hdr_flags, /* l */
1393             &sr->smb2_next_command,      /* l */
1394             &sr->smb2_messageid, /* q */
1395             &pid,                   /* l */
1396             &tid,                   /* l */
1397             &sr->smb2_ssnid,             /* q */
1398             sr->smb2_sig);           /* 16c */
1399         if (rc)
1400                 return (rc);
1401 
1402         if (hdr_len != SMB2_HDR_SIZE)
1403                 return (-1);
1404 
1405         if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
1406                 sr->smb2_async_id = pid |
1407                     ((uint64_t)tid) << 32;
1408                 sr->smb_pid = 0;
1409                 sr->smb_tid = 0;
1410         } else {
1411                 sr->smb2_async_id = 0;
1412                 sr->smb_pid = pid;
1413                 sr->smb_tid = (uint16_t)tid; /* XXX wide TIDs */
1414         }
1415 
1416         return (rc);
1417 }
1418 
1419 int
1420 smb2_encode_header(smb_request_t *sr, boolean_t overwrite)
1421 {
1422         uint64_t pid_tid_aid; /* pid+tid, or async id */
1423         int rc;
1424 
1425         if (sr->smb2_hdr_flags & SMB2_FLAGS_ASYNC_COMMAND) {
1426                 pid_tid_aid = sr->smb2_async_id;
1427         } else {
1428                 pid_tid_aid = sr->smb_pid |
1429                     ((uint64_t)sr->smb_tid) << 32;
1430         }
1431 
1432         if (overwrite) {
1433                 rc = smb_mbc_poke(&sr->reply,
1434                     sr->smb2_reply_hdr,
1435                     "Nwwlwwllqqq16c",
1436                     SMB2_HDR_SIZE,              /* w */
1437                     sr->smb2_credit_charge,  /* w */
1438                     sr->smb2_status,         /* l */
1439                     sr->smb2_cmd_code,               /* w */
1440                     sr->smb2_credit_response,        /* w */
1441                     sr->smb2_hdr_flags,              /* l */
1442                     sr->smb2_next_reply,     /* l */
1443                     sr->smb2_messageid,              /* q */
1444                     pid_tid_aid,                /* q */
1445                     sr->smb2_ssnid,          /* q */
1446                     sr->smb2_sig);           /* 16c */
1447         } else {
1448                 rc = smb_mbc_encodef(&sr->reply,
1449                     "Nwwlwwllqqq16c",
1450                     SMB2_HDR_SIZE,              /* w */
1451                     sr->smb2_credit_charge,  /* w */
1452                     sr->smb2_status,         /* l */
1453                     sr->smb2_cmd_code,               /* w */
1454                     sr->smb2_credit_response,        /* w */
1455                     sr->smb2_hdr_flags,              /* l */
1456                     sr->smb2_next_reply,     /* l */
1457                     sr->smb2_messageid,              /* q */
1458                     pid_tid_aid,                /* q */
1459                     sr->smb2_ssnid,          /* q */
1460                     sr->smb2_sig);           /* 16c */
1461         }
1462 
1463         return (rc);
1464 }
1465 
1466 void
1467 smb2_send_reply(smb_request_t *sr)
1468 {
1469         struct mbuf_chain enc_reply;
1470         smb_session_t *session = sr->session;
1471         void *tmpbuf;
1472         size_t buflen;
1473         struct mbuf_chain tmp;
1474 
1475         /*
1476          * [MS-SMB2] 3.3.4.1.4 Encrypting the Message
1477          *
1478          * When the connection supports encryption and the dialect
1479          * is 3.x, encrypt if:
1480          * - The request was encrypted OR
1481          * - The cmd is not SESSION_SETUP or NEGOTIATE AND
1482          * -- Session.EncryptData is TRUE OR
1483          * -- The cmd is not TREE_CONNECT AND
1484          * --- Tree.EncryptData is TRUE
1485          *
1486          * This boils down to sr->tform_ssn != NULL, and the rest
1487          * is enforced when tform_ssn is set.
1488          */
1489 
1490         if ((session->capabilities & SMB2_CAP_ENCRYPTION) == 0 ||
1491             sr->tform_ssn == NULL) {
1492                 if (smb_session_send(sr->session, 0, &sr->reply) == 0)
1493                         sr->reply.chain = 0;
1494                 return;
1495         }
1496 
1497         sr->msgsize = sr->reply.chain_offset;
1498         (void) MBC_SHADOW_CHAIN(&tmp, &sr->reply,
1499             0, sr->msgsize);
1500 
1501         buflen = SMB3_TFORM_HDR_SIZE + sr->msgsize;
1502 
1503         /* taken from smb_request_init_command_mbuf */
1504         tmpbuf = kmem_alloc(buflen, KM_SLEEP);
1505         MBC_ATTACH_BUF(&enc_reply, tmpbuf, buflen);
1506         enc_reply.flags = 0;
1507         enc_reply.shadow_of = NULL;
1508 
1509         if (smb3_encode_tform_header(sr, &enc_reply) != 0) {
1510                 cmn_err(CE_WARN, "couldn't encode transform header");
1511                 goto errout;
1512         }
1513         if (smb3_encrypt_sr(sr, &tmp, &enc_reply) != 0) {
1514                 cmn_err(CE_WARN, "smb3 encryption failed");
1515                 goto errout;
1516         }
1517 
1518         if (smb_session_send(sr->session, 0, &enc_reply) == 0)
1519                 enc_reply.chain = 0;
1520         return;
1521 
1522 errout:
1523         kmem_free(tmpbuf, buflen);
1524         smb_session_disconnect(sr->session);
1525 }
1526 
1527 /*
1528  * This wrapper function exists to help catch calls to smbsr_status()
1529  * (which is SMB1-specific) in common code.  See smbsr_status().
1530  * If the log message below is seen, put a dtrace probe on this
1531  * function with a stack() action to see who is calling the SMB1
1532  * "put error" from common code, and fix it.
1533  */
1534 void
1535 smbsr_status_smb2(smb_request_t *sr, DWORD status)
1536 {
1537         const char *name;
1538 
1539         if (sr->smb2_cmd_code < SMB2__NCMDS)
1540                 name = smb2_disp_table[sr->smb2_cmd_code].sdt_name;
1541         else
1542                 name = "<unknown>";
1543 #ifdef  DEBUG
1544         cmn_err(CE_NOTE, "smbsr_status called for %s", name);
1545 #endif
1546 
1547         smb2sr_put_error_data(sr, status, NULL);
1548 }
1549 
1550 void
1551 smb2sr_put_errno(struct smb_request *sr, int errnum)
1552 {
1553         uint32_t status = smb_errno2status(errnum);
1554         smb2sr_put_error_data(sr, status, NULL);
1555 }
1556 
1557 void
1558 smb2sr_put_error(smb_request_t *sr, uint32_t status)
1559 {
1560         smb2sr_put_error_data(sr, status, NULL);
1561 }
1562 
1563 /*
1564  * Build an SMB2 error response.  [MS-SMB2] 2.2.2
1565  */
1566 void
1567 smb2sr_put_error_data(smb_request_t *sr, uint32_t status, mbuf_chain_t *mbc)
1568 {
1569         DWORD len;
1570 
1571         /*
1572          * The common dispatch code writes this when it
1573          * updates the SMB2 header before sending.
1574          */
1575         sr->smb2_status = status;
1576 
1577         /* Rewind to the end of the SMB header. */
1578         sr->reply.chain_offset = sr->smb2_reply_hdr + SMB2_HDR_SIZE;
1579 
1580         /*
1581          * NB: Must provide at least one byte of error data,
1582          * per [MS-SMB2] 2.2.2
1583          */
1584         if (mbc != NULL && (len = MBC_LENGTH(mbc)) != 0) {
1585                 (void) smb_mbc_encodef(
1586                     &sr->reply,
1587                     "wwlC",
1588                     9,  /* StructSize */        /* w */
1589                     0,  /* reserved */          /* w */
1590                     len,                        /* l */
1591                     mbc);                       /* C */
1592         } else {
1593                 (void) smb_mbc_encodef(
1594                     &sr->reply,
1595                     "wwl.",
1596                     9,  /* StructSize */        /* w */
1597                     0,  /* reserved */          /* w */
1598                     0);                         /* l. */
1599         }
1600 }
1601 
1602 /*
1603  * smb2sr_lookup_fid
1604  *
1605  * Setup sr->fid_ofile, either inherited from a related command,
1606  * or obtained via FID lookup.  Similar inheritance logic as in
1607  * smb2sr_work.
1608  */
1609 uint32_t
1610 smb2sr_lookup_fid(smb_request_t *sr, smb2fid_t *fid)
1611 {
1612         boolean_t related = sr->smb2_hdr_flags &
1613             SMB2_FLAGS_RELATED_OPERATIONS;
1614 
1615         if (related) {
1616                 if (sr->fid_ofile == NULL)
1617                         return (NT_STATUS_INVALID_PARAMETER);
1618                 sr->smb_fid = sr->fid_ofile->f_fid;
1619                 return (0);
1620         }
1621 
1622         /*
1623          * If we could be sure this is called only once per cmd,
1624          * we could simply ASSERT(sr->fid_ofile == NULL) here.
1625          * However, there are cases where it can be called again
1626          * handling the same command, so let's tolerate that.
1627          */
1628         if (sr->fid_ofile == NULL) {
1629                 sr->smb_fid = (uint16_t)fid->temporal;
1630                 sr->fid_ofile = smb_ofile_lookup_by_fid(sr, sr->smb_fid);
1631         }
1632         if (sr->fid_ofile == NULL ||
1633             sr->fid_ofile->f_persistid != fid->persistent)
1634                 return (NT_STATUS_FILE_CLOSED);
1635 
1636         return (0);
1637 }
1638 
1639 /*
1640  * smb2_dispatch_stats_init
1641  *
1642  * Initializes dispatch statistics for SMB2.
1643  * See also smb_dispatch_stats_init(), which fills in
1644  * the lower part of the statistics array, from zero
1645  * through SMB_COM_NUM;
1646  */
1647 void
1648 smb2_dispatch_stats_init(smb_server_t *sv)
1649 {
1650         smb_disp_stats_t *sds = sv->sv_disp_stats2;
1651         smb_kstat_req_t *ksr;
1652         int             i;
1653 
1654         ksr = ((smbsrv_kstats_t *)sv->sv_ksp->ks_data)->ks_reqs2;
1655 
1656         for (i = 0; i < SMB2__NCMDS; i++, ksr++) {
1657                 smb_latency_init(&sds[i].sdt_lat);
1658                 (void) strlcpy(ksr->kr_name, smb2_disp_table[i].sdt_name,
1659                     sizeof (ksr->kr_name));
1660         }
1661 }
1662 
1663 /*
1664  * smb2_dispatch_stats_fini
1665  *
1666  * Frees and destroyes the resources used for statistics.
1667  */
1668 void
1669 smb2_dispatch_stats_fini(smb_server_t *sv)
1670 {
1671         smb_disp_stats_t *sds = sv->sv_disp_stats2;
1672         int     i;
1673 
1674         for (i = 0; i < SMB2__NCMDS; i++)
1675                 smb_latency_destroy(&sds[i].sdt_lat);
1676 }
1677 
1678 void
1679 smb2_dispatch_stats_update(smb_server_t *sv,
1680     smb_kstat_req_t *ksr, int first, int nreq)
1681 {
1682         smb_disp_stats_t *sds = sv->sv_disp_stats2;
1683         int     i;
1684         int     last;
1685 
1686         last = first + nreq - 1;
1687 
1688         if ((first < SMB2__NCMDS) && (last < SMB2__NCMDS))  {
1689                 for (i = first; i <= last; i++, ksr++) {
1690                         ksr->kr_rxb = sds[i].sdt_rxb;
1691                         ksr->kr_txb = sds[i].sdt_txb;
1692                         mutex_enter(&sds[i].sdt_lat.ly_mutex);
1693                         ksr->kr_nreq = sds[i].sdt_lat.ly_a_nreq;
1694                         ksr->kr_sum = sds[i].sdt_lat.ly_a_sum;
1695                         ksr->kr_a_mean = sds[i].sdt_lat.ly_a_mean;
1696                         ksr->kr_a_stddev =
1697                             sds[i].sdt_lat.ly_a_stddev;
1698                         ksr->kr_d_mean = sds[i].sdt_lat.ly_d_mean;
1699                         ksr->kr_d_stddev =
1700                             sds[i].sdt_lat.ly_d_stddev;
1701                         sds[i].sdt_lat.ly_d_mean = 0;
1702                         sds[i].sdt_lat.ly_d_nreq = 0;
1703                         sds[i].sdt_lat.ly_d_stddev = 0;
1704                         sds[i].sdt_lat.ly_d_sum = 0;
1705                         mutex_exit(&sds[i].sdt_lat.ly_mutex);
1706                 }
1707         }
1708 }
1709 
1710 /*
1711  * Append new_sr to the postwork queue.  sr->smb2_cmd_code encodes
1712  * the action that should be run by this sr.
1713  *
1714  * This queue is rarely used (and normally empty) so we're OK
1715  * using a simple "walk to tail and insert" here.
1716  */
1717 void
1718 smb2sr_append_postwork(smb_request_t *top_sr, smb_request_t *new_sr)
1719 {
1720         smb_request_t *last_sr;
1721 
1722         ASSERT(top_sr->session->dialect >= SMB_VERS_2_BASE);
1723 
1724         last_sr = top_sr;
1725         while (last_sr->sr_postwork != NULL)
1726                 last_sr = last_sr->sr_postwork;
1727 
1728         last_sr->sr_postwork = new_sr;
1729 }
1730 
1731 /*
1732  * Run any "post work" that was appended to the main SR while it
1733  * was running.  This is called after the request has been sent
1734  * for the main SR, and used in cases i.e. the oplock code, where
1735  * we need to send something to the client only _after_ the main
1736  * sr request has gone out.
1737  */
1738 static void
1739 smb2sr_run_postwork(smb_request_t *top_sr)
1740 {
1741         smb_request_t *post_sr; /* the one we're running */
1742         smb_request_t *next_sr;
1743 
1744         while ((post_sr = top_sr->sr_postwork) != NULL) {
1745                 next_sr = post_sr->sr_postwork;
1746                 top_sr->sr_postwork = next_sr;
1747                 post_sr->sr_postwork = NULL;
1748 
1749                 post_sr->sr_worker = top_sr->sr_worker;
1750                 post_sr->sr_state = SMB_REQ_STATE_ACTIVE;
1751 
1752                 switch (post_sr->smb2_cmd_code) {
1753                 case SMB2_OPLOCK_BREAK:
1754                         smb_oplock_send_brk(post_sr);
1755                         break;
1756                 default:
1757                         ASSERT(0);
1758                 }
1759 
1760                 /*
1761                  * If we have a durable handle, and this operation
1762                  * updated the nvlist, write it out.
1763                  */
1764                 if (post_sr->dh_nvl_dirty) {
1765                         post_sr->dh_nvl_dirty = B_FALSE;
1766                         smb2_dh_update_nvfile(post_sr);
1767                 }
1768 
1769                 post_sr->sr_state = SMB_REQ_STATE_COMPLETED;
1770                 smb_request_free(post_sr);
1771         }
1772 }