1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License, Version 1.0 only
6 * (the "License"). You may not use this file except in compliance
7 * with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22 /*
23 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
26
27 /*
28 * This module implements the "fast path" processing for the telnet protocol.
29 * Since it only knows a very small number of the telnet protocol options,
30 * the daemon is required to assist this module. This module must be run
31 * underneath logindmux, which handles switching messages between the
32 * daemon and the pty master stream appropriately. When an unknown telnet
33 * option is received it is handled as a stop-and-wait operation. The
34 * module refuses to forward data in either direction, and waits for the
35 * daemon to deal with the option, and forward any unprocessed data back
36 * to the daemon.
37 */
38
39 #include <sys/types.h>
40 #include <sys/param.h>
41 #include <sys/stream.h>
42 #include <sys/stropts.h>
43 #include <sys/strsun.h>
44 #include <sys/kmem.h>
45 #include <sys/errno.h>
46 #include <sys/ddi.h>
47 #include <sys/sunddi.h>
48 #include <sys/tihdr.h>
49 #include <sys/ptem.h>
50 #include <sys/logindmux.h>
51 #include <sys/telioctl.h>
52 #include <sys/termios.h>
53 #include <sys/debug.h>
54 #include <sys/conf.h>
55 #include <sys/modctl.h>
56 #include <sys/cmn_err.h>
57 #include <sys/cryptmod.h>
58
59 #define IAC 255
60
61 extern struct streamtab telmodinfo;
62
63 #define TELMOD_ID 105
64 #define SIMWAIT (1*hz)
65
66 /*
67 * Module state flags
68 */
69 #define TEL_IOCPASSTHRU 0x100
70 #define TEL_STOPPED 0x80
71 #define TEL_CRRCV 0x40
72 #define TEL_CRSND 0x20
73 #define TEL_GETBLK 0x10
74
75 /*
76 * NOTE: values TEL_BINARY_IN and TEL_BINARY_OUT are defined in
77 * telioctl.h, passed in the TEL_IOC_MODE ioctl and stored (bitwise)
78 * in the module state flag. So those values are not available
79 * even though they are not defined here.
80 */
81
82
83
84 /*
85 * Per queue instances are single-threaded since the q_ptr
86 * field of queues need to be shared among threads.
87 */
88 static struct fmodsw fsw = {
89 "telmod",
90 &telmodinfo,
91 D_MTQPAIR | D_MP
92 };
93
94 /*
95 * Module linkage information for the kernel.
96 */
97
98 static struct modlstrmod modlstrmod = {
99 &mod_strmodops,
100 "telnet module",
101 &fsw
102 };
103
104 static struct modlinkage modlinkage = {
105 MODREV_1, { &modlstrmod, NULL }
106 };
107
108 int
109 _init()
110 {
111 return (mod_install(&modlinkage));
112 }
113
114 int
115 _fini()
116 {
117 return (mod_remove(&modlinkage));
118 }
119
120 int
121 _info(struct modinfo *modinfop)
122 {
123 return (mod_info(&modlinkage, modinfop));
124 }
125
126 static int telmodopen(queue_t *, dev_t *, int, int, cred_t *);
127 static int telmodclose(queue_t *, int, cred_t *);
128 static void telmodrput(queue_t *, mblk_t *);
129 static void telmodrsrv(queue_t *);
130 static void telmodwput(queue_t *, mblk_t *);
131 static void telmodwsrv(queue_t *);
132 static int rcv_parse(queue_t *q, mblk_t *mp);
133 static int snd_parse(queue_t *q, mblk_t *mp);
134 static void telmod_timer(void *);
135 static void telmod_buffer(void *);
136 static void recover(queue_t *, mblk_t *, size_t);
137
138 static struct module_info telmodoinfo = {
139 TELMOD_ID, /* module id number */
140 "telmod", /* module name */
141 0, /* minimum packet size */
142 INFPSZ, /* maximum packet size */
143 512, /* hi-water mark */
144 256 /* lo-water mark */
145 };
146
147 static struct qinit telmodrinit = {
148 (int (*)())telmodrput,
149 (int (*)())telmodrsrv,
150 telmodopen,
151 telmodclose,
152 nulldev,
153 &telmodoinfo,
154 NULL
155 };
156
157 static struct qinit telmodwinit = {
158 (int (*)())telmodwput,
159 (int (*)())telmodwsrv,
160 NULL,
161 NULL,
162 nulldev,
163 &telmodoinfo,
164 NULL
165 };
166
167 struct streamtab telmodinfo = {
168 &telmodrinit,
169 &telmodwinit,
170 NULL,
171 NULL
172 };
173
174 /*
175 * Per-instance state struct for the telnet module.
176 */
177 struct telmod_info {
178 int flags;
179 bufcall_id_t wbufcid;
180 bufcall_id_t rbufcid;
181 timeout_id_t wtimoutid;
182 timeout_id_t rtimoutid;
183 mblk_t *unbind_mp;
184
185 };
186
187 /*ARGSUSED*/
188 static void
189 dummy_callback(void *arg)
190 {}
191
192 /*
193 * telmodopen -
194 * A variety of telnet options can never really be processed in the
195 * kernel. For example, TELOPT_TTYPE, must be based in the TERM
196 * environment variable to the login process. Also, data may already
197 * have reached the stream head before telmod was pushed on the stream.
198 * So when telmod is opened, it begins in stopped state, preventing
199 * further data passing either direction through it. It sends a
200 * T_DATA_REQ messages up toward the daemon. This is so the daemon
201 * can be sure that all data which was not processed by telmod
202 * (because it wasn't yet pushed) has been received at the stream head.
203 */
204 /*ARGSUSED*/
205 static int
206 telmodopen(queue_t *q, dev_t *devp, int oflag, int sflag, cred_t *credp)
207 {
208 struct telmod_info *tmip;
209 mblk_t *bp;
210 union T_primitives *tp;
211 int error;
212
213 if (sflag != MODOPEN)
214 return (EINVAL);
215
216 if (q->q_ptr != NULL) {
217 /* It's already attached. */
218 return (0);
219 }
220 /*
221 * Allocate state structure.
222 */
223 tmip = kmem_zalloc(sizeof (*tmip), KM_SLEEP);
224
225 /*
226 * Cross-link.
227 */
228 q->q_ptr = tmip;
229 WR(q)->q_ptr = tmip;
230
231 noenable(q);
232 tmip->flags |= TEL_STOPPED;
233 qprocson(q);
234
235 /*
236 * Since TCP operates in the TLI-inspired brain-dead fashion,
237 * the connection will revert to bound state if the connection
238 * is reset by the client. We must send a T_UNBIND_REQ in
239 * that case so the port doesn't get "wedged" (preventing
240 * inetd from being able to restart the listener). Allocate
241 * it here, so that we don't need to worry about allocb()
242 * failures later.
243 */
244 while ((tmip->unbind_mp = allocb(sizeof (union T_primitives),
245 BPRI_HI)) == NULL) {
246 bufcall_id_t id = qbufcall(q, sizeof (union T_primitives),
247 BPRI_HI, dummy_callback, NULL);
248 if (!qwait_sig(q)) {
249 qunbufcall(q, id);
250 error = EINTR;
251 goto fail;
252 }
253 qunbufcall(q, id);
254 }
255 tmip->unbind_mp->b_wptr = tmip->unbind_mp->b_rptr +
256 sizeof (struct T_unbind_req);
257 tmip->unbind_mp->b_datap->db_type = M_PROTO;
258 tp = (union T_primitives *)tmip->unbind_mp->b_rptr;
259 tp->type = T_UNBIND_REQ;
260 /*
261 * Send a M_PROTO msg of type T_DATA_REQ (this is unique for
262 * read queue since only write queue can get T_DATA_REQ).
263 * Readstream routine in telnet daemon will do a getmsg() till
264 * it receives this proto message
265 */
266 while ((bp = allocb(sizeof (union T_primitives), BPRI_HI)) == NULL) {
267 bufcall_id_t id = qbufcall(q, sizeof (union T_primitives),
268 BPRI_HI, dummy_callback, NULL);
269 if (!qwait_sig(q)) {
270 qunbufcall(q, id);
271 error = EINTR;
272 goto fail;
273 }
274 qunbufcall(q, id);
275 }
276 bp->b_datap->db_type = M_PROTO;
277 bp->b_wptr = bp->b_rptr + sizeof (union T_primitives);
278 tp = (union T_primitives *)bp->b_rptr;
279 tp->type = T_DATA_REQ;
280 tp->data_req.MORE_flag = 0;
281
282 putnext(q, bp);
283 return (0);
284
285 fail:
286 qprocsoff(q);
287 if (tmip->unbind_mp != NULL) {
288 freemsg(tmip->unbind_mp);
289 }
290 kmem_free(tmip, sizeof (struct telmod_info));
291 q->q_ptr = NULL;
292 WR(q)->q_ptr = NULL;
293 return (error);
294 }
295
296
297 /*
298 * telmodclose - just the normal streams clean-up is required.
299 */
300
301 /*ARGSUSED*/
302 static int
303 telmodclose(queue_t *q, int flag, cred_t *credp)
304 {
305 struct telmod_info *tmip = (struct telmod_info *)q->q_ptr;
306 mblk_t *mp;
307
308 /*
309 * Flush any write-side data downstream. Ignoring flow
310 * control at this point is known to be safe because the
311 * M_HANGUP below poisons the stream such that no modules can
312 * be pushed again.
313 */
314 while (mp = getq(WR(q)))
315 putnext(WR(q), mp);
316
317 /* Poison the stream head so that we can't be pushed again. */
318 (void) putnextctl(q, M_HANGUP);
319
320 qprocsoff(q);
321 if (tmip->wbufcid) {
322 qunbufcall(q, tmip->wbufcid);
323 tmip->wbufcid = 0;
324 }
325 if (tmip->rbufcid) {
326 qunbufcall(q, tmip->rbufcid);
327 tmip->rbufcid = 0;
328 }
329 if (tmip->wtimoutid) {
330 (void) quntimeout(q, tmip->wtimoutid);
331 tmip->wtimoutid = 0;
332 }
333 if (tmip->rtimoutid) {
334 (void) quntimeout(q, tmip->rtimoutid);
335 tmip->rtimoutid = 0;
336 }
337 if (tmip->unbind_mp != NULL) {
338 freemsg(tmip->unbind_mp);
339 }
340
341 kmem_free(q->q_ptr, sizeof (struct telmod_info));
342 q->q_ptr = WR(q)->q_ptr = NULL;
343 return (0);
344 }
345
346 /*
347 * telmodrput:
348 * Be sure to preserve data order. If the daemon is waiting for additional
349 * data (TEL_GETBLK state) forward new data. Otherwise, apply normal
350 * telnet protocol processing to M_DATA. Take notice of TLI messages
351 * indicating connection tear-down, and change them into M_HANGUP's.
352 */
353 static void
354 telmodrput(queue_t *q, mblk_t *mp)
355 {
356 mblk_t *newmp;
357 struct telmod_info *tmip = (struct telmod_info *)q->q_ptr;
358 union T_primitives *tip;
359
360 if ((mp->b_datap->db_type < QPCTL) &&
361 ((q->q_first) || ((tmip->flags & TEL_STOPPED) &&
362 !(tmip->flags & TEL_GETBLK)) || !canputnext(q))) {
363 (void) putq(q, mp);
364 return;
365 }
366
367 switch (mp->b_datap->db_type) {
368 case M_DATA:
369
370 /*
371 * If the user level daemon requests for 1 more
372 * block of data (needs more data for protocol processing)
373 * create a M_CTL message block with the mp.
374 */
375 is_mdata:
376 if (tmip->flags & TEL_GETBLK) {
377 if ((newmp = allocb(sizeof (char), BPRI_MED)) == NULL) {
378 recover(q, mp, msgdsize(mp));
379 return;
380 }
381 newmp->b_datap->db_type = M_CTL;
382 newmp->b_wptr = newmp->b_rptr + 1;
383 *(newmp->b_rptr) = M_CTL_MAGIC_NUMBER;
384 newmp->b_cont = mp;
385 tmip->flags &= ~TEL_GETBLK;
386 noenable(q);
387 tmip->flags |= TEL_STOPPED;
388
389 putnext(q, newmp);
390
391 break;
392 }
393 /*
394 * call the protocol parsing routine which processes
395 * the data part of the message block first. Then it
396 * handles protocol and CR/LF processing.
397 * If an error is found inside allocb/dupb, recover
398 * routines inside rcv_parse will queue up the
399 * original message block in its service queue.
400 */
401 (void) rcv_parse(q, mp);
402 break;
403
404 case M_FLUSH:
405 /*
406 * Since M_FLUSH came from TCP, we mark it bound for
407 * daemon, not tty. This only happens when TCP expects
408 * to do a connection reset.
409 */
410 mp->b_flag |= MSGMARK;
411 if (*mp->b_rptr & FLUSHR)
412 flushq(q, FLUSHALL);
413 putnext(q, mp);
414 break;
415
416 case M_PCSIG:
417 case M_ERROR:
418 if (tmip->flags & TEL_GETBLK)
419 tmip->flags &= ~TEL_GETBLK;
420 /* FALLTHRU */
421 case M_IOCACK:
422 case M_IOCNAK:
423 case M_SETOPTS:
424 putnext(q, mp);
425 break;
426
427 case M_PROTO:
428 case M_PCPROTO:
429 if (tmip->flags & TEL_GETBLK)
430 tmip->flags &= ~TEL_GETBLK;
431
432 tip = (union T_primitives *)mp->b_rptr;
433 switch (tip->type) {
434
435 case T_ORDREL_IND:
436 case T_DISCON_IND:
437 /* Make into M_HANGUP and putnext */
438 ASSERT(mp->b_cont == NULL);
439 mp->b_datap->db_type = M_HANGUP;
440 mp->b_wptr = mp->b_rptr;
441 if (mp->b_cont) {
442 freemsg(mp->b_cont);
443 mp->b_cont = NULL;
444 }
445 /*
446 * If we haven't already, send T_UNBIND_REQ to prevent
447 * TCP from going into "BOUND" state and locking up the
448 * port.
449 */
450 if (tip->type == T_DISCON_IND && tmip->unbind_mp !=
451 NULL) {
452 putnext(q, mp);
453 qreply(q, tmip->unbind_mp);
454 tmip->unbind_mp = NULL;
455 } else {
456 putnext(q, mp);
457 }
458 break;
459
460 case T_EXDATA_IND:
461 case T_DATA_IND: /* conform to TPI, but never happens */
462 newmp = mp->b_cont;
463 freeb(mp);
464 mp = newmp;
465 if (mp) {
466 ASSERT(mp->b_datap->db_type == M_DATA);
467 if (msgdsize(mp) != 0) {
468 goto is_mdata;
469 }
470 freemsg(mp);
471 }
472 break;
473
474 /*
475 * We only get T_OK_ACK when we issue the unbind, and it can
476 * be ignored safely.
477 */
478 case T_OK_ACK:
479 ASSERT(tmip->unbind_mp == NULL);
480 freemsg(mp);
481 break;
482
483 default:
484 #ifdef DEBUG
485 cmn_err(CE_NOTE,
486 "telmodrput: unexpected TLI primitive msg "
487 "type 0x%x", tip->type);
488 #endif
489 freemsg(mp);
490 }
491 break;
492
493 default:
494 #ifdef DEBUG
495 cmn_err(CE_NOTE,
496 "telmodrput: unexpected msg type 0x%x",
497 mp->b_datap->db_type);
498 #endif
499 freemsg(mp);
500 }
501 }
502
503 /*
504 * telmodrsrv:
505 * Mostly we end up here because of M_DATA processing delayed due to flow
506 * control or lack of memory. XXX.sparker: TLI primitives here?
507 */
508 static void
509 telmodrsrv(queue_t *q)
510 {
511 mblk_t *mp, *newmp;
512 struct telmod_info *tmip = (struct telmod_info *)q->q_ptr;
513 union T_primitives *tip;
514
515 while ((mp = getq(q)) != NULL) {
516 if (((tmip->flags & TEL_STOPPED) &&
517 !(tmip->flags & TEL_GETBLK)) || !canputnext(q)) {
518 (void) putbq(q, mp);
519 return;
520 }
521 switch (mp->b_datap->db_type) {
522
523 case M_DATA:
524 is_mdata:
525 if (tmip->flags & TEL_GETBLK) {
526 if ((newmp = allocb(sizeof (char),
527 BPRI_MED)) == NULL) {
528 recover(q, mp, msgdsize(mp));
529 return;
530 }
531 newmp->b_datap->db_type = M_CTL;
532 newmp->b_wptr = newmp->b_rptr + 1;
533 *(newmp->b_rptr) = M_CTL_MAGIC_NUMBER;
534 newmp->b_cont = mp;
535 tmip->flags &= ~TEL_GETBLK;
536 noenable(q);
537 tmip->flags |= TEL_STOPPED;
538
539 putnext(q, newmp);
540
541 break;
542 }
543 if (!rcv_parse(q, mp)) {
544 return;
545 }
546 break;
547
548 case M_PROTO:
549
550 tip = (union T_primitives *)mp->b_rptr;
551
552 /*
553 * Unless the M_PROTO message indicates data, clear
554 * TEL_GETBLK so that we stop passing our messages
555 * up to the telnet daemon.
556 */
557 if (tip->type != T_DATA_IND &&
558 tip->type != T_EXDATA_IND)
559 tmip->flags &= ~TEL_GETBLK;
560
561 switch (tip->type) {
562 case T_ORDREL_IND:
563 case T_DISCON_IND:
564 /* Make into M_HANGUP and putnext */
565 ASSERT(mp->b_cont == NULL);
566 mp->b_datap->db_type = M_HANGUP;
567 mp->b_wptr = mp->b_rptr;
568 if (mp->b_cont) {
569 freemsg(mp->b_cont);
570 mp->b_cont = NULL;
571 }
572 /*
573 * If we haven't already, send T_UNBIND_REQ
574 * to prevent TCP from going into "BOUND"
575 * state and locking up the port.
576 */
577 if (tip->type == T_DISCON_IND &&
578 tmip->unbind_mp != NULL) {
579 putnext(q, mp);
580 qreply(q, tmip->unbind_mp);
581 tmip->unbind_mp = NULL;
582 } else {
583 putnext(q, mp);
584 }
585 break;
586
587 case T_DATA_IND: /* conform to TPI, but never happens */
588 case T_EXDATA_IND:
589 newmp = mp->b_cont;
590 freeb(mp);
591 mp = newmp;
592 if (mp) {
593 ASSERT(mp->b_datap->db_type == M_DATA);
594 if (msgdsize(mp) != 0) {
595 goto is_mdata;
596 }
597 freemsg(mp);
598 }
599 break;
600
601 /*
602 * We only get T_OK_ACK when we issue the unbind, and
603 * it can be ignored safely.
604 */
605 case T_OK_ACK:
606 ASSERT(tmip->unbind_mp == NULL);
607 freemsg(mp);
608 break;
609
610 default:
611 #ifdef DEBUG
612 cmn_err(CE_NOTE,
613 "telmodrsrv: unexpected TLI primitive "
614 "msg type 0x%x", tip->type);
615 #endif
616 freemsg(mp);
617 }
618 break;
619
620 case M_SETOPTS:
621 putnext(q, mp);
622 break;
623
624 default:
625 #ifdef DEBUG
626 cmn_err(CE_NOTE,
627 "telmodrsrv: unexpected msg type 0x%x",
628 mp->b_datap->db_type);
629 #endif
630 freemsg(mp);
631 }
632 }
633 }
634
635 /*
636 * telmodwput:
637 * M_DATA is processed and forwarded if we aren't stopped awaiting the daemon
638 * to process something. M_CTL's are data from the daemon bound for the
639 * network. We forward them immediately. There are two classes of ioctl's
640 * we must handle here also. One is ioctl's forwarded by ptem which we
641 * ignore. The other is ioctl's issued by the daemon to control us.
642 * Process them appropriately. M_PROTO's we pass along, figuring they are
643 * are TPI operations for TCP. M_FLUSH requires careful processing, since
644 * telnet cannot tolerate flushing its protocol requests. Also the flushes
645 * can be running either daemon<->TCP or application<->telmod. We must
646 * carefully deal with this.
647 */
648 static void
649 telmodwput(
650 queue_t *q, /* Pointer to the read queue */
651 mblk_t *mp) /* Pointer to current message block */
652 {
653 struct telmod_info *tmip;
654 struct iocblk *ioc;
655 mblk_t *savemp;
656 int rw;
657 int error;
658
659 tmip = (struct telmod_info *)q->q_ptr;
660
661 switch (mp->b_datap->db_type) {
662 case M_DATA:
663 if (!canputnext(q) || (tmip->flags & TEL_STOPPED) ||
664 (q->q_first)) {
665 noenable(q);
666 (void) putq(q, mp);
667 break;
668 }
669 /*
670 * This routine parses data generating from ptm side.
671 * Insert a null character if carraige return
672 * is not followed by line feed unless we are in binary mode.
673 * Also, duplicate IAC if found in the data.
674 */
675 (void) snd_parse(q, mp);
676 break;
677
678 case M_CTL:
679 if (((mp->b_wptr - mp->b_rptr) == 1) &&
680 (*(mp->b_rptr) == M_CTL_MAGIC_NUMBER)) {
681 savemp = mp->b_cont;
682 freeb(mp);
683 mp = savemp;
684 }
685 putnext(q, mp);
686 break;
687
688 case M_IOCTL:
689 ioc = (struct iocblk *)mp->b_rptr;
690 switch (ioc->ioc_cmd) {
691
692 /*
693 * This ioctl is issued by user level daemon to
694 * request one more message block to process protocol
695 */
696 case TEL_IOC_GETBLK:
697 if (!(tmip->flags & TEL_STOPPED)) {
698 miocnak(q, mp, 0, EINVAL);
699 break;
700 }
701 tmip->flags |= TEL_GETBLK;
702 qenable(RD(q));
703 enableok(RD(q));
704
705 miocack(q, mp, 0, 0);
706 break;
707
708 /*
709 * This ioctl is issued by user level daemon to reenable the
710 * read and write queues. This is issued during startup time
711 * after setting up the mux links and also after processing
712 * the protocol. It is also issued after each time an
713 * an unrecognized telnet option is forwarded to the daemon.
714 */
715 case TEL_IOC_ENABLE:
716
717 /*
718 * Send negative ack if TEL_STOPPED flag is not set
719 */
720 if (!(tmip->flags & TEL_STOPPED)) {
721 miocnak(q, mp, 0, EINVAL);
722 break;
723 }
724 tmip->flags &= ~TEL_STOPPED;
725 if (mp->b_cont) {
726 (void) putbq(RD(q), mp->b_cont);
727 mp->b_cont = 0;
728 }
729
730 qenable(RD(q));
731 enableok(RD(q));
732 qenable(q);
733 enableok(q);
734
735 miocack(q, mp, 0, 0);
736 break;
737
738 /*
739 * Set binary/normal mode for input and output
740 * according to the instructions from the daemon.
741 */
742 case TEL_IOC_MODE:
743 error = miocpullup(mp, sizeof (uchar_t));
744 if (error != 0) {
745 miocnak(q, mp, 0, error);
746 break;
747 }
748 tmip->flags |= *(mp->b_cont->b_rptr) &
749 (TEL_BINARY_IN|TEL_BINARY_OUT);
750 miocack(q, mp, 0, 0);
751 break;
752
753 #ifdef DEBUG
754 case TCSETAF:
755 case TCSETSF:
756 case TCSETA:
757 case TCSETAW:
758 case TCSETS:
759 case TCSETSW:
760 case TCSBRK:
761 case TIOCSTI:
762 case TIOCSWINSZ:
763 miocnak(q, mp, 0, EINVAL);
764 break;
765 #endif
766 case CRYPTPASSTHRU:
767 error = miocpullup(mp, sizeof (uchar_t));
768 if (error != 0) {
769 miocnak(q, mp, 0, error);
770 break;
771 }
772 if (*(mp->b_cont->b_rptr) == 0x01)
773 tmip->flags |= TEL_IOCPASSTHRU;
774 else
775 tmip->flags &= ~TEL_IOCPASSTHRU;
776
777 miocack(q, mp, 0, 0);
778 break;
779
780 default:
781 if (tmip->flags & TEL_IOCPASSTHRU) {
782 putnext(q, mp);
783 } else {
784 #ifdef DEBUG
785 cmn_err(CE_NOTE,
786 "telmodwput: unexpected ioctl type 0x%x",
787 ioc->ioc_cmd);
788 #endif
789 miocnak(q, mp, 0, EINVAL);
790 }
791 break;
792 }
793 break;
794
795 case M_FLUSH:
796 /*
797 * Flushing is tricky: We try to flush all we can, but certain
798 * data cannot be flushed. Telnet protocol sequences cannot
799 * be flushed. So, TCP's queues cannot be flushed since we
800 * cannot tell what might be telnet protocol data. Then we
801 * must take care to create and forward out-of-band data
802 * indicating the flush to the far side.
803 */
804 rw = *mp->b_rptr;
805 if (rw & FLUSHR) {
806 /*
807 * We cannot flush our read queue, since there may
808 * be telnet protocol bits in the queue, awaiting
809 * processing. However, once it leaves this module
810 * it's guaranteed that all protocol data is in
811 * M_CTL, so we do flush read data beyond us, expecting
812 * them (actually logindmux) to do FLUSHDATAs also.
813 */
814 *mp->b_rptr = rw & ~FLUSHW;
815 qreply(q, mp);
816 } else {
817 freemsg(mp);
818 }
819 if (rw & FLUSHW) {
820 /*
821 * Since all telnet protocol data comes from the
822 * daemon, stored as M_CTL messages, flushq will
823 * do exactly what's needed: Flush bytes which do
824 * not have telnet protocol data.
825 */
826 flushq(q, FLUSHDATA);
827 }
828 break;
829
830 case M_PCPROTO:
831 putnext(q, mp);
832 break;
833
834 case M_PROTO:
835 /* We may receive T_DISCON_REQ from the mux */
836 if (!canputnext(q) || q->q_first != NULL)
837 (void) putq(q, mp);
838 else
839 putnext(q, mp);
840 break;
841
842 default:
843 #ifdef DEBUG
844 cmn_err(CE_NOTE,
845 "telmodwput: unexpected msg type 0x%x",
846 mp->b_datap->db_type);
847 #endif
848 freemsg(mp);
849 break;
850 }
851 }
852
853 /*
854 * telmodwsrv - module write service procedure
855 */
856 static void
857 telmodwsrv(queue_t *q)
858 {
859 mblk_t *mp, *savemp;
860
861 struct telmod_info *tmip = (struct telmod_info *)q->q_ptr;
862
863 while ((mp = getq(q)) != NULL) {
864 if (!canputnext(q)) {
865 ASSERT(mp->b_datap->db_type < QPCTL);
866 (void) putbq(q, mp);
867 return;
868 }
869 switch (mp->b_datap->db_type) {
870
871 case M_DATA:
872 if (tmip->flags & TEL_STOPPED) {
873 (void) putbq(q, mp);
874 return;
875 }
876 /*
877 * Insert a null character if carraige return
878 * is not followed by line feed
879 */
880 if (!snd_parse(q, mp)) {
881 return;
882 }
883 break;
884
885 case M_CTL:
886 if (((mp->b_wptr - mp->b_rptr) == 1) &&
887 (*(mp->b_rptr) == M_CTL_MAGIC_NUMBER)) {
888 savemp = mp->b_cont;
889 freeb(mp);
890 mp = savemp;
891 }
892 putnext(q, mp);
893 break;
894
895 case M_PROTO:
896 putnext(q, mp);
897 break;
898
899 default:
900 #ifdef DEBUG
901 cmn_err(CE_NOTE,
902 "telmodwsrv: unexpected msg type 0x%x",
903 mp->b_datap->db_type);
904 #endif
905 freemsg(mp);
906 }
907
908 }
909 }
910
911 /*
912 * This routine is called from read put/service procedure and parses
913 * message block to check for telnet protocol by detecting an IAC.
914 * The routine processes the data part of the message block first and
915 * then sends protocol followed after IAC to the telnet daemon. The
916 * routine also processes CR/LF by eliminating LF/NULL followed after CR.
917 *
918 * Since the code to do this with streams mblks is complicated, some
919 * explanations are in order. If an IAC is found, a dupb() is done,
920 * and the pointers are adjusted to create two streams message. The
921 * (possibly empty) first message contains preceeding data, and the
922 * second begins with the IAC and contains the rest of the streams
923 * message.
924 *
925 * The variables:
926 * datamp: Points to the head of a chain of mblks containing data
927 * which requires no expansion, and can be forwarded directly
928 * to the pty.
929 * prevmp: Points to the last mblk on the datamp chain, used to add
930 * to the chain headed by datamp.
931 * newmp: When an M_CTL header is required, this pointer references
932 * that "header" mblk.
933 * protomp: When an IAC is discovered, a dupb() is done on the first mblk
934 * containing an IAC. protomp points to this dup'ed mblk.
935 * This mblk is eventually forwarded to the daemon.
936 */
937 static int
938 rcv_parse(queue_t *q, mblk_t *mp)
939 {
940 mblk_t *protomp, *newmp, *datamp, *prevmp;
941 unsigned char *tmp;
942 size_t msgsize;
943
944 struct telmod_info *tmip = (struct telmod_info *)q->q_ptr;
945
946 datamp = mp;
947 prevmp = protomp = 0;
948
949 while (mp) {
950 /*
951 * If the mblk is empty, just continue scanning.
952 */
953 if (mp->b_rptr == mp->b_wptr) {
954 prevmp = mp;
955 mp = mp->b_cont;
956 continue;
957 }
958 /*
959 * First check to see if we have received CR and are checking
960 * for a following LF/NULL. If so, do what's necessary to
961 * trim the LF/NULL. This case is for when the LF/NULL is
962 * at the beginning of a subsequent mblk.
963 */
964 if (!(tmip->flags & TEL_BINARY_IN) &&
965 (tmip->flags & TEL_CRRCV)) {
966 if ((*mp->b_rptr == '\n') || (*mp->b_rptr == NULL)) {
967 if (mp->b_wptr == (mp->b_rptr + 1)) {
968 tmip->flags &= ~TEL_CRRCV;
969 if (prevmp) {
970 prevmp->b_cont = mp->b_cont;
971 freeb(mp);
972 mp = prevmp->b_cont;
973 continue;
974 } else {
975 datamp = mp->b_cont;
976 freeb(mp);
977 if (datamp == NULL) {
978 /*
979 * Message contained
980 * only a '\0' after
981 * a '\r' in a previous
982 * message, so we can
983 * read more, even
984 * though we have
985 * nothing to putnext.
986 */
987 return (1);
988 } else {
989 mp = datamp;
990 continue;
991 }
992 }
993 }
994 mp->b_rptr += 1;
995 }
996 tmip->flags &= ~TEL_CRRCV;
997 }
998 tmp = mp->b_rptr;
999 /*
1000 * Now scan through the entire message block, for IACs
1001 * and CR characters, which need processing.
1002 */
1003 while (tmp < mp->b_wptr) {
1004
1005 if (tmp[0] == IAC) {
1006 /*
1007 * Telnet protocol - parse it now
1008 * process data part of mblk
1009 * before sending the protocol.
1010 */
1011 if (tmp > mp->b_rptr) {
1012 if ((protomp = dupb(mp)) == NULL) {
1013 msgsize = msgdsize(datamp);
1014 recover(q, datamp, msgsize);
1015 return (0);
1016 }
1017 ASSERT(tmp >= mp->b_datap->db_base);
1018 ASSERT(tmp <= mp->b_datap->db_lim);
1019 ASSERT(tmp >=
1020 protomp->b_datap->db_base);
1021 ASSERT(tmp <= protomp->b_datap->db_lim);
1022 mp->b_wptr = tmp;
1023 protomp->b_rptr = tmp;
1024 protomp->b_cont = mp->b_cont;
1025 mp->b_cont = 0;
1026
1027 if (prevmp)
1028 prevmp->b_cont = mp;
1029
1030 } else {
1031 protomp = mp;
1032
1033 if (prevmp)
1034 prevmp->b_cont = 0;
1035 else
1036 datamp = 0;
1037 }
1038 if (datamp) {
1039 putnext(q, datamp);
1040 }
1041 /*
1042 * create a 1 byte M_CTL message block with
1043 * protomp and send it down.
1044 */
1045
1046 if ((newmp = allocb(sizeof (char),
1047 BPRI_MED)) == NULL) {
1048 /*
1049 * Save the dup'ed mp containing
1050 * the protocol information which
1051 * we couldn't get an M_CTL header
1052 * for.
1053 */
1054 msgsize = msgdsize(protomp);
1055 recover(q, protomp, msgsize);
1056 return (0);
1057 }
1058 newmp->b_datap->db_type = M_CTL;
1059 newmp->b_wptr = newmp->b_rptr + 1;
1060 *(newmp->b_rptr) = M_CTL_MAGIC_NUMBER;
1061 newmp->b_cont = protomp;
1062 noenable(q);
1063 tmip->flags |= TEL_STOPPED;
1064 putnext(q, newmp);
1065
1066 return (0);
1067 }
1068 if (!(tmip->flags & TEL_BINARY_IN)) {
1069 /*
1070 * Set TEL_CRRCV flag if last character is CR
1071 */
1072 if ((tmp == (mp->b_wptr - 1)) &&
1073 (tmp[0] == '\r')) {
1074 tmip->flags |= TEL_CRRCV;
1075 break;
1076 }
1077
1078 /*
1079 * If CR is followed by LF/NULL, get rid of
1080 * LF/NULL and realign the message block.
1081 */
1082 if ((tmp[0] == '\r') && ((tmp[1] == '\n') ||
1083 (tmp[1] == NULL))) {
1084 /*
1085 * If CR is in the middle of a block,
1086 * we need to get rid of LF and join
1087 * the two pieces together.
1088 */
1089 if (mp->b_wptr > (tmp + 2)) {
1090 bcopy(tmp + 2, tmp + 1,
1091 (mp->b_wptr - tmp - 2));
1092 mp->b_wptr -= 1;
1093 } else {
1094 mp->b_wptr = tmp + 1;
1095 }
1096
1097 if (prevmp)
1098 prevmp->b_cont = mp;
1099 }
1100 }
1101 tmp++;
1102 }
1103 prevmp = mp;
1104 mp = mp->b_cont;
1105 }
1106 putnext(q, datamp);
1107
1108 return (1);
1109 }
1110
1111 /*
1112 * This routine is called from write put/service procedures and processes
1113 * CR-LF. If CR is not followed by LF, it inserts a NULL character if we are
1114 * in non binary mode. Also, duplicate IAC(0xFF) if found in the mblk.
1115 * This routine is pessimistic: It pre-allocates a buffer twice the size
1116 * of the incoming message, which is the maximum size a message can become
1117 * after IAC expansion.
1118 *
1119 * savemp: Points at the original message, so it can be freed when
1120 * processing is complete.
1121 * mp: The current point of scanning the message.
1122 * newmp: New message being created with the processed output.
1123 */
1124 static int
1125 snd_parse(queue_t *q, mblk_t *mp)
1126 {
1127 unsigned char *tmp, *tmp1;
1128 mblk_t *newmp, *savemp;
1129 struct telmod_info *tmip = (struct telmod_info *)q->q_ptr;
1130 size_t size = msgdsize(mp);
1131
1132 savemp = mp;
1133
1134 if (size == 0) {
1135 putnext(q, mp);
1136 return (1);
1137 }
1138
1139 /*
1140 * Extra byte to allocb() takes care of the case when there was
1141 * a '\r' at the end of the previous message and there's a '\r'
1142 * at the beginning of the current message.
1143 */
1144 if ((newmp = allocb((2 * size)+1, BPRI_MED)) == NULL) {
1145 recover(q, mp, (2 * size)+1);
1146 return (0);
1147 }
1148 newmp->b_datap->db_type = M_DATA;
1149
1150 tmp1 = newmp->b_rptr;
1151 while (mp) {
1152 if (!(tmip->flags & TEL_BINARY_OUT) &&
1153 (tmip->flags & TEL_CRSND)) {
1154 if (*(mp->b_rptr) != '\n')
1155 *tmp1++ = NULL;
1156 tmip->flags &= ~TEL_CRSND;
1157 }
1158 tmp = mp->b_rptr;
1159 while (tmp < mp->b_wptr) {
1160 if (!(tmip->flags & TEL_BINARY_OUT)) {
1161 *tmp1++ = *tmp;
1162 if ((tmp == (mp->b_wptr - 1)) &&
1163 (tmp[0] == '\r')) {
1164 tmip->flags |= TEL_CRSND;
1165 break;
1166 }
1167 if ((tmp[0] == '\r') &&
1168 (tmp1 == newmp->b_wptr)) {
1169 /* XXX.sparker: can't happen */
1170 tmip->flags |= TEL_CRSND;
1171 break;
1172 }
1173 if ((tmp[0] == '\r') && (tmp[1] != '\n')) {
1174 *tmp1++ = NULL;
1175 }
1176 } else
1177 *tmp1++ = *tmp;
1178
1179 if (tmp[0] == IAC) {
1180 *tmp1++ = IAC;
1181 }
1182 tmp++;
1183 }
1184 mp = mp->b_cont;
1185 }
1186
1187 newmp->b_wptr = tmp1;
1188
1189 putnext(q, newmp);
1190 freemsg(savemp);
1191 return (1);
1192 }
1193
1194 static void
1195 telmod_timer(void *arg)
1196 {
1197 queue_t *q = arg;
1198 struct telmod_info *tmip = (struct telmod_info *)q->q_ptr;
1199
1200 ASSERT(tmip);
1201
1202 if (q->q_flag & QREADR) {
1203 ASSERT(tmip->rtimoutid);
1204 tmip->rtimoutid = 0;
1205 } else {
1206 ASSERT(tmip->wtimoutid);
1207 tmip->wtimoutid = 0;
1208 }
1209 enableok(q);
1210 qenable(q);
1211 }
1212
1213 static void
1214 telmod_buffer(void *arg)
1215 {
1216 queue_t *q = arg;
1217 struct telmod_info *tmip = (struct telmod_info *)q->q_ptr;
1218
1219 ASSERT(tmip);
1220
1221 if (q->q_flag & QREADR) {
1222 ASSERT(tmip->rbufcid);
1223 tmip->rbufcid = 0;
1224 } else {
1225 ASSERT(tmip->wbufcid);
1226 tmip->wbufcid = 0;
1227 }
1228 enableok(q);
1229 qenable(q);
1230 }
1231
1232 static void
1233 recover(queue_t *q, mblk_t *mp, size_t size)
1234 {
1235 bufcall_id_t bid;
1236 timeout_id_t tid;
1237 struct telmod_info *tmip = (struct telmod_info *)q->q_ptr;
1238
1239 ASSERT(mp->b_datap->db_type < QPCTL);
1240 noenable(q);
1241 (void) putbq(q, mp);
1242
1243 /*
1244 * Make sure there is at most one outstanding request per queue.
1245 */
1246 if (q->q_flag & QREADR) {
1247 if (tmip->rtimoutid || tmip->rbufcid) {
1248 return;
1249 }
1250 } else {
1251 if (tmip->wtimoutid || tmip->wbufcid) {
1252 return;
1253 }
1254 }
1255 if (!(bid = qbufcall(RD(q), size, BPRI_MED, telmod_buffer, q))) {
1256 tid = qtimeout(RD(q), telmod_timer, q, SIMWAIT);
1257 if (q->q_flag & QREADR)
1258 tmip->rtimoutid = tid;
1259 else
1260 tmip->wtimoutid = tid;
1261 } else {
1262 if (q->q_flag & QREADR)
1263 tmip->rbufcid = bid;
1264 else
1265 tmip->wbufcid = bid;
1266 }
1267 }