LCOV - code coverage report
Current view: top level - source3/smbd - smbXsrv_session.c (source / functions) Hit Total Coverage
Test: coverage report for master 6248eab5 Lines: 751 1092 68.8 %
Date: 2021-08-25 13:27:56 Functions: 50 54 92.6 %

          Line data    Source code
       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    Copyright (C) Stefan Metzmacher 2011-2012
       5             :    Copyright (C) Michael Adam 2012
       6             : 
       7             :    This program is free software; you can redistribute it and/or modify
       8             :    it under the terms of the GNU General Public License as published by
       9             :    the Free Software Foundation; either version 3 of the License, or
      10             :    (at your option) any later version.
      11             : 
      12             :    This program is distributed in the hope that it will be useful,
      13             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      14             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      15             :    GNU General Public License for more details.
      16             : 
      17             :    You should have received a copy of the GNU General Public License
      18             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      19             : */
      20             : 
      21             : #include "includes.h"
      22             : #include "system/filesys.h"
      23             : #include <tevent.h>
      24             : #include "lib/util/server_id.h"
      25             : #include "smbd/smbd.h"
      26             : #include "smbd/globals.h"
      27             : #include "dbwrap/dbwrap.h"
      28             : #include "dbwrap/dbwrap_rbt.h"
      29             : #include "dbwrap/dbwrap_open.h"
      30             : #include "dbwrap/dbwrap_watch.h"
      31             : #include "session.h"
      32             : #include "auth.h"
      33             : #include "auth/gensec/gensec.h"
      34             : #include "../lib/tsocket/tsocket.h"
      35             : #include "../libcli/security/security.h"
      36             : #include "messages.h"
      37             : #include "lib/util/util_tdb.h"
      38             : #include "librpc/gen_ndr/ndr_smbXsrv.h"
      39             : #include "serverid.h"
      40             : #include "lib/util/tevent_ntstatus.h"
      41             : #include "lib/global_contexts.h"
      42             : 
      43             : struct smbXsrv_session_table {
      44             :         struct {
      45             :                 struct db_context *db_ctx;
      46             :                 uint32_t lowest_id;
      47             :                 uint32_t highest_id;
      48             :                 uint32_t max_sessions;
      49             :                 uint32_t num_sessions;
      50             :         } local;
      51             :         struct {
      52             :                 struct db_context *db_ctx;
      53             :         } global;
      54             : };
      55             : 
      56             : static struct db_context *smbXsrv_session_global_db_ctx = NULL;
      57             : 
      58       27018 : NTSTATUS smbXsrv_session_global_init(struct messaging_context *msg_ctx)
      59             : {
      60       27018 :         char *global_path = NULL;
      61       27018 :         struct db_context *backend = NULL;
      62       27018 :         struct db_context *db_ctx = NULL;
      63             : 
      64       27018 :         if (smbXsrv_session_global_db_ctx != NULL) {
      65       26932 :                 return NT_STATUS_OK;
      66             :         }
      67             : 
      68             :         /*
      69             :          * This contains secret information like session keys!
      70             :          */
      71          86 :         global_path = lock_path(talloc_tos(), "smbXsrv_session_global.tdb");
      72          86 :         if (global_path == NULL) {
      73           0 :                 return NT_STATUS_NO_MEMORY;
      74             :         }
      75             : 
      76          86 :         backend = db_open(NULL, global_path,
      77             :                           0, /* hash_size */
      78             :                           TDB_DEFAULT |
      79             :                           TDB_CLEAR_IF_FIRST |
      80             :                           TDB_INCOMPATIBLE_HASH,
      81             :                           O_RDWR | O_CREAT, 0600,
      82             :                           DBWRAP_LOCK_ORDER_1,
      83             :                           DBWRAP_FLAG_NONE);
      84          86 :         TALLOC_FREE(global_path);
      85          86 :         if (backend == NULL) {
      86             :                 NTSTATUS status;
      87             : 
      88           0 :                 status = map_nt_error_from_unix_common(errno);
      89             : 
      90           0 :                 return status;
      91             :         }
      92             : 
      93          86 :         db_ctx = db_open_watched(NULL, &backend, global_messaging_context());
      94          86 :         if (db_ctx == NULL) {
      95           0 :                 TALLOC_FREE(backend);
      96           0 :                 return NT_STATUS_NO_MEMORY;
      97             :         }
      98             : 
      99          86 :         smbXsrv_session_global_db_ctx = db_ctx;
     100             : 
     101          86 :         return NT_STATUS_OK;
     102             : }
     103             : 
     104             : /*
     105             :  * NOTE:
     106             :  * We need to store the keys in big endian so that dbwrap_rbt's memcmp
     107             :  * has the same result as integer comparison between the uint32_t
     108             :  * values.
     109             :  *
     110             :  * TODO: implement string based key
     111             :  */
     112             : 
     113             : #define SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE sizeof(uint32_t)
     114             : 
     115      164195 : static TDB_DATA smbXsrv_session_global_id_to_key(uint32_t id,
     116             :                                                  uint8_t *key_buf)
     117             : {
     118             :         TDB_DATA key;
     119             : 
     120      166677 :         RSIVAL(key_buf, 0, id);
     121             : 
     122      166677 :         key = make_tdb_data(key_buf, SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE);
     123             : 
     124      166677 :         return key;
     125             : }
     126             : 
     127             : #if 0
     128             : static NTSTATUS smbXsrv_session_global_key_to_id(TDB_DATA key, uint32_t *id)
     129             : {
     130             :         if (id == NULL) {
     131             :                 return NT_STATUS_INVALID_PARAMETER;
     132             :         }
     133             : 
     134             :         if (key.dsize != SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE) {
     135             :                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
     136             :         }
     137             : 
     138             :         *id = RIVAL(key.dptr, 0);
     139             : 
     140             :         return NT_STATUS_OK;
     141             : }
     142             : #endif
     143             : 
     144             : #define SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE sizeof(uint32_t)
     145             : 
     146     3866019 : static TDB_DATA smbXsrv_session_local_id_to_key(uint32_t id,
     147             :                                                 uint8_t *key_buf)
     148             : {
     149             :         TDB_DATA key;
     150             : 
     151     3898485 :         RSIVAL(key_buf, 0, id);
     152             : 
     153     3898485 :         key = make_tdb_data(key_buf, SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE);
     154             : 
     155     3898485 :         return key;
     156             : }
     157             : 
     158           0 : static NTSTATUS smbXsrv_session_local_key_to_id(TDB_DATA key, uint32_t *id)
     159             : {
     160           0 :         if (id == NULL) {
     161           0 :                 return NT_STATUS_INVALID_PARAMETER;
     162             :         }
     163             : 
     164           0 :         if (key.dsize != SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE) {
     165           0 :                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
     166             :         }
     167             : 
     168           0 :         *id = RIVAL(key.dptr, 0);
     169             : 
     170           0 :         return NT_STATUS_OK;
     171             : }
     172             : 
     173      166677 : static struct db_record *smbXsrv_session_global_fetch_locked(
     174             :                         struct db_context *db,
     175             :                         uint32_t id,
     176             :                         TALLOC_CTX *mem_ctx)
     177             : {
     178             :         TDB_DATA key;
     179             :         uint8_t key_buf[SMBXSRV_SESSION_GLOBAL_TDB_KEY_SIZE];
     180      166677 :         struct db_record *rec = NULL;
     181             : 
     182      166677 :         key = smbXsrv_session_global_id_to_key(id, key_buf);
     183             : 
     184      166677 :         rec = dbwrap_fetch_locked(db, mem_ctx, key);
     185             : 
     186      166677 :         if (rec == NULL) {
     187           0 :                 DBG_DEBUG("Failed to lock global id 0x%08x, key '%s'\n", id,
     188             :                           hex_encode_talloc(talloc_tos(), key.dptr, key.dsize));
     189             :         }
     190             : 
     191      166677 :         return rec;
     192             : }
     193             : 
     194       28617 : static struct db_record *smbXsrv_session_local_fetch_locked(
     195             :                         struct db_context *db,
     196             :                         uint32_t id,
     197             :                         TALLOC_CTX *mem_ctx)
     198             : {
     199             :         TDB_DATA key;
     200             :         uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
     201       28617 :         struct db_record *rec = NULL;
     202             : 
     203       28617 :         key = smbXsrv_session_local_id_to_key(id, key_buf);
     204             : 
     205       28617 :         rec = dbwrap_fetch_locked(db, mem_ctx, key);
     206             : 
     207       28617 :         if (rec == NULL) {
     208           0 :                 DBG_DEBUG("Failed to lock local id 0x%08x, key '%s'\n", id,
     209             :                           hex_encode_talloc(talloc_tos(), key.dptr, key.dsize));
     210             :         }
     211             : 
     212       28617 :         return rec;
     213             : }
     214             : 
     215             : static void smbXsrv_session_close_loop(struct tevent_req *subreq);
     216             : 
     217       26908 : static NTSTATUS smbXsrv_session_table_init(struct smbXsrv_connection *conn,
     218             :                                            uint32_t lowest_id,
     219             :                                            uint32_t highest_id,
     220             :                                            uint32_t max_sessions)
     221             : {
     222       26908 :         struct smbXsrv_client *client = conn->client;
     223             :         struct smbXsrv_session_table *table;
     224             :         NTSTATUS status;
     225             :         struct tevent_req *subreq;
     226             :         uint64_t max_range;
     227             : 
     228       26908 :         if (lowest_id > highest_id) {
     229           0 :                 return NT_STATUS_INTERNAL_ERROR;
     230             :         }
     231             : 
     232       26908 :         max_range = highest_id;
     233       26908 :         max_range -= lowest_id;
     234       26908 :         max_range += 1;
     235             : 
     236       26908 :         if (max_sessions > max_range) {
     237           0 :                 return NT_STATUS_INTERNAL_ERROR;
     238             :         }
     239             : 
     240       26908 :         table = talloc_zero(client, struct smbXsrv_session_table);
     241       26908 :         if (table == NULL) {
     242           0 :                 return NT_STATUS_NO_MEMORY;
     243             :         }
     244             : 
     245       26908 :         table->local.db_ctx = db_open_rbt(table);
     246       26908 :         if (table->local.db_ctx == NULL) {
     247           0 :                 TALLOC_FREE(table);
     248           0 :                 return NT_STATUS_NO_MEMORY;
     249             :         }
     250       26908 :         table->local.lowest_id = lowest_id;
     251       26908 :         table->local.highest_id = highest_id;
     252       26908 :         table->local.max_sessions = max_sessions;
     253             : 
     254       26908 :         status = smbXsrv_session_global_init(client->msg_ctx);
     255       26908 :         if (!NT_STATUS_IS_OK(status)) {
     256           0 :                 TALLOC_FREE(table);
     257           0 :                 return status;
     258             :         }
     259             : 
     260       26908 :         table->global.db_ctx = smbXsrv_session_global_db_ctx;
     261             : 
     262       26908 :         subreq = messaging_read_send(table,
     263             :                                      client->raw_ev_ctx,
     264             :                                      client->msg_ctx,
     265             :                                      MSG_SMBXSRV_SESSION_CLOSE);
     266       26908 :         if (subreq == NULL) {
     267           0 :                 TALLOC_FREE(table);
     268           0 :                 return NT_STATUS_NO_MEMORY;
     269             :         }
     270       26908 :         tevent_req_set_callback(subreq, smbXsrv_session_close_loop, client);
     271             : 
     272       26908 :         client->session_table = table;
     273       26908 :         return NT_STATUS_OK;
     274             : }
     275             : 
     276             : static void smbXsrv_session_close_shutdown_done(struct tevent_req *subreq);
     277             : 
     278          50 : static void smbXsrv_session_close_loop(struct tevent_req *subreq)
     279             : {
     280          50 :         struct smbXsrv_client *client =
     281          50 :                 tevent_req_callback_data(subreq,
     282             :                 struct smbXsrv_client);
     283          50 :         struct smbXsrv_session_table *table = client->session_table;
     284             :         int ret;
     285          50 :         struct messaging_rec *rec = NULL;
     286             :         struct smbXsrv_session_closeB close_blob;
     287             :         enum ndr_err_code ndr_err;
     288          50 :         struct smbXsrv_session_close0 *close_info0 = NULL;
     289          50 :         struct smbXsrv_session *session = NULL;
     290             :         NTSTATUS status;
     291          50 :         struct timeval tv = timeval_current();
     292          50 :         NTTIME now = timeval_to_nttime(&tv);
     293             : 
     294          50 :         ret = messaging_read_recv(subreq, talloc_tos(), &rec);
     295          50 :         TALLOC_FREE(subreq);
     296          50 :         if (ret != 0) {
     297           0 :                 goto next;
     298             :         }
     299             : 
     300          50 :         ndr_err = ndr_pull_struct_blob(&rec->buf, rec, &close_blob,
     301             :                         (ndr_pull_flags_fn_t)ndr_pull_smbXsrv_session_closeB);
     302          50 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     303           0 :                 status = ndr_map_error2ntstatus(ndr_err);
     304           0 :                 DEBUG(1,("smbXsrv_session_close_loop: "
     305             :                          "ndr_pull_struct_blob - %s\n",
     306             :                          nt_errstr(status)));
     307           0 :                 goto next;
     308             :         }
     309             : 
     310          50 :         DEBUG(10,("smbXsrv_session_close_loop: MSG_SMBXSRV_SESSION_CLOSE\n"));
     311          50 :         if (DEBUGLVL(10)) {
     312           0 :                 NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
     313             :         }
     314             : 
     315          50 :         if (close_blob.version != SMBXSRV_VERSION_0) {
     316           0 :                 DEBUG(0,("smbXsrv_session_close_loop: "
     317             :                          "ignore invalid version %u\n", close_blob.version));
     318           0 :                 NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
     319           0 :                 goto next;
     320             :         }
     321             : 
     322          50 :         close_info0 = close_blob.info.info0;
     323          50 :         if (close_info0 == NULL) {
     324           0 :                 DEBUG(0,("smbXsrv_session_close_loop: "
     325             :                          "ignore NULL info %u\n", close_blob.version));
     326           0 :                 NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
     327           0 :                 goto next;
     328             :         }
     329             : 
     330          50 :         status = smb2srv_session_lookup_client(client,
     331             :                                                close_info0->old_session_wire_id,
     332             :                                                now, &session);
     333          50 :         if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
     334           0 :                 DEBUG(4,("smbXsrv_session_close_loop: "
     335             :                          "old_session_wire_id %llu not found\n",
     336             :                          (unsigned long long)close_info0->old_session_wire_id));
     337           0 :                 if (DEBUGLVL(4)) {
     338           0 :                         NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
     339             :                 }
     340           0 :                 goto next;
     341             :         }
     342          50 :         if (!NT_STATUS_IS_OK(status) &&
     343           0 :             !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
     344           0 :             !NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
     345           0 :                 DEBUG(1,("smbXsrv_session_close_loop: "
     346             :                          "old_session_wire_id %llu - %s\n",
     347             :                          (unsigned long long)close_info0->old_session_wire_id,
     348             :                          nt_errstr(status)));
     349           0 :                 if (DEBUGLVL(1)) {
     350           0 :                         NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
     351             :                 }
     352           0 :                 goto next;
     353             :         }
     354             : 
     355          50 :         if (session->global->session_global_id != close_info0->old_session_global_id) {
     356           0 :                 DEBUG(1,("smbXsrv_session_close_loop: "
     357             :                          "old_session_wire_id %llu - global %u != %u\n",
     358             :                          (unsigned long long)close_info0->old_session_wire_id,
     359             :                          session->global->session_global_id,
     360             :                          close_info0->old_session_global_id));
     361           0 :                 if (DEBUGLVL(1)) {
     362           0 :                         NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
     363             :                 }
     364           0 :                 goto next;
     365             :         }
     366             : 
     367          50 :         if (session->global->creation_time != close_info0->old_creation_time) {
     368           0 :                 DEBUG(1,("smbXsrv_session_close_loop: "
     369             :                          "old_session_wire_id %llu - "
     370             :                          "creation %s (%llu) != %s (%llu)\n",
     371             :                          (unsigned long long)close_info0->old_session_wire_id,
     372             :                          nt_time_string(rec, session->global->creation_time),
     373             :                          (unsigned long long)session->global->creation_time,
     374             :                          nt_time_string(rec, close_info0->old_creation_time),
     375             :                          (unsigned long long)close_info0->old_creation_time));
     376           0 :                 if (DEBUGLVL(1)) {
     377           0 :                         NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
     378             :                 }
     379           0 :                 goto next;
     380             :         }
     381             : 
     382          50 :         subreq = smb2srv_session_shutdown_send(session, client->raw_ev_ctx,
     383             :                                                session, NULL);
     384          50 :         if (subreq == NULL) {
     385           0 :                 status = NT_STATUS_NO_MEMORY;
     386           0 :                 DEBUG(0, ("smbXsrv_session_close_loop: "
     387             :                           "smb2srv_session_shutdown_send(%llu) failed: %s\n",
     388             :                           (unsigned long long)session->global->session_wire_id,
     389             :                           nt_errstr(status)));
     390           0 :                 if (DEBUGLVL(1)) {
     391           0 :                         NDR_PRINT_DEBUG(smbXsrv_session_closeB, &close_blob);
     392             :                 }
     393           0 :                 goto next;
     394             :         }
     395          50 :         tevent_req_set_callback(subreq,
     396             :                                 smbXsrv_session_close_shutdown_done,
     397             :                                 session);
     398             : 
     399          50 : next:
     400          50 :         TALLOC_FREE(rec);
     401             : 
     402          50 :         subreq = messaging_read_send(table,
     403             :                                      client->raw_ev_ctx,
     404             :                                      client->msg_ctx,
     405             :                                      MSG_SMBXSRV_SESSION_CLOSE);
     406          50 :         if (subreq == NULL) {
     407             :                 const char *r;
     408           0 :                 r = "messaging_read_send(MSG_SMBXSRV_SESSION_CLOSE) failed";
     409           0 :                 exit_server_cleanly(r);
     410             :                 return;
     411             :         }
     412          50 :         tevent_req_set_callback(subreq, smbXsrv_session_close_loop, client);
     413          50 : }
     414             : 
     415          50 : static void smbXsrv_session_close_shutdown_done(struct tevent_req *subreq)
     416             : {
     417          50 :         struct smbXsrv_session *session =
     418          50 :                 tevent_req_callback_data(subreq,
     419             :                 struct smbXsrv_session);
     420             :         NTSTATUS status;
     421             : 
     422          50 :         status = smb2srv_session_shutdown_recv(subreq);
     423          50 :         TALLOC_FREE(subreq);
     424          50 :         if (!NT_STATUS_IS_OK(status)) {
     425           0 :                 DEBUG(0, ("smbXsrv_session_close_loop: "
     426             :                           "smb2srv_session_shutdown_recv(%llu) failed: %s\n",
     427             :                           (unsigned long long)session->global->session_wire_id,
     428             :                           nt_errstr(status)));
     429             :         }
     430             : 
     431          50 :         status = smbXsrv_session_logoff(session);
     432          50 :         if (!NT_STATUS_IS_OK(status)) {
     433           0 :                 DEBUG(0, ("smbXsrv_session_close_loop: "
     434             :                           "smbXsrv_session_logoff(%llu) failed: %s\n",
     435             :                           (unsigned long long)session->global->session_wire_id,
     436             :                           nt_errstr(status)));
     437             :         }
     438             : 
     439          50 :         TALLOC_FREE(session);
     440          50 : }
     441             : 
     442             : struct smb1srv_session_local_allocate_state {
     443             :         const uint32_t lowest_id;
     444             :         const uint32_t highest_id;
     445             :         uint32_t last_id;
     446             :         uint32_t useable_id;
     447             :         NTSTATUS status;
     448             : };
     449             : 
     450           0 : static int smb1srv_session_local_allocate_traverse(struct db_record *rec,
     451             :                                                    void *private_data)
     452             : {
     453           0 :         struct smb1srv_session_local_allocate_state *state =
     454             :                 (struct smb1srv_session_local_allocate_state *)private_data;
     455           0 :         TDB_DATA key = dbwrap_record_get_key(rec);
     456           0 :         uint32_t id = 0;
     457             :         NTSTATUS status;
     458             : 
     459           0 :         status = smbXsrv_session_local_key_to_id(key, &id);
     460           0 :         if (!NT_STATUS_IS_OK(status)) {
     461           0 :                 state->status = status;
     462           0 :                 return -1;
     463             :         }
     464             : 
     465           0 :         if (id <= state->last_id) {
     466           0 :                 state->status = NT_STATUS_INTERNAL_DB_CORRUPTION;
     467           0 :                 return -1;
     468             :         }
     469           0 :         state->last_id = id;
     470             : 
     471           0 :         if (id > state->useable_id) {
     472           0 :                 state->status = NT_STATUS_OK;
     473           0 :                 return -1;
     474             :         }
     475             : 
     476           0 :         if (state->useable_id == state->highest_id) {
     477           0 :                 state->status = NT_STATUS_INSUFFICIENT_RESOURCES;
     478           0 :                 return -1;
     479             :         }
     480             : 
     481           0 :         state->useable_id +=1;
     482           0 :         return 0;
     483             : }
     484             : 
     485        5282 : static NTSTATUS smb1srv_session_local_allocate_id(struct db_context *db,
     486             :                                                   uint32_t lowest_id,
     487             :                                                   uint32_t highest_id,
     488             :                                                   TALLOC_CTX *mem_ctx,
     489             :                                                   struct db_record **_rec,
     490             :                                                   uint32_t *_id)
     491             : {
     492        5282 :         struct smb1srv_session_local_allocate_state state = {
     493             :                 .lowest_id = lowest_id,
     494             :                 .highest_id = highest_id,
     495             :                 .last_id = 0,
     496             :                 .useable_id = lowest_id,
     497             :                 .status = NT_STATUS_INTERNAL_ERROR,
     498             :         };
     499             :         uint32_t i;
     500             :         uint32_t range;
     501             :         NTSTATUS status;
     502        5282 :         int count = 0;
     503             : 
     504        5282 :         *_rec = NULL;
     505        5282 :         *_id = 0;
     506             : 
     507        5282 :         if (lowest_id > highest_id) {
     508           0 :                 return NT_STATUS_INSUFFICIENT_RESOURCES;
     509             :         }
     510             : 
     511             :         /*
     512             :          * first we try randomly
     513             :          */
     514        5282 :         range = (highest_id - lowest_id) + 1;
     515             : 
     516       10564 :         for (i = 0; i < (range / 2); i++) {
     517             :                 uint32_t id;
     518             :                 TDB_DATA val;
     519        5282 :                 struct db_record *rec = NULL;
     520             : 
     521        5282 :                 id = generate_random() % range;
     522        5282 :                 id += lowest_id;
     523             : 
     524        5282 :                 if (id < lowest_id) {
     525           0 :                         id = lowest_id;
     526             :                 }
     527        5282 :                 if (id > highest_id) {
     528           0 :                         id = highest_id;
     529             :                 }
     530             : 
     531        5282 :                 rec = smbXsrv_session_local_fetch_locked(db, id, mem_ctx);
     532        5282 :                 if (rec == NULL) {
     533        5282 :                         return NT_STATUS_INSUFFICIENT_RESOURCES;
     534             :                 }
     535             : 
     536        5282 :                 val = dbwrap_record_get_value(rec);
     537        5282 :                 if (val.dsize != 0) {
     538           0 :                         TALLOC_FREE(rec);
     539           0 :                         continue;
     540             :                 }
     541             : 
     542        5282 :                 *_rec = rec;
     543        5282 :                 *_id = id;
     544        5282 :                 return NT_STATUS_OK;
     545             :         }
     546             : 
     547             :         /*
     548             :          * if the range is almost full,
     549             :          * we traverse the whole table
     550             :          * (this relies on sorted behavior of dbwrap_rbt)
     551             :          */
     552           0 :         status = dbwrap_traverse_read(db, smb1srv_session_local_allocate_traverse,
     553             :                                       &state, &count);
     554           0 :         if (NT_STATUS_IS_OK(status)) {
     555           0 :                 if (NT_STATUS_IS_OK(state.status)) {
     556           0 :                         return NT_STATUS_INTERNAL_ERROR;
     557             :                 }
     558             : 
     559           0 :                 if (!NT_STATUS_EQUAL(state.status, NT_STATUS_INTERNAL_ERROR)) {
     560           0 :                         return state.status;
     561             :                 }
     562             : 
     563           0 :                 if (state.useable_id <= state.highest_id) {
     564           0 :                         state.status = NT_STATUS_OK;
     565             :                 } else {
     566           0 :                         return NT_STATUS_INSUFFICIENT_RESOURCES;
     567             :                 }
     568           0 :         } else if (!NT_STATUS_EQUAL(status, NT_STATUS_INTERNAL_DB_CORRUPTION)) {
     569             :                 /*
     570             :                  * Here we really expect NT_STATUS_INTERNAL_DB_CORRUPTION!
     571             :                  *
     572             :                  * If we get anything else it is an error, because it
     573             :                  * means we did not manage to find a free slot in
     574             :                  * the db.
     575             :                  */
     576           0 :                 return NT_STATUS_INSUFFICIENT_RESOURCES;
     577             :         }
     578             : 
     579           0 :         if (NT_STATUS_IS_OK(state.status)) {
     580             :                 uint32_t id;
     581             :                 TDB_DATA val;
     582           0 :                 struct db_record *rec = NULL;
     583             : 
     584           0 :                 id = state.useable_id;
     585             : 
     586           0 :                 rec = smbXsrv_session_local_fetch_locked(db, id, mem_ctx);
     587           0 :                 if (rec == NULL) {
     588           0 :                         return NT_STATUS_INSUFFICIENT_RESOURCES;
     589             :                 }
     590             : 
     591           0 :                 val = dbwrap_record_get_value(rec);
     592           0 :                 if (val.dsize != 0) {
     593           0 :                         TALLOC_FREE(rec);
     594           0 :                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
     595             :                 }
     596             : 
     597           0 :                 *_rec = rec;
     598           0 :                 *_id = id;
     599           0 :                 return NT_STATUS_OK;
     600             :         }
     601             : 
     602           0 :         return state.status;
     603             : }
     604             : 
     605             : struct smbXsrv_session_local_fetch_state {
     606             :         struct smbXsrv_session *session;
     607             :         NTSTATUS status;
     608             : };
     609             : 
     610     3868956 : static void smbXsrv_session_local_fetch_parser(TDB_DATA key, TDB_DATA data,
     611             :                                                void *private_data)
     612             : {
     613     3868956 :         struct smbXsrv_session_local_fetch_state *state =
     614             :                 (struct smbXsrv_session_local_fetch_state *)private_data;
     615             :         void *ptr;
     616             : 
     617     3868956 :         if (data.dsize != sizeof(ptr)) {
     618           0 :                 state->status = NT_STATUS_INTERNAL_DB_ERROR;
     619           0 :                 return;
     620             :         }
     621             : 
     622     3868956 :         memcpy(&ptr, data.dptr, data.dsize);
     623     3868956 :         state->session = talloc_get_type_abort(ptr, struct smbXsrv_session);
     624     3868956 :         state->status = NT_STATUS_OK;
     625             : }
     626             : 
     627     2073692 : static NTSTATUS smbXsrv_session_local_lookup(struct smbXsrv_session_table *table,
     628             :                                              /* conn: optional */
     629             :                                              struct smbXsrv_connection *conn,
     630             :                                              uint32_t session_local_id,
     631             :                                              NTTIME now,
     632             :                                              struct smbXsrv_session **_session)
     633             : {
     634     2073692 :         struct smbXsrv_session_local_fetch_state state = {
     635             :                 .session = NULL,
     636             :                 .status = NT_STATUS_INTERNAL_ERROR,
     637             :         };
     638             :         uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
     639             :         TDB_DATA key;
     640             :         NTSTATUS status;
     641             : 
     642     2073692 :         *_session = NULL;
     643             : 
     644     2073692 :         if (session_local_id == 0) {
     645       86157 :                 return NT_STATUS_USER_SESSION_DELETED;
     646             :         }
     647             : 
     648     1987535 :         if (table == NULL) {
     649             :                 /* this might happen before the end of negprot */
     650           0 :                 return NT_STATUS_USER_SESSION_DELETED;
     651             :         }
     652             : 
     653     1987535 :         if (table->local.db_ctx == NULL) {
     654           0 :                 return NT_STATUS_INTERNAL_ERROR;
     655             :         }
     656             : 
     657     1987535 :         key = smbXsrv_session_local_id_to_key(session_local_id, key_buf);
     658             : 
     659     1987535 :         status = dbwrap_parse_record(table->local.db_ctx, key,
     660             :                                      smbXsrv_session_local_fetch_parser,
     661             :                                      &state);
     662     1987535 :         if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
     663         895 :                 return NT_STATUS_USER_SESSION_DELETED;
     664     1986640 :         } else if (!NT_STATUS_IS_OK(status)) {
     665           0 :                 return status;
     666             :         }
     667     1986640 :         if (!NT_STATUS_IS_OK(state.status)) {
     668           0 :                 return state.status;
     669             :         }
     670             : 
     671     1986640 :         if (NT_STATUS_EQUAL(state.session->status, NT_STATUS_USER_SESSION_DELETED)) {
     672           0 :                 return NT_STATUS_USER_SESSION_DELETED;
     673             :         }
     674             : 
     675             :         /*
     676             :          * If a connection is specified check if the session is
     677             :          * valid on the channel.
     678             :          */
     679     1986640 :         if (conn != NULL) {
     680     1969134 :                 struct smbXsrv_channel_global0 *c = NULL;
     681             : 
     682     1969134 :                 status = smbXsrv_session_find_channel(state.session, conn, &c);
     683     1969134 :                 if (!NT_STATUS_IS_OK(status)) {
     684         120 :                         return status;
     685             :                 }
     686             :         }
     687             : 
     688     1986520 :         state.session->idle_time = now;
     689             : 
     690     1986520 :         if (!NT_STATUS_IS_OK(state.session->status)) {
     691       24736 :                 *_session = state.session;
     692       24736 :                 return state.session->status;
     693             :         }
     694             : 
     695     1961784 :         if (now > state.session->global->expiration_time) {
     696          40 :                 state.session->status = NT_STATUS_NETWORK_SESSION_EXPIRED;
     697             :         }
     698             : 
     699     1961784 :         *_session = state.session;
     700     1961784 :         return state.session->status;
     701             : }
     702             : 
     703       26915 : static int smbXsrv_session_global_destructor(struct smbXsrv_session_global0 *global)
     704             : {
     705       26915 :         return 0;
     706             : }
     707             : 
     708             : static void smbXsrv_session_global_verify_record(struct db_record *db_rec,
     709             :                                         bool *is_free,
     710             :                                         bool *was_free,
     711             :                                         TALLOC_CTX *mem_ctx,
     712             :                                         struct smbXsrv_session_global0 **_g);
     713             : 
     714       26929 : static NTSTATUS smbXsrv_session_global_allocate(struct db_context *db,
     715             :                                         TALLOC_CTX *mem_ctx,
     716             :                                         struct smbXsrv_session_global0 **_global)
     717             : {
     718             :         uint32_t i;
     719       26929 :         struct smbXsrv_session_global0 *global = NULL;
     720       26929 :         uint32_t last_free = 0;
     721       26929 :         const uint32_t min_tries = 3;
     722             : 
     723       26929 :         *_global = NULL;
     724             : 
     725       26929 :         global = talloc_zero(mem_ctx, struct smbXsrv_session_global0);
     726       26929 :         if (global == NULL) {
     727           0 :                 return NT_STATUS_NO_MEMORY;
     728             :         }
     729       26929 :         talloc_set_destructor(global, smbXsrv_session_global_destructor);
     730             : 
     731             :         /*
     732             :          * Here we just randomly try the whole 32-bit space
     733             :          *
     734             :          * We use just 32-bit, because we want to reuse the
     735             :          * ID for SRVSVC.
     736             :          */
     737       26929 :         for (i = 0; i < UINT32_MAX; i++) {
     738       26929 :                 bool is_free = false;
     739       26929 :                 bool was_free = false;
     740             :                 uint32_t id;
     741             : 
     742       26929 :                 if (i >= min_tries && last_free != 0) {
     743           0 :                         id = last_free;
     744             :                 } else {
     745       26929 :                         id = generate_random();
     746             :                 }
     747       26929 :                 if (id == 0) {
     748           0 :                         id++;
     749             :                 }
     750       26929 :                 if (id == UINT32_MAX) {
     751           0 :                         id--;
     752             :                 }
     753             : 
     754       26929 :                 global->db_rec = smbXsrv_session_global_fetch_locked(db, id,
     755             :                                                                      mem_ctx);
     756       26929 :                 if (global->db_rec == NULL) {
     757           0 :                         talloc_free(global);
     758       26929 :                         return NT_STATUS_INSUFFICIENT_RESOURCES;
     759             :                 }
     760             : 
     761       26929 :                 smbXsrv_session_global_verify_record(global->db_rec,
     762             :                                                      &is_free,
     763             :                                                      &was_free,
     764             :                                                      NULL, NULL);
     765             : 
     766       26929 :                 if (!is_free) {
     767           0 :                         TALLOC_FREE(global->db_rec);
     768           0 :                         continue;
     769             :                 }
     770             : 
     771       26929 :                 if (!was_free && i < min_tries) {
     772             :                         /*
     773             :                          * The session_id is free now,
     774             :                          * but was not free before.
     775             :                          *
     776             :                          * This happens if a smbd crashed
     777             :                          * and did not cleanup the record.
     778             :                          *
     779             :                          * If this is one of our first tries,
     780             :                          * then we try to find a real free one.
     781             :                          */
     782           0 :                         if (last_free == 0) {
     783           0 :                                 last_free = id;
     784             :                         }
     785           0 :                         TALLOC_FREE(global->db_rec);
     786           0 :                         continue;
     787             :                 }
     788             : 
     789       26929 :                 global->session_global_id = id;
     790             : 
     791       26929 :                 *_global = global;
     792       26929 :                 return NT_STATUS_OK;
     793             :         }
     794             : 
     795             :         /* should not be reached */
     796           0 :         talloc_free(global);
     797           0 :         return NT_STATUS_INTERNAL_ERROR;
     798             : }
     799             : 
     800       27939 : static void smbXsrv_session_global_verify_record(struct db_record *db_rec,
     801             :                                         bool *is_free,
     802             :                                         bool *was_free,
     803             :                                         TALLOC_CTX *mem_ctx,
     804             :                                         struct smbXsrv_session_global0 **_g)
     805             : {
     806             :         TDB_DATA key;
     807             :         TDB_DATA val;
     808             :         DATA_BLOB blob;
     809             :         struct smbXsrv_session_globalB global_blob;
     810             :         enum ndr_err_code ndr_err;
     811       27939 :         struct smbXsrv_session_global0 *global = NULL;
     812             :         bool exists;
     813       27939 :         TALLOC_CTX *frame = talloc_stackframe();
     814             : 
     815       27939 :         *is_free = false;
     816             : 
     817       27939 :         if (was_free) {
     818       26929 :                 *was_free = false;
     819             :         }
     820       27939 :         if (_g) {
     821        1010 :                 *_g = NULL;
     822             :         }
     823             : 
     824       27939 :         key = dbwrap_record_get_key(db_rec);
     825             : 
     826       27939 :         val = dbwrap_record_get_value(db_rec);
     827       27939 :         if (val.dsize == 0) {
     828       27037 :                 TALLOC_FREE(frame);
     829       27037 :                 *is_free = true;
     830       27037 :                 if (was_free) {
     831       26929 :                         *was_free = true;
     832             :                 }
     833       53552 :                 return;
     834             :         }
     835             : 
     836         902 :         blob = data_blob_const(val.dptr, val.dsize);
     837             : 
     838         902 :         ndr_err = ndr_pull_struct_blob(&blob, frame, &global_blob,
     839             :                         (ndr_pull_flags_fn_t)ndr_pull_smbXsrv_session_globalB);
     840         902 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     841           0 :                 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
     842           0 :                 DEBUG(1,("smbXsrv_session_global_verify_record: "
     843             :                          "key '%s' ndr_pull_struct_blob - %s\n",
     844             :                          hex_encode_talloc(frame, key.dptr, key.dsize),
     845             :                          nt_errstr(status)));
     846           0 :                 TALLOC_FREE(frame);
     847           0 :                 *is_free = true;
     848           0 :                 if (was_free) {
     849           0 :                         *was_free = true;
     850             :                 }
     851           0 :                 return;
     852             :         }
     853             : 
     854         902 :         DEBUG(10,("smbXsrv_session_global_verify_record\n"));
     855         902 :         if (DEBUGLVL(10)) {
     856           0 :                 NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
     857             :         }
     858             : 
     859         902 :         if (global_blob.version != SMBXSRV_VERSION_0) {
     860           0 :                 DEBUG(0,("smbXsrv_session_global_verify_record: "
     861             :                          "key '%s' use unsupported version %u\n",
     862             :                          hex_encode_talloc(frame, key.dptr, key.dsize),
     863             :                          global_blob.version));
     864           0 :                 NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
     865           0 :                 TALLOC_FREE(frame);
     866           0 :                 *is_free = true;
     867           0 :                 if (was_free) {
     868           0 :                         *was_free = true;
     869             :                 }
     870           0 :                 return;
     871             :         }
     872             : 
     873         902 :         global = global_blob.info.info0;
     874             : 
     875             : #define __BLOB_KEEP_SECRET(__blob) do { \
     876             :         if ((__blob).length != 0) { \
     877             :                 talloc_keep_secret((__blob).data); \
     878             :         } \
     879             : } while(0)
     880             :         {
     881             :                 uint32_t i;
     882         902 :                 __BLOB_KEEP_SECRET(global->application_key_blob);
     883         902 :                 __BLOB_KEEP_SECRET(global->signing_key_blob);
     884         902 :                 __BLOB_KEEP_SECRET(global->encryption_key_blob);
     885         902 :                 __BLOB_KEEP_SECRET(global->decryption_key_blob);
     886        1812 :                 for (i = 0; i < global->num_channels; i++) {
     887         910 :                         __BLOB_KEEP_SECRET(global->channels[i].signing_key_blob);
     888             :                 }
     889             :         }
     890             : #undef __BLOB_KEEP_SECRET
     891             : 
     892         902 :         exists = serverid_exists(&global->channels[0].server_id);
     893         902 :         if (!exists) {
     894             :                 struct server_id_buf idbuf;
     895           0 :                 DEBUG(2,("smbXsrv_session_global_verify_record: "
     896             :                          "key '%s' server_id %s does not exist.\n",
     897             :                          hex_encode_talloc(frame, key.dptr, key.dsize),
     898             :                          server_id_str_buf(global->channels[0].server_id,
     899             :                                            &idbuf)));
     900           0 :                 if (DEBUGLVL(2)) {
     901           0 :                         NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
     902             :                 }
     903           0 :                 TALLOC_FREE(frame);
     904           0 :                 dbwrap_record_delete(db_rec);
     905           0 :                 *is_free = true;
     906           0 :                 return;
     907             :         }
     908             : 
     909         902 :         if (_g) {
     910         902 :                 *_g = talloc_move(mem_ctx, &global);
     911             :         }
     912         902 :         TALLOC_FREE(frame);
     913             : }
     914             : 
     915      138752 : static NTSTATUS smbXsrv_session_global_store(struct smbXsrv_session_global0 *global)
     916             : {
     917             :         struct smbXsrv_session_globalB global_blob;
     918      138752 :         DATA_BLOB blob = data_blob_null;
     919             :         TDB_DATA key;
     920             :         TDB_DATA val;
     921             :         NTSTATUS status;
     922             :         enum ndr_err_code ndr_err;
     923             : 
     924             :         /*
     925             :          * TODO: if we use other versions than '0'
     926             :          * we would add glue code here, that would be able to
     927             :          * store the information in the old format.
     928             :          */
     929             : 
     930      138752 :         if (global->db_rec == NULL) {
     931           0 :                 return NT_STATUS_INTERNAL_ERROR;
     932             :         }
     933             : 
     934      138752 :         key = dbwrap_record_get_key(global->db_rec);
     935      138752 :         val = dbwrap_record_get_value(global->db_rec);
     936             : 
     937      138752 :         ZERO_STRUCT(global_blob);
     938      138752 :         global_blob.version = smbXsrv_version_global_current();
     939      138752 :         if (val.dsize >= 8) {
     940      111823 :                 global_blob.seqnum = IVAL(val.dptr, 4);
     941             :         }
     942      138752 :         global_blob.seqnum += 1;
     943      138752 :         global_blob.info.info0 = global;
     944             : 
     945      138752 :         ndr_err = ndr_push_struct_blob(&blob, global->db_rec, &global_blob,
     946             :                         (ndr_push_flags_fn_t)ndr_push_smbXsrv_session_globalB);
     947      138752 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
     948           0 :                 status = ndr_map_error2ntstatus(ndr_err);
     949           0 :                 DEBUG(1,("smbXsrv_session_global_store: key '%s' ndr_push - %s\n",
     950             :                          hex_encode_talloc(global->db_rec, key.dptr, key.dsize),
     951             :                          nt_errstr(status)));
     952           0 :                 TALLOC_FREE(global->db_rec);
     953           0 :                 return status;
     954             :         }
     955             : 
     956      138752 :         val = make_tdb_data(blob.data, blob.length);
     957      138752 :         status = dbwrap_record_store(global->db_rec, val, TDB_REPLACE);
     958      138752 :         if (!NT_STATUS_IS_OK(status)) {
     959           0 :                 DEBUG(1,("smbXsrv_session_global_store: key '%s' store - %s\n",
     960             :                          hex_encode_talloc(global->db_rec, key.dptr, key.dsize),
     961             :                          nt_errstr(status)));
     962           0 :                 TALLOC_FREE(global->db_rec);
     963           0 :                 return status;
     964             :         }
     965             : 
     966      138752 :         if (DEBUGLVL(10)) {
     967           0 :                 DEBUG(10,("smbXsrv_session_global_store: key '%s' stored\n",
     968             :                          hex_encode_talloc(global->db_rec, key.dptr, key.dsize)));
     969           0 :                 NDR_PRINT_DEBUG(smbXsrv_session_globalB, &global_blob);
     970             :         }
     971             : 
     972      138752 :         TALLOC_FREE(global->db_rec);
     973             : 
     974      138752 :         return NT_STATUS_OK;
     975             : }
     976             : 
     977             : struct smb2srv_session_close_previous_state {
     978             :         struct tevent_context *ev;
     979             :         struct smbXsrv_connection *connection;
     980             :         struct dom_sid *current_sid;
     981             :         uint64_t previous_session_id;
     982             :         uint64_t current_session_id;
     983             :         struct db_record *db_rec;
     984             : };
     985             : 
     986             : static void smb2srv_session_close_previous_check(struct tevent_req *req);
     987             : static void smb2srv_session_close_previous_modified(struct tevent_req *subreq);
     988             : 
     989          98 : struct tevent_req *smb2srv_session_close_previous_send(TALLOC_CTX *mem_ctx,
     990             :                                         struct tevent_context *ev,
     991             :                                         struct smbXsrv_connection *conn,
     992             :                                         struct auth_session_info *session_info,
     993             :                                         uint64_t previous_session_id,
     994             :                                         uint64_t current_session_id)
     995             : {
     996             :         struct tevent_req *req;
     997             :         struct smb2srv_session_close_previous_state *state;
     998          98 :         uint32_t global_id = previous_session_id & UINT32_MAX;
     999          98 :         uint64_t global_zeros = previous_session_id & 0xFFFFFFFF00000000LLU;
    1000          98 :         struct smbXsrv_session_table *table = conn->client->session_table;
    1001          98 :         struct security_token *current_token = NULL;
    1002             : 
    1003          98 :         req = tevent_req_create(mem_ctx, &state,
    1004             :                                 struct smb2srv_session_close_previous_state);
    1005          98 :         if (req == NULL) {
    1006           0 :                 return NULL;
    1007             :         }
    1008          98 :         state->ev = ev;
    1009          98 :         state->connection = conn;
    1010          98 :         state->previous_session_id = previous_session_id;
    1011          98 :         state->current_session_id = current_session_id;
    1012             : 
    1013          98 :         if (global_zeros != 0) {
    1014           0 :                 tevent_req_done(req);
    1015           0 :                 return tevent_req_post(req, ev);
    1016             :         }
    1017             : 
    1018          98 :         if (session_info == NULL) {
    1019           0 :                 tevent_req_done(req);
    1020           0 :                 return tevent_req_post(req, ev);
    1021             :         }
    1022          98 :         current_token = session_info->security_token;
    1023             : 
    1024          98 :         if (current_token->num_sids > PRIMARY_USER_SID_INDEX) {
    1025          98 :                 state->current_sid = &current_token->sids[PRIMARY_USER_SID_INDEX];
    1026             :         }
    1027             : 
    1028          98 :         if (state->current_sid == NULL) {
    1029           0 :                 tevent_req_done(req);
    1030           0 :                 return tevent_req_post(req, ev);
    1031             :         }
    1032             : 
    1033          98 :         if (!security_token_has_nt_authenticated_users(current_token)) {
    1034             :                 /* TODO */
    1035           0 :                 tevent_req_done(req);
    1036           0 :                 return tevent_req_post(req, ev);
    1037             :         }
    1038             : 
    1039          98 :         state->db_rec = smbXsrv_session_global_fetch_locked(
    1040             :                                                         table->global.db_ctx,
    1041             :                                                         global_id,
    1042             :                                                         state /* TALLOC_CTX */);
    1043          98 :         if (state->db_rec == NULL) {
    1044           0 :                 tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
    1045           0 :                 return tevent_req_post(req, ev);
    1046             :         }
    1047             : 
    1048          98 :         smb2srv_session_close_previous_check(req);
    1049          98 :         if (!tevent_req_is_in_progress(req)) {
    1050          46 :                 return tevent_req_post(req, ev);
    1051             :         }
    1052             : 
    1053          52 :         return req;
    1054             : }
    1055             : 
    1056         150 : static void smb2srv_session_close_previous_check(struct tevent_req *req)
    1057             : {
    1058         150 :         struct smb2srv_session_close_previous_state *state =
    1059         150 :                 tevent_req_data(req,
    1060             :                 struct smb2srv_session_close_previous_state);
    1061         150 :         struct smbXsrv_connection *conn = state->connection;
    1062             :         DATA_BLOB blob;
    1063         150 :         struct security_token *previous_token = NULL;
    1064         150 :         struct smbXsrv_session_global0 *global = NULL;
    1065             :         enum ndr_err_code ndr_err;
    1066             :         struct smbXsrv_session_close0 close_info0;
    1067             :         struct smbXsrv_session_closeB close_blob;
    1068         150 :         struct tevent_req *subreq = NULL;
    1069             :         NTSTATUS status;
    1070         150 :         bool is_free = false;
    1071             : 
    1072         150 :         smbXsrv_session_global_verify_record(state->db_rec,
    1073             :                                              &is_free,
    1074             :                                              NULL,
    1075             :                                              state,
    1076             :                                              &global);
    1077             : 
    1078         150 :         if (is_free) {
    1079          98 :                 TALLOC_FREE(state->db_rec);
    1080          98 :                 tevent_req_done(req);
    1081          98 :                 return;
    1082             :         }
    1083             : 
    1084          52 :         if (global->auth_session_info == NULL) {
    1085           0 :                 TALLOC_FREE(state->db_rec);
    1086           0 :                 tevent_req_done(req);
    1087           0 :                 return;
    1088             :         }
    1089             : 
    1090          52 :         previous_token = global->auth_session_info->security_token;
    1091             : 
    1092          52 :         if (!security_token_is_sid(previous_token, state->current_sid)) {
    1093           0 :                 TALLOC_FREE(state->db_rec);
    1094           0 :                 tevent_req_done(req);
    1095           0 :                 return;
    1096             :         }
    1097             : 
    1098          52 :         subreq = dbwrap_watched_watch_send(state, state->ev, state->db_rec,
    1099          52 :                                            (struct server_id){0});
    1100          52 :         if (tevent_req_nomem(subreq, req)) {
    1101           0 :                 TALLOC_FREE(state->db_rec);
    1102           0 :                 return;
    1103             :         }
    1104          52 :         tevent_req_set_callback(subreq,
    1105             :                                 smb2srv_session_close_previous_modified,
    1106             :                                 req);
    1107             : 
    1108          52 :         close_info0.old_session_global_id = global->session_global_id;
    1109          52 :         close_info0.old_session_wire_id = global->session_wire_id;
    1110          52 :         close_info0.old_creation_time = global->creation_time;
    1111          52 :         close_info0.new_session_wire_id = state->current_session_id;
    1112             : 
    1113          52 :         ZERO_STRUCT(close_blob);
    1114          52 :         close_blob.version = smbXsrv_version_global_current();
    1115          52 :         close_blob.info.info0 = &close_info0;
    1116             : 
    1117          52 :         ndr_err = ndr_push_struct_blob(&blob, state, &close_blob,
    1118             :                         (ndr_push_flags_fn_t)ndr_push_smbXsrv_session_closeB);
    1119          52 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    1120           0 :                 TALLOC_FREE(state->db_rec);
    1121           0 :                 status = ndr_map_error2ntstatus(ndr_err);
    1122           0 :                 DEBUG(1,("smb2srv_session_close_previous_check: "
    1123             :                          "old_session[%llu] new_session[%llu] ndr_push - %s\n",
    1124             :                          (unsigned long long)close_info0.old_session_wire_id,
    1125             :                          (unsigned long long)close_info0.new_session_wire_id,
    1126             :                          nt_errstr(status)));
    1127           0 :                 tevent_req_nterror(req, status);
    1128           0 :                 return;
    1129             :         }
    1130             : 
    1131          52 :         status = messaging_send(conn->client->msg_ctx,
    1132          52 :                                 global->channels[0].server_id,
    1133             :                                 MSG_SMBXSRV_SESSION_CLOSE, &blob);
    1134          52 :         TALLOC_FREE(state->db_rec);
    1135          52 :         if (tevent_req_nterror(req, status)) {
    1136           0 :                 return;
    1137             :         }
    1138             : 
    1139          52 :         TALLOC_FREE(global);
    1140          52 :         return;
    1141             : }
    1142             : 
    1143          52 : static void smb2srv_session_close_previous_modified(struct tevent_req *subreq)
    1144             : {
    1145          52 :         struct tevent_req *req =
    1146          52 :                 tevent_req_callback_data(subreq,
    1147             :                 struct tevent_req);
    1148          52 :         struct smb2srv_session_close_previous_state *state =
    1149          52 :                 tevent_req_data(req,
    1150             :                 struct smb2srv_session_close_previous_state);
    1151             :         uint32_t global_id;
    1152             :         NTSTATUS status;
    1153             : 
    1154          52 :         status = dbwrap_watched_watch_recv(subreq, NULL, NULL);
    1155          52 :         TALLOC_FREE(subreq);
    1156          52 :         if (tevent_req_nterror(req, status)) {
    1157           0 :                 return;
    1158             :         }
    1159             : 
    1160          52 :         global_id = state->previous_session_id & UINT32_MAX;
    1161             : 
    1162          52 :         state->db_rec = smbXsrv_session_global_fetch_locked(
    1163          52 :                 state->connection->client->session_table->global.db_ctx,
    1164             :                 global_id, state /* TALLOC_CTX */);
    1165          52 :         if (state->db_rec == NULL) {
    1166           0 :                 tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
    1167           0 :                 return;
    1168             :         }
    1169             : 
    1170          52 :         smb2srv_session_close_previous_check(req);
    1171             : }
    1172             : 
    1173          98 : NTSTATUS smb2srv_session_close_previous_recv(struct tevent_req *req)
    1174             : {
    1175             :         NTSTATUS status;
    1176             : 
    1177          98 :         if (tevent_req_is_nterror(req, &status)) {
    1178           0 :                 tevent_req_received(req);
    1179           0 :                 return status;
    1180             :         }
    1181             : 
    1182          98 :         tevent_req_received(req);
    1183          98 :         return NT_STATUS_OK;
    1184             : }
    1185             : 
    1186       52142 : static NTSTATUS smbXsrv_session_clear_and_logoff(struct smbXsrv_session *session)
    1187             : {
    1188             :         NTSTATUS status;
    1189       52142 :         struct smbXsrv_connection *xconn = NULL;
    1190             : 
    1191       52142 :         if (session->client != NULL) {
    1192       26664 :                 xconn = session->client->connections;
    1193             :         }
    1194             : 
    1195       77810 :         for (; xconn != NULL; xconn = xconn->next) {
    1196             :                 struct smbd_smb2_request *preq;
    1197             : 
    1198       26768 :                 for (preq = xconn->smb2.requests; preq != NULL; preq = preq->next) {
    1199          56 :                         if (preq->session != session) {
    1200           0 :                                 continue;
    1201             :                         }
    1202             : 
    1203          56 :                         preq->session = NULL;
    1204             :                         /*
    1205             :                          * If we no longer have a session we can't
    1206             :                          * sign or encrypt replies.
    1207             :                          */
    1208          56 :                         preq->do_signing = false;
    1209          56 :                         preq->do_encryption = false;
    1210          56 :                         preq->preauth = NULL;
    1211             :                 }
    1212             :         }
    1213             : 
    1214       52142 :         status = smbXsrv_session_logoff(session);
    1215       52142 :         return status;
    1216             : }
    1217             : 
    1218       26915 : static int smbXsrv_session_destructor(struct smbXsrv_session *session)
    1219             : {
    1220             :         NTSTATUS status;
    1221             : 
    1222       26915 :         DBG_DEBUG("destructing session(%llu)\n",
    1223             :                   (unsigned long long)session->global->session_wire_id);
    1224             : 
    1225       26915 :         status = smbXsrv_session_clear_and_logoff(session);
    1226       26915 :         if (!NT_STATUS_IS_OK(status)) {
    1227           0 :                 DEBUG(0, ("smbXsrv_session_destructor: "
    1228             :                           "smbXsrv_session_logoff() failed: %s\n",
    1229             :                           nt_errstr(status)));
    1230             :         }
    1231             : 
    1232       26915 :         TALLOC_FREE(session->global);
    1233             : 
    1234       26915 :         return 0;
    1235             : }
    1236             : 
    1237       26929 : NTSTATUS smbXsrv_session_create(struct smbXsrv_connection *conn,
    1238             :                                 NTTIME now,
    1239             :                                 struct smbXsrv_session **_session)
    1240             : {
    1241       26929 :         struct smbXsrv_session_table *table = conn->client->session_table;
    1242       26929 :         struct db_record *local_rec = NULL;
    1243       26929 :         struct smbXsrv_session *session = NULL;
    1244       26929 :         void *ptr = NULL;
    1245             :         TDB_DATA val;
    1246       26929 :         struct smbXsrv_session_global0 *global = NULL;
    1247       26929 :         struct smbXsrv_channel_global0 *channel = NULL;
    1248             :         NTSTATUS status;
    1249             : 
    1250       26929 :         if (table->local.num_sessions >= table->local.max_sessions) {
    1251           0 :                 return NT_STATUS_INSUFFICIENT_RESOURCES;
    1252             :         }
    1253             : 
    1254       26929 :         session = talloc_zero(table, struct smbXsrv_session);
    1255       26929 :         if (session == NULL) {
    1256           0 :                 return NT_STATUS_NO_MEMORY;
    1257             :         }
    1258       26929 :         session->table = table;
    1259       26929 :         session->idle_time = now;
    1260       26929 :         session->status = NT_STATUS_MORE_PROCESSING_REQUIRED;
    1261       26929 :         session->client = conn->client;
    1262       26929 :         session->homes_snum = -1;
    1263             : 
    1264       26929 :         status = smbXsrv_session_global_allocate(table->global.db_ctx,
    1265             :                                                  session,
    1266             :                                                  &global);
    1267       26929 :         if (!NT_STATUS_IS_OK(status)) {
    1268           0 :                 TALLOC_FREE(session);
    1269           0 :                 return status;
    1270             :         }
    1271       26929 :         session->global = global;
    1272             : 
    1273       26929 :         if (conn->protocol >= PROTOCOL_SMB2_02) {
    1274       21647 :                 uint64_t id = global->session_global_id;
    1275             : 
    1276       21647 :                 global->connection_dialect = conn->smb2.server.dialect;
    1277             : 
    1278       21647 :                 global->session_wire_id = id;
    1279             : 
    1280       21647 :                 status = smb2srv_tcon_table_init(session);
    1281       21647 :                 if (!NT_STATUS_IS_OK(status)) {
    1282           0 :                         TALLOC_FREE(session);
    1283           0 :                         return status;
    1284             :                 }
    1285             : 
    1286       21647 :                 session->local_id = global->session_global_id;
    1287             : 
    1288       21647 :                 local_rec = smbXsrv_session_local_fetch_locked(
    1289             :                                                 table->local.db_ctx,
    1290             :                                                 session->local_id,
    1291             :                                                 session /* TALLOC_CTX */);
    1292       21647 :                 if (local_rec == NULL) {
    1293           0 :                         TALLOC_FREE(session);
    1294           0 :                         return NT_STATUS_NO_MEMORY;
    1295             :                 }
    1296             : 
    1297       21647 :                 val = dbwrap_record_get_value(local_rec);
    1298       21647 :                 if (val.dsize != 0) {
    1299           0 :                         TALLOC_FREE(session);
    1300           0 :                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
    1301             :                 }
    1302             :         } else {
    1303             : 
    1304        5282 :                 status = smb1srv_session_local_allocate_id(table->local.db_ctx,
    1305             :                                                         table->local.lowest_id,
    1306             :                                                         table->local.highest_id,
    1307             :                                                         session,
    1308             :                                                         &local_rec,
    1309             :                                                         &session->local_id);
    1310        5282 :                 if (!NT_STATUS_IS_OK(status)) {
    1311           0 :                         TALLOC_FREE(session);
    1312           0 :                         return status;
    1313             :                 }
    1314             : 
    1315        5282 :                 global->session_wire_id = session->local_id;
    1316             :         }
    1317             : 
    1318       26929 :         global->creation_time = now;
    1319       26929 :         global->expiration_time = GENSEC_EXPIRE_TIME_INFINITY;
    1320             : 
    1321       26929 :         status = smbXsrv_session_add_channel(session, conn, now, &channel);
    1322       26929 :         if (!NT_STATUS_IS_OK(status)) {
    1323           0 :                 TALLOC_FREE(session);
    1324           0 :                 return status;
    1325             :         }
    1326             : 
    1327       26929 :         ptr = session;
    1328       26929 :         val = make_tdb_data((uint8_t const *)&ptr, sizeof(ptr));
    1329       26929 :         status = dbwrap_record_store(local_rec, val, TDB_REPLACE);
    1330       26929 :         TALLOC_FREE(local_rec);
    1331       26929 :         if (!NT_STATUS_IS_OK(status)) {
    1332           0 :                 TALLOC_FREE(session);
    1333           0 :                 return status;
    1334             :         }
    1335       26929 :         table->local.num_sessions += 1;
    1336             : 
    1337       26929 :         talloc_set_destructor(session, smbXsrv_session_destructor);
    1338             : 
    1339       26929 :         status = smbXsrv_session_global_store(global);
    1340       26929 :         if (!NT_STATUS_IS_OK(status)) {
    1341           0 :                 DEBUG(0,("smbXsrv_session_create: "
    1342             :                          "global_id (0x%08x) store failed - %s\n",
    1343             :                          session->global->session_global_id,
    1344             :                          nt_errstr(status)));
    1345           0 :                 TALLOC_FREE(session);
    1346           0 :                 return status;
    1347             :         }
    1348             : 
    1349       26929 :         if (DEBUGLVL(10)) {
    1350           0 :                 struct smbXsrv_sessionB session_blob = {
    1351             :                         .version = SMBXSRV_VERSION_0,
    1352             :                         .info.info0 = session,
    1353             :                 };
    1354             : 
    1355           0 :                 DEBUG(10,("smbXsrv_session_create: global_id (0x%08x) stored\n",
    1356             :                          session->global->session_global_id));
    1357           0 :                 NDR_PRINT_DEBUG(smbXsrv_sessionB, &session_blob);
    1358             :         }
    1359             : 
    1360       26929 :         *_session = session;
    1361       26929 :         return NT_STATUS_OK;
    1362             : }
    1363             : 
    1364       27693 : NTSTATUS smbXsrv_session_add_channel(struct smbXsrv_session *session,
    1365             :                                      struct smbXsrv_connection *conn,
    1366             :                                      NTTIME now,
    1367             :                                      struct smbXsrv_channel_global0 **_c)
    1368             : {
    1369       27693 :         struct smbXsrv_session_global0 *global = session->global;
    1370       27693 :         struct smbXsrv_channel_global0 *c = NULL;
    1371             : 
    1372       27693 :         if (global->num_channels > 31) {
    1373             :                 /*
    1374             :                  * Windows allow up to 32 channels
    1375             :                  */
    1376           4 :                 return NT_STATUS_INSUFFICIENT_RESOURCES;
    1377             :         }
    1378             : 
    1379       27689 :         c = talloc_realloc(global,
    1380             :                            global->channels,
    1381             :                            struct smbXsrv_channel_global0,
    1382             :                            global->num_channels + 1);
    1383       27689 :         if (c == NULL) {
    1384           0 :                 return NT_STATUS_NO_MEMORY;
    1385             :         }
    1386       27689 :         global->channels = c;
    1387             : 
    1388       27689 :         c = &global->channels[global->num_channels];
    1389       27689 :         ZERO_STRUCTP(c);
    1390             : 
    1391       27689 :         c->server_id = messaging_server_id(conn->client->msg_ctx);
    1392       27689 :         c->channel_id = conn->channel_id;
    1393       27689 :         c->creation_time = now;
    1394       27689 :         c->local_address = tsocket_address_string(conn->local_address,
    1395       27689 :                                                   global->channels);
    1396       27689 :         if (c->local_address == NULL) {
    1397           0 :                 return NT_STATUS_NO_MEMORY;
    1398             :         }
    1399       27689 :         c->remote_address = tsocket_address_string(conn->remote_address,
    1400       27689 :                                                    global->channels);
    1401       27689 :         if (c->remote_address == NULL) {
    1402           0 :                 return NT_STATUS_NO_MEMORY;
    1403             :         }
    1404       27689 :         c->remote_name = talloc_strdup(global->channels,
    1405             :                                        conn->remote_hostname);
    1406       27689 :         if (c->remote_name == NULL) {
    1407           0 :                 return NT_STATUS_NO_MEMORY;
    1408             :         }
    1409       27689 :         c->connection = conn;
    1410             : 
    1411       27689 :         global->num_channels += 1;
    1412             : 
    1413       27689 :         *_c = c;
    1414       27689 :         return NT_STATUS_OK;
    1415             : }
    1416             : 
    1417      111823 : NTSTATUS smbXsrv_session_update(struct smbXsrv_session *session)
    1418             : {
    1419      111823 :         struct smbXsrv_session_table *table = session->table;
    1420             :         NTSTATUS status;
    1421             : 
    1422      111823 :         if (session->global->db_rec != NULL) {
    1423           0 :                 DEBUG(0, ("smbXsrv_session_update(0x%08x): "
    1424             :                           "Called with db_rec != NULL'\n",
    1425             :                           session->global->session_global_id));
    1426           0 :                 return NT_STATUS_INTERNAL_ERROR;
    1427             :         }
    1428             : 
    1429      111823 :         if (table == NULL) {
    1430           0 :                 DEBUG(0, ("smbXsrv_session_update(0x%08x): "
    1431             :                           "Called with table == NULL'\n",
    1432             :                           session->global->session_global_id));
    1433           0 :                 return NT_STATUS_INTERNAL_ERROR;
    1434             :         }
    1435             : 
    1436      111823 :         session->global->db_rec = smbXsrv_session_global_fetch_locked(
    1437             :                                         table->global.db_ctx,
    1438      110385 :                                         session->global->session_global_id,
    1439      110385 :                                         session->global /* TALLOC_CTX */);
    1440      111823 :         if (session->global->db_rec == NULL) {
    1441           0 :                 return NT_STATUS_INTERNAL_DB_ERROR;
    1442             :         }
    1443             : 
    1444      111823 :         status = smbXsrv_session_global_store(session->global);
    1445      111823 :         if (!NT_STATUS_IS_OK(status)) {
    1446           0 :                 DEBUG(0,("smbXsrv_session_update: "
    1447             :                          "global_id (0x%08x) store failed - %s\n",
    1448             :                          session->global->session_global_id,
    1449             :                          nt_errstr(status)));
    1450           0 :                 return status;
    1451             :         }
    1452             : 
    1453      111823 :         if (DEBUGLVL(10)) {
    1454           0 :                 struct smbXsrv_sessionB session_blob = {
    1455             :                         .version = SMBXSRV_VERSION_0,
    1456             :                         .info.info0 = session,
    1457             :                 };
    1458             : 
    1459           0 :                 DEBUG(10,("smbXsrv_session_update: global_id (0x%08x) stored\n",
    1460             :                           session->global->session_global_id));
    1461           0 :                 NDR_PRINT_DEBUG(smbXsrv_sessionB, &session_blob);
    1462             :         }
    1463             : 
    1464      111823 :         return NT_STATUS_OK;
    1465             : }
    1466             : 
    1467     3323545 : NTSTATUS smbXsrv_session_find_channel(const struct smbXsrv_session *session,
    1468             :                                       const struct smbXsrv_connection *conn,
    1469             :                                       struct smbXsrv_channel_global0 **_c)
    1470             : {
    1471             :         uint32_t i;
    1472             : 
    1473     3382381 :         for (i=0; i < session->global->num_channels; i++) {
    1474     3377345 :                 struct smbXsrv_channel_global0 *c = &session->global->channels[i];
    1475             : 
    1476     3377345 :                 if (c->channel_id != conn->channel_id) {
    1477       58836 :                         continue;
    1478             :                 }
    1479             : 
    1480     3318509 :                 if (c->connection != conn) {
    1481           0 :                         continue;
    1482             :                 }
    1483             : 
    1484     3318509 :                 *_c = c;
    1485     3318509 :                 return NT_STATUS_OK;
    1486             :         }
    1487             : 
    1488        5036 :         return NT_STATUS_USER_SESSION_DELETED;
    1489             : }
    1490             : 
    1491       77650 : NTSTATUS smbXsrv_session_find_auth(const struct smbXsrv_session *session,
    1492             :                                    const struct smbXsrv_connection *conn,
    1493             :                                    NTTIME now,
    1494             :                                    struct smbXsrv_session_auth0 **_a)
    1495             : {
    1496             :         struct smbXsrv_session_auth0 *a;
    1497             : 
    1498       77650 :         for (a = session->pending_auth; a != NULL; a = a->next) {
    1499       20388 :                 if (a->channel_id != conn->channel_id) {
    1500           0 :                         continue;
    1501             :                 }
    1502             : 
    1503       20388 :                 if (a->connection == conn) {
    1504       20388 :                         if (now != 0) {
    1505       20374 :                                 a->idle_time = now;
    1506             :                         }
    1507       20388 :                         *_a = a;
    1508       20388 :                         return NT_STATUS_OK;
    1509             :                 }
    1510             :         }
    1511             : 
    1512       57262 :         return NT_STATUS_USER_SESSION_DELETED;
    1513             : }
    1514             : 
    1515       27794 : static int smbXsrv_session_auth0_destructor(struct smbXsrv_session_auth0 *a)
    1516             : {
    1517       27794 :         if (a->session == NULL) {
    1518          14 :                 return 0;
    1519             :         }
    1520             : 
    1521       27780 :         DLIST_REMOVE(a->session->pending_auth, a);
    1522       27780 :         a->session = NULL;
    1523       27780 :         return 0;
    1524             : }
    1525             : 
    1526       27792 : NTSTATUS smbXsrv_session_create_auth(struct smbXsrv_session *session,
    1527             :                                      struct smbXsrv_connection *conn,
    1528             :                                      NTTIME now,
    1529             :                                      uint8_t in_flags,
    1530             :                                      uint8_t in_security_mode,
    1531             :                                      struct smbXsrv_session_auth0 **_a)
    1532             : {
    1533             :         struct smbXsrv_session_auth0 *a;
    1534             :         NTSTATUS status;
    1535             : 
    1536       27792 :         status = smbXsrv_session_find_auth(session, conn, 0, &a);
    1537       27792 :         if (NT_STATUS_IS_OK(status)) {
    1538           0 :                 return NT_STATUS_INTERNAL_ERROR;
    1539             :         }
    1540             : 
    1541       27792 :         a = talloc_zero(session, struct smbXsrv_session_auth0);
    1542       27792 :         if (a == NULL) {
    1543           0 :                 return NT_STATUS_NO_MEMORY;
    1544             :         }
    1545       27792 :         a->session = session;
    1546       27792 :         a->connection = conn;
    1547       27792 :         a->in_flags = in_flags;
    1548       27792 :         a->in_security_mode = in_security_mode;
    1549       27792 :         a->creation_time = now;
    1550       27792 :         a->idle_time = now;
    1551       27792 :         a->channel_id = conn->channel_id;
    1552             : 
    1553       27792 :         if (conn->protocol >= PROTOCOL_SMB3_11) {
    1554       19936 :                 a->preauth = talloc(a, struct smbXsrv_preauth);
    1555       19936 :                 if (a->preauth == NULL) {
    1556           0 :                         TALLOC_FREE(session);
    1557           0 :                         return NT_STATUS_NO_MEMORY;
    1558             :                 }
    1559       19936 :                 *a->preauth = conn->smb2.preauth;
    1560             :         }
    1561             : 
    1562       27792 :         talloc_set_destructor(a, smbXsrv_session_auth0_destructor);
    1563       27792 :         DLIST_ADD_END(session->pending_auth, a);
    1564             : 
    1565       27792 :         *_a = a;
    1566       27792 :         return NT_STATUS_OK;
    1567             : }
    1568             : 
    1569             : static void smbXsrv_session_remove_channel_done(struct tevent_req *subreq);
    1570             : 
    1571        1692 : NTSTATUS smbXsrv_session_remove_channel(struct smbXsrv_session *session,
    1572             :                                         struct smbXsrv_connection *xconn)
    1573             : {
    1574        1692 :         struct smbXsrv_session_auth0 *a = NULL;
    1575        1692 :         struct smbXsrv_channel_global0 *c = NULL;
    1576             :         NTSTATUS status;
    1577        1692 :         bool need_update = false;
    1578             : 
    1579        1692 :         status = smbXsrv_session_find_auth(session, xconn, 0, &a);
    1580        1692 :         if (!NT_STATUS_IS_OK(status)) {
    1581        1678 :                 a = NULL;
    1582             :         }
    1583        1692 :         status = smbXsrv_session_find_channel(session, xconn, &c);
    1584        1692 :         if (!NT_STATUS_IS_OK(status)) {
    1585         900 :                 c = NULL;
    1586             :         }
    1587             : 
    1588        1692 :         if (a != NULL) {
    1589          14 :                 smbXsrv_session_auth0_destructor(a);
    1590          14 :                 a->connection = NULL;
    1591          14 :                 need_update = true;
    1592             :         }
    1593             : 
    1594        1692 :         if (c != NULL) {
    1595         792 :                 struct smbXsrv_session_global0 *global = session->global;
    1596             :                 ptrdiff_t n;
    1597             : 
    1598         792 :                 n = (c - global->channels);
    1599         792 :                 if (n >= global->num_channels || n < 0) {
    1600           0 :                         return NT_STATUS_INTERNAL_ERROR;
    1601             :                 }
    1602         792 :                 ARRAY_DEL_ELEMENT(global->channels, n, global->num_channels);
    1603         792 :                 global->num_channels--;
    1604         792 :                 if (global->num_channels == 0) {
    1605          40 :                         struct smbXsrv_client *client = session->client;
    1606          40 :                         struct tevent_queue *xconn_wait_queue =
    1607             :                                 xconn->transport.shutdown_wait_queue;
    1608          40 :                         struct tevent_req *subreq = NULL;
    1609             : 
    1610             :                         /*
    1611             :                          * Let the connection wait until the session is
    1612             :                          * destroyed.
    1613             :                          *
    1614             :                          * We don't set a callback, as we just want to block the
    1615             :                          * wait queue and the talloc_free() of the session will
    1616             :                          * remove the item from the wait queue in order
    1617             :                          * to remove allow the connection to disapear.
    1618             :                          */
    1619          40 :                         if (xconn_wait_queue != NULL) {
    1620          40 :                                 subreq = tevent_queue_wait_send(session,
    1621             :                                                                 client->raw_ev_ctx,
    1622             :                                                                 xconn_wait_queue);
    1623          40 :                                 if (subreq == NULL) {
    1624           0 :                                         status = NT_STATUS_NO_MEMORY;
    1625           0 :                                         DBG_ERR("tevent_queue_wait_send() session(%llu) failed: %s\n",
    1626             :                                                 (unsigned long long)session->global->session_wire_id,
    1627             :                                                 nt_errstr(status));
    1628           0 :                                         return status;
    1629             :                                 }
    1630             :                         }
    1631             : 
    1632             :                         /*
    1633             :                          * This is garanteed to set
    1634             :                          * session->status = NT_STATUS_USER_SESSION_DELETED
    1635             :                          * even if NULL is returned.
    1636             :                          */
    1637          40 :                         subreq = smb2srv_session_shutdown_send(session,
    1638             :                                                                client->raw_ev_ctx,
    1639             :                                                                session,
    1640             :                                                                NULL);
    1641          40 :                         if (subreq == NULL) {
    1642           0 :                                 status = NT_STATUS_NO_MEMORY;
    1643           0 :                                 DBG_ERR("smb2srv_session_shutdown_send(%llu) failed: %s\n",
    1644             :                                         (unsigned long long)session->global->session_wire_id,
    1645             :                                         nt_errstr(status));
    1646           0 :                                 return status;
    1647             :                         }
    1648          40 :                         tevent_req_set_callback(subreq,
    1649             :                                                 smbXsrv_session_remove_channel_done,
    1650             :                                                 session);
    1651             :                 }
    1652         792 :                 need_update = true;
    1653             :         }
    1654             : 
    1655        1692 :         if (!need_update) {
    1656         900 :                 return NT_STATUS_OK;
    1657             :         }
    1658             : 
    1659         792 :         return smbXsrv_session_update(session);
    1660             : }
    1661             : 
    1662          40 : static void smbXsrv_session_remove_channel_done(struct tevent_req *subreq)
    1663             : {
    1664          40 :         struct smbXsrv_session *session =
    1665          40 :                 tevent_req_callback_data(subreq,
    1666             :                 struct smbXsrv_session);
    1667             :         NTSTATUS status;
    1668             : 
    1669          40 :         status = smb2srv_session_shutdown_recv(subreq);
    1670          40 :         TALLOC_FREE(subreq);
    1671          40 :         if (!NT_STATUS_IS_OK(status)) {
    1672           0 :                 DBG_ERR("smb2srv_session_shutdown_recv(%llu) failed: %s\n",
    1673             :                         (unsigned long long)session->global->session_wire_id,
    1674             :                         nt_errstr(status));
    1675             :         }
    1676             : 
    1677          40 :         status = smbXsrv_session_logoff(session);
    1678          40 :         if (!NT_STATUS_IS_OK(status)) {
    1679           0 :                 DBG_ERR("smbXsrv_session_logoff(%llu) failed: %s\n",
    1680             :                         (unsigned long long)session->global->session_wire_id,
    1681             :                         nt_errstr(status));
    1682             :         }
    1683             : 
    1684          40 :         TALLOC_FREE(session);
    1685          40 : }
    1686             : 
    1687             : struct smb2srv_session_shutdown_state {
    1688             :         struct tevent_queue *wait_queue;
    1689             : };
    1690             : 
    1691             : static void smb2srv_session_shutdown_wait_done(struct tevent_req *subreq);
    1692             : 
    1693        1240 : struct tevent_req *smb2srv_session_shutdown_send(TALLOC_CTX *mem_ctx,
    1694             :                                         struct tevent_context *ev,
    1695             :                                         struct smbXsrv_session *session,
    1696             :                                         struct smbd_smb2_request *current_req)
    1697             : {
    1698             :         struct tevent_req *req;
    1699             :         struct smb2srv_session_shutdown_state *state;
    1700             :         struct tevent_req *subreq;
    1701        1240 :         struct smbXsrv_connection *xconn = NULL;
    1702        1240 :         size_t len = 0;
    1703             : 
    1704             :         /*
    1705             :          * Make sure that no new request will be able to use this session.
    1706             :          */
    1707        1240 :         session->status = NT_STATUS_USER_SESSION_DELETED;
    1708             : 
    1709        1240 :         req = tevent_req_create(mem_ctx, &state,
    1710             :                                 struct smb2srv_session_shutdown_state);
    1711        1240 :         if (req == NULL) {
    1712           0 :                 return NULL;
    1713             :         }
    1714             : 
    1715        1240 :         state->wait_queue = tevent_queue_create(state, "smb2srv_session_shutdown_queue");
    1716        1240 :         if (tevent_req_nomem(state->wait_queue, req)) {
    1717           0 :                 return tevent_req_post(req, ev);
    1718             :         }
    1719             : 
    1720        2558 :         for (xconn = session->client->connections; xconn != NULL; xconn = xconn->next) {
    1721             :                 struct smbd_smb2_request *preq;
    1722             : 
    1723        2502 :                 for (preq = xconn->smb2.requests; preq != NULL; preq = preq->next) {
    1724        1184 :                         if (preq == current_req) {
    1725             :                                 /* Can't cancel current request. */
    1726        1150 :                                 continue;
    1727             :                         }
    1728          34 :                         if (preq->session != session) {
    1729             :                                 /* Request on different session. */
    1730          22 :                                 continue;
    1731             :                         }
    1732             : 
    1733          12 :                         if (preq->subreq != NULL) {
    1734          12 :                                 tevent_req_cancel(preq->subreq);
    1735             :                         }
    1736             : 
    1737             :                         /*
    1738             :                          * Now wait until the request is finished.
    1739             :                          *
    1740             :                          * We don't set a callback, as we just want to block the
    1741             :                          * wait queue and the talloc_free() of the request will
    1742             :                          * remove the item from the wait queue.
    1743             :                          */
    1744          12 :                         subreq = tevent_queue_wait_send(preq, ev, state->wait_queue);
    1745          12 :                         if (tevent_req_nomem(subreq, req)) {
    1746           0 :                                 return tevent_req_post(req, ev);
    1747             :                         }
    1748             :                 }
    1749             :         }
    1750             : 
    1751        1240 :         len = tevent_queue_length(state->wait_queue);
    1752        1240 :         if (len == 0) {
    1753        1228 :                 tevent_req_done(req);
    1754        1228 :                 return tevent_req_post(req, ev);
    1755             :         }
    1756             : 
    1757             :         /*
    1758             :          * Now we add our own waiter to the end of the queue,
    1759             :          * this way we get notified when all pending requests are finished
    1760             :          * and send to the socket.
    1761             :          */
    1762          12 :         subreq = tevent_queue_wait_send(state, ev, state->wait_queue);
    1763          12 :         if (tevent_req_nomem(subreq, req)) {
    1764           0 :                 return tevent_req_post(req, ev);
    1765             :         }
    1766          12 :         tevent_req_set_callback(subreq, smb2srv_session_shutdown_wait_done, req);
    1767             : 
    1768          12 :         return req;
    1769             : }
    1770             : 
    1771          12 : static void smb2srv_session_shutdown_wait_done(struct tevent_req *subreq)
    1772             : {
    1773          12 :         struct tevent_req *req =
    1774          12 :                 tevent_req_callback_data(subreq,
    1775             :                 struct tevent_req);
    1776             : 
    1777          12 :         tevent_queue_wait_recv(subreq);
    1778          12 :         TALLOC_FREE(subreq);
    1779             : 
    1780          12 :         tevent_req_done(req);
    1781          12 : }
    1782             : 
    1783        1240 : NTSTATUS smb2srv_session_shutdown_recv(struct tevent_req *req)
    1784             : {
    1785        1240 :         return tevent_req_simple_recv_ntstatus(req);
    1786             : }
    1787             : 
    1788       52393 : NTSTATUS smbXsrv_session_logoff(struct smbXsrv_session *session)
    1789             : {
    1790             :         struct smbXsrv_session_table *table;
    1791       52393 :         struct db_record *local_rec = NULL;
    1792       52393 :         struct db_record *global_rec = NULL;
    1793       52393 :         struct smbd_server_connection *sconn = NULL;
    1794             :         NTSTATUS status;
    1795       52393 :         NTSTATUS error = NT_STATUS_OK;
    1796             : 
    1797       52393 :         if (session->table == NULL) {
    1798       25478 :                 return NT_STATUS_OK;
    1799             :         }
    1800             : 
    1801       26915 :         table = session->table;
    1802       26915 :         session->table = NULL;
    1803             : 
    1804       26915 :         sconn = session->client->sconn;
    1805       26915 :         session->client = NULL;
    1806       26915 :         session->status = NT_STATUS_USER_SESSION_DELETED;
    1807             : 
    1808             :         /*
    1809             :          * For SMB2 this is a bit redundant as files are also close
    1810             :          * below via smb2srv_tcon_disconnect_all() -> ... ->
    1811             :          * smbXsrv_tcon_disconnect() -> close_cnum() ->
    1812             :          * file_close_conn().
    1813             :          */
    1814       26915 :         file_close_user(sconn, session->global->session_wire_id);
    1815             : 
    1816       26915 :         if (session->tcon_table != NULL) {
    1817             :                 /*
    1818             :                  * Note: We only have a tcon_table for SMB2.
    1819             :                  */
    1820       21645 :                 status = smb2srv_tcon_disconnect_all(session);
    1821       21645 :                 if (!NT_STATUS_IS_OK(status)) {
    1822          36 :                         DEBUG(0, ("smbXsrv_session_logoff(0x%08x): "
    1823             :                                   "smb2srv_tcon_disconnect_all() failed: %s\n",
    1824             :                                   session->global->session_global_id,
    1825             :                                   nt_errstr(status)));
    1826          36 :                         error = status;
    1827             :                 }
    1828             :         }
    1829             : 
    1830       26915 :         invalidate_vuid(sconn, session->global->session_wire_id);
    1831             : 
    1832       26915 :         global_rec = session->global->db_rec;
    1833       26915 :         session->global->db_rec = NULL;
    1834       26915 :         if (global_rec == NULL) {
    1835       26915 :                 global_rec = smbXsrv_session_global_fetch_locked(
    1836             :                                         table->global.db_ctx,
    1837       26393 :                                         session->global->session_global_id,
    1838       26393 :                                         session->global /* TALLOC_CTX */);
    1839       26915 :                 if (global_rec == NULL) {
    1840           0 :                         error = NT_STATUS_INTERNAL_ERROR;
    1841             :                 }
    1842             :         }
    1843             : 
    1844       26915 :         if (global_rec != NULL) {
    1845       26915 :                 status = dbwrap_record_delete(global_rec);
    1846       26915 :                 if (!NT_STATUS_IS_OK(status)) {
    1847           0 :                         TDB_DATA key = dbwrap_record_get_key(global_rec);
    1848             : 
    1849           0 :                         DEBUG(0, ("smbXsrv_session_logoff(0x%08x): "
    1850             :                                   "failed to delete global key '%s': %s\n",
    1851             :                                   session->global->session_global_id,
    1852             :                                   hex_encode_talloc(global_rec, key.dptr,
    1853             :                                                     key.dsize),
    1854             :                                   nt_errstr(status)));
    1855           0 :                         error = status;
    1856             :                 }
    1857             :         }
    1858       26915 :         TALLOC_FREE(global_rec);
    1859             : 
    1860       26915 :         local_rec = session->db_rec;
    1861       26915 :         if (local_rec == NULL) {
    1862        1688 :                 local_rec = smbXsrv_session_local_fetch_locked(
    1863             :                                                 table->local.db_ctx,
    1864             :                                                 session->local_id,
    1865             :                                                 session /* TALLOC_CTX */);
    1866        1688 :                 if (local_rec == NULL) {
    1867           0 :                         error = NT_STATUS_INTERNAL_ERROR;
    1868             :                 }
    1869             :         }
    1870             : 
    1871       26915 :         if (local_rec != NULL) {
    1872       26915 :                 status = dbwrap_record_delete(local_rec);
    1873       26915 :                 if (!NT_STATUS_IS_OK(status)) {
    1874           0 :                         TDB_DATA key = dbwrap_record_get_key(local_rec);
    1875             : 
    1876           0 :                         DEBUG(0, ("smbXsrv_session_logoff(0x%08x): "
    1877             :                                   "failed to delete local key '%s': %s\n",
    1878             :                                   session->global->session_global_id,
    1879             :                                   hex_encode_talloc(local_rec, key.dptr,
    1880             :                                                     key.dsize),
    1881             :                                   nt_errstr(status)));
    1882           0 :                         error = status;
    1883             :                 }
    1884       26915 :                 table->local.num_sessions -= 1;
    1885             :         }
    1886       26915 :         if (session->db_rec == NULL) {
    1887        1688 :                 TALLOC_FREE(local_rec);
    1888             :         }
    1889       26915 :         session->db_rec = NULL;
    1890             : 
    1891       26915 :         return error;
    1892             : }
    1893             : 
    1894             : struct smbXsrv_session_logoff_all_state {
    1895             :         NTSTATUS first_status;
    1896             :         int errors;
    1897             : };
    1898             : 
    1899             : static int smbXsrv_session_logoff_all_callback(struct db_record *local_rec,
    1900             :                                                void *private_data);
    1901             : 
    1902       27490 : NTSTATUS smbXsrv_session_logoff_all(struct smbXsrv_client *client)
    1903             : {
    1904       27490 :         struct smbXsrv_session_table *table = client->session_table;
    1905             :         struct smbXsrv_session_logoff_all_state state;
    1906             :         NTSTATUS status;
    1907       27490 :         int count = 0;
    1908             : 
    1909       27490 :         if (table == NULL) {
    1910         596 :                 DEBUG(10, ("smbXsrv_session_logoff_all: "
    1911             :                            "empty session_table, nothing to do.\n"));
    1912         596 :                 return NT_STATUS_OK;
    1913             :         }
    1914             : 
    1915       26894 :         ZERO_STRUCT(state);
    1916             : 
    1917       26894 :         status = dbwrap_traverse(table->local.db_ctx,
    1918             :                                  smbXsrv_session_logoff_all_callback,
    1919             :                                  &state, &count);
    1920       26894 :         if (!NT_STATUS_IS_OK(status)) {
    1921           0 :                 DEBUG(0, ("smbXsrv_session_logoff_all: "
    1922             :                           "dbwrap_traverse() failed: %s\n",
    1923             :                           nt_errstr(status)));
    1924           0 :                 return status;
    1925             :         }
    1926             : 
    1927       26894 :         if (!NT_STATUS_IS_OK(state.first_status)) {
    1928          36 :                 DEBUG(0, ("smbXsrv_session_logoff_all: "
    1929             :                           "count[%d] errors[%d] first[%s]\n",
    1930             :                           count, state.errors,
    1931             :                           nt_errstr(state.first_status)));
    1932          36 :                 return state.first_status;
    1933             :         }
    1934             : 
    1935       26858 :         return NT_STATUS_OK;
    1936             : }
    1937             : 
    1938       25227 : static int smbXsrv_session_logoff_all_callback(struct db_record *local_rec,
    1939             :                                                void *private_data)
    1940             : {
    1941       25227 :         struct smbXsrv_session_logoff_all_state *state =
    1942             :                 (struct smbXsrv_session_logoff_all_state *)private_data;
    1943             :         TDB_DATA val;
    1944       25227 :         void *ptr = NULL;
    1945       25227 :         struct smbXsrv_session *session = NULL;
    1946             :         NTSTATUS status;
    1947             : 
    1948       25227 :         val = dbwrap_record_get_value(local_rec);
    1949       25227 :         if (val.dsize != sizeof(ptr)) {
    1950           0 :                 status = NT_STATUS_INTERNAL_ERROR;
    1951           0 :                 if (NT_STATUS_IS_OK(state->first_status)) {
    1952           0 :                         state->first_status = status;
    1953             :                 }
    1954           0 :                 state->errors++;
    1955           0 :                 return 0;
    1956             :         }
    1957             : 
    1958       25227 :         memcpy(&ptr, val.dptr, val.dsize);
    1959       25227 :         session = talloc_get_type_abort(ptr, struct smbXsrv_session);
    1960             : 
    1961       25227 :         session->db_rec = local_rec;
    1962       25227 :         status = smbXsrv_session_clear_and_logoff(session);
    1963       25227 :         session->db_rec = NULL;
    1964       25227 :         if (!NT_STATUS_IS_OK(status)) {
    1965          36 :                 if (NT_STATUS_IS_OK(state->first_status)) {
    1966          36 :                         state->first_status = status;
    1967             :                 }
    1968          36 :                 state->errors++;
    1969          36 :                 return 0;
    1970             :         }
    1971             : 
    1972       24669 :         return 0;
    1973             : }
    1974             : 
    1975             : struct smbXsrv_session_local_trav_state {
    1976             :         NTSTATUS status;
    1977             :         int (*caller_cb)(struct smbXsrv_session *session,
    1978             :                          void *caller_data);
    1979             :         void *caller_data;
    1980             : };
    1981             : 
    1982             : static int smbXsrv_session_local_traverse_cb(struct db_record *local_rec,
    1983             :                                              void *private_data);
    1984             : 
    1985           0 : NTSTATUS smbXsrv_session_local_traverse(
    1986             :         struct smbXsrv_client *client,
    1987             :         int (*caller_cb)(struct smbXsrv_session *session,
    1988             :                          void *caller_data),
    1989             :         void *caller_data)
    1990             : {
    1991           0 :         struct smbXsrv_session_table *table = client->session_table;
    1992             :         struct smbXsrv_session_local_trav_state state;
    1993             :         NTSTATUS status;
    1994           0 :         int count = 0;
    1995             : 
    1996           0 :         state = (struct smbXsrv_session_local_trav_state) {
    1997             :                 .status = NT_STATUS_OK,
    1998             :                 .caller_cb = caller_cb,
    1999             :                 .caller_data = caller_data,
    2000             :         };
    2001             : 
    2002           0 :         if (table == NULL) {
    2003           0 :                 DBG_DEBUG("empty session_table, nothing to do.\n");
    2004           0 :                 return NT_STATUS_OK;
    2005             :         }
    2006             : 
    2007           0 :         status = dbwrap_traverse(table->local.db_ctx,
    2008             :                                  smbXsrv_session_local_traverse_cb,
    2009             :                                  &state,
    2010             :                                  &count);
    2011           0 :         if (!NT_STATUS_IS_OK(status)) {
    2012           0 :                 DBG_ERR("dbwrap_traverse() failed: %s\n", nt_errstr(status));
    2013           0 :                 return status;
    2014             :         }
    2015           0 :         if (!NT_STATUS_IS_OK(state.status)) {
    2016           0 :                 DBG_ERR("count[%d] status[%s]\n",
    2017             :                         count, nt_errstr(state.status));
    2018           0 :                 return state.status;
    2019             :         }
    2020             : 
    2021           0 :         return NT_STATUS_OK;
    2022             : }
    2023             : 
    2024           0 : static int smbXsrv_session_local_traverse_cb(struct db_record *local_rec,
    2025             :                                              void *private_data)
    2026             : {
    2027           0 :         struct smbXsrv_session_local_trav_state *state =
    2028             :                 (struct smbXsrv_session_local_trav_state *)private_data;
    2029             :         TDB_DATA val;
    2030           0 :         void *ptr = NULL;
    2031           0 :         struct smbXsrv_session *session = NULL;
    2032             :         int ret;
    2033             : 
    2034           0 :         val = dbwrap_record_get_value(local_rec);
    2035           0 :         if (val.dsize != sizeof(ptr)) {
    2036           0 :                 state->status = NT_STATUS_INTERNAL_ERROR;
    2037           0 :                 return -1;
    2038             :         }
    2039             : 
    2040           0 :         memcpy(&ptr, val.dptr, val.dsize);
    2041           0 :         session = talloc_get_type_abort(ptr, struct smbXsrv_session);
    2042             : 
    2043           0 :         session->db_rec = local_rec;
    2044           0 :         ret = state->caller_cb(session, state->caller_data);
    2045           0 :         session->db_rec = NULL;
    2046             : 
    2047           0 :         return ret;
    2048             : }
    2049             : 
    2050             : struct smbXsrv_session_disconnect_xconn_state {
    2051             :         struct smbXsrv_connection *xconn;
    2052             :         NTSTATUS first_status;
    2053             :         int errors;
    2054             : };
    2055             : 
    2056             : static int smbXsrv_session_disconnect_xconn_callback(struct db_record *local_rec,
    2057             :                                                void *private_data);
    2058             : 
    2059         930 : NTSTATUS smbXsrv_session_disconnect_xconn(struct smbXsrv_connection *xconn)
    2060             : {
    2061         930 :         struct smbXsrv_client *client = xconn->client;
    2062         930 :         struct smbXsrv_session_table *table = client->session_table;
    2063             :         struct smbXsrv_session_disconnect_xconn_state state;
    2064             :         NTSTATUS status;
    2065         930 :         int count = 0;
    2066             : 
    2067         930 :         if (table == NULL) {
    2068           0 :                 DBG_ERR("empty session_table, nothing to do.\n");
    2069           0 :                 return NT_STATUS_OK;
    2070             :         }
    2071             : 
    2072         930 :         ZERO_STRUCT(state);
    2073         930 :         state.xconn = xconn;
    2074             : 
    2075         930 :         status = dbwrap_traverse(table->local.db_ctx,
    2076             :                                  smbXsrv_session_disconnect_xconn_callback,
    2077             :                                  &state, &count);
    2078         930 :         if (!NT_STATUS_IS_OK(status)) {
    2079           0 :                 DBG_ERR("dbwrap_traverse() failed: %s\n",
    2080             :                         nt_errstr(status));
    2081           0 :                 return status;
    2082             :         }
    2083             : 
    2084         930 :         if (!NT_STATUS_IS_OK(state.first_status)) {
    2085           0 :                 DBG_ERR("count[%d] errors[%d] first[%s]\n",
    2086             :                         count, state.errors,
    2087             :                         nt_errstr(state.first_status));
    2088           0 :                 return state.first_status;
    2089             :         }
    2090             : 
    2091         930 :         return NT_STATUS_OK;
    2092             : }
    2093             : 
    2094         998 : static int smbXsrv_session_disconnect_xconn_callback(struct db_record *local_rec,
    2095             :                                                void *private_data)
    2096             : {
    2097         998 :         struct smbXsrv_session_disconnect_xconn_state *state =
    2098             :                 (struct smbXsrv_session_disconnect_xconn_state *)private_data;
    2099             :         TDB_DATA val;
    2100         998 :         void *ptr = NULL;
    2101         998 :         struct smbXsrv_session *session = NULL;
    2102             :         NTSTATUS status;
    2103             : 
    2104         998 :         val = dbwrap_record_get_value(local_rec);
    2105         998 :         if (val.dsize != sizeof(ptr)) {
    2106           0 :                 status = NT_STATUS_INTERNAL_ERROR;
    2107           0 :                 if (NT_STATUS_IS_OK(state->first_status)) {
    2108           0 :                         state->first_status = status;
    2109             :                 }
    2110           0 :                 state->errors++;
    2111           0 :                 return 0;
    2112             :         }
    2113             : 
    2114         998 :         memcpy(&ptr, val.dptr, val.dsize);
    2115         998 :         session = talloc_get_type_abort(ptr, struct smbXsrv_session);
    2116             : 
    2117         998 :         session->db_rec = local_rec;
    2118         998 :         status = smbXsrv_session_remove_channel(session, state->xconn);
    2119         998 :         session->db_rec = NULL;
    2120         998 :         if (!NT_STATUS_IS_OK(status)) {
    2121           0 :                 if (NT_STATUS_IS_OK(state->first_status)) {
    2122           0 :                         state->first_status = status;
    2123             :                 }
    2124           0 :                 state->errors++;
    2125             :         }
    2126             : 
    2127         998 :         return 0;
    2128             : }
    2129             : 
    2130        4856 : NTSTATUS smb1srv_session_table_init(struct smbXsrv_connection *conn)
    2131             : {
    2132             :         /*
    2133             :          * Allow a range from 1..65534 with 65534 values.
    2134             :          */
    2135        4856 :         return smbXsrv_session_table_init(conn, 1, UINT16_MAX - 1,
    2136             :                                           UINT16_MAX - 1);
    2137             : }
    2138             : 
    2139      660287 : NTSTATUS smb1srv_session_lookup(struct smbXsrv_connection *conn,
    2140             :                                 uint16_t vuid, NTTIME now,
    2141             :                                 struct smbXsrv_session **session)
    2142             : {
    2143      660287 :         struct smbXsrv_session_table *table = conn->client->session_table;
    2144      660287 :         uint32_t local_id = vuid;
    2145             : 
    2146      660287 :         return smbXsrv_session_local_lookup(table, conn, local_id, now,
    2147             :                                             session);
    2148             : }
    2149             : 
    2150     1855103 : NTSTATUS smbXsrv_session_info_lookup(struct smbXsrv_client *client,
    2151             :                                      uint64_t session_wire_id,
    2152             :                                      struct auth_session_info **si)
    2153             : {
    2154     1855103 :         struct smbXsrv_session_table *table = client->session_table;
    2155             :         uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
    2156     1855103 :         struct smbXsrv_session_local_fetch_state state = {
    2157             :                 .session = NULL,
    2158             :                 .status = NT_STATUS_INTERNAL_ERROR,
    2159             :         };
    2160             :         TDB_DATA key;
    2161             :         NTSTATUS status;
    2162             : 
    2163     1855103 :         if (session_wire_id == 0) {
    2164           0 :                 return NT_STATUS_USER_SESSION_DELETED;
    2165             :         }
    2166             : 
    2167     1855103 :         if (table == NULL) {
    2168             :                 /* this might happen before the end of negprot */
    2169           0 :                 return NT_STATUS_USER_SESSION_DELETED;
    2170             :         }
    2171             : 
    2172     1855103 :         if (table->local.db_ctx == NULL) {
    2173           0 :                 return NT_STATUS_INTERNAL_ERROR;
    2174             :         }
    2175             : 
    2176     1870604 :         key = smbXsrv_session_local_id_to_key(session_wire_id, key_buf);
    2177             : 
    2178     1855103 :         status = dbwrap_parse_record(table->local.db_ctx, key,
    2179             :                                      smbXsrv_session_local_fetch_parser,
    2180             :                                      &state);
    2181     1855103 :         if (!NT_STATUS_IS_OK(status)) {
    2182          17 :                 return status;
    2183             :         }
    2184     1855086 :         if (!NT_STATUS_IS_OK(state.status)) {
    2185           0 :                 return state.status;
    2186             :         }
    2187     1855086 :         if (state.session->global->auth_session_info == NULL) {
    2188           0 :                 return NT_STATUS_USER_SESSION_DELETED;
    2189             :         }
    2190             : 
    2191     1855086 :         *si = state.session->global->auth_session_info;
    2192     1855086 :         return NT_STATUS_OK;
    2193             : }
    2194             : 
    2195             : /*
    2196             :  * In memory of get_valid_user_struct()
    2197             :  *
    2198             :  * This function is similar to smbXsrv_session_local_lookup() and it's wrappers,
    2199             :  * but it doesn't implement the state checks of
    2200             :  * those. get_valid_smbXsrv_session() is NOT meant to be called to validate the
    2201             :  * session wire-id of incoming SMB requests, it MUST only be used in later
    2202             :  * internal processing where the session wire-id has already been validated.
    2203             :  */
    2204       27230 : NTSTATUS get_valid_smbXsrv_session(struct smbXsrv_client *client,
    2205             :                                    uint64_t session_wire_id,
    2206             :                                    struct smbXsrv_session **session)
    2207             : {
    2208       27230 :         struct smbXsrv_session_table *table = client->session_table;
    2209             :         uint8_t key_buf[SMBXSRV_SESSION_LOCAL_TDB_KEY_SIZE];
    2210       27230 :         struct smbXsrv_session_local_fetch_state state = {
    2211             :                 .session = NULL,
    2212             :                 .status = NT_STATUS_INTERNAL_ERROR,
    2213             :         };
    2214             :         TDB_DATA key;
    2215             :         NTSTATUS status;
    2216             : 
    2217       27230 :         if (session_wire_id == 0) {
    2218           0 :                 return NT_STATUS_USER_SESSION_DELETED;
    2219             :         }
    2220             : 
    2221       27230 :         if (table == NULL) {
    2222             :                 /* this might happen before the end of negprot */
    2223           0 :                 return NT_STATUS_USER_SESSION_DELETED;
    2224             :         }
    2225             : 
    2226       27230 :         if (table->local.db_ctx == NULL) {
    2227           0 :                 return NT_STATUS_INTERNAL_ERROR;
    2228             :         }
    2229             : 
    2230       27752 :         key = smbXsrv_session_local_id_to_key(session_wire_id, key_buf);
    2231             : 
    2232       27230 :         status = dbwrap_parse_record(table->local.db_ctx, key,
    2233             :                                      smbXsrv_session_local_fetch_parser,
    2234             :                                      &state);
    2235       27230 :         if (!NT_STATUS_IS_OK(status)) {
    2236           0 :                 return status;
    2237             :         }
    2238       27230 :         if (!NT_STATUS_IS_OK(state.status)) {
    2239           0 :                 return state.status;
    2240             :         }
    2241       27230 :         if (state.session->global->auth_session_info == NULL) {
    2242        1425 :                 return NT_STATUS_USER_SESSION_DELETED;
    2243             :         }
    2244             : 
    2245       25805 :         *session = state.session;
    2246       25805 :         return NT_STATUS_OK;
    2247             : }
    2248             : 
    2249       22507 : NTSTATUS smb2srv_session_lookup_global(struct smbXsrv_client *client,
    2250             :                                        uint64_t session_wire_id,
    2251             :                                        TALLOC_CTX *mem_ctx,
    2252             :                                        struct smbXsrv_session **_session)
    2253             : {
    2254       22507 :         TALLOC_CTX *frame = talloc_stackframe();
    2255       22507 :         struct smbXsrv_session_table *table = client->session_table;
    2256       22507 :         uint32_t global_id = session_wire_id & UINT32_MAX;
    2257       22507 :         uint64_t global_zeros = session_wire_id & 0xFFFFFFFF00000000LLU;
    2258       22507 :         struct smbXsrv_session *session = NULL;
    2259       22507 :         struct db_record *global_rec = NULL;
    2260       22507 :         bool is_free = false;
    2261             :         NTSTATUS status;
    2262             : 
    2263       22507 :         if (global_id == 0) {
    2264       21647 :                 TALLOC_FREE(frame);
    2265       21647 :                 return NT_STATUS_USER_SESSION_DELETED;
    2266             :         }
    2267         860 :         if (global_zeros != 0) {
    2268           0 :                 TALLOC_FREE(frame);
    2269           0 :                 return NT_STATUS_USER_SESSION_DELETED;
    2270             :         }
    2271             : 
    2272         860 :         if (table == NULL) {
    2273             :                 /* this might happen before the end of negprot */
    2274           0 :                 TALLOC_FREE(frame);
    2275           0 :                 return NT_STATUS_USER_SESSION_DELETED;
    2276             :         }
    2277             : 
    2278         860 :         if (table->global.db_ctx == NULL) {
    2279           0 :                 TALLOC_FREE(frame);
    2280           0 :                 return NT_STATUS_INTERNAL_ERROR;
    2281             :         }
    2282             : 
    2283         860 :         session = talloc_zero(mem_ctx, struct smbXsrv_session);
    2284         860 :         if (session == NULL) {
    2285           0 :                 TALLOC_FREE(frame);
    2286           0 :                 return NT_STATUS_NO_MEMORY;
    2287             :         }
    2288         860 :         talloc_steal(frame, session);
    2289             : 
    2290         860 :         session->client = client;
    2291         860 :         session->status = NT_STATUS_BAD_LOGON_SESSION_STATE;
    2292         860 :         session->local_id = global_id;
    2293             : 
    2294             :         /*
    2295             :          * This means smb2_get_new_nonce() will return
    2296             :          * NT_STATUS_ENCRYPTION_FAILED.
    2297             :          *
    2298             :          * But we intialize some random parts just in case...
    2299             :          */
    2300         860 :         session->nonce_high_max = session->nonce_high = 0;
    2301         860 :         generate_nonce_buffer((uint8_t *)&session->nonce_high_random,
    2302             :                               sizeof(session->nonce_high_random));
    2303         860 :         generate_nonce_buffer((uint8_t *)&session->nonce_low,
    2304             :                               sizeof(session->nonce_low));
    2305             : 
    2306         860 :         global_rec = smbXsrv_session_global_fetch_locked(table->global.db_ctx,
    2307             :                                                          global_id,
    2308             :                                                          frame);
    2309         860 :         if (global_rec == NULL) {
    2310           0 :                 TALLOC_FREE(frame);
    2311           0 :                 return NT_STATUS_INTERNAL_DB_ERROR;
    2312             :         }
    2313             : 
    2314         860 :         smbXsrv_session_global_verify_record(global_rec,
    2315             :                                              &is_free,
    2316             :                                              NULL,
    2317             :                                              session,
    2318         860 :                                              &session->global);
    2319         860 :         if (is_free) {
    2320          10 :                 TALLOC_FREE(frame);
    2321          10 :                 return NT_STATUS_USER_SESSION_DELETED;
    2322             :         }
    2323             : 
    2324             :         /*
    2325             :          * We don't have channels on this session
    2326             :          * and only the main signing key
    2327             :          */
    2328         850 :         session->global->num_channels = 0;
    2329        1700 :         status = smb2_signing_key_sign_create(session->global,
    2330         850 :                                               session->global->signing_algo,
    2331             :                                               NULL, /* no master key */
    2332             :                                               NULL, /* derivations */
    2333         850 :                                               &session->global->signing_key);
    2334         850 :         if (!NT_STATUS_IS_OK(status)) {
    2335           0 :                 TALLOC_FREE(frame);
    2336           0 :                 return NT_STATUS_NO_MEMORY;
    2337             :         }
    2338         850 :         session->global->signing_key->blob = session->global->signing_key_blob;
    2339         850 :         session->global->signing_flags = 0;
    2340             : 
    2341        1700 :         status = smb2_signing_key_cipher_create(session->global,
    2342         850 :                                                 session->global->encryption_cipher,
    2343             :                                                 NULL, /* no master key */
    2344             :                                                 NULL, /* derivations */
    2345         850 :                                                 &session->global->decryption_key);
    2346         850 :         if (!NT_STATUS_IS_OK(status)) {
    2347           0 :                 TALLOC_FREE(frame);
    2348           0 :                 return NT_STATUS_NO_MEMORY;
    2349             :         }
    2350         850 :         session->global->decryption_key->blob = session->global->decryption_key_blob;
    2351         850 :         session->global->encryption_flags = 0;
    2352             : 
    2353         850 :         *_session = talloc_move(mem_ctx, &session);
    2354         850 :         TALLOC_FREE(frame);
    2355         850 :         return NT_STATUS_OK;
    2356             : }
    2357             : 
    2358       22052 : NTSTATUS smb2srv_session_table_init(struct smbXsrv_connection *conn)
    2359             : {
    2360             :         /*
    2361             :          * Allow a range from 1..4294967294 with 65534 (same as SMB1) values.
    2362             :          */
    2363       22052 :         return smbXsrv_session_table_init(conn, 1, UINT32_MAX - 1,
    2364             :                                           UINT16_MAX - 1);
    2365             : }
    2366             : 
    2367     1404173 : static NTSTATUS smb2srv_session_lookup_raw(struct smbXsrv_session_table *table,
    2368             :                                            /* conn: optional */
    2369             :                                            struct smbXsrv_connection *conn,
    2370             :                                            uint64_t session_id, NTTIME now,
    2371             :                                            struct smbXsrv_session **session)
    2372             : {
    2373     1413429 :         uint32_t local_id = session_id & UINT32_MAX;
    2374     1413429 :         uint64_t local_zeros = session_id & 0xFFFFFFFF00000000LLU;
    2375             : 
    2376     1413429 :         if (local_zeros != 0) {
    2377          24 :                 return NT_STATUS_USER_SESSION_DELETED;
    2378             :         }
    2379             : 
    2380     1413405 :         return smbXsrv_session_local_lookup(table, conn, local_id, now,
    2381             :                                             session);
    2382             : }
    2383             : 
    2384     1373584 : NTSTATUS smb2srv_session_lookup_conn(struct smbXsrv_connection *conn,
    2385             :                                      uint64_t session_id, NTTIME now,
    2386             :                                      struct smbXsrv_session **session)
    2387             : {
    2388     1373584 :         struct smbXsrv_session_table *table = conn->client->session_table;
    2389     1373584 :         return smb2srv_session_lookup_raw(table, conn, session_id, now,
    2390             :                                           session);
    2391             : }
    2392             : 
    2393       39845 : NTSTATUS smb2srv_session_lookup_client(struct smbXsrv_client *client,
    2394             :                                        uint64_t session_id, NTTIME now,
    2395             :                                        struct smbXsrv_session **session)
    2396             : {
    2397       39845 :         struct smbXsrv_session_table *table = client->session_table;
    2398       39845 :         return smb2srv_session_lookup_raw(table, NULL, session_id, now,
    2399             :                                           session);
    2400             : }
    2401             : 
    2402             : struct smbXsrv_session_global_traverse_state {
    2403             :         int (*fn)(struct smbXsrv_session_global0 *, void *);
    2404             :         void *private_data;
    2405             : };
    2406             : 
    2407          28 : static int smbXsrv_session_global_traverse_fn(struct db_record *rec, void *data)
    2408             : {
    2409          28 :         int ret = -1;
    2410          28 :         struct smbXsrv_session_global_traverse_state *state =
    2411             :                 (struct smbXsrv_session_global_traverse_state*)data;
    2412          28 :         TDB_DATA key = dbwrap_record_get_key(rec);
    2413          28 :         TDB_DATA val = dbwrap_record_get_value(rec);
    2414          28 :         DATA_BLOB blob = data_blob_const(val.dptr, val.dsize);
    2415             :         struct smbXsrv_session_globalB global_blob;
    2416             :         enum ndr_err_code ndr_err;
    2417          28 :         TALLOC_CTX *frame = talloc_stackframe();
    2418             : 
    2419          28 :         ndr_err = ndr_pull_struct_blob(&blob, frame, &global_blob,
    2420             :                         (ndr_pull_flags_fn_t)ndr_pull_smbXsrv_session_globalB);
    2421          28 :         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
    2422           0 :                 DEBUG(1,("Invalid record in smbXsrv_session_global.tdb:"
    2423             :                          "key '%s' ndr_pull_struct_blob - %s\n",
    2424             :                          hex_encode_talloc(frame, key.dptr, key.dsize),
    2425             :                          ndr_errstr(ndr_err)));
    2426           0 :                 goto done;
    2427             :         }
    2428             : 
    2429          28 :         if (global_blob.version != SMBXSRV_VERSION_0) {
    2430           0 :                 DEBUG(1,("Invalid record in smbXsrv_session_global.tdb:"
    2431             :                          "key '%s' unsupported version - %d\n",
    2432             :                          hex_encode_talloc(frame, key.dptr, key.dsize),
    2433             :                          (int)global_blob.version));
    2434           0 :                 goto done;
    2435             :         }
    2436             : 
    2437          28 :         if (global_blob.info.info0 == NULL) {
    2438           0 :                 DEBUG(1,("Invalid record in smbXsrv_tcon_global.tdb:"
    2439             :                          "key '%s' info0 NULL pointer\n",
    2440             :                          hex_encode_talloc(frame, key.dptr, key.dsize)));
    2441           0 :                 goto done;
    2442             :         }
    2443             : 
    2444          28 :         global_blob.info.info0->db_rec = rec;
    2445          28 :         ret = state->fn(global_blob.info.info0, state->private_data);
    2446          28 : done:
    2447          28 :         TALLOC_FREE(frame);
    2448          28 :         return ret;
    2449             : }
    2450             : 
    2451          28 : NTSTATUS smbXsrv_session_global_traverse(
    2452             :                         int (*fn)(struct smbXsrv_session_global0 *, void *),
    2453             :                         void *private_data)
    2454             : {
    2455             : 
    2456             :         NTSTATUS status;
    2457          28 :         int count = 0;
    2458          28 :         struct smbXsrv_session_global_traverse_state state = {
    2459             :                 .fn = fn,
    2460             :                 .private_data = private_data,
    2461             :         };
    2462             : 
    2463          28 :         become_root();
    2464          28 :         status = smbXsrv_session_global_init(NULL);
    2465          28 :         if (!NT_STATUS_IS_OK(status)) {
    2466           0 :                 unbecome_root();
    2467           0 :                 DEBUG(0, ("Failed to initialize session_global: %s\n",
    2468             :                           nt_errstr(status)));
    2469           0 :                 return status;
    2470             :         }
    2471             : 
    2472          28 :         status = dbwrap_traverse_read(smbXsrv_session_global_db_ctx,
    2473             :                                       smbXsrv_session_global_traverse_fn,
    2474             :                                       &state,
    2475             :                                       &count);
    2476          28 :         unbecome_root();
    2477             : 
    2478          28 :         return status;
    2479             : }

Generated by: LCOV version 1.13