/*++ Copyright (c) 1989-1993 Microsoft Corporation Module Name: Ntisol.h Abstract: This file contains the interface between the TDI interface on the top of NBT and the OS independent code. It takes the parameters out of the irps and puts in into procedure calls for the OS independent code (which is mostly in name.c). Author: Jim Stewart (Jimst) 10-2-92 Revision History: Notes: The Nbt routines have been modified to include an additional parameter, i.e, the transport type. This transport type is used primarily to distinguish the NETBIOS over TCP/IP implementation from the Messaging Over TCP/IP implementation. The primary difference between the two being that the later uses the NETBT framing without the associated NETBIOS name registartion/resolution. It primarily uses DNS for name resolution. All the names that are registered for the new transport are local names and are not defended on the network. The primary usage is in conjuntion with an extended NETBIOS address type defined in tdi.h. The NETBIOS name resolution/registration traffic occurs in two phases. The first phase contains all the broadcast traffic that ensues during NETBIOS name registration. Subsequently the NETBT implementation queries the remote adapter status to choose the appropriate called name. This approach results in additional traffic for querying the remote adapter status. The new address type defined in tdi.h enables the client of netbt to supply the name to be used in NETBT session setup. This avoids the network traffic for querying the adapter status. The original design which has not been fully implemented involved exposing two device objects from the NetBt driver -- the NetBt device object which would be the full implementation of NETBIOS over TCP/IP and the MoTcp device object which would be the implementation of Messaging over TCP/IP. The MoTcp device object would use the same port address as NetBt and use the same session setup protocol to talk to remote machines running old NetBt drivers and machines running new NetBt drivers. The transport type variations combined with the address type changes present us with four different cases which need to be handled -- the NetBt transport being presented with a TDI_ADDRESS_NETBIOS_EX structure, the NetBt transport being prsented with a TDI_ADDRESS_NETBIOS structure and the same two cases for the MoTcp transport. --*/ #include "precomp.h" #include "ntprocs.h" #include #include // for IOCTL_TCP_SET_INFORMATION_EX #ifdef RASAUTODIAL #include #include #endif // RASAUTODIAL #include #include #include "ntisol.tmh" #if BACK_FILL #define SESSION_HDR_SIZE sizeof(tSESSIONHDR) #endif NTSTATUS SendCompletion( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context ); NTSTATUS NTSendCleanupConnection( IN tCONNECTELE *pConnEle, IN PVOID pCompletionRoutine, IN PVOID Context, IN PIRP pIrp); VOID DpcSendSession( IN PKDPC pDpc, IN PVOID Context, IN PVOID SystemArgument1, IN PVOID SystemArgument2 ); NBT_WORK_ITEM_CONTEXT * FindLmhSvcRequest( IN PDEVICE_OBJECT DeviceContext, IN PIRP pIrp, IN tLMHSVC_REQUESTS *pLmhRequest ); NTSTATUS NbtCancelCancelRoutine( IN PIRP pIrp ); #ifdef RASAUTODIAL extern ACD_DRIVER AcdDriverG; BOOLEAN NbtCancelPostConnect( IN PIRP pIrp ); #endif // RASAUTODIAL NTSTATUS NbtQueryGetAddressInfo( IN PIO_STACK_LOCATION pIrpSp, OUT PVOID *ppBuffer, OUT ULONG *pSize ); VOID NbtCancelConnect( IN PDEVICE_OBJECT pDeviceContext, IN PIRP pIrp ); VOID NbtCancelReceive( IN PDEVICE_OBJECT DeviceContext, IN PIRP pIrp ); NTSTATUS GetIpAddrs( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp ); typedef struct { struct _DeviceContext *pDeviceContext; PIRP pClientIrp; PIRP pLocalIrp; tCONNECTELE *pConnEle; PTA_NETBT_INTERNAL_ADDRESS pTransportAddress; TDI_CONNECTION_INFORMATION LocalConnectionInformation; BOOLEAN ProcessingDone; TDI_ADDRESS_NETBIOS_UNICODE_EX *pUnicodeAddress; // First Readable buffer in the transport address list TDI_ADDRESS_NETBIOS_UNICODE_EX *pReturnBuffer; // First writable buffer in the transport address list LONG CurrIndex, NumberOfAddresses; LONG TaAddressLength, RemainingAddressLength; PUCHAR pTaAddress; } NBT_DELAYED_CONNECT_CONTEXT, *PNBT_DELAYED_CONNECT_CONTEXT; extern POBJECT_TYPE *IoFileObjectType; NTSTATUS InitDelayedNbtProcessConnect( IN PNBT_DELAYED_CONNECT_CONTEXT pDelConnCtx ); HANDLE NbtOpenParametersRegistry( VOID ); //******************* Pageable Routine Declarations **************** #ifdef ALLOC_PRAGMA #pragma CTEMakePageable(PAGE, NTOpenControl) #pragma CTEMakePageable(PAGE, NTOpenAddr) #pragma CTEMakePageable(PAGE, NTCloseAddress) #pragma CTEMakePageable(PAGE, NTOpenConnection) #pragma CTEMakePageable(PAGE, NTAssocAddress) #pragma CTEMakePageable(PAGE, NTCloseConnection) #pragma CTEMakePageable(PAGE, NTSetSharedAccess) #pragma CTEMakePageable(PAGE, NTCheckSharedAccess) #pragma CTEMakePageable(PAGE, NTCleanUpConnection) #pragma CTEMakePageable(PAGE, NTCleanUpAddress) #pragma CTEMakePageable(PAGE, NTDisAssociateAddress) #pragma CTEMakePageable(PAGE, NTListen) #pragma CTEMakePageable(PAGE, DelayedNbtProcessConnect) #pragma CTEMakePageable(PAGE, InitDelayedNbtProcessConnect) #pragma CTEMakePageable(PAGE, DispatchIoctls) #pragma CTEMakePageable(PAGE, NTSendDatagram) #pragma CTEMakePageable(PAGE, NTSetInformation) #pragma CTEMakePageable(PAGE, NTSetEventHandler) #pragma CTEMakePageable(PAGE, NbtOpenParametersRegistry) // // Should not be pageable since AFD can call us at raised Irql in case of AcceptEx. // // #pragma CTEMakePageable(PAGE, NTQueryInformation) #endif //******************* Pageable Routine Declarations **************** int check_unicode_string(IN PUNICODE_STRING str); //---------------------------------------------------------------------------- NTSTATUS NTOpenControl( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles opening the control object, which represents the driver itself. For example QueryInformation uses the control object as the destination of the Query message. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { PIO_STACK_LOCATION pIrpSp; NTSTATUS status; CTEPagedCode(); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pIrpSp->FileObject->FsContext2 = (PVOID)(NBT_CONTROL_TYPE); // return a ptr the control endpoint pIrpSp->FileObject->FsContext = (PVOID)pNbtGlobConfig->pControlObj; // // the following call opens a control object with the transport below since // several of the query information calls are passed directly on to the // transport below. // if (!pDeviceContext->pControlFileObject) { status = NbtTdiOpenControl(pDeviceContext); } else status = STATUS_SUCCESS; return(status); } //---------------------------------------------------------------------------- NTSTATUS NTOpenAddr( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp, IN PFILE_FULL_EA_INFORMATION ea) /*++ Routine Description: This Routine handles converting an Open Address Request from an IRP to a procedure call so that NbtOpenAddress can be called in an OS independent manner. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { TDI_REQUEST Request; TA_ADDRESS *pAddress; int j; NTSTATUS status=STATUS_INVALID_ADDRESS_COMPONENT; ULONG BufferLength, MinBufferLength; TRANSPORT_ADDRESS UNALIGNED *pTransportAddr; // structure containing counted array of TA_ADDRESS CTEPagedCode(); // make up the Request data structure from the IRP info Request.Handle.AddressHandle = NULL; // // Verify Minimum Buffer length! // Bug#: 120683 // BufferLength = ea->EaValueLength; if (BufferLength < sizeof(TA_NETBIOS_ADDRESS)) { IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("Nbt.NTOpenAddr[1]: ...Rejecting Open Address request -- BufferLength<%d> < Min<%d>\n", BufferLength, sizeof(TA_NETBIOS_ADDRESS))); NbtTrace(NBT_TRACE_LOCALNAMES, ("Rejecting Open Address request -- BufferLength<%d> < Min<%d>", BufferLength, sizeof(TA_NETBIOS_ADDRESS))); return (status); } MinBufferLength = FIELD_OFFSET(TRANSPORT_ADDRESS,Address); // Set for Address[0] pTransportAddr = (PTRANSPORT_ADDRESS)&ea->EaName[ea->EaNameLength+1]; pAddress = (TA_ADDRESS *) &pTransportAddr->Address[0]; // this includes the address type + the actual address // // The Transport Address information is packed as follows: // Field: Length: // ------ ------- // TAAddressCount --> LONG // // Address[0].AddressLength --> USHORT // Address[0].AddressType --> USHORT // Address[0].Address.. --> Address[0].AddressLength // // Address[1].AddressLength --> USHORT // Address[1].AddressType --> USHORT // Address[1].Address.. --> Address[1].AddressLength // : // // loop through the addresses passed in until ONE is successfully used // *TODO* do we need this loop or can we just assume the name is at the start of the address buffer... // *TODO* does this need to handle multiple names?? for (j=0; BufferLength >= MinBufferLength && jTAAddressCount ;j++ ) { // // do we have enough data to access the "AddressLength" field? // MinBufferLength += FIELD_OFFSET(TA_ADDRESS,Address); if (BufferLength < MinBufferLength) { return (status); } // // Now we can safely access AddressLength // MinBufferLength += pAddress->AddressLength; if (BufferLength < MinBufferLength) { return (status); } // // We support only 2 address types: // if (pAddress->AddressType == TDI_ADDRESS_TYPE_NETBIOS && pAddress->AddressLength >= sizeof(TDI_ADDRESS_NETBIOS)) { status = STATUS_SUCCESS; break; } else if (pAddress->AddressType == TDI_ADDRESS_TYPE_NETBIOS_EX && pAddress->AddressLength >= sizeof(TDI_ADDRESS_NETBIOS_EX)) { status = STATUS_SUCCESS; break; } IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("Nbt.NTOpenAddr[2]: ...Rejecting Open Address request for AddressType=<%d>\n", pAddress->AddressType)); // // Set pAddress to point to the next address // pAddress = (TA_ADDRESS *) ((PUCHAR)pAddress + FIELD_OFFSET(TA_ADDRESS,Address) + pAddress->AddressLength); } if (status == STATUS_SUCCESS) // We found a valid address type! { // call the non-NT specific function to open an address status = NbtOpenAddress(&Request, pAddress, pDeviceContext->IpAddress, pDeviceContext, (PVOID)pIrp); if (status != STATUS_SUCCESS) { NbtTrace(NBT_TRACE_NAMESRV, ("NbtOpenAddress returns %!status!", status)); } } return(status); } //---------------------------------------------------------------------------- NTSTATUS NTCloseAddress( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles converting a Close Address Request from an IRP to a procedure call so that NbtCloseAddress can be called in an OS independent manner. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { TDI_REQUEST Request; TDI_REQUEST_STATUS RequestStatus; PIO_STACK_LOCATION pIrpSp; NTSTATUS status; tCLIENTELE *pClientEle; CTEPagedCode(); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pClientEle = Request.Handle.ConnectionContext = pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pClientEle, NBT_VERIFY_CLIENT, NBT_VERIFY_CLIENT_DOWN)) { ASSERTMSG ("Nbt.NTCloseAddress: ERROR - Invalid Address Handle\n", 0); return (STATUS_INVALID_HANDLE); } status = NbtCloseAddress (&Request, &RequestStatus, pDeviceContext, (PVOID)pIrp); NbtTrace(NBT_TRACE_NAMESRV, ("NbtCloseAddress returns %!status! for ClientEle=%p", status, pClientEle)); return(status); } //---------------------------------------------------------------------------- NTSTATUS NTOpenConnection( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp, IN PFILE_FULL_EA_INFORMATION ea) /*++ Routine Description: This Routine handles converting an Open Connection Request from an IRP to a procedure call so that NbtOpenConnection can be called in an OS independent manner. The connection must be associated with an address before it can be used, except for in inbound call where the client returns the connection ID in the accept. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { TDI_REQUEST Request; PIO_STACK_LOCATION pIrpSp; CONNECTION_CONTEXT ConnectionContext; NTSTATUS status; PFILE_OBJECT pFileObject; ULONG BufferLength; tCONNECTELE *pConnEle; CTEPagedCode(); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); // make up the Request data structure from the IRP info Request.Handle.ConnectionContext = NULL; // // Verify Minimum Buffer length! // Bug#: 120682 // BufferLength = ea->EaValueLength; if (BufferLength < sizeof(CONNECTION_CONTEXT)) { IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("Nbt.NTOpenConnection: ERROR -- Open Connection request -- (BufferLength=%d < Min=%d)\n", BufferLength, sizeof(CONNECTION_CONTEXT))); ASSERT(0); return (STATUS_INVALID_ADDRESS_COMPONENT); } // the connection context value is stored in the string just after the // name "connectionContext", and it is most likely unaligned, so just // copy it out.( 4 bytes of copying ). CTEMemCopy(&ConnectionContext, (CONNECTION_CONTEXT)&ea->EaName[ea->EaNameLength+1], sizeof(CONNECTION_CONTEXT)); // call the non-NT specific function to open an address status = NbtOpenConnection (&Request, ConnectionContext, pDeviceContext); pFileObject = pIrpSp->FileObject; if (!NT_SUCCESS(status)) { pFileObject->FsContext = NULL; NbtTrace(NBT_TRACE_OUTBOUND, ("NbtOpenConnection returns %!status!", status)); } else if (Request.Handle.ConnectionContext) { // fill the IRP with successful completion information so we can // find the connection object given the fileObject later. pConnEle = pFileObject->FsContext = Request.Handle.ConnectionContext; if (!NBT_VERIFY_HANDLE (pConnEle, NBT_VERIFY_CONNECTION)) { ASSERTMSG ("Nbt.NTOpenConnection: ERROR - Invalid Connection Handle\n", 0); return (STATUS_UNSUCCESSFUL); } pFileObject->FsContext2 = (PVOID)(NBT_CONNECTION_TYPE); pConnEle->pClientFileObject = pFileObject; NbtTrace(NBT_TRACE_OUTBOUND, ("New connection %p", pConnEle)); status = STATUS_SUCCESS; } return(status); } //---------------------------------------------------------------------------- NTSTATUS NTAssocAddress( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles converting an Associate Address Request from an IRP to a procedure call so that NbtAssociateAddress can be called in an OS independent manner. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { TDI_REQUEST Request; PIO_STACK_LOCATION pIrpSp; PFILE_OBJECT fileObject; PTDI_REQUEST_KERNEL_ASSOCIATE parameters; // holds address handle NTSTATUS status; tCONNECTELE *pConnEle; tCLIENTELE *pClientEle; CTEPagedCode(); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pConnEle = Request.Handle.ConnectionContext = pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE (pConnEle, NBT_VERIFY_CONNECTION)) { ASSERTMSG ("Nbt.NTAssocAddress: ERROR - Invalid Connection Handle\n", 0); return (STATUS_INVALID_HANDLE); } // the address handle is buried in the Irp... parameters = (PTDI_REQUEST_KERNEL_ASSOCIATE)&pIrpSp->Parameters; // now get a pointer to the file object, which points to the address // element by calling a kernel routine to convert this filehandle into // a file pointer. status = ObReferenceObjectByHandle (parameters->AddressHandle, FILE_READ_DATA, *IoFileObjectType, pIrp->RequestorMode, (PVOID *)&fileObject, NULL); IF_DBG(NBT_DEBUG_HANDLES) KdPrint (("\t ++<%x>====><%x>\tNTAssocAddress->ObReferenceObject, Status = <%x>\n", parameters->AddressHandle, fileObject, status)); if ((NT_SUCCESS(status)) && (fileObject->DeviceObject->DriverObject == NbtConfig.DriverObject) && // Bug# 202349 NBT_VERIFY_HANDLE(((tDEVICECONTEXT*)fileObject->DeviceObject), NBT_VERIFY_DEVCONTEXT) && // Bug# 202349 (PtrToUlong(fileObject->FsContext2) == TDI_TRANSPORT_ADDRESS_FILE)) { pClientEle = fileObject->FsContext; if (NBT_VERIFY_HANDLE (pClientEle, NBT_VERIFY_CLIENT)) { // call the non-NT specific function to associate the address with // the connection status = NbtAssociateAddress (&Request, pClientEle, (PVOID)pIrp); NbtTrace(NBT_TRACE_OUTBOUND, ("NbtAssociateAddress returns %!status!", status)); } else { ASSERTMSG ("Nbt.NTAssocAddress: ERROR - Invalid Address Handle\n", 0); status = STATUS_INVALID_HANDLE; } // we are done with the file object, so release the reference ObDereferenceObject((PVOID)fileObject); return(status); } else { return(STATUS_INVALID_HANDLE); } } //---------------------------------------------------------------------------- NTSTATUS NTCloseConnection( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles converting a Close Connection Request from an IRP to a procedure call so that NbtCloseConnection can be called in an OS independent manner. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { TDI_REQUEST Request; TDI_REQUEST_STATUS RequestStatus; PIO_STACK_LOCATION pIrpSp; NTSTATUS status; tCONNECTELE *pConnEle; CTEPagedCode(); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pConnEle = Request.Handle.ConnectionContext = pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { ASSERTMSG ("Nbt.NTCloseConnection: ERROR - Invalid Connection Handle\n", 0); return (STATUS_INVALID_HANDLE); } status = NbtCloseConnection( &Request, &RequestStatus, pDeviceContext, (PVOID)pIrp); NbtTrace(NBT_TRACE_OUTBOUND, ("Close connection %p returns %!status!", pConnEle, status)); return(status); } //---------------------------------------------------------------------------- VOID NTSetFileObjectContexts( IN PIRP pIrp, IN PVOID FsContext, IN PVOID FsContext2) /*++ Routine Description: This Routine handles fills in two context values in the Irp stack location, that has to be done in an OS-dependent manner. This routine is called from NbtOpenAddress() when a name is being registered on the network( i.e. as a result of OpenAddress). Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { PIO_STACK_LOCATION pIrpSp; PFILE_OBJECT pFileObject; // // fill the IRP with context information so we can // find the address object given the fileObject later. // // This must be done here, rather than after the call to NbtOpenAddress // because that call can complete the Irp before it returns. Soooo, // in the complete routine for the Irp, if the completion code is not // good, it Nulls these two context values. // pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pFileObject = pIrpSp->FileObject; pFileObject->FsContext = FsContext; pFileObject->FsContext2 =FsContext2; } //---------------------------------------------------------------------------- VOID NTClearFileObjectContext( IN PIRP pIrp ) /*++ Routine Description: This Routine clears the context value in the file object when an address object is closed. Arguments: pIrp - a ptr to an IRP Return Value: none --*/ { PIO_STACK_LOCATION pIrpSp; pIrpSp = IoGetCurrentIrpStackLocation(pIrp); CHECK_PTR(pIrpSp->FileObject); pIrpSp->FileObject->FsContext = NULL; } //---------------------------------------------------------------------------- NTSTATUS NTSetSharedAccess( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp, IN tADDRESSELE *pAddress) /*++ Routine Description: This Routine handles setting the shared access on the file object. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { PACCESS_STATE AccessState; ULONG DesiredAccess; PIO_STACK_LOCATION pIrpSp; NTSTATUS status; static GENERIC_MAPPING AddressGenericMapping = { READ_CONTROL, READ_CONTROL, READ_CONTROL, READ_CONTROL }; CTEPagedCode(); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); if ((pIrpSp->Parameters.Create.ShareAccess & FILE_SHARE_READ) || (pIrpSp->Parameters.Create.ShareAccess & FILE_SHARE_WRITE)) { DesiredAccess = (ULONG)FILE_SHARE_READ; } else { DesiredAccess = (ULONG)0; } IoSetShareAccess (FILE_READ_DATA, DesiredAccess, pIrpSp->FileObject, &pAddress->ShareAccess); // assign the security descriptor ( need to to do this with the spinlock // released because the descriptor is not mapped. Assign and CheckAccess // are synchronized using a Resource. AccessState = pIrpSp->Parameters.Create.SecurityContext->AccessState; status = SeAssignSecurity (NULL, // Parent Descriptor AccessState->SecurityDescriptor, &pAddress->SecurityDescriptor, FALSE, // is a directory &AccessState->SubjectSecurityContext, &AddressGenericMapping, NonPagedPool); if (!NT_SUCCESS(status)) { IoRemoveShareAccess (pIrpSp->FileObject, &pAddress->ShareAccess); } return status; } //---------------------------------------------------------------------------- NTSTATUS NTCheckSharedAccess( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp, IN tADDRESSELE *pAddress) /*++ Routine Description: This Routine handles setting the shared access on the file object. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { PACCESS_STATE AccessState; ACCESS_MASK GrantedAccess; BOOLEAN AccessAllowed; ULONG DesiredAccess; PIO_STACK_LOCATION pIrpSp; BOOLEAN duplicate=FALSE; NTSTATUS status; ULONG DesiredShareAccess; static GENERIC_MAPPING AddressGenericMapping = { READ_CONTROL, READ_CONTROL, READ_CONTROL, READ_CONTROL }; CTEPagedCode(); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); if ((pIrpSp->Parameters.Create.ShareAccess & FILE_SHARE_READ) || (pIrpSp->Parameters.Create.ShareAccess & FILE_SHARE_WRITE)) DesiredAccess = (ULONG)FILE_SHARE_READ; else DesiredAccess = (ULONG)0; // // The address already exists. Check the ACL and see if we // can access it. If so, simply use this address as our address. // AccessState = pIrpSp->Parameters.Create.SecurityContext->AccessState; status = STATUS_SUCCESS; // *TODO* check that this routine is doing the right thing... // AccessAllowed = SeAccessCheck( pAddress->SecurityDescriptor, &AccessState->SubjectSecurityContext, FALSE, // tokens locked pIrpSp->Parameters.Create.SecurityContext->DesiredAccess, (ACCESS_MASK)0, // previously granted NULL, // privileges &AddressGenericMapping, pIrp->RequestorMode, &GrantedAccess, &status); // use the status from the IoCheckShareAccess as the return access // event if SeAccessCheck fails.... // // Hmmm .... Compare DesiredAccess to GrantedAccess? // // // Now check that we can obtain the desired share // access. We use read access to control all access. // DesiredShareAccess = (ULONG) (((pIrpSp->Parameters.Create.ShareAccess & FILE_SHARE_READ) || (pIrpSp->Parameters.Create.ShareAccess & FILE_SHARE_WRITE)) ? FILE_SHARE_READ : 0); //ACQUIRE_SPIN_LOCK (&pDeviceContext->SpinLock, &oldirql); status = IoCheckShareAccess( FILE_READ_DATA, DesiredAccess, pIrpSp->FileObject, &pAddress->ShareAccess, TRUE); return(status); } //---------------------------------------------------------------------------- NTSTATUS NTCleanUpAddress( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles the first stage of releasing an address object. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { NTSTATUS status; tCLIENTELE *pClientEle; PIO_STACK_LOCATION pIrpSp; CTEPagedCode(); IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NTCleanUpAddress: Cleanup Address Hit ***\n")); // // Disconnect any active connections, and for each connection that is not // in use, remove one from the free list to the transport below. // pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pClientEle = (tCLIENTELE *) pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE (pClientEle, NBT_VERIFY_CLIENT)) { ASSERTMSG ("Nbt.NTCleanUpAddress: ERROR - Invalid Address Handle\n", 0); return (STATUS_INVALID_HANDLE); } CTEVerifyHandle(pClientEle,NBT_VERIFY_CLIENT,tCLIENTELE,&status); status = NbtCleanUpAddress(pClientEle,pDeviceContext); NbtTrace(NBT_TRACE_NAMESRV, ("Cleanup address %p returns %!status!", pClientEle, status)); return(status); } //---------------------------------------------------------------------------- NTSTATUS NTCleanUpConnection( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles running down a connection in preparation for a close that will come in next. NtClose hits this entry first, and then it hits the NTCloseConnection next. If the connection was outbound, then the address object must be closed as well as the connection. This routine mainly deals with the pLowerconn connection to the transport whereas NbtCloseConnection deals with closing pConnEle, the connection to the client. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { NTSTATUS status; PIO_STACK_LOCATION pIrpSp; tCONNECTELE *pConnEle; CTEPagedCode(); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pConnEle = (tCONNECTELE *) pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { ASSERTMSG ("Nbt.NTCleanUpConnection: ERROR - Invalid Connection Handle\n", 0); return (STATUS_INVALID_HANDLE); } //CTEVerifyHandle(pConnEle,NBT_VERIFY_CONNECTION,tCONNECTELE,&status); IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NTCleanUpConnection: Cleanup Connection Hit state= %X\n",pConnEle->state)); pConnEle->ConnectionCleanedUp = TRUE; status = NbtCleanUpConnection(pConnEle,pDeviceContext); ASSERT (status != STATUS_PENDING); NbtTrace(NBT_TRACE_NAMESRV, ("Cleanup connection %p returns %!status!", pConnEle, status)); return(status); } //---------------------------------------------------------------------------- NTSTATUS NTAccept( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles passing an accept for an inbound connect indication to the OS independent code. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { NTSTATUS status; TDI_REQUEST TdiRequest; PIO_STACK_LOCATION pIrpSp; PTDI_REQUEST_KERNEL_ACCEPT pRequest; tCONNECTELE *pConnEle; IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NTAccept: ** Got an Accept from the Client **\n")); // pull the junk out of the Irp and call the non-OS specific routine. pIrpSp = IoGetCurrentIrpStackLocation(pIrp); // the Parameters value points to a Request structure... pRequest = (PTDI_REQUEST_KERNEL_ACCEPT)&pIrpSp->Parameters; // the pConnEle ptr was stored in the FsContext value when the connection // was initially created. pConnEle = TdiRequest.Handle.ConnectionContext = pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { ASSERTMSG ("Nbt.NTAccept: ERROR - Invalid Connection Handle\n", 0); return (STATUS_INVALID_HANDLE); } status = NbtAccept( &TdiRequest, pRequest->RequestConnectionInformation, pRequest->ReturnConnectionInformation, pIrp); return(status); } //---------------------------------------------------------------------------- NTSTATUS NTDisAssociateAddress( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { NTSTATUS status; TDI_REQUEST TdiRequest; PIO_STACK_LOCATION pIrpSp; PTDI_REQUEST_KERNEL_ACCEPT pRequest; tCONNECTELE *pConnEle; CTEPagedCode(); // pull the junk out of the Irp and call the non-OS specific routine. pIrpSp = IoGetCurrentIrpStackLocation(pIrp); // the Parameters value points to a Request structure... pRequest = (PTDI_REQUEST_KERNEL_ACCEPT)&pIrpSp->Parameters; // the pConnEle ptr was stored in the FsContext value when the connection // was initially created. pConnEle = TdiRequest.Handle.ConnectionContext = pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { ASSERTMSG ("Nbt.NTCloseAddress: ERROR - Invalid Address Handle\n", 0); return (STATUS_INVALID_HANDLE); } status = NbtDisassociateAddress(&TdiRequest); return(status); } LONG NextTransportAddress( IN PNBT_DELAYED_CONNECT_CONTEXT pDelConnCtx ) /*++ Move the pointer to the next address. --*/ { pDelConnCtx->RemainingAddressLength -= (pDelConnCtx->TaAddressLength + FIELD_OFFSET(TRANSPORT_ADDRESS,Address)); pDelConnCtx->pTaAddress += pDelConnCtx->TaAddressLength + FIELD_OFFSET(TRANSPORT_ADDRESS,Address); RtlCopyMemory(&pDelConnCtx->TaAddressLength, (pDelConnCtx->pTaAddress+FIELD_OFFSET(TA_ADDRESS,AddressLength)), sizeof(USHORT)); pDelConnCtx->CurrIndex++; /* * make sure we don't overrun the buffer */ if(pDelConnCtx->RemainingAddressLength < (pDelConnCtx->TaAddressLength + FIELD_OFFSET(TRANSPORT_ADDRESS,Address))) { KdPrint(("netbt!NextTransportAddress: insufficient TaAddress buffer size\n")); pDelConnCtx->CurrIndex = pDelConnCtx->NumberOfAddresses; } return pDelConnCtx->CurrIndex; } NTSTATUS InitDelayedNbtProcessConnect( IN PNBT_DELAYED_CONNECT_CONTEXT pDelConnCtx ) /*++ Reset the NBT_DELAYED_CONNECT_CONTEXT Find the first readable unicode address and writable buffer. In compound address case, NetBT will first try to establish the connection using the first readable unicode address. If this fails, it will attempt to use OEM address, ie. only one readable unicode address is effective. If DNS name resolution is used, NetBT will return the result in the first writable buffer and update the NameBufferType to NBT_WRITTEN. --*/ { PTDI_REQUEST_KERNEL pRequestKernel; PIO_STACK_LOCATION pIrpSp; PTRANSPORT_ADDRESS pRemoteAddress; PUCHAR pTaAddress; enum eNameBufferType NameBufferType, UnicodeAddressNameBufferType; NTSTATUS status; tCONNECTELE *pConnEle = NULL; CTEPagedCode(); pIrpSp = IoGetCurrentIrpStackLocation(pDelConnCtx->pClientIrp); pRequestKernel = (PTDI_REQUEST_KERNEL) &pIrpSp->Parameters; pRemoteAddress = pRequestKernel->RequestConnectionInformation->RemoteAddress; pDelConnCtx->NumberOfAddresses = pRemoteAddress->TAAddressCount; pDelConnCtx->RemainingAddressLength = pRequestKernel->RequestConnectionInformation->RemoteAddressLength; pDelConnCtx->pTaAddress = (PCHAR)&pRemoteAddress->Address[0]; RtlCopyMemory(&pDelConnCtx->TaAddressLength, (pDelConnCtx->pTaAddress+FIELD_OFFSET(TA_ADDRESS,AddressLength)), sizeof(USHORT)); pDelConnCtx->CurrIndex = 0; /* * Find the first writable buffer and readable unicode address */ pDelConnCtx->pReturnBuffer = NULL; pDelConnCtx->pUnicodeAddress = NULL; for (pDelConnCtx->CurrIndex = 0; pDelConnCtx->CurrIndex < pDelConnCtx->NumberOfAddresses; NextTransportAddress(pDelConnCtx)) { USHORT TaAddressType; RtlCopyMemory(&TaAddressType, (pDelConnCtx->pTaAddress+FIELD_OFFSET(TA_ADDRESS,AddressType)), sizeof(USHORT)); if (TaAddressType != TDI_ADDRESS_TYPE_NETBIOS_UNICODE_EX) { continue; } RtlCopyMemory(&NameBufferType, pDelConnCtx->pTaAddress + FIELD_OFFSET(TA_ADDRESS,Address)+ FIELD_OFFSET(TDI_ADDRESS_NETBIOS_UNICODE_EX,NameBufferType), sizeof(NameBufferType)); if (NameBufferType != NBT_READONLY && NameBufferType != NBT_WRITEONLY && NameBufferType != NBT_READWRITE && NameBufferType != NBT_WRITTEN) { return STATUS_INVALID_ADDRESS; } if (NameBufferType == NBT_READONLY || NameBufferType == NBT_READWRITE) { if (pDelConnCtx->pUnicodeAddress == NULL) { pDelConnCtx->pUnicodeAddress = (TDI_ADDRESS_NETBIOS_UNICODE_EX*) (pDelConnCtx->pTaAddress + FIELD_OFFSET(TA_ADDRESS,Address)); UnicodeAddressNameBufferType = NameBufferType; } } if (NameBufferType == NBT_WRITEONLY) { pDelConnCtx->pReturnBuffer = (TDI_ADDRESS_NETBIOS_UNICODE_EX*) (pDelConnCtx->pTaAddress + FIELD_OFFSET(TA_ADDRESS,Address)); break; } if (NameBufferType == NBT_READWRITE) { pDelConnCtx->pReturnBuffer = (TDI_ADDRESS_NETBIOS_UNICODE_EX*) (pDelConnCtx->pTaAddress + FIELD_OFFSET(TA_ADDRESS,Address)); /* * Only when no WRITEONLY buffer is presented, can we use a READWRITE buffer. So continue searching. */ } } pDelConnCtx->NumberOfAddresses = pRemoteAddress->TAAddressCount; pDelConnCtx->RemainingAddressLength = pRequestKernel->RequestConnectionInformation->RemoteAddressLength; pDelConnCtx->pTaAddress = (PCHAR)&pRemoteAddress->Address[0]; RtlCopyMemory(&pDelConnCtx->TaAddressLength, (pDelConnCtx->pTaAddress+FIELD_OFFSET(TA_ADDRESS,AddressLength)), sizeof(USHORT)); pDelConnCtx->CurrIndex = 0; /* * Setup the first local transport address */ if (pDelConnCtx->pUnicodeAddress != NULL) { pTaAddress = ((PUCHAR)pDelConnCtx->pUnicodeAddress - FIELD_OFFSET(TA_ADDRESS,Address)); } else { pTaAddress = pDelConnCtx->pTaAddress; } status = NewInternalAddressFromTransportAddress( (PTRANSPORT_ADDRESS) (pTaAddress-FIELD_OFFSET(TRANSPORT_ADDRESS,Address)), pDelConnCtx->RemainingAddressLength, &pDelConnCtx->pTransportAddress); if (status != STATUS_SUCCESS) { ASSERT(pDelConnCtx->pTransportAddress == NULL); return status; } if (pDelConnCtx->pUnicodeAddress == NULL || UnicodeAddressNameBufferType != NBT_READWRITE) { pDelConnCtx->pTransportAddress->Address[0].Address[0].pNetbiosUnicodeEX = pDelConnCtx->pReturnBuffer; } ASSERT(pDelConnCtx->pTransportAddress); pConnEle = pIrpSp->FileObject->FsContext; if (NULL == pConnEle || !NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { return STATUS_INVALID_HANDLE; } pDelConnCtx->pConnEle = pConnEle; NBT_REFERENCE_CONNECTION (pConnEle, REF_CONN_MULTIPLE_CONNECT); // so we don't delete the connection return STATUS_SUCCESS; } NTSTATUS NextDelayedNbtProcessConnect( IN PNBT_DELAYED_CONNECT_CONTEXT pDelConnCtx ) /*++ Move the pointer to the next address. --*/ { USHORT TaAddressType; enum eNameBufferType NameBufferType; PTA_NETBT_INTERNAL_ADDRESS pTransportAddress = NULL; TDI_ADDRESS_NETBT_INTERNAL *pAddr; PIO_STACK_LOCATION pIrpSp; tCONNECTELE *pConnEle; NTSTATUS status; pIrpSp = IoGetCurrentIrpStackLocation(pDelConnCtx->pClientIrp); pConnEle = pIrpSp->FileObject->FsContext; ASSERT (pConnEle->pIrp == NULL); ASSERT(pDelConnCtx->pTransportAddress); status = STATUS_SUCCESS; while(1) { /* * Free memory allocated in previous loop */ if (pTransportAddress) { DeleteInternalAddress(pTransportAddress); pTransportAddress = NULL; } if (pDelConnCtx->pUnicodeAddress == NULL) { NextTransportAddress(pDelConnCtx); } else { pDelConnCtx->pUnicodeAddress = NULL; } if (pDelConnCtx->CurrIndex >= pDelConnCtx->NumberOfAddresses) { break; } /* * Skip UNICODE address. * UNICODE address is always done first, ie. just after InitDelayedNbtProcessConnect gets called. */ RtlCopyMemory(&TaAddressType, (pDelConnCtx->pTaAddress+FIELD_OFFSET(TA_ADDRESS,AddressType)), sizeof(USHORT)); if (TaAddressType != TDI_ADDRESS_TYPE_NETBIOS && TaAddressType != TDI_ADDRESS_TYPE_NETBIOS_EX) { continue; } /* * Since we only do OEM address, we can safely call NewInternalAddressFromTransportAddress (this guy will * call Rtl* to convert UNICODE to OEM in UNICODE address case so that we may hit bug check.) */ status = NewInternalAddressFromTransportAddress( (PTRANSPORT_ADDRESS) (pDelConnCtx->pTaAddress-FIELD_OFFSET(TRANSPORT_ADDRESS,Address)), pDelConnCtx->RemainingAddressLength, &pTransportAddress); if (status != STATUS_SUCCESS) { ASSERT(pTransportAddress == NULL); continue; } ASSERT(pTransportAddress); pAddr = pTransportAddress->Address[0].Address; /* * Always attach a writable buffer in OEM address case */ pAddr->pNetbiosUnicodeEX = pDelConnCtx->pReturnBuffer; /* * Skip any address which is same as previous one. * Since the previous one fails, there is no point to use it again. */ if (IsDeviceNetbiosless(pDelConnCtx->pDeviceContext) || (pDelConnCtx->pLocalIrp->IoStatus.Status == STATUS_HOST_UNREACHABLE)) { OEM_STRING RemoteName, PreviouseRemoteName; CTEMemCopy (&RemoteName, &pAddr->OEMRemoteName, sizeof(OEM_STRING)); CTEMemCopy (&PreviouseRemoteName, &pDelConnCtx->pTransportAddress->Address[0].Address[0].OEMRemoteName, sizeof(OEM_STRING)); if ((RemoteName.Length) && (RemoteName.Length == PreviouseRemoteName.Length) && (CTEMemEqu (RemoteName.Buffer, PreviouseRemoteName.Buffer, RemoteName.Length))) { IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("Nbt.DelayedNbtProcessConnect: Irp=<%x>, Names match!<%16.16s:%x>, Types=<%x:%x>\n", pDelConnCtx->pClientIrp, pAddr->OEMRemoteName.Buffer, pAddr->OEMRemoteName.Buffer[15], pAddr->AddressType, pDelConnCtx->pTransportAddress->Address[0].Address[0].AddressType)); continue; } } if (pConnEle->RemoteNameDoesNotExistInDNS) { IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("netbt!DelayedNbtProcessConnect: Skipping address type %lx length %lx\n" "\t\tfor nonexistent name, pIrp %lx, pLocalIrp %lx\n", TaAddressType, pDelConnCtx->TaAddressLength, pDelConnCtx->pClientIrp, pDelConnCtx->pLocalIrp)); // If the address type is such that we rely on DNS name resolution and // if a prior attempt failed, there is no point in reissuing the request. // We can fail them without having to go on the NET. if (TaAddressType == TDI_ADDRESS_TYPE_NETBIOS_EX) { status = STATUS_BAD_NETWORK_PATH; continue; } else if (pDelConnCtx->TaAddressLength != TDI_ADDRESS_LENGTH_NETBIOS) { ASSERT(TaAddressType == TDI_ADDRESS_TYPE_NETBIOS); status = STATUS_INVALID_ADDRESS_COMPONENT; continue; } } IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("netbt!DelayedNbtProcessConnect: Sending local irp=%lx, %lx of %lx\n" "\t\t\t\tTA=%lx Length=%lx\n", pDelConnCtx->pLocalIrp, pDelConnCtx->CurrIndex+1, pDelConnCtx->NumberOfAddresses, pDelConnCtx->pTaAddress, pDelConnCtx->TaAddressLength)); DeleteInternalAddress(pDelConnCtx->pTransportAddress); pDelConnCtx->pTransportAddress = pTransportAddress; pTransportAddress = NULL; break; } if (pTransportAddress) { DeleteInternalAddress(pTransportAddress); pTransportAddress = NULL; } return status; } VOID DoneDelayedNbtProcessConnect( IN PNBT_DELAYED_CONNECT_CONTEXT pDelConnCtx, NTSTATUS status ) /*++ 1. Complete the client IRP 2. Cleanup everything --*/ { tCONNECTELE *pConnEle = NULL; ASSERT(pDelConnCtx->pLocalIrp); ASSERT(pDelConnCtx->pClientIrp); NbtCancelCancelRoutine(pDelConnCtx->pClientIrp); pConnEle = pDelConnCtx->pConnEle; NBT_DEREFERENCE_CONNECTION (pConnEle, REF_CONN_MULTIPLE_CONNECT); // so we don't delete the connection ASSERT(status != STATUS_PENDING); if (pDelConnCtx->pLocalIrp) { IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("netbt!DoneDelayedNbtProcessConnect: Freeing Local Irp=<%x>\n", pDelConnCtx->pLocalIrp)); IoFreeIrp(pDelConnCtx->pLocalIrp); } if (pDelConnCtx->pTransportAddress) { DeleteInternalAddress(pDelConnCtx->pTransportAddress); } IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("netbt!DoneDelayed...: Connect Complete, LocalIrp=<%x>, ClientIrp=<%x>, Status=<%x>\n", pDelConnCtx->pLocalIrp, pDelConnCtx->pClientIrp, status)); NbtTrace(NBT_TRACE_OUTBOUND, ("Complete connection request pIrp=%p pLocalIrp=%p with %!status!", pDelConnCtx->pClientIrp, pDelConnCtx->pLocalIrp, status)); NTIoComplete (pDelConnCtx->pClientIrp, status, 0); pDelConnCtx->pLocalIrp = NULL; pDelConnCtx->pClientIrp = NULL; pDelConnCtx->pTransportAddress = NULL; CTEFreeMem(pDelConnCtx); } //---------------------------------------------------------------------------- NTSTATUS NbtpConnectCompletionRoutine( PDEVICE_OBJECT pDeviceObject, PIRP pIrp, PVOID pCompletionContext ) /*++ Routine Description: This Routine is the completion routine for local IRPS that are generated to handle compound transport addresses Arguments: pDeviceObject - the device object pIrp - a ptr to an IRP pCompletionContext - the completion context Return Value: NTSTATUS - status of the request --*/ { PNBT_DELAYED_CONNECT_CONTEXT pDelConnCtx; NTSTATUS Status, Status2; PIRP pLocalIrp; tDEVICECONTEXT *pDeviceContext; pDelConnCtx = pCompletionContext; pDeviceContext = pDelConnCtx->pDeviceContext; pLocalIrp = pDelConnCtx->pLocalIrp; ASSERT (pIrp == pLocalIrp); Status = pLocalIrp->IoStatus.Status; ASSERT(Status != STATUS_PENDING); NbtTrace(NBT_TRACE_OUTBOUND, ("pIrp %p: %!status! pParentIrp %p", pIrp, Status, pDelConnCtx->pClientIrp)); pDelConnCtx->ProcessingDone = TRUE; /* * Let's move to next address */ Status2 = NextDelayedNbtProcessConnect(pDelConnCtx); /* * Are we done */ if (Status == STATUS_CANCELLED || Status == STATUS_SUCCESS || Status2 != STATUS_SUCCESS || pDelConnCtx->CurrIndex >= pDelConnCtx->NumberOfAddresses) { if (Status2 != STATUS_SUCCESS) { Status = Status2; } IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("Nbt.NbtpC...:==>Connect Complete, LocalIrp=<%x>, ClientIrp=<%x>, Status=<%x> <==\n", pIrp,pDelConnCtx->pClientIrp, Status)); if (Status == STATUS_HOST_UNREACHABLE) { Status = STATUS_BAD_NETWORK_PATH; } DoneDelayedNbtProcessConnect(pDelConnCtx, Status); return STATUS_MORE_PROCESSING_REQUIRED; } /* * Start worker thread to process the Connect request on the next address */ IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("NbtpConnectCompletionRoutine: queuing worker item, local irp=%lx, previous status=%lx\n", pIrp, Status)); if (STATUS_SUCCESS != NTQueueToWorkerThread(NULL, DelayedNbtProcessConnect, NULL, pDelConnCtx, NULL, pDeviceContext, FALSE)) { KdPrint(("Nbt.NbtpConnectCompletionRoutine: Failed to Enqueue Worker thread\n")); DoneDelayedNbtProcessConnect(pDelConnCtx, STATUS_INSUFFICIENT_RESOURCES); } return STATUS_MORE_PROCESSING_REQUIRED; } //---------------------------------------------------------------------------- NTSTATUS DelayedNbtProcessConnect( IN tDGRAM_SEND_TRACKING *pUnused1, IN PVOID pClientContext, IN PVOID pUnused2, IN tDEVICECONTEXT *pUnused3 ) /*++ Routine Description: This Routine is the worker thread for processing Connect Requests. Arguments: pContext Return Value: NONE --*/ { PNBT_DELAYED_CONNECT_CONTEXT pDelConnCtx = NULL; PIRP pIrp = NULL, pLocalIrp = NULL; PIO_STACK_LOCATION pIrpSp = NULL; tCONNECTELE *pConnEle = NULL; NTSTATUS Status = STATUS_SUCCESS; PTDI_REQUEST_KERNEL pRequestKernel = NULL; CTEPagedCode(); pDelConnCtx = (PNBT_DELAYED_CONNECT_CONTEXT) pClientContext; pIrp = pDelConnCtx->pClientIrp; pLocalIrp = pDelConnCtx->pLocalIrp; IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("netbt!DelayedNbtProcessConnect: Enter with local irp=%lx, %lx of %lx\n" "\t\t\t\tTA=%lx Length=%lx\n", pLocalIrp, pDelConnCtx->CurrIndex+1, pDelConnCtx->NumberOfAddresses, pDelConnCtx->pTaAddress, pDelConnCtx->TaAddressLength)); pConnEle = pDelConnCtx->pConnEle; if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { DbgPrint ("Nbt.DelayedNbtProcessConnect: ERROR - Invalid Connection Handle\n"); DoneDelayedNbtProcessConnect(pDelConnCtx, (pDelConnCtx->ProcessingDone)? pLocalIrp->IoStatus.Status: STATUS_UNSUCCESSFUL); return STATUS_UNSUCCESSFUL; } CHECK_PTR (pConnEle); Status = STATUS_UNSUCCESSFUL; /* * Set the Cancel routine and ensure that the original IRP was not cancelled before continuing. */ IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint (("Nbt.DelayedNbtProcessConnect: Setting Cancel= for Irp:Device <%x:%x>\n", pIrp, pDelConnCtx->pDeviceContext)); if (STATUS_CANCELLED == NTCheckSetCancelRoutine(pIrp, NbtCancelConnect, pDelConnCtx->pDeviceContext)) { IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("Nbt.DelayedNbtProcessConnect: Irp <%x> was cancelled\n", pIrp)); pConnEle->pIrp = NULL; DoneDelayedNbtProcessConnect(pDelConnCtx, STATUS_CANCELLED); return STATUS_CANCELLED; } /* * InitDelayedNbtProcessConnect/NextDelayedNbtProcessConnect has set up pDelConnCtx->pTransportAddress properly */ ASSERT(pDelConnCtx->pTransportAddress); pConnEle->AddressType = pDelConnCtx->pTransportAddress->Address[0].Address[0].AddressType; pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pRequestKernel = (PTDI_REQUEST_KERNEL) &pIrpSp->Parameters; pDelConnCtx->LocalConnectionInformation = *(pRequestKernel->RequestConnectionInformation); pDelConnCtx->LocalConnectionInformation.RemoteAddress = pDelConnCtx->pTransportAddress; pDelConnCtx->LocalConnectionInformation.RemoteAddressLength = pDelConnCtx->pTransportAddress->Address[0].AddressLength; // // Save the thread info for debugging purposes! // pLocalIrp->Tail.Overlay.Thread = PsGetCurrentThread(); TdiBuildConnect (pLocalIrp, &pDelConnCtx->pDeviceContext->DeviceObject, pIrpSp->FileObject, NbtpConnectCompletionRoutine, pDelConnCtx, pRequestKernel->RequestSpecific, &pDelConnCtx->LocalConnectionInformation, pRequestKernel->ReturnConnectionInformation); Status = IoCallDriver(&pDelConnCtx->pDeviceContext->DeviceObject,pLocalIrp); if (Status != STATUS_PENDING) { IF_DBG(NBT_DEBUG_NETBIOS_EX) KdPrint(("Nbt.DelayedNbtProcessConnect: IoCallDriver returned %lx for irp %lx (%lx)\n", Status,pIrp,pLocalIrp)); // ASSERT(0); } return STATUS_PENDING; } //---------------------------------------------------------------------------- NTSTATUS NTConnect( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles calling the non OS specific code to open a session connection to a destination. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { PIO_STACK_LOCATION pIrpSp; PTRANSPORT_ADDRESS pRemoteAddress; PTDI_REQUEST_KERNEL pRequestKernel; PIRP pLocalIrp; PNBT_DELAYED_CONNECT_CONTEXT pDelConnCtx; NTSTATUS Status; pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pRequestKernel = (PTDI_REQUEST_KERNEL)&pIrpSp->Parameters; NbtTrace(NBT_TRACE_OUTBOUND, ("TDI_CONNECT pIrp %p", pIrp)); try { pRemoteAddress = pRequestKernel->RequestConnectionInformation->RemoteAddress; if (pRequestKernel->RequestConnectionInformation->RemoteAddressLength < sizeof(TRANSPORT_ADDRESS)) { return STATUS_INVALID_ADDRESS_COMPONENT; } } except(EXCEPTION_EXECUTE_HANDLER) { KdPrint (("Nbt.NTConnect: Exception <0x%x> trying to access Connection info\n", GetExceptionCode())); return STATUS_INVALID_ADDRESS_COMPONENT; } if (pIrpSp->CompletionRoutine != NbtpConnectCompletionRoutine) { pDelConnCtx = NbtAllocMem(sizeof(NBT_DELAYED_CONNECT_CONTEXT),NBT_TAG('e')); if (!pDelConnCtx) { return(STATUS_INSUFFICIENT_RESOURCES); } CTEZeroMemory(pDelConnCtx, sizeof(NBT_DELAYED_CONNECT_CONTEXT)); pLocalIrp = IoAllocateIrp(pDeviceContext->DeviceObject.StackSize,FALSE); if (!pLocalIrp) { CTEFreeMem(pDelConnCtx); return(STATUS_INSUFFICIENT_RESOURCES); } pDelConnCtx->pDeviceContext = pDeviceContext; pDelConnCtx->pClientIrp = pIrp; pDelConnCtx->pLocalIrp = pLocalIrp; pDelConnCtx->pTransportAddress = NULL; pDelConnCtx->ProcessingDone = FALSE; Status = InitDelayedNbtProcessConnect(pDelConnCtx); if (!NT_SUCCESS(Status)) { CTEFreeMem(pDelConnCtx); IoFreeIrp(pLocalIrp); return Status; } NbtTrace(NBT_TRACE_OUTBOUND, ("Connection request pIrp=%p pLocalIrp=%p", pIrp, pLocalIrp)); //return (DelayedNbtProcessConnect (NULL, pDelConnCtx, NULL, NULL)); DelayedNbtProcessConnect (NULL, pDelConnCtx, NULL, NULL); // Ignore the return from DelayedNbtProcessConnect and always return STATUS_PENDING; // our client completion routine will take care of completing the IRP // Otherwise, we will complete the IRP twice. return STATUS_PENDING; } else { TDI_REQUEST Request; tCONNECTELE *pConnEle; // call the non-NT specific function to setup the connection pConnEle = Request.Handle.ConnectionContext = pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { ASSERTMSG ("Nbt.NTConnect: ERROR - Invalid Connection Handle\n", 0); return (STATUS_INVALID_HANDLE); } /* * A user mode process may send us a faked request with a completion routine * equal to NbtpConnectCompletionRoutine. * Never let it pass through. */ if (pIrp->RequestorMode != KernelMode) { ASSERTMSG ("Nbt.NTConnect: ERROR - Invalid request\n", 0); return (STATUS_INVALID_PARAMETER); } return NbtConnect(&Request, pRequestKernel->RequestSpecific, // Ulong pRequestKernel->RequestConnectionInformation, pIrp); } } //---------------------------------------------------------------------------- NTSTATUS NTDisconnect( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles calling the Non OS specific code to disconnect a session. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { TDI_REQUEST Request; PIO_STACK_LOCATION pIrpSp; NTSTATUS status; PTDI_REQUEST_KERNEL pRequestKernel; tCONNECTELE *pConnEle; pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pRequestKernel = (PTDI_REQUEST_KERNEL)&pIrpSp->Parameters; pConnEle = Request.Handle.ConnectionContext = pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { ASSERTMSG ("Nbt.NTDisconnect: ERROR - Invalid Connection Handle\n", 0); return (STATUS_INVALID_HANDLE); } // call the non-NT specific function to setup the connection NbtTrace(NBT_TRACE_DISCONNECT, ("Client Disconnects %!NBTNAME!<%02x>", pConnEle->RemoteName, (unsigned char)pConnEle->RemoteName[15])); status = NbtDisconnect( &Request, pRequestKernel->RequestSpecific, // Large Integer (ULONG) pRequestKernel->RequestFlags, pRequestKernel->RequestConnectionInformation, pRequestKernel->ReturnConnectionInformation, pIrp ); NbtTrace(NBT_TRACE_DISCONNECT, ("Client Disconnects status: %!status!", status)); return(status); } //---------------------------------------------------------------------------- NTSTATUS NTListen( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { NTSTATUS status; TDI_REQUEST Request; PTDI_REQUEST_KERNEL pRequestKernel; PIO_STACK_LOCATION pIrpSp; tCONNECTELE *pConnEle; CTEPagedCode(); IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NTListen: Got a LISTEN !!! *****************\n")); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pRequestKernel = (PTDI_REQUEST_KERNEL)&pIrpSp->Parameters; pConnEle = Request.Handle.ConnectionContext = pIrpSp->FileObject->FsContext; if (NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { try { PCHAR pName; ULONG lNameType; ULONG NameLen; // Initialize Request data (may be needed by Vxd) Request.RequestNotifyObject = NULL; Request.RequestContext = NULL; // call the non-NT specific function to setup the connection status = NbtListen (&Request, (ULONG) pRequestKernel->RequestFlags, // Ulong pRequestKernel->RequestConnectionInformation, pRequestKernel->ReturnConnectionInformation, pIrp); } except(EXCEPTION_EXECUTE_HANDLER) { KdPrint (("Nbt.NTListen: Exception <0x%x> trying to access buffer\n", GetExceptionCode())); status = STATUS_INVALID_ADDRESS; } } else { ASSERTMSG ("Nbt.NTListen: ERROR - Invalid Connection Handle\n", 0); status = STATUS_INVALID_HANDLE; // Bug# 202340: Have to complete Irp here! } if (status != STATUS_PENDING) { NTIoComplete(pIrp,status,0); } return(status); } //---------------------------------------------------------------------------- NBT_WORK_ITEM_CONTEXT * FindLmhSvcRequest( IN PDEVICE_OBJECT DeviceContext, IN PIRP pIrp, IN tLMHSVC_REQUESTS *pLmhRequest ) /*++ Routine Description: This routine handles the cancelling a Query to LmHost, so that the client's irp can be returned to the client. This cancellation is instigated by the client (i.e. RDR). Arguments: Return Value: The final status from the operation. --*/ { tDGRAM_SEND_TRACKING *pTracker; NBT_WORK_ITEM_CONTEXT *Context; BOOLEAN FoundIt = FALSE; PLIST_ENTRY pHead; PLIST_ENTRY pEntry; if (pLmhRequest->ResolvingNow && pLmhRequest->Context) { // this is the session setup tracker // Context = (NBT_WORK_ITEM_CONTEXT *) pLmhRequest->Context; pTracker = (tDGRAM_SEND_TRACKING *) Context->pClientContext; if (pTracker->pClientIrp == pIrp) { pLmhRequest->Context = NULL; FoundIt = TRUE; } } else { // // go through the list of Queued requests to find the correct one // and cancel it // pHead = pEntry = &pLmhRequest->ToResolve; while ((pEntry = pEntry->Flink) != pHead) { Context = CONTAINING_RECORD (pEntry,NBT_WORK_ITEM_CONTEXT,Linkage); // this is the session setup tracker // pTracker = (tDGRAM_SEND_TRACKING *)Context->pClientContext; if (pTracker->pClientIrp == pIrp) { RemoveEntryList(pEntry); FoundIt = TRUE; break; } } } return (FoundIt ? Context : NULL); } //---------------------------------------------------------------------------- NTSTATUS QueryProviderCompletion( IN PDEVICE_OBJECT DeviceContext, IN PIRP Irp, IN PVOID Context ) /*++ Routine Description: This routine handles the completion event when the Query Provider Information completes. This routine must decrement the MaxDgramSize and max send size by the respective NBT header sizes. Arguments: DeviceObject - unused. Irp - Supplies Irp that the transport has finished processing. Context - not used Return Value: The final status from the operation (success or an exception). --*/ { PTDI_PROVIDER_INFO pProvider; ULONG HdrSize; ULONG SubnetAddr; ULONG ThisSubnetAddr; PLIST_ENTRY pHead; PLIST_ENTRY pEntry; tDEVICECONTEXT *pDeviceContext; tDEVICECONTEXT *pDevContext; CTELockHandle OldIrq; if (NT_SUCCESS(Irp->IoStatus.Status)) { pDeviceContext = (tDEVICECONTEXT *)DeviceContext; pProvider = (PTDI_PROVIDER_INFO)MmGetMdlVirtualAddress(Irp->MdlAddress); // // Set the correct service flags to indicate what Netbt supports. // pProvider->ServiceFlags = TDI_SERVICE_MESSAGE_MODE | TDI_SERVICE_CONNECTION_MODE | TDI_SERVICE_CONNECTIONLESS_MODE | TDI_SERVICE_ERROR_FREE_DELIVERY | TDI_SERVICE_BROADCAST_SUPPORTED | TDI_SERVICE_MULTICAST_SUPPORTED | TDI_SERVICE_DELAYED_ACCEPTANCE | TDI_SERVICE_ROUTE_DIRECTED | TDI_SERVICE_FORCE_ACCESS_CHECK; pProvider->MinimumLookaheadData = 128; if (pProvider->MaxSendSize > sizeof(tSESSIONHDR)) { // // Nbt has just a two byte + 1 bit session message length, so it // can't have a send size larger than 1ffff // if (pProvider->MaxSendSize > (0x1FFFF + sizeof(tSESSIONHDR))) { pProvider->MaxSendSize = 0x1FFFF; } else { pProvider->MaxSendSize -= sizeof(tSESSIONHDR); } } else { pProvider->MaxSendSize = 0; } // subtract the datagram hdr size and the scope size (times 2) HdrSize = DGRAM_HDR_SIZE + (NbtConfig.ScopeLength << 1); if ((!IsDeviceNetbiosless (pDeviceContext)) && (pProvider->MaxDatagramSize > HdrSize)) { pProvider->MaxDatagramSize -= HdrSize; if (pProvider->MaxDatagramSize > MAX_NBT_DGRAM_SIZE) { pProvider->MaxDatagramSize = MAX_NBT_DGRAM_SIZE; } } else { pProvider->MaxDatagramSize = 0; } // // We need to hold the JointLock before we traverse // the list of Devices // CTESpinLock(&NbtConfig.JointLock,OldIrq); // // Check if any of the adapters with the same subnet address have // the PointtoPoint bit set - and if so set it in the response. // SubnetAddr = pDeviceContext->IpAddress & pDeviceContext->SubnetMask; pEntry = pHead = &NbtConfig.DeviceContexts; while ((pEntry = pEntry->Flink) != pHead) { pDevContext = CONTAINING_RECORD(pEntry,tDEVICECONTEXT,Linkage); ThisSubnetAddr = pDevContext->IpAddress & pDevContext->SubnetMask; if ((SubnetAddr == ThisSubnetAddr) && (pDevContext->IpInterfaceFlags & IP_INTFC_FLAG_P2P)) { pProvider->ServiceFlags |= TDI_SERVICE_POINT_TO_POINT; break; } } CTESpinFree(&NbtConfig.JointLock,OldIrq); } // // Must return a non-error status otherwise the IO system will not copy // back into the users buffer. // return(STATUS_SUCCESS); } //---------------------------------------------------------------------------- NTSTATUS NTQueryInformation( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { PIO_STACK_LOCATION pIrpSp; PTDI_REQUEST_KERNEL_QUERY_INFORMATION Query; NTSTATUS status = STATUS_UNSUCCESSFUL; NTSTATUS Locstatus; PVOID pBuffer = NULL; LONG Size ; PTA_NETBIOS_ADDRESS BroadcastAddress; ULONG AddressLength; ULONG BytesCopied = 0; PDEVICE_OBJECT pDeviceObject; // // Should not be pageable since AFD can call us at raised Irql in case of AcceptEx. // // CTEPagedCode(); if (pDeviceContext == pWinsDeviceContext) { NTIoComplete(pIrp, STATUS_INVALID_DEVICE_REQUEST, 0); return (STATUS_INVALID_DEVICE_REQUEST); } pIrpSp = IoGetCurrentIrpStackLocation(pIrp); Query = (PTDI_REQUEST_KERNEL_QUERY_INFORMATION)&pIrpSp->Parameters; IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NTQueryInformation: Query type = %X\n",Query->QueryType)); switch (Query->QueryType) { case TDI_QUERY_BROADCAST_ADDRESS: { // the broadcast address is the netbios name "*0000000..." if ((!pIrp->MdlAddress) || (!(BroadcastAddress = (PTA_NETBIOS_ADDRESS)NbtAllocMem(sizeof(TA_NETBIOS_ADDRESS),NBT_TAG('b'))))) { status = STATUS_INSUFFICIENT_RESOURCES; break; } AddressLength = sizeof(TA_NETBIOS_ADDRESS); BroadcastAddress->TAAddressCount = 1; BroadcastAddress->Address[0].AddressLength = NETBIOS_NAME_SIZE + sizeof(USHORT); BroadcastAddress->Address[0].AddressType = TDI_ADDRESS_TYPE_NETBIOS; BroadcastAddress->Address[0].Address[0].NetbiosNameType = TDI_ADDRESS_NETBIOS_TYPE_GROUP; // the broadcast address to NetBios is "* 000000...", an * followed // by 15 zeroes. CTEZeroMemory(BroadcastAddress->Address[0].Address[0].NetbiosName, NETBIOS_NAME_SIZE); BroadcastAddress->Address[0].Address[0].NetbiosName[0] = '*'; status = TdiCopyBufferToMdl ( (PVOID)BroadcastAddress, 0, AddressLength, pIrp->MdlAddress, 0, (PULONG)&pIrp->IoStatus.Information); BytesCopied = (ULONG) pIrp->IoStatus.Information; CTEMemFree((PVOID)BroadcastAddress); break; } case TDI_QUERY_PROVIDER_INFO: { // // Simply pass the Irp on by to the Transport, and let it // fill in the provider info // if (!pDeviceContext->IpAddress) { status = STATUS_INVALID_DEVICE_STATE; break; } if (StreamsStack) { TdiBuildQueryInformation(pIrp, pDeviceContext->pFileObjects->pDgramDeviceObject, pDeviceContext->pFileObjects->pDgramFileObject, QueryProviderCompletion, NULL, TDI_QUERY_PROVIDER_INFO, pIrp->MdlAddress); } else { TdiBuildQueryInformation(pIrp, pDeviceContext->pControlDeviceObject, pDeviceContext->pControlFileObject, QueryProviderCompletion, NULL, TDI_QUERY_PROVIDER_INFO, pIrp->MdlAddress); } CHECK_COMPLETION(pIrp); status = IoCallDriver(pDeviceContext->pControlDeviceObject,pIrp); // // we must return the next drivers ret code back to the IO subsystem // return(status); } case TDI_QUERY_ADAPTER_STATUS: { if (!pIrp->MdlAddress) { break; } Size = MmGetMdlByteCount (pIrp->MdlAddress); // // check if it is a remote or local adapter status // if (Query->RequestConnectionInformation && Query->RequestConnectionInformation->RemoteAddress) { PCHAR pName; ULONG lNameType; ULONG NameLen; tDGRAM_SEND_TRACKING *pTracker; TDI_ADDRESS_NETBT_INTERNAL TdiAddr; // // // in case the call results in a name query on the wire... // IoMarkIrpPending(pIrp); status = STATUS_SUCCESS; if (pIrp->RequestorMode != KernelMode) { try { ProbeForRead(Query->RequestConnectionInformation->RemoteAddress, Query->RequestConnectionInformation->RemoteAddressLength, sizeof(BYTE)); } except(EXCEPTION_EXECUTE_HANDLER) { status = STATUS_INVALID_PARAMETER; } } if (NT_SUCCESS(status) && NT_SUCCESS (status = GetNetBiosNameFromTransportAddress( (PTRANSPORT_ADDRESS) Query->RequestConnectionInformation->RemoteAddress, Query->RequestConnectionInformation->RemoteAddressLength, &TdiAddr))) { pName = TdiAddr.OEMRemoteName.Buffer; NameLen = TdiAddr.OEMRemoteName.Length; lNameType = TdiAddr.NameType; if ((lNameType == TDI_ADDRESS_NETBIOS_TYPE_UNIQUE) && (NameLen == NETBIOS_NAME_SIZE) && (NT_SUCCESS (status = GetTracker(&pTracker, NBT_TRACKER_ADAPTER_STATUS)))) { pTracker->ClientContext = pIrp; status = NbtSendNodeStatus (pDeviceContext, pName, NULL, pTracker, CopyNodeStatusResponseCompletion); // only complete the irp (below) for failure status's if (status == STATUS_PENDING) { return(status); } // // We cannot have a Success status returned here! // if (status == STATUS_SUCCESS) { ASSERT (0); status = STATUS_UNSUCCESSFUL; } FreeTracker (pTracker, RELINK_TRACKER); } else if (NT_SUCCESS(status)) { status = STATUS_INVALID_PARAMETER; // The NameType or NameLen must be wrong! } } // the request has been satisfied, so unmark the pending // since we will return the irp below // pIrpSp->Control &= ~SL_PENDING_RETURNED; } else { // return an array of netbios names that are registered status = NbtQueryAdapterStatus(pDeviceContext, &pBuffer, &Size, NBT_LOCAL); } break; } case TDI_QUERY_CONNECTION_INFO: { tCONNECTELE *pConnectEle; tLOWERCONNECTION *pLowerConn; KIRQL OldIrq1, OldIrq2; // pass to transport to get the current throughput, delay and // reliability numbers // pConnectEle = (tCONNECTELE *)pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pConnectEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { ASSERTMSG ("Nbt.NTQueryInformation: ERROR - Invalid Connection Handle\n", 0); status = STATUS_INVALID_HANDLE; break; } CTESpinLock(pConnectEle, OldIrq1); pLowerConn = (tLOWERCONNECTION *)pConnectEle->pLowerConnId; if (!NBT_VERIFY_HANDLE (pLowerConn, NBT_VERIFY_LOWERCONN)) { status = STATUS_CONNECTION_INVALID; CTESpinFree(pConnectEle, OldIrq1); break; } CTESpinLock(pLowerConn, OldIrq2); NBT_REFERENCE_LOWERCONN (pLowerConn, REF_LOWC_QUERY_INFO); // Bug # 212632 CTESpinFree(pLowerConn, OldIrq2); CTESpinFree(pConnectEle, OldIrq1); // // Simply pass the Irp on by to the Transport, and let it // fill in the info // pDeviceObject = IoGetRelatedDeviceObject( pLowerConn->pFileObject ); TdiBuildQueryInformation(pIrp, pDeviceObject, pLowerConn->pFileObject, NULL, NULL, TDI_QUERY_CONNECTION_INFO, pIrp->MdlAddress); status = IoCallDriver(pDeviceObject,pIrp); NBT_DEREFERENCE_LOWERCONN (pLowerConn, REF_LOWC_QUERY_INFO, FALSE); // // we must return the next drivers ret code back to the IO subsystem // return(status); } case TDI_QUERY_FIND_NAME: { // // // in case the call results in a name query on the wire... // if (pIrp->MdlAddress) { // // Verify the request address space // try { status = STATUS_INVALID_ADDRESS_COMPONENT; if (pIrp->RequestorMode == KernelMode) { // // Since the TdiBuildQueryInformation macro NULLs out the // RequestConnectionInformation field, we need to dereference // it under Try/Except to ensure that the caller has filled // the fields in properly // PTRANSPORT_ADDRESS pRemoteAddress=Query->RequestConnectionInformation->RemoteAddress; if ((Query->RequestConnectionInformation->RemoteAddressLength < sizeof(TRANSPORT_ADDRESS)) || (pRemoteAddress->TAAddressCount < 1) || (pRemoteAddress->Address[0].AddressType != TDI_ADDRESS_TYPE_NETBIOS)) { break; } } else // User-mode client { ProbeForRead(Query->RequestConnectionInformation->RemoteAddress, Query->RequestConnectionInformation->RemoteAddressLength, sizeof(BYTE)); } } except(EXCEPTION_EXECUTE_HANDLER) { KdPrint (("Nbt.TDI_QUERY_FIND_NAME: Exception <0x%x> during Probe\n", GetExceptionCode())); break; } IoMarkIrpPending(pIrp); status = NbtQueryFindName(Query->RequestConnectionInformation, pDeviceContext, pIrp, FALSE); if (status == STATUS_PENDING) { return(status); } // the request has been satisfied, so unmark the pending // since we will return the irp below // pIrpSp->Control &= ~SL_PENDING_RETURNED; } break; } case TDI_QUERY_ADDRESS_INFO: { if (pIrp->MdlAddress) { status = NbtQueryGetAddressInfo (pIrpSp, &pBuffer, &Size); } break; } case TDI_QUERY_SESSION_STATUS: default: { IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt Query Info NOT SUPPORTED = %X\n",Query->QueryType)); status = STATUS_NOT_SUPPORTED; break; } } // switch if (!NT_ERROR(status) && // allow buffer overflow to pass by ((Query->QueryType == TDI_QUERY_ADAPTER_STATUS) || (Query->QueryType == TDI_QUERY_ADDRESS_INFO))) { status = TdiCopyBufferToMdl (pBuffer, 0, Size, pIrp->MdlAddress, 0, &BytesCopied); CTEMemFree((PVOID)pBuffer); } // // either Success or an Error // so complete the irp // NTIoComplete(pIrp,status,BytesCopied); return(status); } //---------------------------------------------------------------------------- NTSTATUS NbtQueryGetAddressInfo( IN PIO_STACK_LOCATION pIrpSp, OUT PVOID *ppBuffer, OUT ULONG *pSize ) { NTSTATUS status; BOOLEAN IsGroup; PLIST_ENTRY p; tADDRESSELE *pAddressEle; tNAMEADDR *pNameAddr; tADDRESS_INFO *pAddressInfo; tCLIENTELE *pClientEle; tCONNECTELE *pConnectEle; CTELockHandle OldIrq; CTELockHandle OldIrq1; PNBT_ADDRESS_PAIR_INFO pAddressPairInfo; // // We are not sure whether this is a ConnectionContext or a ClientContext! // pConnectEle = (tCONNECTELE *) pClientEle = pIrpSp->FileObject->FsContext; if (NBT_VERIFY_HANDLE2 (pConnectEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { // // We crashed here since the pLowerConn was NULL below. // Check the state of the connection, since it is possible that the connection // was aborted and the disconnect indicated, but this query came in before the client // got the disconnect indication. // If the state is idle (in case of TDI_DISCONNECT_ABORT) or DISCONNECTED // (TDI_DISCONNECT_RELEASE), error out. // Also check for NBT_ASSOCIATED. // // NOTE: If NbtOpenConnection is unable to allocate the lower conn block (say, if the session fileobj // has not been created yet), the state will be still be IDLE, so we are covered here. // CTESpinLock(pConnectEle,OldIrq); if (pConnectEle->Verify != NBT_VERIFY_CONNECTION) { CTESpinFree(pConnectEle,OldIrq); return (STATUS_INVALID_HANDLE); } else if ((pConnectEle->state <= NBT_ASSOCIATED) || // includes NBT_IDLE (pConnectEle->state == NBT_DISCONNECTED)) { CTESpinFree(pConnectEle,OldIrq); return (STATUS_CONNECTION_DISCONNECTED); } // // A TdiQueryInformation() call requesting TDI_QUERY_ADDRESS_INFO // on a connection. Fill in a TDI_ADDRESS_INFO containing both the // NetBIOS address and the IP address of the remote. Some of the // fields are fudged. // if (pAddressPairInfo = NbtAllocMem(sizeof (NBT_ADDRESS_PAIR_INFO), NBT_TAG('c'))) { memset ( pAddressPairInfo, 0, sizeof(NBT_ADDRESS_PAIR_INFO) ); pAddressPairInfo->ActivityCount = 1; pAddressPairInfo->AddressPair.TAAddressCount = 2; pAddressPairInfo->AddressPair.AddressIP.AddressType = TDI_ADDRESS_TYPE_IP; pAddressPairInfo->AddressPair.AddressIP.AddressLength = TDI_ADDRESS_LENGTH_IP; pAddressPairInfo->AddressPair.AddressNetBIOS.AddressType = TDI_ADDRESS_TYPE_NETBIOS; pAddressPairInfo->AddressPair.AddressNetBIOS.AddressLength = TDI_ADDRESS_LENGTH_NETBIOS; pAddressPairInfo->AddressPair.AddressNetBIOS.Address.NetbiosNameType = TDI_ADDRESS_NETBIOS_TYPE_UNIQUE; memcpy( &pAddressPairInfo->AddressPair.AddressNetBIOS.Address.NetbiosName[0], &pConnectEle->RemoteName[0], NETBIOS_NAME_SIZE); // // Check for NULL (should not be NULL here since we check for states above). // if (pConnectEle->pLowerConnId) { pAddressPairInfo->AddressPair.AddressIP.Address.in_addr = pConnectEle->pLowerConnId->SrcIpAddr; *ppBuffer = (PVOID)pAddressPairInfo; *pSize = sizeof(NBT_ADDRESS_PAIR_INFO); status = STATUS_SUCCESS; } else { DbgPrint("pLowerConn NULL in pConnEle%lx, state: %lx\n", pConnectEle, pConnectEle->state); CTEMemFree ((PVOID)pAddressPairInfo); status = STATUS_CONNECTION_DISCONNECTED; } } else { status = STATUS_INSUFFICIENT_RESOURCES; } CTESpinFree(pConnectEle,OldIrq); } else if (NBT_VERIFY_HANDLE2 (pClientEle, NBT_VERIFY_CLIENT, NBT_VERIFY_CLIENT_DOWN)) { pAddressInfo = NbtAllocMem(sizeof(tADDRESS_INFO),NBT_TAG('c')); if (pAddressInfo) { // // count the clients attached to this address // We need to spinlock the address element, which // is why this routine is not pageable // pAddressInfo->ActivityCount = 0; pAddressEle = pClientEle->pAddress; // // The Client can be removed from the AddressEle only under the JointLock, // so we need to hold that while counting the Clients on htis address // CTESpinLock(&NbtConfig.JointLock,OldIrq); CTESpinLock(pAddressEle,OldIrq1); for (p = pAddressEle->ClientHead.Flink; p != &pAddressEle->ClientHead; p = p->Flink) { ++pAddressInfo->ActivityCount; } CTESpinFree(pAddressEle,OldIrq1); CTESpinFree(&NbtConfig.JointLock,OldIrq); pNameAddr = pAddressEle->pNameAddr; IsGroup = (pNameAddr->NameTypeState & NAMETYPE_UNIQUE) ? FALSE : TRUE; TdiBuildNetbiosAddress((PUCHAR)pNameAddr->Name, IsGroup, &pAddressInfo->NetbiosAddress); *ppBuffer = (PVOID)pAddressInfo; *pSize = sizeof(tADDRESS_INFO); status = STATUS_SUCCESS; } else { status = STATUS_INSUFFICIENT_RESOURCES; } } else // neither a client nor a connection context! { ASSERTMSG ("Nbt.NbtQueryGetAddressInfo: ERROR - Invalid Handle\n", 0); return (STATUS_INVALID_HANDLE); } return status; } //---------------------------------------------------------------------------- NTSTATUS NbtGetInterfaceInfo( IN PIRP pIrp ) /*++ Routine Description: gets the interface to index mapping info for all the interfaces Arguments: Irp - Pointer to I/O request packet to cancel. IrpSp - pointer to current stack Return Value: NTSTATUS Indicates status success or failure Notes: Function does not pend. --*/ { NTSTATUS LocStatus, Status = STATUS_SUCCESS; ULONG InfoBufferLen, MaxSize, i=0; NETBT_INTERFACE_INFO *pInterfaceInfo; KIRQL OldIrq; PLIST_ENTRY pEntry,pHead; tDEVICECONTEXT *pDeviceContext; PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation (pIrp); CTESpinLock(&NbtConfig.JointLock,OldIrq); IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NbtGetInterfaceInfo: AdapterCount=<%x>\n", NbtConfig.AdapterCount)); InfoBufferLen = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength; MaxSize = (NbtConfig.AdapterCount+1)*sizeof(NETBT_ADAPTER_INDEX_MAP)+sizeof(ULONG); if (MaxSize <= InfoBufferLen) { if (pInterfaceInfo = NbtAllocMem (MaxSize,NBT_TAG('P'))) { pEntry = pHead = &NbtConfig.DeviceContexts; while ((pEntry = pEntry->Flink) != pHead) { pDeviceContext = CONTAINING_RECORD(pEntry, tDEVICECONTEXT, Linkage); CTEMemCopy (&pInterfaceInfo->Adapter[i].Name, pDeviceContext->ExportName.Buffer, pDeviceContext->ExportName.Length); pInterfaceInfo->Adapter[i].Name[pDeviceContext->ExportName.Length/2] = 0; pInterfaceInfo->Adapter[i].Index = i; i++; } pInterfaceInfo->NumAdapters = i; Status = TdiCopyBufferToMdl (pInterfaceInfo, 0, i*sizeof(NETBT_ADAPTER_INDEX_MAP)+sizeof(ULONG), pIrp->MdlAddress, 0, (PULONG)&pIrp->IoStatus.Information); CTEMemFree (pInterfaceInfo); } else { Status = STATUS_INSUFFICIENT_RESOURCES; } } else { //KdPrint(("GetInterfaceInfo Buffer Overflow %x\n", pIrp)); //pIrp->IoStatus.Information = sizeof(ULONG); Status = STATUS_BUFFER_OVERFLOW; } CTESpinFree(&NbtConfig.JointLock,OldIrq); //KdPrint(("GetInterfaceInfo exit status %x\n", Status)); return Status; } //---------------------------------------------------------------------------- NTSTATUS NbtFlushEntryFromRemoteHashTable( tNAME *pRemoteName ) { NTSTATUS status; KIRQL OldIrq; tNAMEADDR *pNameAddr = NULL; CTESpinLock(&NbtConfig.JointLock,OldIrq); status = FindInHashTable (NbtConfig.pRemoteHashTbl, pRemoteName->Name, NbtConfig.pScope, &pNameAddr); if (NT_SUCCESS (status)) { if (pNameAddr->RefCount <= 1) { NBT_DEREFERENCE_NAMEADDR (pNameAddr, REF_NAME_REMOTE, TRUE); } else { status = STATUS_UNSUCCESSFUL; } } else { status = STATUS_RESOURCE_NAME_NOT_FOUND; } CTESpinFree(&NbtConfig.JointLock,OldIrq); return (status); } //---------------------------------------------------------------------------- NTSTATUS SetTcpInfo( IN HANDLE FileHandle, IN PVOID pInfoBuffer, IN ULONG InfoBufferLength ) { IO_STATUS_BLOCK IoStatus; HANDLE event; BOOLEAN fAttached = FALSE; NTSTATUS status; CTEAttachFsp(&fAttached, REF_FSP_SET_TCP_INFO); status = ZwCreateEvent (&event, EVENT_ALL_ACCESS, NULL, SynchronizationEvent, FALSE); if (NT_SUCCESS(status)) { // // Make the actual TDI call // IoStatus.Status = STATUS_SUCCESS; status = ZwDeviceIoControlFile (FileHandle, event, NULL, NULL, &IoStatus, IOCTL_TCP_SET_INFORMATION_EX, pInfoBuffer, InfoBufferLength, NULL, 0); // // If the call pended and we were supposed to wait for completion, // then wait. // if (status == STATUS_PENDING) { status = NtWaitForSingleObject (event, FALSE, NULL); ASSERT(status == STATUS_SUCCESS); } else if (!NT_SUCCESS(status) && IoStatus.Status == STATUS_SUCCESS) { // // Set the IoStatus.Status if it hasn't been set so that we could // return the correct status below. // IoStatus.Status = status; } status = ZwClose (event); ASSERT (NT_SUCCESS(status)); status = IoStatus.Status; } CTEDetachFsp(fAttached, REF_FSP_SET_TCP_INFO); return (status); } //---------------------------------------------------------------------------- NTSTATUS NbtClientSetTcpInfo( IN tCONNECTELE *pConnEle, IN PVOID pInfoBuffer, IN ULONG InfoBufferLength ) /*++ Routine Description: Sets the Tcp connection information as requested by the client Arguments: pConnEle - NetBT's Connection object pInfoBuffer - pointer to TCP_REQUEST_SET_INFORMATION_EX structure pInfoBufferLength - length of pInfoBuffer Return Value: NTSTATUS Indicates status success or failure Notes: Function does not pend. --*/ { NTSTATUS status; tLOWERCONNECTION *pLowerConn; KIRQL OldIrq1, OldIrq2; if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { return STATUS_INVALID_HANDLE; } CTESpinLock(pConnEle, OldIrq1); if ((!NBT_VERIFY_HANDLE ((pLowerConn = pConnEle->pLowerConnId), NBT_VERIFY_LOWERCONN)) || (pLowerConn->RefCount > 500)) // if queued for WipeOutLowerConn { CTESpinFree(pConnEle, OldIrq1); return STATUS_BAD_NETWORK_PATH; } CTESpinLock(pLowerConn, OldIrq2); // // We have verified that the lower connection is up -- reference it // so that the FileObject does not get Dereferenced by some disconnect // from the transport // NBT_REFERENCE_LOWERCONN (pLowerConn, REF_LOWC_SET_TCP_INFO); CTESpinFree(pLowerConn, OldIrq2); CTESpinFree(pConnEle, OldIrq1); status = SetTcpInfo (pLowerConn->FileHandle, pInfoBuffer, InfoBufferLength); NBT_DEREFERENCE_LOWERCONN (pLowerConn, REF_LOWC_SET_TCP_INFO, FALSE); return (status); } //---------------------------------------------------------------------------- NTSTATUS NbtSetTcpInfo( IN HANDLE FileHandle, IN ULONG ToiId, IN ULONG ToiType, IN ULONG InfoBufferValue ) { NTSTATUS Status; ULONG BufferLength; TCP_REQUEST_SET_INFORMATION_EX *pTcpInfo; TCPSocketOption *pSockOption; BufferLength = sizeof(TCP_REQUEST_SET_INFORMATION_EX) + sizeof(TCPSocketOption); if (!(pTcpInfo = (TCP_REQUEST_SET_INFORMATION_EX *) NbtAllocMem (BufferLength,NBT_TAG2('22')))) { return (STATUS_INSUFFICIENT_RESOURCES); } CTEZeroMemory(pTcpInfo, BufferLength); pSockOption = (TCPSocketOption *) (&pTcpInfo->Buffer[0]); pTcpInfo->ID.toi_entity.tei_entity = CO_TL_ENTITY; pTcpInfo->ID.toi_class = INFO_CLASS_PROTOCOL; pTcpInfo->BufferSize = sizeof (TCPSocketOption); // // Set the Configured values // pTcpInfo->ID.toi_id = ToiId; pTcpInfo->ID.toi_type = ToiType; pSockOption->tso_value = InfoBufferValue; Status = SetTcpInfo (FileHandle, pTcpInfo, BufferLength); if (!NT_SUCCESS(Status)) { KdPrint (("Nbt.NbtSetTcpInfo: SetTcpInfo FAILed <%x>, Id=<0x%x>, Type=<0x%x>, Value=<%x>\n", Status, ToiId, ToiType, InfoBufferValue)); } CTEMemFree (pTcpInfo); return (Status); } //---------------------------------------------------------------------------- NTSTATUS NbtSetSmbBindingInfo2( IN tDEVICECONTEXT *pDeviceContext, IN NETBT_SMB_BIND_REQUEST *pSmbRequest ) { ULONG i, Operation; PLIST_ENTRY pEntry,pHead; KIRQL OldIrq; ULONG NumBindings = 0; CTEULONGLONG AddedAdapterMask = 0; CTEULONGLONG DeletedAdapterMask = 0; CTEULONGLONG BindListAdapterMask = 0; CTEULONGLONG OriginalMask; tDEVICECONTEXT *pDeviceContextBind = NULL; NTSTATUS LocNtStatus = STATUS_SUCCESS; if (!IsDeviceNetbiosless (pDeviceContext)) { return (STATUS_UNSUCCESSFUL); } if (NULL == pSmbRequest) { return STATUS_INVALID_PARAMETER; } if (pSmbRequest->RequestType == SMB_SERVER) { OriginalMask = NbtConfig.ServerMask; } else if (pSmbRequest->RequestType == SMB_CLIENT) { OriginalMask = NbtConfig.ClientMask; } else { ASSERT(0); return STATUS_INVALID_PARAMETER; } if (pSmbRequest->MultiSZBindList) { NTSTATUS status; tDEVICES *pBindings = NULL; ULONG MaxBindings; MaxBindings = NBT_MAXIMUM_BINDINGS; while (MaxBindings < 5000) { status = STATUS_INSUFFICIENT_RESOURCES; MaxBindings *= 2; pBindings = NbtAllocMem ((sizeof(tDEVICES)+MaxBindings*sizeof(UNICODE_STRING)), NBT_TAG2('26')); if (pBindings == NULL) { break; } NumBindings = 0; status = NbtParseMultiSzEntries (pSmbRequest->MultiSZBindList, (PVOID)(-1), MaxBindings, pBindings, &NumBindings); if (status != STATUS_BUFFER_OVERFLOW) { break; } CTEMemFree (pBindings); pBindings = NULL; } if (status != STATUS_SUCCESS) { if (pBindings) { // NbtParseMultiSzEntries can return failure other than STATUS_BUFFER_OVERFLOW CTEMemFree (pBindings); } KdPrint(("Nbt.NbtSetSmbBindingInfo[STATUS_INSUFFICIENT_RESOURCES]: MaxBindings = <%d>\n", MaxBindings)); return status; } ASSERT(pBindings); // // First, get the complete list of all bindings // for (i=0; iNames[i], FALSE)) { BindListAdapterMask |= pDeviceContextBind->AdapterMask; NBT_DEREFERENCE_DEVICE (pDeviceContextBind, REF_DEV_FIND_REF, FALSE); } } CTEMemFree (pBindings); } else if (pSmbRequest->pDeviceName) { KdPrint (("Nbt.NbtSetSmbBindingInfo[WARNING]: NULL MultiSZBindList string!\n")); BindListAdapterMask = OriginalMask; if (pDeviceContextBind = NbtFindAndReferenceDevice (pSmbRequest->pDeviceName, FALSE)) { switch (pSmbRequest->PnPOpCode) { case (TDI_PNP_OP_ADD): { BindListAdapterMask |= pDeviceContextBind->AdapterMask; break; } case (TDI_PNP_OP_DEL): { BindListAdapterMask &= (~pDeviceContextBind->AdapterMask); break; } default: { break; } } NBT_DEREFERENCE_DEVICE (pDeviceContextBind, REF_DEV_FIND_REF, FALSE); } else { return (STATUS_SUCCESS); } } else { ASSERTMSG ("Nbt.NbtSetSmbBindingInfo[ERROE]: NULL MultiSZBindList and NULL pDeviceName!\n", 0); return (STATUS_UNSUCCESSFUL); } IF_DBG(NBT_DEBUG_PNP_POWER) KdPrint (("Nbt.NbtSetSmbBindingInfo: PnPOpCode=<%x>, Bindings=<%d>, BindMask=[%lx:%lx]==>[%lx:%lx]\n", pSmbRequest->PnPOpCode, NumBindings, OriginalMask, BindListAdapterMask)); CTESpinLock(&NbtConfig.JointLock,OldIrq); // NetBT used to incrementally add interface to tcpip. // However, for some reason, the list in tcpip and netbt // may be different. To increase the reliability, I // remove the incrementally adding. // // AddedAdapterMask = BindListAdapterMask & (~OriginalMask) AddedAdapterMask = BindListAdapterMask; // Always add device DeletedAdapterMask = OriginalMask & (~BindListAdapterMask); // Devices Removed if ((!AddedAdapterMask) && (!DeletedAdapterMask)) { // // If there are no adapters to be added or deleted, just return // CTESpinFree(&NbtConfig.JointLock,OldIrq); return (STATUS_SUCCESS); } if (pSmbRequest->RequestType == SMB_SERVER) { NbtConfig.ServerMask = BindListAdapterMask; } else if (pSmbRequest->RequestType == SMB_CLIENT) { NbtConfig.ClientMask = BindListAdapterMask; CTESpinFree(&NbtConfig.JointLock,OldIrq); return STATUS_SUCCESS; } else { ASSERT(0); } pEntry = pHead = &NbtConfig.DeviceContexts; while ((pEntry = pEntry->Flink) != pHead) { pDeviceContextBind = CONTAINING_RECORD(pEntry, tDEVICECONTEXT, Linkage); if (pDeviceContext->IPInterfaceContext == (ULONG)-1) // For Cluster devices, etc { continue; } ASSERT(0 == (AddedAdapterMask & DeletedAdapterMask)); if (AddedAdapterMask & pDeviceContextBind->AdapterMask) { AddedAdapterMask &= ~(pDeviceContextBind->AdapterMask); Operation = AO_OPTION_ADD_IFLIST; } else if (DeletedAdapterMask & pDeviceContextBind->AdapterMask) { DeletedAdapterMask &= ~(pDeviceContextBind->AdapterMask); Operation = AO_OPTION_DEL_IFLIST; } else { continue; } NBT_REFERENCE_DEVICE (pDeviceContextBind, REF_DEV_FIND_REF, TRUE); CTESpinFree(&NbtConfig.JointLock,OldIrq); IF_DBG(NBT_DEBUG_PNP_POWER) KdPrint(("Nbt.NbtSetSmbBindingInfo: %sing Device=%wZ\n", (Operation == AO_OPTION_ADD_IFLIST ? "ADD" : "REMOV"), &pDeviceContextBind->BindName)); // // Set the Session port info // if (pDeviceContext->hSession) { LocNtStatus = NbtSetTcpInfo (pDeviceContext->hSession, Operation, INFO_TYPE_ADDRESS_OBJECT, pDeviceContextBind->IPInterfaceContext); if (!NT_SUCCESS(LocNtStatus)) { NbtConfig.ServerMask &= ~(pDeviceContextBind->AdapterMask); } } // // Now, set the same for the Datagram port // if ((pDeviceContext->pFileObjects) && (pDeviceContext->pFileObjects->hDgram)) { NbtSetTcpInfo (pDeviceContext->pFileObjects->hDgram, Operation, INFO_TYPE_ADDRESS_OBJECT, pDeviceContextBind->IPInterfaceContext); } CTESpinLock(&NbtConfig.JointLock,OldIrq); NBT_DEREFERENCE_DEVICE (pDeviceContextBind, REF_DEV_FIND_REF, TRUE); // // Set to restart from the beginning // pEntry = &NbtConfig.DeviceContexts; } CTESpinFree(&NbtConfig.JointLock,OldIrq); return STATUS_SUCCESS; } //---------------------------------------------------------------------------- NTSTATUS NbtSetSmbBindingInfo( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp, IN PIO_STACK_LOCATION pIrpSp ) { NETBT_SMB_BIND_REQUEST *pSmbRequest = (PNETBT_SMB_BIND_REQUEST)pIrp->AssociatedIrp.SystemBuffer; PWSTR pBindListCache = NULL; PWSTR pBindList = NULL; PWSTR pOldBindList = NULL; PWSTR *pTarget = NULL; ULONG uInputLength = 0; ULONG uLength = 0; NTSTATUS status = STATUS_SUCCESS; tDEVICECONTEXT *pSavedSmbDevice = NULL; KIRQL OldIrq = 0; CTESpinLock(&NbtConfig.JointLock,OldIrq); if (pNbtSmbDevice && !gbDestroyingSmbDevice) { pSavedSmbDevice = pNbtSmbDevice; NBT_REFERENCE_DEVICE (pSavedSmbDevice, REF_DEV_SMB_BIND, TRUE); } CTESpinFree(&NbtConfig.JointLock,OldIrq); if (NULL == pSavedSmbDevice) { status = STATUS_DEVICE_BUSY; goto error; } uInputLength = pIrpSp->Parameters.DeviceIoControl.InputBufferLength; if (!(IsDeviceNetbiosless (pDeviceContext)) || (!pSmbRequest) || (uInputLength < sizeof(NETBT_SMB_BIND_REQUEST))) { KdPrint(("Nbt.NbtSetSmbBindingInfo: ERROR: pSmbRequest=<%p>, pDevice=<%p>\n", pSmbRequest, pDeviceContext)); status = STATUS_UNSUCCESSFUL; goto error; } if (pIrp->RequestorMode != KernelMode) { status = STATUS_ACCESS_DENIED; goto error; } status = NbtSetSmbBindingInfo2 (pDeviceContext, pSmbRequest); if (NT_SUCCESS(status) && pSmbRequest->MultiSZBindList) { // // Cache the binding info // pBindList = pSmbRequest->MultiSZBindList; uInputLength = 0; while (*pBindList) { uLength = wcslen (pBindList) + 1; uInputLength += uLength; pBindList += uLength; } uInputLength++; uInputLength *= sizeof(WCHAR); pBindList = pSmbRequest->MultiSZBindList; if (pSmbRequest->RequestType == SMB_SERVER) { pTarget = &NbtConfig.pServerBindings; } else if (pSmbRequest->RequestType == SMB_CLIENT) { pTarget = &NbtConfig.pClientBindings; } else { ASSERT(0); } pBindListCache = NbtAllocMem (uInputLength, NBT_TAG2('27')); if (NULL != pBindListCache) { RtlCopyMemory (pBindListCache, pBindList, uInputLength); pOldBindList = InterlockedExchangePointer (pTarget, pBindListCache); // // Free the old copy if any // if (NULL != pOldBindList) { CTEFreeMem (pOldBindList); pOldBindList = NULL; } } } error: if (pSavedSmbDevice) { NBT_DEREFERENCE_DEVICE (pSavedSmbDevice, REF_DEV_SMB_BIND, FALSE); } return status; } NTSTATUS NbtEnableNetbiosSmb( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp, IN PIO_STACK_LOCATION pIrpSp ) { NTSTATUS status = STATUS_SUCCESS; if (pNbtSmbDevice) { goto error; } pNbtSmbDevice = NbtCreateSmbDevice(); if (NULL == pNbtSmbDevice) { status = STATUS_INSUFFICIENT_RESOURCES; goto error; } NbtConfig.SMBDeviceEnabled = TRUE; if (AddressCount > 0) { NbtNotifyTdiClients (pNbtSmbDevice, NBT_TDI_REGISTER); } error: return status; } VOID NbtSleep( ULONG TimeToSleep ) { KEVENT NeverTriggered = { 0 }; NTSTATUS status = STATUS_SUCCESS; LARGE_INTEGER liTimeOut = { 0 }; liTimeOut.QuadPart = UInt32x32To64(TimeToSleep, 10000UL); liTimeOut.QuadPart = -liTimeOut.QuadPart; KeInitializeEvent(&NeverTriggered, NotificationEvent, FALSE); status = KeWaitForSingleObject( &NeverTriggered, Executive, KernelMode, FALSE, &liTimeOut ); ASSERT (status == STATUS_TIMEOUT); } NTSTATUS NbtDisableNetbiosSmb( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp, IN PIO_STACK_LOCATION pIrpSp ) { NTSTATUS status = STATUS_SUCCESS; KIRQL OldIrq = 0; tDEVICECONTEXT *pSavedSmbDevice = NULL; int i = 0; if (NULL == pNbtSmbDevice) { goto error; } // // Prevent the pNbtSmbDevice from being used // // NetBT could access the pNbtSmbDevice in 2 scenarios: // 1. referenced, but without holding the JointLock. // 2. No reference but with JointLock held. // gbDestroyingSmbDevice = TRUE; ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL); // // Wait for the refcount to become 1 for at most 8 second // for(i = 0; i < 8 && (*(volatile*)(&pNbtSmbDevice->RefCount) != 1); i++) { NbtSleep(1000); } if (*(volatile*)(&pNbtSmbDevice->RefCount) != 1) { gbDestroyingSmbDevice = FALSE; status = STATUS_DEVICE_BUSY; goto error; } // // From now on, we're sure that scenario 1 couldn't // happen any more. // // // Set pNbtSmbDevice to NULL. // CTESpinLock(&NbtConfig.JointLock,OldIrq); pSavedSmbDevice = pNbtSmbDevice; pNbtSmbDevice = NULL; NbtConfig.SMBDeviceEnabled = FALSE; CTESpinFree(&NbtConfig.JointLock,OldIrq); // // From now on, we're sure that scenario 2 couldn't // happen any more. // NbtNotifyTdiClients (pSavedSmbDevice, NBT_TDI_DEREGISTER); status = NbtDestroyDevice (pSavedSmbDevice, TRUE); KdPrint(("NbtDisableSmbDevice -- status=<%x>\n", status)); status = STATUS_SUCCESS; gbDestroyingSmbDevice = FALSE; error: return status; } HANDLE NbtOpenParametersRegistry( VOID ) { HANDLE NbtConfigHandle = NULL; HANDLE ParametersHandle = NULL; NTSTATUS status = STATUS_SUCCESS; OBJECT_ATTRIBUTES TmpObjectAttributes = { 0 }; ULONG Disposition = 0; extern NTSTATUS NbtOpenRegistry( IN HANDLE NbConfigHandle, IN PWSTR String, OUT PHANDLE pHandle ); CTEPagedCode(); InitializeObjectAttributes (&TmpObjectAttributes, &NbtConfig.pRegistry, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL ); status = ZwCreateKey (&NbtConfigHandle, KEY_READ, &TmpObjectAttributes, 0, NULL, 0, &Disposition ); if (!NT_SUCCESS(status)) { goto error; } status = NbtOpenRegistry (NbtConfigHandle, L"Parameters", &ParametersHandle); ZwClose(NbtConfigHandle); error: return ParametersHandle; } NTSTATUS NbtEnableDisableNetbiosSmb( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp, IN PIO_STACK_LOCATION pIrpSp ) { NTSTATUS status = STATUS_SUCCESS; PDWORD pdwEnableSmb = (PDWORD)(pIrp->AssociatedIrp.SystemBuffer); DWORD dwSMBDeviceEnabled = TRUE; HANDLE hParm = NULL; if (InterlockedIncrement(&gdwPendingEnableDisableSmbDevice) > 1) { status = STATUS_DEVICE_BUSY; goto error; } if (pIrp->RequestorMode != KernelMode) { status = STATUS_ACCESS_DENIED; goto error; } if (pDeviceContext == pNbtSmbDevice || KeGetCurrentIrql() != PASSIVE_LEVEL) { status = STATUS_INVALID_PARAMETER; goto error; } if (pIrpSp->Parameters.DeviceIoControl.InputBufferLength != sizeof(DWORD)) { status = STATUS_INVALID_PARAMETER; goto error; } switch (*pdwEnableSmb) { case NETBT_ENABLE_NETBIOS_SMB: dwSMBDeviceEnabled = TRUE; KdPrint(("Enable NetbiosSmb\n")); NbtTrace(NBT_TRACE_PNP, ("Enable NetbiosSmb")); break; case NETBT_DISABLE_NETBIOS_SMB: dwSMBDeviceEnabled = FALSE; KdPrint(("Disable NetbiosSmb\n")); NbtTrace(NBT_TRACE_PNP, ("Disable NetbiosSmb")); break; case NETBT_RESTORE_NETBIOS_SMB: KdPrint(("Restore NetbiosSmb\n")); NbtTrace(NBT_TRACE_PNP, ("Restore NetbiosSmb")); hParm = NbtOpenParametersRegistry(); if (hParm == NULL) { status = STATUS_UNSUCCESSFUL; goto error; } dwSMBDeviceEnabled = CTEReadSingleIntParameter(hParm, WS_SMB_DEVICE_ENABLED, 1, // Enabled by default 0); ZwClose(hParm); hParm = NULL; break; default: status = STATUS_INVALID_PARAMETER; goto error; } if (dwSMBDeviceEnabled) { status = NbtEnableNetbiosSmb(pDeviceContext, pIrp, pIrpSp); KdPrint(("NbtEanbleNetbiosSmb return 0x%08lx\n", status)); NbtTrace(NBT_TRACE_PNP, ("NbtEnableNetbiosSmb return %!status!", status)); } else { status = NbtDisableNetbiosSmb(pDeviceContext, pIrp, pIrpSp); KdPrint(("NbtDisableNetbiosSmb return 0x%08lx\n", status)); NbtTrace(NBT_TRACE_PNP, ("NbtDisableNetbiosSmb return %!status!", status)); } error: InterlockedDecrement(&gdwPendingEnableDisableSmbDevice); return status; } //---------------------------------------------------------------------------- NTSTATUS DispatchIoctls( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp, IN PIO_STACK_LOCATION pIrpSp ) /*++ Routine Description: This Routine handles calling the OS independent routine depending on the Ioctl passed in. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { NTSTATUS status=STATUS_UNSUCCESSFUL; ULONG ControlCode; ULONG Size; PVOID pBuffer; ControlCode = pIrpSp->Parameters.DeviceIoControl.IoControlCode; NbtTrace(NBT_TRACE_IOCTL, ("pDeviceContext %p: pIrp %p, IOCTL 0x%08x function %d %Z", pDeviceContext, pIrp, ControlCode, (ControlCode >> 2) & 0xfff, &pDeviceContext->BindName)); switch (ControlCode) { case IOCTL_NETBT_REREAD_REGISTRY: { // // This function can be called from either IOCTL or PnP path. // IOCTL path can be called from non-admin, which can be potentially // exploited. // Therefore pass FALSE to tell the NTReReadRegistry not to do // name refreshing. // status = NTReReadRegistry(pDeviceContext, FALSE); break; } case IOCTL_NETBT_ENABLE_EXTENDED_ADDR: { // // Enable extended addressing - pass up IP addrs on Datagram Recvs. // PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation (pIrp); tCLIENTELE *pClientEle = (tCLIENTELE *)pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pClientEle, NBT_VERIFY_CLIENT, NBT_VERIFY_CLIENT_DOWN)) { // // To make the stresser (devctl.exe) happy. [JRuan 12/18/2000] // // ASSERTMSG ("Nbt.DispatchIoctls: ERROR - Invalid Address Handle\n", 0); status = STATUS_INVALID_HANDLE; } else if (pIrpSp->FileObject->FsContext2 != (PVOID)NBT_ADDRESS_TYPE) { status = STATUS_INVALID_ADDRESS; } else { pClientEle->ExtendedAddress = TRUE; status = STATUS_SUCCESS; } break; } case IOCTL_NETBT_DISABLE_EXTENDED_ADDR: { // // Disable extended addressing - dont pass up IP addrs on Datagram Recvs. // PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation (pIrp); tCLIENTELE *pClientEle = (tCLIENTELE *)pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pClientEle, NBT_VERIFY_CLIENT, NBT_VERIFY_CLIENT_DOWN)) { // ASSERTMSG ("Nbt.DispatchIoctls: ERROR - Invalid Address Handle\n", 0); status = STATUS_INVALID_HANDLE; } else if (pIrpSp->FileObject->FsContext2 != (PVOID)NBT_ADDRESS_TYPE) { status = STATUS_INVALID_ADDRESS; } else { pClientEle->ExtendedAddress = FALSE; status = STATUS_SUCCESS; } break; } case IOCTL_NETBT_GET_WINS_ADDR: { if ((pIrp->MdlAddress) && ((Size = MmGetMdlByteCount (pIrp->MdlAddress)) >= sizeof(tWINS_ADDRESSES)) && (pBuffer = (PVOID) MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority))) { status = STATUS_SUCCESS; if (Size >= sizeof(tWINS_NODE_INFO)) { tWINS_NODE_INFO UNALIGNED *pWinsBuffer = (tWINS_NODE_INFO *) pBuffer; CTEMemCopy (&pWinsBuffer->AllNameServers, pDeviceContext->lAllNameServers, (sizeof(tIPADDRESS)*(2+MAX_NUM_OTHER_NAME_SERVERS))); pWinsBuffer->NumOtherServers = pDeviceContext->lNumOtherServers; pWinsBuffer->LastResponsive = pDeviceContext->lLastResponsive; pWinsBuffer->NetbiosEnabled = pDeviceContext->NetbiosEnabled; pWinsBuffer->NodeType = NodeType; pIrp->IoStatus.Information = sizeof(tWINS_NODE_INFO); } else { tWINS_ADDRESSES UNALIGNED *pWinsBuffer = (tWINS_ADDRESSES *) pBuffer; pWinsBuffer->PrimaryWinsServer = pDeviceContext->lNameServerAddress; pWinsBuffer->BackupWinsServer = pDeviceContext->lBackupServer; pIrp->IoStatus.Information = sizeof(tWINS_ADDRESSES); } } break; } case IOCTL_NETBT_GET_IP_ADDRS: { status = GetIpAddrs (pDeviceContext, pIrp); break; } case IOCTL_NETBT_GET_IP_SUBNET: { ULONG Length; PULONG pIpAddr; // // return this devicecontext's ip address and all the other // ip addrs after it. // if (pIrp->MdlAddress) { Length = MmGetMdlByteCount( pIrp->MdlAddress ); if (Length < 2*sizeof(ULONG)) { status = STATUS_BUFFER_OVERFLOW; } else if (pIpAddr = (PULONG )MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority)) { // // Put this adapter first in the list // *((tIPADDRESS UNALIGNED *) pIpAddr) = pDeviceContext->AssignedIpAddress; pIpAddr++; *((tIPADDRESS UNALIGNED *) pIpAddr) = pDeviceContext->SubnetMask; pIpAddr++; if (Length >= 3*sizeof(ULONG)) { *((tIPADDRESS UNALIGNED *) pIpAddr) = pDeviceContext->DeviceType; } status = STATUS_SUCCESS; } else { status = STATUS_INSUFFICIENT_RESOURCES; } } break; } // // The following Ioctl is used mainly by the Server service // case IOCTL_NETBT_SET_TCP_CONNECTION_INFO: { status = NbtClientSetTcpInfo ((tCONNECTELE *) pIrpSp->FileObject->FsContext, pIrp->AssociatedIrp.SystemBuffer, pIrpSp->Parameters.DeviceIoControl.InputBufferLength); break; } // // The following Ioctls are used mainly by NbtStat.exe for diagnostic purposes // case IOCTL_NETBT_GET_INTERFACE_INFO: { status = NbtGetInterfaceInfo (pIrp); break; } case IOCTL_NETBT_PURGE_CACHE: { DelayedNbtResyncRemoteCache (NULL, NULL, NULL, NULL); status = STATUS_SUCCESS; break; } case IOCTL_NETBT_GET_CONNECTIONS: { if (pIrp->MdlAddress) { Size = MmGetMdlByteCount( pIrp->MdlAddress ) ; // return an array of netbios names that are registered status = NbtQueryConnectionList (pDeviceContext, &pBuffer, &Size); } break; } case IOCTL_NETBT_ADAPTER_STATUS: { if (pIrp->MdlAddress) { PIO_STACK_LOCATION pIrpSp; tIPANDNAMEINFO *pIpAndNameInfo; PCHAR pName; ULONG lNameType; ULONG NameLen; ULONG IpAddrsList[2]; tIPADDRESS *pIpAddrs = NULL; tDGRAM_SEND_TRACKING *pTracker; // // in case the call results in a name query on the wire... // IoMarkIrpPending(pIrp); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pIpAndNameInfo = pIrp->AssociatedIrp.SystemBuffer; NameLen = pIrpSp->Parameters.DeviceIoControl.InputBufferLength - FIELD_OFFSET(tIPANDNAMEINFO,NetbiosAddress); // // Bug# 125288+120947: Make sure the data passed in + the Address type are good // if ((pIpAndNameInfo) && (pIrpSp->Parameters.DeviceIoControl.InputBufferLength >= sizeof(tIPANDNAMEINFO))) { TDI_ADDRESS_NETBT_INTERNAL TdiAddr; // this routine gets a ptr to the netbios name out of the wierd // TDI address syntax. status = GetNetBiosNameFromTransportAddress( (PTRANSPORT_ADDRESS) &pIpAndNameInfo->NetbiosAddress, NameLen, &TdiAddr); pName = TdiAddr.OEMRemoteName.Buffer; NameLen = TdiAddr.OEMRemoteName.Length; lNameType = TdiAddr.NameType; } if (NT_SUCCESS(status) && (lNameType == TDI_ADDRESS_NETBIOS_TYPE_UNIQUE) && (NameLen == NETBIOS_NAME_SIZE)) { // // Nbtstat sends down * in the first byte on Nbtstat -A // Make sure we let that case go ahead. // if (!pDeviceContext->NetbiosEnabled) { status = STATUS_INVALID_DEVICE_STATE; } else if ((pName[0] == '*') && (pIpAndNameInfo->IpAddress == 0)) { status = STATUS_BAD_NETWORK_PATH; } else if (NT_SUCCESS (status = GetTracker(&pTracker, NBT_TRACKER_ADAPTER_STATUS))) { if (pIpAndNameInfo->IpAddress) { IpAddrsList[0] = pIpAndNameInfo->IpAddress; IpAddrsList[1] = 0; pIpAddrs = IpAddrsList; } pTracker->ClientContext = pIrp; status = NbtSendNodeStatus(pDeviceContext, pName, pIpAddrs, pTracker, CopyNodeStatusResponseCompletion); // only complete the irp (below) for failure status's if (status == STATUS_PENDING) { return(status); } // // We cannot have a Success status returned here! // if (status == STATUS_SUCCESS) { ASSERT (0); status = STATUS_UNSUCCESSFUL; } FreeTracker (pTracker, RELINK_TRACKER); } } else if (NT_SUCCESS(status)) { status = STATUS_INVALID_PARAMETER; // The NameType or NameLen must be wrong! } // the request has been satisfied, so unmark the pending // since we will return the irp below // pIrpSp->Control &= ~SL_PENDING_RETURNED; } break; } case IOCTL_NETBT_GET_REMOTE_NAMES: { if (pIrp->MdlAddress) { Size = MmGetMdlByteCount( pIrp->MdlAddress ) ; // return an array of netbios names that are registered status = NbtQueryAdapterStatus(pDeviceContext, &pBuffer, &Size, NBT_REMOTE); } break; } case IOCTL_NETBT_GET_BCAST_NAMES: { if (pIrp->MdlAddress) { Size = MmGetMdlByteCount( pIrp->MdlAddress ) ; // return an array of netbios names that are registered status = NbtQueryBcastVsWins(pDeviceContext,&pBuffer,&Size); } break; } case IOCTL_NETBT_NAME_RELEASE_REFRESH: { status = ReRegisterLocalNames (NULL, TRUE); break; } // // The following Ioctls are used by the Cluster code // case IOCTL_NETBT_ADD_INTERFACE: { // // Creates a dummy devicecontext which can be primed by the layer above // with a DHCP address. This is to support multiple IP addresses per adapter // for the Clusters group; but can be used by any module that needs support // for more than one IP address per adapter. This private interface hides the // devices thus created from the setup/regisrty and that is fine since the // component (say, the clusters client) takes the responsibility for ensuring // that the server (above us) comes to know of this new device. // PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation (pIrp); pBuffer = pIrp->AssociatedIrp.SystemBuffer; Size = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength; // // return the export string created. // status = NbtAddNewInterface(pIrp, pBuffer, Size); IF_DBG(NBT_DEBUG_PNP_POWER) KdPrint(("Nbt.DispatchIoctls: ADD_INTERFACE -- status=<%x>\n", status)); NTIoComplete(pIrp,status,(ULONG)-1); return status; } case IOCTL_NETBT_DELETE_INTERFACE: { // // Dereference this device for the Reference taken in the // Dispatch routine so that the cleanup can proceed properly // NBT_DEREFERENCE_DEVICE (pDeviceContext, REF_DEV_DISPATCH, FALSE); if (pDeviceContext->DeviceType == NBT_DEVICE_CLUSTER) { // // Delete the device this came down on.. // status = NbtDestroyDevice (pDeviceContext, TRUE); } else { KdPrint(("Nbt.DispatchIoctls: ERROR: DELETE_INTERFACE <%x>, pDevice=<%p>\n", status, pDeviceContext)); } break; } case IOCTL_NETBT_QUERY_INTERFACE_INSTANCE: { PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation (pIrp); // // Validate input/output buffer size // Size = pIrpSp->Parameters.DeviceIoControl.OutputBufferLength; if (Size < sizeof(NETBT_ADD_DEL_IF)) { // IF_DBG(NBT_DEBUG_PNP_POWER) KdPrint(("Nbt.DispatchIoctls: QUERY_INTERFACE_INSTANCE: Output buffer too small\n")); status = STATUS_INVALID_PARAMETER; } else { PNETBT_ADD_DEL_IF pAddDelIf = (PNETBT_ADD_DEL_IF)pIrp->AssociatedIrp.SystemBuffer; status = STATUS_SUCCESS; ASSERT(pDeviceContext->DeviceType == NBT_DEVICE_CLUSTER); pAddDelIf->InstanceNumber = pDeviceContext->InstanceNumber; pAddDelIf->Status = status; pIrp->IoStatus.Information = sizeof(NETBT_ADD_DEL_IF); NTIoComplete(pIrp,status,(ULONG)-1); return status; } break; } case IOCTL_NETBT_NEW_IPADDRESS: { tNEW_IP_ADDRESS *pNewAddress = (tNEW_IP_ADDRESS *)pIrp->AssociatedIrp.SystemBuffer; status = STATUS_UNSUCCESSFUL; // // Bug# 202320: Make sure the data passed in is valid // if ((pDeviceContext->DeviceType == NBT_DEVICE_CLUSTER) && (pNewAddress) && (pIrpSp->Parameters.DeviceIoControl.InputBufferLength >= sizeof(tNEW_IP_ADDRESS))) { KdPrint (("Nbt.DispatchIoctls: Calling NbtNewDhcpAddress on ClusterDevice <%x>!\n", pDeviceContext)); pDeviceContext->AssignedIpAddress = ntohl (pNewAddress->IpAddress); status = NbtNewDhcpAddress (pDeviceContext, pNewAddress->IpAddress, pNewAddress->SubnetMask); ASSERT (pDeviceContext->AssignedIpAddress == pDeviceContext->IpAddress); IF_DBG(NBT_DEBUG_PNP_POWER) KdPrint (("Nbt.DispatchIoctls: NEW_IPADDRESS, status=<%x>, IP=<%x>, pDevice=<%p>\n", status, pNewAddress->IpAddress, pDeviceContext)); } else { KdPrint(("Nbt.DispatchIoctls: ERROR: NEW_IPADDRESS status=<%x>, pDevice=<%p>\n", status, pDeviceContext)); } break; } case IOCTL_NETBT_SET_WINS_ADDRESS: { // // Sets the WINS addresses for a dynamic adapter // PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation (pIrp); // // Validate input/output buffer size // Size = pIrpSp->Parameters.DeviceIoControl.InputBufferLength; if (Size < sizeof(NETBT_SET_WINS_ADDR)) { // IF_DBG(NBT_DEBUG_PNP_POWER) KdPrint(("NbtSetWinsAddr: Input buffer too small for struct\n")); status = STATUS_INVALID_PARAMETER; } else if (pDeviceContext->DeviceType == NBT_DEVICE_CLUSTER) { PNETBT_SET_WINS_ADDR pSetWinsAddr = (PNETBT_SET_WINS_ADDR)pIrp->AssociatedIrp.SystemBuffer; status = STATUS_SUCCESS; pDeviceContext->lNameServerAddress = pSetWinsAddr->PrimaryWinsAddr; pDeviceContext->lBackupServer = pSetWinsAddr->SecondaryWinsAddr; pDeviceContext->SwitchedToBackup = 0; pDeviceContext->RefreshToBackup = 0; pSetWinsAddr->Status = status; pIrp->IoStatus.Information = 0; // We are not copying any data to the Output buffers NTIoComplete (pIrp,status,(ULONG)-1); return status; } else { KdPrint(("Nbt.DispatchIoctls: ERROR: SET_WINS_ADDRESS <%x>, pDevice=<%p>\n", status, pDeviceContext)); } break; } // // The following Ioctls are used by the LmHost Services Dll (lmhSvc.dll) to // help NetBT ping addresses in user space or resolve names in Dns // case IOCTL_NETBT_DNS_NAME_RESOLVE: { if (pIrp->MdlAddress) { Size = MmGetMdlByteCount( pIrp->MdlAddress ) ; if (Size < sizeof (tIPADDR_BUFFER_DNS)) { // IF_DBG(NBT_DEBUG_PNP_POWER) KdPrint(("Nbt.DnsNameResolve: Input buffer size=<%d> < tIPADDR_BUFFER_DNS=<%d>\n", Size, sizeof (tIPADDR_BUFFER_DNS))); status = STATUS_INVALID_PARAMETER; } else if (pBuffer = MmGetSystemAddressForMdlSafe (pIrp->MdlAddress, NormalPagePriority)) { // return an array of netbios names that are registered status = NtProcessLmHSvcIrp (pDeviceContext,pBuffer,Size,pIrp,NBT_RESOLVE_WITH_DNS); return(status); } else { status = STATUS_INSUFFICIENT_RESOURCES; } } break; } case IOCTL_NETBT_CHECK_IP_ADDR: { IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Ioctl Value is %X (IOCTL_NETBT_CHECK_IP_ADDR)\n",ControlCode)); if (pIrp->MdlAddress) { Size = MmGetMdlByteCount( pIrp->MdlAddress ) ; if (Size < sizeof (tIPADDR_BUFFER_DNS)) { // IF_DBG(NBT_DEBUG_PNP_POWER) KdPrint(("Nbt.CheckIpAddr: Input buffer size=<%d> < tIPADDR_BUFFER_DNS=<%d>\n", Size, sizeof (tIPADDR_BUFFER_DNS))); status = STATUS_INVALID_PARAMETER; } else if (pBuffer = MmGetSystemAddressForMdlSafe (pIrp->MdlAddress, NormalPagePriority)) { // return an array of netbios names that are registered status = NtProcessLmHSvcIrp (pDeviceContext,pBuffer,Size,pIrp,NBT_PING_IP_ADDRS); return(status); } else { status = STATUS_INSUFFICIENT_RESOURCES; } } break; } // // The following Ioctl is used by the DNS resolver to resolve names through Wins/Bcast // case IOCTL_NETBT_FIND_NAME: { tIPADDR_BUFFER *pIpAddrBuffer; PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation (pIrp); // // in case the call results in a name query on the wire... // IoMarkIrpPending(pIrp); // // Bug# 120957: Make sure the data passed in + the Address type are good // Bug# 234627: Verify non-NULL MdlAddress ptr // pIpAddrBuffer = pIrp->AssociatedIrp.SystemBuffer; if ((pIrp->MdlAddress) && // to copy the data back! (pIpAddrBuffer) && (pIrpSp->Parameters.DeviceIoControl.InputBufferLength >= sizeof(tIPADDR_BUFFER))) { status = NbtQueryFindName((PTDI_CONNECTION_INFORMATION)pIpAddrBuffer, pDeviceContext, pIrp, TRUE); } if (status == STATUS_PENDING) { return(status); } // the request has been satisfied, so unmark the pending // since we will return the irp below // pIrpSp->Control &= ~SL_PENDING_RETURNED; break; } // // The following Ioctls are used by the Wins server // case IOCTL_NETBT_WINS_RCV: { tWINS_INFO *pWins = pIrpSp->FileObject->FsContext; if ((pDeviceContext == pWinsDeviceContext) && (NBT_VERIFY_HANDLE (pWins, NBT_VERIFY_WINS_ACTIVE))) { if (pIrp->MdlAddress) { status = RcvIrpFromWins(pIrp); return(status); } } else { status = STATUS_INVALID_HANDLE; } break; } case IOCTL_NETBT_WINS_SEND: { tWINS_INFO *pWins = pIrpSp->FileObject->FsContext; BOOLEAN MustSend; if ((pDeviceContext == pWinsDeviceContext) && (NBT_VERIFY_HANDLE (pWins, NBT_VERIFY_WINS_ACTIVE))) { if ((pIrp->MdlAddress) && !(IsListEmpty(&NbtConfig.DeviceContexts))) { status = WinsSendDatagram (pDeviceContext,pIrp,(MustSend = FALSE)); return(status); } } else { status = STATUS_INVALID_HANDLE; } break; } case IOCTL_NETBT_WINS_SET_INFO: { tWINS_INFO *pWins = pIrpSp->FileObject->FsContext; tWINS_SET_INFO *pWinsSetInfo = (tWINS_SET_INFO *) pIrp->AssociatedIrp.SystemBuffer; if ((pDeviceContext == pWinsDeviceContext) && (NBT_VERIFY_HANDLE (pWins, NBT_VERIFY_WINS_ACTIVE))) { // // Validate input/output buffer size // Size = pIrpSp->Parameters.DeviceIoControl.InputBufferLength; if (Size >= sizeof(tWINS_SET_INFO)) { status = WinsSetInformation (pWins, pWinsSetInfo); } else { IF_DBG(NBT_DEBUG_WINS) KdPrint(("Nbt.DispatchIoctls[IOCTL_NETBT_WINS_SET_INFO]: Input buffer too small\n")); status = STATUS_INVALID_PARAMETER; } } else { status = STATUS_INVALID_HANDLE; } break; } // // The following Ioctl is used by the Remote boot code // case IOCTL_NETBT_ADD_TO_REMOTE_TABLE: { tREMOTE_CACHE *pRemoteEntry = (tREMOTE_CACHE *) pIrp->AssociatedIrp.SystemBuffer; PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation (pIrp); // // Validate input/output buffer size // Size = pIrpSp->Parameters.DeviceIoControl.InputBufferLength; if (Size >= sizeof(tREMOTE_CACHE)) { // // We need only the name, IpAddress, name_flags, and Ttl fields // status = NbtAddEntryToRemoteHashTable (pDeviceContext, NAME_RESOLVED_BY_CLIENT, pRemoteEntry->name, pRemoteEntry->IpAddress, pRemoteEntry->Ttl, pRemoteEntry->name_flags); } else { IF_DBG(NBT_DEBUG_PNP_POWER) KdPrint(("Nbt.DispatchIoctls[IOCTL_NETBT_ADD_TO_REMOTE_TABLE]: Input buffer too small for struct\n")); status = STATUS_BUFFER_TOO_SMALL; } break; } // // The following Ioctl is used by DsGetDcName // case IOCTL_NETBT_REMOVE_FROM_REMOTE_TABLE: { tNAME *pRemoteName = (tNAME *) pIrp->AssociatedIrp.SystemBuffer; PIO_STACK_LOCATION pIrpSp = IoGetCurrentIrpStackLocation (pIrp); // // Validate input/output buffer size // Size = pIrpSp->Parameters.DeviceIoControl.InputBufferLength; if (Size >= sizeof(tNAME)) { // // We need only the name // status = NbtFlushEntryFromRemoteHashTable (pRemoteName); } else { IF_DBG(NBT_DEBUG_PNP_POWER) KdPrint(("Nbt.DispatchIoctls[IOCTL_NETBT_REMOVE_FROM_REMOTE_TABLE]: Input buffer too small\n")); status = STATUS_INVALID_PARAMETER; } break; } // // The following Ioctl is used by the Rdr/Srv to add/remove addresses from the SmbDevice // case IOCTL_NETBT_SET_SMBDEVICE_BIND_INFO: { ASSERT (NULL == pNbtSmbDevice || pDeviceContext == pNbtSmbDevice); status = NbtSetSmbBindingInfo (pDeviceContext, pIrp, pIrpSp); break; } case IOCTL_NETBT_ENABLE_DISABLE_NETBIOS_SMB: // // Private API for the new smb driver (smb.sys) // status = NbtEnableDisableNetbiosSmb(pDeviceContext, pIrp, pIrpSp); break; default: { status = STATUS_INVALID_PARAMETER; break; } } // switch NbtTrace(NBT_TRACE_IOCTL, ("pDeviceContext %p: pIrp %p %!status!", pDeviceContext, pIrp, status )); // // copy the reponse to the client's Mdl // if (!NT_ERROR(status) && // allow buffer overflow to pass by ((ControlCode == IOCTL_NETBT_GET_REMOTE_NAMES) || (ControlCode == IOCTL_NETBT_GET_BCAST_NAMES) || (ControlCode == IOCTL_NETBT_GET_CONNECTIONS)) ) { status = TdiCopyBufferToMdl (pBuffer, 0, Size, pIrp->MdlAddress, 0, (PULONG) &pIrp->IoStatus.Information); CTEMemFree((PVOID)pBuffer); } // // either Success or an Error // so complete the irp // NTIoComplete(pIrp,status,0); return(status); } //---------------------------------------------------------------------------- NTSTATUS GetIpAddrs( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp ) /*++ Routine Description: This routine performs the IOCTL_GET_IP_ADDRS function. It is in its own routine because it is non paged. Arguments: pDeviceContext - pIrp - Return Value: NTSTATUS - --*/ { ULONG Length; PULONG pIpAddr; PLIST_ENTRY pEntry,pHead; tDEVICECONTEXT *pDevContext; KIRQL OldIrq; tIPADDRESS IpAddr; // // return this devicecontext's ip address and all the other // ip addrs after it. // if (!pIrp->MdlAddress) { return STATUS_INVALID_PARAMETER; } else if ((Length = MmGetMdlByteCount (pIrp->MdlAddress)) < sizeof(ULONG)) { return STATUS_BUFFER_TOO_SMALL; } else if (!(pIpAddr = (PULONG )MmGetSystemAddressForMdlSafe (pIrp->MdlAddress, NormalPagePriority))) { return STATUS_UNSUCCESSFUL; } // // Put this adapter first in the list // Don't include the smb device, its address is uninteresting if (!IsDeviceNetbiosless (pDeviceContext)) { *((tIPADDRESS UNALIGNED *) pIpAddr) = pDeviceContext->AssignedIpAddress; pIpAddr++; Length -= sizeof(ULONG); } // Return the others CTESpinLock(&NbtConfig.JointLock,OldIrq); pEntry = pHead = &NbtConfig.DeviceContexts; while ((pEntry = pEntry->Flink) != pHead) { if (Length < sizeof(ULONG)) { CTESpinFree(&NbtConfig.JointLock,OldIrq); return STATUS_BUFFER_OVERFLOW; } pDevContext = CONTAINING_RECORD(pEntry, tDEVICECONTEXT, Linkage); if ((pDevContext != pDeviceContext) && (pDevContext->AssignedIpAddress)) { *((tIPADDRESS UNALIGNED *) pIpAddr) = pDevContext->AssignedIpAddress; pIpAddr++; Length -= sizeof(ULONG); } } CTESpinFree(&NbtConfig.JointLock,OldIrq); // // put a -1 address on the end // if (Length < sizeof(ULONG)) { return STATUS_BUFFER_OVERFLOW; } IpAddr = -1; *((tIPADDRESS UNALIGNED *) pIpAddr) = IpAddr; return STATUS_SUCCESS; } // GetIpAddrs //---------------------------------------------------------------------------- NTSTATUS NTReceive( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp ) /*++ Routine Description: This Routine handles Queuing a receive buffer on a connection or passing the recieve buffer to the transport if there is outstanding data waiting to be received on the connection. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { NTSTATUS status=STATUS_UNSUCCESSFUL; PIO_STACK_LOCATION pIrpSp; tCONNECTELE *pConnEle; KIRQL OldIrq, OldIrq1; ULONG ToCopy; ULONG ClientRcvLen; tLOWERCONNECTION *pLowerConn; ULONG RemainingPdu; PTDI_REQUEST_KERNEL_RECEIVE pParams; PTDI_REQUEST_KERNEL_RECEIVE pClientParams; ULONG BytesCopied; pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pConnEle = pIrpSp->FileObject->FsContext; if ((pConnEle) && (pConnEle->state == NBT_SESSION_UP)) { CTESpinLock(pConnEle,OldIrq1); PUSH_LOCATION(0x30); if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { CTESpinFree(pConnEle,OldIrq1); ASSERTMSG ("Nbt.NTReceive: ERROR - Invalid Connection Handle\n", 0); status = STATUS_INVALID_HANDLE; } else if (pLowerConn = pConnEle->pLowerConnId) { status = STATUS_SUCCESS; } else { CTESpinFree(pConnEle,OldIrq1); status = STATUS_REMOTE_DISCONNECT; } } if (STATUS_SUCCESS != status) { PUSH_LOCATION(0x47); // // session in wrong state so reject the buffer posting // complete the irp, since there must have been some sort of error // to get to here // NTIoComplete(pIrp, status, 0); return(status); } PUSH_LOCATION(0x31); // // We are already holding the ConnEle lock CTESpinLock(pLowerConn,OldIrq); if (pLowerConn->StateRcv != PARTIAL_RCV) { // **** Fast Path Code **** // // Queue this receive buffer on to the Rcv Head // InsertTailList(&pConnEle->RcvHead, &pIrp->Tail.Overlay.ListEntry); status = NTCheckSetCancelRoutine(pIrp,(PVOID)NbtCancelReceive,pDeviceContext); if (!NT_SUCCESS(status)) { RemoveEntryList(&pIrp->Tail.Overlay.ListEntry); CTESpinFree(pLowerConn,OldIrq); CTESpinFree(pConnEle,OldIrq1); NTIoComplete(pIrp,status,0); return(status); } else { // // if the irp is not cancelled, returning pending // CTESpinFree(pLowerConn,OldIrq); CTESpinFree(pConnEle,OldIrq1); return(STATUS_PENDING); } } else { // ***** Partial Rcv - Data Still in Transport ***** BOOLEAN ZeroLengthSend; PUSH_LOCATION(0x32); IF_DBG(NBT_DEBUG_RCV) KdPrint(("Nbt.NTReceive: A Rcv Buffer posted data in Xport,InXport= %X,InIndic %X RcvIndicated %X\n", pConnEle->BytesInXport,pLowerConn->BytesInIndicate, pConnEle->ReceiveIndicated)); // get the MDL chain length pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pClientParams = (PTDI_REQUEST_KERNEL_RECEIVE)&pIrpSp->Parameters; // Reset the Irp pending flag pIrpSp->Control &= ~SL_PENDING_RETURNED; // fill in the next irp stack location with our completion routine. pIrpSp = IoGetNextIrpStackLocation(pIrp); pIrpSp->CompletionRoutine = CompletionRcv; pIrpSp->Context = (PVOID)pConnEle->pLowerConnId; pIrpSp->Flags = 0; // set flags so the completion routine is always invoked. pIrpSp->Control = SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_ERROR | SL_INVOKE_ON_CANCEL; pIrpSp->MajorFunction = IRP_MJ_INTERNAL_DEVICE_CONTROL; pIrpSp->MinorFunction = TDI_RECEIVE; pIrpSp->DeviceObject = IoGetRelatedDeviceObject(pConnEle->pLowerConnId->pFileObject); pIrpSp->FileObject = pConnEle->pLowerConnId->pFileObject; pParams = (PTDI_REQUEST_KERNEL_RECEIVE)&pIrpSp->Parameters; pParams->ReceiveFlags = pClientParams->ReceiveFlags; // Since this irp is going to traverse through CompletionRcv, we // need to set the following, since it undoes this stuff. // This also prevents the LowerConn from being blown away before // the irp has returned from the transport // NBT_REFERENCE_LOWERCONN (pLowerConn, REF_LOWC_RCV_HANDLER); // // pass the receive buffer directly to the transport, decrementing // the number of receive bytes that have been indicated // ASSERT(pConnEle->TotalPcktLen >= pConnEle->BytesRcvd); if (pClientParams->ReceiveLength > (pConnEle->TotalPcktLen - pConnEle->BytesRcvd)) { pParams->ReceiveLength = pConnEle->TotalPcktLen - pConnEle->BytesRcvd; } else { pParams->ReceiveLength = pClientParams->ReceiveLength; } ClientRcvLen = pParams->ReceiveLength; // // Set the amount of data that we will receive so when the // irp completes in completionRcv, we can fill in that // info in the Irp // pConnEle->CurrentRcvLen = ClientRcvLen; // if a zero length send occurs, then ReceiveIndicated is set // to zero with the state set to RcvPartial. Or, the client may // pass down an Irp with no MDL in it!! // if ((pConnEle->ReceiveIndicated == 0) || !pIrp->MdlAddress) { ZeroLengthSend = TRUE; } else { ZeroLengthSend = FALSE; } // calculate how many bytes are still remaining for the client. if (pConnEle->ReceiveIndicated > ClientRcvLen) { PUSH_LOCATION(0x40); pConnEle->ReceiveIndicated -= ClientRcvLen; } else { pConnEle->ReceiveIndicated = 0; } if (pLowerConn->BytesInIndicate || ZeroLengthSend) { PMDL Mdl; PUSH_LOCATION(0x33); if (ClientRcvLen > pLowerConn->BytesInIndicate) { ToCopy = pLowerConn->BytesInIndicate; } else { PUSH_LOCATION(0x41); ToCopy = ClientRcvLen; } // copy data from the indicate buffer to the client's buffer, // remembering that there is a session header in the indicate // buffer at the start of it... so skip that. The // client can pass down a null Mdl address for a zero length // rcv so check for that. // if (Mdl = pIrp->MdlAddress) { TdiCopyBufferToMdl(MmGetMdlVirtualAddress(pLowerConn->pIndicateMdl), 0, // src offset ToCopy, Mdl, 0, // dest offset &BytesCopied); } else { BytesCopied = 0; } // client's MDL is too short... if (BytesCopied != ToCopy) { PUSH_LOCATION(0x42); IF_DBG(NBT_DEBUG_INDICATEBUFF) KdPrint(("Nbt:Receive Buffer too short for Indicate buff BytesCopied %X, ToCopy %X\n", BytesCopied, ToCopy)); // ToCopy = BytesCopied; // so the irp will be completed, below ClientRcvLen = BytesCopied; } pLowerConn->BytesInIndicate -= (USHORT)BytesCopied; // this case is only if the irp is full and should be returned // now. if (BytesCopied == ClientRcvLen) { PUSH_LOCATION(0x34); // check if the indicate buffer is empty now. If not, then // move the data forward to the start of the buffer. // if (pLowerConn->BytesInIndicate) { PUSH_LOCATION(0x43); CopyToStartofIndicate(pLowerConn,BytesCopied); } // // the irp is full so complete it // // the client MDL is full, so complete his irp // CompletionRcv increments the number of bytes rcvd // for this session pdu (pConnEle->BytesRcvd). pIrp->IoStatus.Information = BytesCopied; pIrp->IoStatus.Status = STATUS_SUCCESS; // since we are completing it and TdiRcvHandler did not set the next // one. // ASSERT(pIrp->CurrentLocation > 1); IoSetNextIrpStackLocation(pIrp); // we need to track how much of the client's MDL has filled // up to know when to return it. CompletionRcv subtracts // from this value as it receives bytes. pConnEle->FreeBytesInMdl = ClientRcvLen; pConnEle->CurrentRcvLen = ClientRcvLen; CTESpinFree(pLowerConn,OldIrq); CTESpinFree(pConnEle,OldIrq1); IoCompleteRequest(pIrp,IO_NETWORK_INCREMENT); return(STATUS_SUCCESS); } else { // // clear the number of bytes in the indicate buffer since the client // has taken more than the data left in the Indicate buffer // pLowerConn->BytesInIndicate = 0; // decrement the client rcv len by the amount already put into the // client Mdl // ClientRcvLen -= BytesCopied; IF_DBG(NBT_DEBUG_RCV) KdPrint(("Nbt: Pass Client Irp to Xport BytesinXport %X, ClientRcvLen %X\n", pConnEle->BytesInXport,ClientRcvLen)); // // Set the amount left inthe transport after this irp // completes if (pConnEle->BytesInXport < ClientRcvLen ) { pConnEle->BytesInXport = 0; } else { pConnEle->BytesInXport -= ClientRcvLen; } // Adjust the number of bytes in the Mdl chain so far since the // completion routine will only count the bytes filled in by the // transport pConnEle->BytesRcvd += BytesCopied; // the client is going to take more data from the transport with // this Irp. Set the new Rcv Length that accounts for the data just // copied to the Irp. // pParams->ReceiveLength = ClientRcvLen; IF_DBG(NBT_DEBUG_RCV) KdPrint(("Nbt:ClientRcvLen = %X, LeftinXport= %X BytesCopied= %X %X\n",ClientRcvLen, pConnEle->BytesInXport,BytesCopied,pLowerConn)); // set the state to this so we can undo the MDL footwork // in completion rcv - since we have made a partial MDL and // put that at the start of the chain. // SET_STATERCV_LOWER(pLowerConn, FILL_IRP, FillIrp); // Note that the Irp Mdl address changes below // when MakePartialMdl is called so this line cannot // be moved to the common code below!! pLowerConn->pMdl = pIrp->MdlAddress; // setup the next MDL so we can create a partial mdl correctly // in TdiReceiveHandler // pConnEle->pNextMdl = pIrp->MdlAddress; // Build a partial Mdl to represent the client's Mdl chain since // we have copied data to it, and the transport must copy // more data to it after that data. // // Force the system to map and lock the user buffer MmGetSystemAddressForMdlSafe (pIrp->MdlAddress, HighPagePriority); MakePartialMdl(pConnEle,pIrp,BytesCopied); // pass the Irp to the transport // // IF_DBG(NBT_DEBUG_RCV) KdPrint(("Nbt:Calling IoCallDriver\n")); ASSERT(pIrp->CurrentLocation > 1); } } else { PUSH_LOCATION(0x36); IF_DBG(NBT_DEBUG_RCV) KdPrint(("Nbt.NTReceive: Pass Irp To Xport Bytes in Xport %X, ClientRcvLen %X, RcvIndicated %X\n", pConnEle->BytesInXport,ClientRcvLen,pConnEle->ReceiveIndicated)); // // there are no bytes in the indicate buffer, so just pass the // irp on down to the transport // // // Decide the next state depending on whether the transport currently // has enough data for this irp // if (pConnEle->BytesInXport < ClientRcvLen) { PUSH_LOCATION(0x37); pConnEle->BytesInXport = 0; // // to get to here, the implication is that ReceiveIndicated // equals zero too!! Since ReceiveInd cannot be more than // BytesInXport, so we can change the state to fill irp without // worrying about overwriting PartialRcv // SET_STATERCV_LOWER(pLowerConn, FILL_IRP, FillIrp); // setup the next MDL so we can create a partial mdl correctly // in TdiReceiveHandler // pConnEle->pNextMdl = pIrp->MdlAddress; } else { PUSH_LOCATION(0x38); pConnEle->BytesInXport -= ClientRcvLen; // set the state to this so we know what to do in completion rcv // if (pConnEle->ReceiveIndicated == 0) { PUSH_LOCATION(0x39); SET_STATERCV_LOWER(pLowerConn, NORMAL, Normal); } } // // save the Irp so we can reconstruct things later // pLowerConn->pMdl = pIrp->MdlAddress; } // *** Common Code to passing irp to transport - when there is // data in the indicate buffer and when there isn't // keep track of data in MDL so we know when it is full // and we need to return it to the user // pConnEle->FreeBytesInMdl = pParams->ReceiveLength; // Force the system to map and lock the user buffer MmGetSystemAddressForMdlSafe (pIrp->MdlAddress, HighPagePriority); // // Null the Irp since we are passing it to the transport. // pConnEle->pIrpRcv = NULL; CTESpinFree(pLowerConn,OldIrq); CTESpinFree(pConnEle,OldIrq1); CHECK_COMPLETION(pIrp); status = IoCallDriver(IoGetRelatedDeviceObject(pLowerConn->pFileObject),pIrp); IF_DBG(NBT_DEBUG_RCV) KdPrint(("Nbt.NTReceive: Returning=<%x>, IoStatus.Status=<%x>, IoStatus.Information=<%x>\n", status, pIrp->IoStatus.Status, pIrp->IoStatus.Information)); } return(status); } //---------------------------------------------------------------------------- NTSTATUS NTReceiveDatagram( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles receiving a datagram by passing the datagram rcv buffer to the non-OS specific code. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { NTSTATUS status; PIO_STACK_LOCATION pIrpSp; PTDI_REQUEST_KERNEL_RECEIVEDG pTdiRequest; TDI_REQUEST Request; ULONG ReceivedLength; tCLIENTELE *pClientEle; IF_DBG(NBT_DEBUG_RCV) KdPrint(("Nbt: Got a Receive datagram that NBT was NOT \n")); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pClientEle = (tCLIENTELE *)pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pClientEle, NBT_VERIFY_CLIENT, NBT_VERIFY_CLIENT_DOWN)) { ASSERTMSG ("Nbt.NTReceiveDatagram: ERROR - Invalid Address Handle\n", 0); return (STATUS_INVALID_HANDLE); } // get the sending information out of the irp pTdiRequest = (PTDI_REQUEST_KERNEL_RECEIVEDG)&pIrpSp->Parameters; Request.Handle.AddressHandle = pClientEle; status = NbtReceiveDatagram( &Request, pTdiRequest->ReceiveDatagramInformation, pTdiRequest->ReturnDatagramInformation, pTdiRequest->ReceiveLength, &ReceivedLength, (PVOID)pIrp->MdlAddress, // user data (tDEVICECONTEXT *)pDeviceContext, pIrp); if (status != STATUS_PENDING) { NTIoComplete(pIrp,status,ReceivedLength); } return(status); } //---------------------------------------------------------------------------- NTSTATUS NTSend( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles sending session pdus across a connection. It is all OS specific code. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { PIO_STACK_LOCATION pIrpSp; NTSTATUS status; PTDI_REQUEST_KERNEL_SEND pTdiRequest; PMDL pMdl; PSINGLE_LIST_ENTRY pSingleListEntry; tSESSIONHDR *pSessionHdr; tCONNECTELE *pConnEle; KIRQL OldIrq; KIRQL OldIrq1; PTDI_REQUEST_KERNEL_SEND pParams; PFILE_OBJECT pFileObject; tLOWERCONNECTION *pLowerConn; pIrpSp = IoGetCurrentIrpStackLocation(pIrp); // // This function could be called directly also while bypassing the // Io subsystem, so we need to recheck the DeviceContext here // if (!NBT_REFERENCE_DEVICE (pDeviceContext, REF_DEV_DISPATCH, FALSE)) { // IF_DBG(NBT_DEBUG_SEND) KdPrint(("Nbt.NTSend: Invalid Device=<%x>\n", pDeviceContext)); status = STATUS_INVALID_DEVICE_STATE; goto ErrorInvalidDevice; } // get the sending information out of the irp pTdiRequest = (PTDI_REQUEST_KERNEL_SEND)&pIrpSp->Parameters; pConnEle = (tCONNECTELE *)pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { ASSERTMSG ("Nbt.NTSend: ERROR - Invalid Connection Handle\n", 0); status = STATUS_INVALID_HANDLE; goto ErrorExit; // Irp has to be completed in this routine! Bug# 202340 } CTESpinLock(pConnEle,OldIrq); if (!(pLowerConn = pConnEle->pLowerConnId)) { CTESpinFree(pConnEle,OldIrq); IF_DBG(NBT_DEBUG_SEND) KdPrint(("Nbt.NTSend: attempting send when LowerConn has been freed!\n")); status = STATUS_INVALID_HANDLE; goto ErrorExit; // to save on indent levels use a goto here } // // make sure lowerconn stays valid until the irp is done // CTESpinLock(pLowerConn,OldIrq1); NBT_REFERENCE_LOWERCONN (pLowerConn, REF_LOWC_SEND); CTESpinFree(pLowerConn,OldIrq1); // check the state of the connection if (pConnEle->state == NBT_SESSION_UP) { // // send the data on downward to tcp // allocate an MDL to allow us to put the session hdr in first and then // put the users buffer on after that, chained to the session hdr MDL. // #if BACK_FILL { PMDL SmbMdl; SmbMdl = (PMDL)pIrp->MdlAddress; // Check if network header type is set // if yes, then we can back fill the nbt session header if ((SmbMdl) && (SmbMdl->MdlFlags & MDL_NETWORK_HEADER)) { pSessionHdr = (tSESSIONHDR *)((ULONG_PTR)SmbMdl->MappedSystemVa - SESSION_HDR_SIZE); (ULONG_PTR)SmbMdl->MappedSystemVa -= SESSION_HDR_SIZE; SmbMdl->ByteOffset -= SESSION_HDR_SIZE; SmbMdl->ByteCount+= SESSION_HDR_SIZE; pSessionHdr->UlongLength = htonl(pTdiRequest->SendLength); IF_DBG(NBT_DEBUG_SEND) KdPrint(("Nbt: Backfilled mdl %x %x\n", pSessionHdr, SmbMdl)); } else { CTESpinLockAtDpc(&NbtConfig); if (NbtConfig.SessionMdlFreeSingleList.Next) { pSingleListEntry = PopEntryList(&NbtConfig.SessionMdlFreeSingleList); pMdl = CONTAINING_RECORD(pSingleListEntry,MDL,Next); ASSERT ( MmGetMdlByteCount ( pMdl ) == sizeof ( tSESSIONHDR ) ); } else { NbtGetMdl(&pMdl,eNBT_FREE_SESSION_MDLS); if (!pMdl) { IF_DBG(NBT_DEBUG_SEND) KdPrint(("Nbt:Unable to get an MDL for a session send!\n")); status = STATUS_INSUFFICIENT_RESOURCES; CTESpinFreeAtDpc(&NbtConfig); CTESpinFree(pConnEle,OldIrq); // to save on indent levels use a goto here goto ErrorExit1; } } CTESpinFreeAtDpc(&NbtConfig); // get the session hdr address out of the MDL pSessionHdr = (tSESSIONHDR *)MmGetMdlVirtualAddress(pMdl); // the type of PDU is always a session message, since the session // request is sent when the client issues a "connect" rather than a send // pSessionHdr->UlongLength = htonl(pTdiRequest->SendLength); // get the device object and file object for the TCP transport underneath // link the user buffer on the end of the session header Mdl on the Irp // pMdl->Next = pIrp->MdlAddress; pIrp->MdlAddress = pMdl; } } #else CTESpinLockAtDpc(&NbtConfig); if (NbtConfig.SessionMdlFreeSingleList.Next) { pSingleListEntry = PopEntryList(&NbtConfig.SessionMdlFreeSingleList); pMdl = CONTAINING_RECORD(pSingleListEntry,MDL,Next); ASSERT ( MmGetMdlByteCount ( pMdl ) == sizeof ( tSESSIONHDR ) ); } else { NbtGetMdl(&pMdl,eNBT_FREE_SESSION_MDLS); if (!pMdl) { IF_DBG(NBT_DEBUG_SEND) KdPrint(("Nbt:Unable to get an MDL for a session send!\n")); status = STATUS_INSUFFICIENT_RESOURCES; CTESpinFreeAtDpc(&NbtConfig); CTESpinFree(pConnEle,OldIrq); // to save on indent levels use a goto here goto ErrorExit1; } } CTESpinFreeAtDpc(&NbtConfig); // get the session hdr address out of the MDL pSessionHdr = (tSESSIONHDR *)MmGetMdlVirtualAddress(pMdl); // the type of PDU is always a session message, since the session // request is sent when the client issues a "connect" rather than a send // pSessionHdr->UlongLength = htonl(pTdiRequest->SendLength); // get the device object and file object for the TCP transport underneath // link the user buffer on the end of the session header Mdl on the Irp // pMdl->Next = pIrp->MdlAddress; pIrp->MdlAddress = pMdl; #endif //BACK_FILL pIrpSp = IoGetNextIrpStackLocation(pIrp); pParams = (PTDI_REQUEST_KERNEL_SEND)&pIrpSp->Parameters; pParams->SendFlags = pTdiRequest->SendFlags; pParams->SendLength = pTdiRequest->SendLength + sizeof(tSESSIONHDR); pIrpSp->CompletionRoutine = SendCompletion; pIrpSp->Context = (PVOID)pLowerConn; pIrpSp->Control = SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_ERROR | SL_INVOKE_ON_CANCEL; pIrpSp->MajorFunction = IRP_MJ_INTERNAL_DEVICE_CONTROL; pIrpSp->MinorFunction = TDI_SEND; pFileObject = pLowerConn->pFileObject; pLowerConn->BytesSent += pTdiRequest->SendLength; pIrpSp->FileObject = pFileObject; pIrpSp->DeviceObject = IoGetRelatedDeviceObject(pFileObject); CTESpinFree(pConnEle,OldIrq); CHECK_COMPLETION(pIrp); #if FAST_DISP //if we are all set to do fast path, do so now. if (pLowerConn->FastSend) { IoSetNextIrpStackLocation(pIrp); IF_DBG(NBT_DEBUG_SEND) KdPrint(("Nbt.NTSend: Fasttdi path %x %x \n", pIrp, pIrpSp)); status = pLowerConn->FastSend (pIrp, pIrpSp); } else { status = IoCallDriver (IoGetRelatedDeviceObject (pFileObject), pIrp); } #else status = IoCallDriver(IoGetRelatedDeviceObject(pFileObject),pIrp); #endif NBT_DEREFERENCE_DEVICE (pDeviceContext, REF_DEV_DISPATCH, FALSE); return(status); } //correct state CTESpinFree(pConnEle,OldIrq); IF_DBG(NBT_DEBUG_SEND) KdPrint(("Nbt:Invalid state for connection on an attempted send, %X\n", pConnEle)); status = STATUS_INVALID_HANDLE; ErrorExit1: // // Dereference pLowerConn->RefCount, referenced above. // NBT_DEREFERENCE_LOWERCONN (pLowerConn, REF_LOWC_SEND, FALSE); ErrorExit: NBT_DEREFERENCE_DEVICE (pDeviceContext, REF_DEV_DISPATCH, FALSE); ErrorInvalidDevice: // // Reset the Irp pending flag // pIrpSp->Control &= ~SL_PENDING_RETURNED; // // complete the irp, since there must have been some sort of error // to get to here // NTIoComplete (pIrp, status, 0); return(status); } //---------------------------------------------------------------------------- NTSTATUS SendCompletion( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context ) /*++ Routine Description: This routine handles the completion event when the send completes with the underlying transport. It must put the session hdr buffer back in the correct free list and free the active q entry and put it back on its free list. Arguments: DeviceObject - unused. Irp - Supplies Irp that the transport has finished processing. Context - Supplies the pConnectEle - the connection data structure Return Value: The final status from the operation (success or an exception). --*/ { PMDL pMdl; tLOWERCONNECTION *pLowerConn; // // Do some checking to keep the Io system happy - propagate the pending // bit up the irp stack frame.... if it was set by the driver below then // it must be set by me // if (Irp->PendingReturned) { IoMarkIrpPending(Irp); } // put the MDL we back on its free list and put the clients mdl back on the Irp // as it was before the send pMdl = Irp->MdlAddress; #if BACK_FILL // If the header is back filled // we should adjust the pointers back to where it was. if (pMdl->MdlFlags & MDL_NETWORK_HEADER) { (ULONG_PTR)pMdl->MappedSystemVa += SESSION_HDR_SIZE; pMdl->ByteOffset += SESSION_HDR_SIZE; pMdl->ByteCount -= SESSION_HDR_SIZE; IF_DBG(NBT_DEBUG_SEND) KdPrint(("Nbt: Done with Backfilled mdl %x\n", pMdl)); } else { Irp->MdlAddress = pMdl->Next; ASSERT ( MmGetMdlByteCount ( pMdl ) == SESSION_HDR_SIZE ); #if DBG IF_DBG(NBT_DEBUG_SEND) { PMDL pMdl1; ULONG ulen1,ulen2,ulen3; UCHAR uc; tSESSIONHDR *pSessionHdr; PSINGLE_LIST_ENTRY pSingleListEntry; KIRQL OldIrq; pSessionHdr = (tSESSIONHDR *)MmGetMdlVirtualAddress(pMdl); ulen1 = htonl ( pSessionHdr->UlongLength ); for ( ulen2 = 0 , pMdl1 = pMdl ; ( pMdl1 = pMdl1->Next ) != NULL ; ) { ulen3 = MmGetMdlByteCount ( pMdl1 ); ASSERT ( ulen3 > 0 ); uc = ( ( UCHAR * ) MmGetMdlVirtualAddress ( pMdl1 ) ) [ ulen3 - 1 ]; ulen2 += ulen3; } ASSERT ( ulen2 == ulen1 ); CTESpinLock(&NbtConfig,OldIrq); for ( pSingleListEntry = &NbtConfig.SessionMdlFreeSingleList ; ( pSingleListEntry = pSingleListEntry->Next ) != NULL ; ) { pMdl1 = CONTAINING_RECORD(pSingleListEntry,MDL,Next); ASSERT ( pMdl1 != pMdl ); } CTESpinFree(&NbtConfig,OldIrq); } #endif // DBG ExInterlockedPushEntryList(&NbtConfig.SessionMdlFreeSingleList, (PSINGLE_LIST_ENTRY)pMdl, &NbtConfig.LockInfo.SpinLock); } #else Irp->MdlAddress = pMdl->Next; ASSERT ( MmGetMdlByteCount ( pMdl ) == sizeof ( tSESSIONHDR ) ); #if DBG IF_DBG(NBT_DEBUG_SEND) { PMDL pMdl1; ULONG ulen1,ulen2,ulen3; UCHAR uc; tSESSIONHDR *pSessionHdr; PSINGLE_LIST_ENTRY pSingleListEntry; KIRQL OldIrq; pSessionHdr = (tSESSIONHDR *)MmGetMdlVirtualAddress(pMdl); ulen1 = htonl ( pSessionHdr->UlongLength ); for ( ulen2 = 0 , pMdl1 = pMdl ; ( pMdl1 = pMdl1->Next ) != NULL ; ) { ulen3 = MmGetMdlByteCount ( pMdl1 ); ASSERT ( ulen3 > 0 ); uc = ( ( UCHAR * ) MmGetMdlVirtualAddress ( pMdl1 ) ) [ ulen3 - 1 ]; ulen2 += ulen3; } ASSERT ( ulen2 == ulen1 ); CTESpinLock(&NbtConfig,OldIrq); for ( pSingleListEntry = &NbtConfig.SessionMdlFreeSingleList ; ( pSingleListEntry = pSingleListEntry->Next ) != NULL ; ) { pMdl1 = CONTAINING_RECORD(pSingleListEntry,MDL,Next); ASSERT ( pMdl1 != pMdl ); } CTESpinFree(&NbtConfig,OldIrq); } #endif // DBG ExInterlockedPushEntryList(&NbtConfig.SessionMdlFreeSingleList, (PSINGLE_LIST_ENTRY)pMdl, &NbtConfig.LockInfo.SpinLock); #endif //BACK_FILL // fill in the sent size so that it substracts off the session header size // if (Irp->IoStatus.Information > sizeof(tSESSIONHDR)) { Irp->IoStatus.Information -= sizeof(tSESSIONHDR); } else { // nothing was sent Irp->IoStatus.Information = 0; IF_DBG(NBT_DEBUG_SEND) KdPrint(("Nbt:Zero Send Length for a session send!\n")); } // // we incremented this before the send: deref it now // pLowerConn = (tLOWERCONNECTION *)Context; ASSERT (NBT_VERIFY_HANDLE (pLowerConn, NBT_VERIFY_LOWERCONN)); NBT_DEREFERENCE_LOWERCONN (pLowerConn, REF_LOWC_SEND, FALSE); return(STATUS_SUCCESS); UNREFERENCED_PARAMETER( DeviceObject ); } //---------------------------------------------------------------------------- NTSTATUS NTSendDatagram( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles sending a datagram down to the transport. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { PIO_STACK_LOCATION pIrpSp; NTSTATUS status; LONG lSentLength; TDI_REQUEST Request; PTDI_REQUEST_KERNEL_SENDDG pTdiRequest; tCLIENTELE *pClientEle; CTEPagedCode(); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pClientEle = (tCLIENTELE *)pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pClientEle, NBT_VERIFY_CLIENT, NBT_VERIFY_CLIENT_DOWN)) { ASSERTMSG ("Nbt.SendDatagram: ERROR - Invalid Address Handle\n", 0); return (STATUS_INVALID_HANDLE); } // CTEVerifyHandle(pClientEle,NBT_VERIFY_CLIENT,tCLIENTELE,&status); // get the sending information out of the irp pTdiRequest = (PTDI_REQUEST_KERNEL_SENDDG)&pIrpSp->Parameters; Request.Handle.AddressHandle = pClientEle; lSentLength = 0; // // Mark IRP pending here // IoMarkIrpPending(pIrp); status = NbtSendDatagram (&Request, pTdiRequest->SendDatagramInformation, pTdiRequest->SendLength, &lSentLength, (PVOID)pIrp->MdlAddress, // user data (tDEVICECONTEXT *)pDeviceContext, pIrp); if (status != STATUS_PENDING) { // // either Success or an Error // NTIoComplete(pIrp,status,lSentLength); } // // To make driver verifier and IO system happy, always return // STATUS_PENDING for the request marked as PENDING // return STATUS_PENDING; } //---------------------------------------------------------------------------- NTSTATUS NTSetInformation( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles sets up event handlers that the client passes in. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { // *TODO* CTEPagedCode(); IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt:************ Got a Set Information that was NOT expected *******\n")); return(STATUS_SUCCESS); } //---------------------------------------------------------------------------- NTSTATUS NTQueueToWorkerThread( IN OUT NBT_WORK_ITEM_CONTEXT * pContext, IN PVOID DelayedWorkerRoutine, IN tDGRAM_SEND_TRACKING *pTracker, IN PVOID pClientContext, IN PVOID ClientCompletion, IN tDEVICECONTEXT *pDeviceContext, IN BOOLEAN fJointLockHeld ) /*++ Routine Description: This routine simply queues a request on an excutive worker thread for later execution. Scanning the LmHosts file must be down this way. Arguments: pContext - the workitem context. If it is NULL, this function will allocate one. Otherwise, it will use the pass in context. pTracker - the tracker block for context DelayedWorkerRoutine- the routine for the Workerthread to call pDeviceContext - the device context which is this delayed event pertains to. This could be NULL (meaning it's an event pertaining to not any specific device context) Return Value: --*/ { KIRQL OldIrq = 0; if ((pDeviceContext) && (!NBT_REFERENCE_DEVICE(pDeviceContext, REF_DEV_WORKER, fJointLockHeld))) { // ASSERT(NULL == pContext); return STATUS_INVALID_DEVICE_REQUEST; } #if 0 // // Dont bother queuing a workitem if we're running // in the same context of the work thread and we're // at PASSIVE_LEVEL // if (KeGetCurrentThread() == NbtConfig.pWorkThread && KeGetCurrentIrql() == PASSIVE_LEVEL) { KdPrint(("WorkItem: Fast Path\n")); (*((PNBT_WORKER_THREAD_ROUTINE)DelayedWorkerRoutine))( pTracker, pClientContext, ClientCompletion, pDeviceContext ); if (pDeviceContext) { NBT_DEREFERENCE_DEVICE (pDeviceContext, REF_DEV_WORKER, fJointLockHeld); } return (STATUS_SUCCESS); } #endif // // Allocate a context if // 1. the caller doesn't have one, or // 2. the context is already in queue // this is a bug in the caller. In this case, // we try to recover from the failure. // if (NULL == pContext || pContext->bQueued) { // // ASSERT out if the caller is giving us a pContext // which has already been in queue. // ASSERT(NULL == pContext); pContext = (NBT_WORK_ITEM_CONTEXT *)NbtAllocMem(sizeof(NBT_WORK_ITEM_CONTEXT),NBT_TAG2('22')); if (NULL == pContext) { if (pDeviceContext) { NBT_DEREFERENCE_DEVICE (pDeviceContext, REF_DEV_WORKER, fJointLockHeld); } return (STATUS_INSUFFICIENT_RESOURCES); } pContext->bSpecialAlloc = TRUE; pContext->bQueued = FALSE; } else { pContext->bSpecialAlloc = FALSE; } // // From now on, we cannot fail // pContext->bQueued = TRUE; pContext->pTracker = pTracker; pContext->pClientContext = pClientContext; pContext->ClientCompletion = ClientCompletion; pContext->pDeviceContext = pDeviceContext; pContext->WorkerRoutine = DelayedWorkerRoutine; InitializeListHead(&pContext->Linkage); CTESpinLock(&NbtConfig.WorkerQLock,OldIrq); InsertTailList(&NbtConfig.WorkerQList, &pContext->Linkage); InterlockedIncrement(&NbtConfig.NumWorkItemQueued); if (!NbtConfig.Unloading && !InterlockedExchange(&NbtConfig.bSystemWorkThreadQueued, TRUE)) { ExInitializeWorkItem(&NbtConfig.SystemWorkItem, NTExecuteWorker, &NbtConfig.SystemWorkItem); ExQueueWorkItem(&NbtConfig.SystemWorkItem, CriticalWorkQueue); } CTESpinFree(&NbtConfig.WorkerQLock,OldIrq); return (STATUS_SUCCESS); } //---------------------------------------------------------------------------- VOID NTExecuteWorker( IN PVOID pUnused ) /*++ Routine Description: This routine handles executing delayed requests at non-Dpc level. If the Device is currently being unloaded, we let the Unload Handler complete the request. Arguments: pUnused - Unused Return Value: none --*/ { NBT_WORK_ITEM_CONTEXT * pContext = NULL; PNBT_WORKER_THREAD_ROUTINE pDelayedWorkerRoutine = NULL; KIRQL OldIrq; PLIST_ENTRY pEntry = NULL; tDEVICECONTEXT * pDeviceContext = NULL; BOOL bSpecialAlloc = FALSE; CTESpinLock(&NbtConfig.WorkerQLock,OldIrq); ASSERT(NULL == NbtConfig.pWorkThread); NbtConfig.pWorkThread = KeGetCurrentThread(); while(!IsListEmpty(&NbtConfig.WorkerQList)) { pEntry = RemoveHeadList(&NbtConfig.WorkerQList); InterlockedDecrement(&NbtConfig.NumWorkItemQueued); CTESpinFree(&NbtConfig.WorkerQLock,OldIrq); pContext = CONTAINING_RECORD(pEntry, NBT_WORK_ITEM_CONTEXT, Linkage); pContext->bQueued = FALSE; pDelayedWorkerRoutine = (PNBT_WORKER_THREAD_ROUTINE)pContext->WorkerRoutine; // // Save the value because pContext can be freed by the worker routine // pDeviceContext = pContext->pDeviceContext; bSpecialAlloc = pContext->bSpecialAlloc; (*pDelayedWorkerRoutine) (pContext->pTracker, pContext->pClientContext, pContext->ClientCompletion, pDeviceContext ); // // Use the saved copy after the delayed worker routine is called // if (bSpecialAlloc) { CTEMemFree((PVOID) pContext); } pContext = NULL; if (pDeviceContext) { NBT_DEREFERENCE_DEVICE(pDeviceContext, REF_DEV_WORKER, FALSE); } CTESpinLock(&NbtConfig.WorkerQLock,OldIrq); } // // set the flag to FALSE before releasing the spinlock // InterlockedExchange(&NbtConfig.bSystemWorkThreadQueued, FALSE); NbtConfig.pWorkThread = NULL; CTESpinFree(&NbtConfig.WorkerQLock,OldIrq); } //---------------------------------------------------------------------------- VOID SecurityDelete( IN PVOID pContext ) /*++ Routine Description: This routine handles deleting a security context at non-dpc level. Arguments: Return Value: none --*/ { PSECURITY_CLIENT_CONTEXT pClientSecurity; pClientSecurity = (PSECURITY_CLIENT_CONTEXT)((NBT_WORK_ITEM_CONTEXT *)pContext)->pClientContext; SeDeleteClientSecurity(pClientSecurity); CTEMemFree(pContext); } //---------------------------------------------------------------------------- NTSTATUS NTSendSession( IN tDGRAM_SEND_TRACKING *pTracker, IN tLOWERCONNECTION *pLowerConn, IN PVOID pCompletion ) /*++ Routine Description: This Routine handles seting up a DPC to send a session pdu so that the stack does not get wound up in multiple sends for the keep alive timeout case. Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { PKDPC pDpc; if (pDpc = NbtAllocMem(sizeof(KDPC),NBT_TAG('f'))) { KeInitializeDpc(pDpc, DpcSendSession, (PVOID)pTracker); KeInsertQueueDpc(pDpc,(PVOID)pLowerConn,pCompletion); return (STATUS_SUCCESS); } return (STATUS_INSUFFICIENT_RESOURCES); } //---------------------------------------------------------------------------- VOID DpcSendSession( IN PKDPC pDpc, IN PVOID Context, IN PVOID SystemArgument1, IN PVOID SystemArgument2 ) /*++ Routine Description: This routine simply calls TcpSendSession from a Dpc started in in NTSendSession (above). Arguments: Return Value: --*/ { CTEMemFree((PVOID)pDpc); TcpSendSession((tDGRAM_SEND_TRACKING *)Context, (tLOWERCONNECTION *)SystemArgument1, (PVOID)SystemArgument2); } //---------------------------------------------------------------------------- NTSTATUS NTSetEventHandler( IN tDEVICECONTEXT *pDeviceContext, IN PIRP pIrp) /*++ Routine Description: This Routine handles Arguments: pIrp - a ptr to an IRP Return Value: NTSTATUS - status of the request --*/ { PIO_STACK_LOCATION pIrpSp; NTSTATUS status; tCLIENTELE *pClientEle; PTDI_REQUEST_KERNEL_SET_EVENT pKeSetEvent; CTEPagedCode(); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pClientEle = pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pClientEle, NBT_VERIFY_CLIENT, NBT_VERIFY_CLIENT_DOWN)) { ASSERTMSG ("Nbt.NTSetEventHandler: ERROR - Invalid Address Handle\n", 0); return (STATUS_INVALID_HANDLE); } pKeSetEvent = (PTDI_REQUEST_KERNEL_SET_EVENT)&pIrpSp->Parameters; // call the not NT specific routine to setup the event handler in the // nbt data structures status = NbtSetEventHandler( pClientEle, pKeSetEvent->EventType, pKeSetEvent->EventHandler, pKeSetEvent->EventContext); return(status); } //---------------------------------------------------------------------------- VOID NTIoComplete( IN PIRP pIrp, IN NTSTATUS Status, IN ULONG SentLength) /*++ Routine Description: This Routine handles calling the NT I/O system to complete an I/O. Arguments: status - a completion status for the Irp Return Value: NTSTATUS - status of the request --*/ { KIRQL OldIrq; #if DBG if (!NT_SUCCESS(Status)) { IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NTIoComplete: Returning Error status = %X\n",Status)); // ASSERTMSG("Nbt: Error Ret Code In IoComplete",0); } #endif pIrp->IoStatus.Status = Status; // use -1 as a flag to mean do not adjust the sent length since it is // already set if (SentLength != -1) { pIrp->IoStatus.Information = SentLength; } NbtTrace(NBT_TRACE_IOCTL, ("pIrp %p: %!status! Information %d", pIrp, Status, (ULONG)(pIrp->IoStatus.Information))); #if DBG if ( (Status != STATUS_SUCCESS) && (Status != STATUS_PENDING) && (Status != STATUS_INVALID_DEVICE_REQUEST) && (Status != STATUS_INVALID_PARAMETER) && (Status != STATUS_IO_TIMEOUT) && (Status != STATUS_BUFFER_OVERFLOW) && (Status != STATUS_BUFFER_TOO_SMALL) && (Status != STATUS_INVALID_HANDLE) && (Status != STATUS_INSUFFICIENT_RESOURCES) && (Status != STATUS_CANCELLED) && (Status != STATUS_DUPLICATE_NAME) && (Status != STATUS_TOO_MANY_NAMES) && (Status != STATUS_TOO_MANY_SESSIONS) && (Status != STATUS_REMOTE_NOT_LISTENING) && (Status != STATUS_BAD_NETWORK_PATH) && (Status != STATUS_HOST_UNREACHABLE) && (Status != STATUS_CONNECTION_REFUSED) && (Status != STATUS_WORKING_SET_QUOTA) && (Status != STATUS_REMOTE_DISCONNECT) && (Status != STATUS_LOCAL_DISCONNECT) && (Status != STATUS_LINK_FAILED) && (Status != STATUS_SHARING_VIOLATION) && (Status != STATUS_UNSUCCESSFUL) && (Status != STATUS_ACCESS_VIOLATION) && #ifdef MULTIPLE_WINS (Status != STATUS_NETWORK_UNREACHABLE) && #endif (Status != STATUS_NONEXISTENT_EA_ENTRY) ) { KdPrint(("Nbt.NTIoComplete: returning unusual status = %X\n",Status)); } #endif // set the Irps cancel routine to null or the system may bugcheck // with a bug code of CANCEL_STATE_IN_COMPLETED_IRP // // refer to IoCancelIrp() ..\ntos\io\iosubs.c // IoAcquireCancelSpinLock(&OldIrq); IoSetCancelRoutine(pIrp,NULL); IoReleaseCancelSpinLock(OldIrq); IoCompleteRequest(pIrp,IO_NETWORK_INCREMENT); } //---------------------------------------------------------------------------- // ***** ***** Cancel Utilities ***** ***** //---------------------------------------------------------------------------- NTSTATUS NTGetIrpIfNotCancelled( IN PIRP pIrp, IN PIRP *ppIrpInStruct ) /*++ Routine Description: This Routine gets the IOCancelSpinLock to coordinate with cancelling irps It then returns STATUS_SUCCESS. It also nulls the irp in the structure pointed to by the second parameter - so that the irp cancel routine will not also be called. Arguments: status - a completion status for the Irp Return Value: NTSTATUS - status of the request --*/ { KIRQL OldIrq; NTSTATUS status; IoAcquireCancelSpinLock(&OldIrq); // this nulls the irp in the datastructure - i.e. pConnEle->pIrp = NULL *ppIrpInStruct = NULL; if (!pIrp->Cancel) { status = STATUS_SUCCESS; } else { status = STATUS_UNSUCCESSFUL; } IoSetCancelRoutine(pIrp,NULL); IoReleaseCancelSpinLock(OldIrq); return(status); } //---------------------------------------------------------------------------- NTSTATUS NTCheckSetCancelRoutine( IN PIRP pIrp, IN PVOID CancelRoutine, IN tDEVICECONTEXT *pDeviceContext ) /*++ Routine Description: This Routine sets the cancel routine for an Irp. Arguments: status - a completion status for the Irp Return Value: NTSTATUS - status of the request --*/ { NTSTATUS status; // // Check if the irp was cancelled yet and if not, then set the // irp cancel routine. // IoAcquireCancelSpinLock(&pIrp->CancelIrql); if (pIrp->Cancel) { pIrp->IoStatus.Status = STATUS_CANCELLED; status = STATUS_CANCELLED; } else { // setup the cancel routine IoMarkIrpPending(pIrp); IoSetCancelRoutine(pIrp,CancelRoutine); status = STATUS_SUCCESS; } IoReleaseCancelSpinLock(pIrp->CancelIrql); return(status); } //---------------------------------------------------------------------------- NTSTATUS NbtSetCancelRoutine( IN PIRP pIrp, IN PVOID CancelRoutine, IN tDEVICECONTEXT *pDeviceContext ) /*++ Routine Description: This Routine sets the cancel routine for an Irp. Arguments: status - a completion status for the Irp Return Value: NTSTATUS - status of the request --*/ { NTSTATUS status; // // Check if the irp was cancelled yet and if not, then set the // irp cancel routine. // IoAcquireCancelSpinLock(&pIrp->CancelIrql); if (pIrp->Cancel) { pIrp->IoStatus.Status = STATUS_CANCELLED; status = STATUS_CANCELLED; // // Note the cancel spin lock is released by the Cancel routine // (*(PDRIVER_CANCEL)CancelRoutine)((PDEVICE_OBJECT)pDeviceContext,pIrp); } else { // setup the cancel routine and mark the irp pending // IoMarkIrpPending(pIrp); IoSetCancelRoutine(pIrp,CancelRoutine); IoReleaseCancelSpinLock(pIrp->CancelIrql); status = STATUS_SUCCESS; } return(status); } //---------------------------------------------------------------------------- VOID NTClearContextCancel( IN NBT_WORK_ITEM_CONTEXT *pContext ) /*++ Routine Description: This Routine sets the cancel routine for ((tDGRAM_SEND_TRACKING *)(pContext->pClientContext))->pClientIrp to NULL. NbtConfig.JointLock should be held when this routine is called. Arguments: status - a completion status for the Irp Return Value: NTSTATUS - status of the request --*/ { NTSTATUS status; status = NbtCancelCancelRoutine( ((tDGRAM_SEND_TRACKING *)(pContext->pClientContext))->pClientIrp ); ASSERT ( status != STATUS_CANCELLED ); } //---------------------------------------------------------------------------- NTSTATUS NbtCancelCancelRoutine( IN PIRP pIrp ) /*++ Routine Description: This Routine sets the cancel routine for an Irp to NULL Arguments: status - a completion status for the Irp Return Value: NTSTATUS - status of the request --*/ { NTSTATUS status = STATUS_SUCCESS; if ( pIrp ) { // // Check if the irp was cancelled yet and if not, then set the // irp cancel routine. // IoAcquireCancelSpinLock(&pIrp->CancelIrql); if (pIrp->Cancel) { status = STATUS_CANCELLED; } IoSetCancelRoutine(pIrp,NULL); IoReleaseCancelSpinLock(pIrp->CancelIrql); } return(status); } //---------------------------------------------------------------------------- // ***** ***** Cancel Routines ***** ***** //---------------------------------------------------------------------------- VOID NbtCancelListen( IN PDEVICE_OBJECT DeviceContext, IN PIRP pIrp ) /*++ Routine Description: This routine handles the cancelling a listen Irp. It must release the cancel spin lock before returning re: IoCancelIrp(). Arguments: Return Value: The final status from the operation. --*/ { tCONNECTELE *pConnEle; tCLIENTELE *pClientEle; KIRQL OldIrq; PLIST_ENTRY pHead; PLIST_ENTRY pEntry; PIO_STACK_LOCATION pIrpSp; tLISTENREQUESTS *pListenReq; IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt:Got a LISTEN Cancel !!! *****************\n")); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pConnEle = (tCONNECTELE *)pIrpSp->FileObject->FsContext; if ((!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) || (!NBT_VERIFY_HANDLE2 ((pClientEle = pConnEle->pClientEle), NBT_VERIFY_CLIENT,NBT_VERIFY_CLIENT_DOWN))) { ASSERTMSG ("Nbt.NbtCancelListen: ERROR - Invalid Connection Handle\n", 0); IoReleaseCancelSpinLock(pIrp->CancelIrql); return; } IoReleaseCancelSpinLock(pIrp->CancelIrql); NbtTrace(NBT_TRACE_INBOUND, ("Cancel Listen Irp %p pConnEle %p ClientEle %p", pIrp, pConnEle, pClientEle)); // now search the client's listen queue looking for this connection // CTESpinLock(pClientEle,OldIrq); pHead = &pClientEle->ListenHead; pEntry = pHead->Flink; while (pEntry != pHead) { pListenReq = CONTAINING_RECORD(pEntry,tLISTENREQUESTS,Linkage); if ((pListenReq->pConnectEle == pConnEle) && (pListenReq->pIrp == pIrp)) { RemoveEntryList(pEntry); CTESpinFree(pClientEle,OldIrq); // complete the irp pIrp->IoStatus.Status = STATUS_CANCELLED; IoCompleteRequest(pIrp,IO_NETWORK_INCREMENT); CTEMemFree((PVOID)pListenReq); return; } pEntry = pEntry->Flink; } CTESpinFree(pClientEle,OldIrq); return; } //---------------------------------------------------------------------------- VOID NbtCancelSession( IN PDEVICE_OBJECT DeviceContext, IN PIRP pIrp ) /*++ Routine Description: This routine handles the cancelling a connect Irp. It must release the cancel spin lock before returning re: IoCancelIrp(). It is called when the session setup pdu has been sent, and the state is still outbound. The cancel routine is only setup when the timer is started to time sending the session response pdu. Arguments: Return Value: The final status from the operation. --*/ { tCONNECTELE *pConnEle; KIRQL OldIrq; PIO_STACK_LOCATION pIrpSp; BOOLEAN DerefConnEle=FALSE; tTIMERQENTRY *pTimer; tDGRAM_SEND_TRACKING *pTracker; COMPLETIONCLIENT pCompletion; PVOID pContext; IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NbtCancelSession: Got a Cancel !!! *****************\n")); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pConnEle = (tCONNECTELE *)pIrpSp->FileObject->FsContext; IoReleaseCancelSpinLock(pIrp->CancelIrql); if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { ASSERTMSG ("Nbt.NbtCancelSession: ERROR - Invalid Connection Handle\n", 0); return; } NbtTrace(NBT_TRACE_OUTBOUND, ("Cancel TDI_CONNECT pIrp %p ConnEle=%p LowerConn=%p, ClientEle=%p", pIrp, pConnEle, pConnEle->pLowerConnId, pConnEle->pClientEle)); #ifdef RASAUTODIAL // // Cancel the automatic connection if one's // in progress. If we don't find the // connection block in the automatic // connection driver, then it's already // been completed. // if (pConnEle->fAutoConnecting) { if (!NbtCancelPostConnect(pIrp)) { return; } } #endif // RASAUTODIAL CTESpinLock(&NbtConfig.JointLock,OldIrq); if ((!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) || (!(pConnEle->pIrp)) || // the irp could get completed while acquiring the lock (!(pTracker = (tDGRAM_SEND_TRACKING *)pConnEle->pIrpRcv))) { CTESpinFree(&NbtConfig.JointLock,OldIrq); NbtTrace(NBT_TRACE_OUTBOUND, ("pIrp %p: no tracker", pIrp)); return; } pTracker->Flags |= TRACKER_CANCELLED; if (pTimer = pTracker->pTimer) // check for SessionStartupTimeout { pTracker->pTimer = NULL; // // stop the timer and only continue if the timer was stopped before // it expired // StopTimer(pTimer, &pCompletion, &pContext); CTESpinFree(&NbtConfig.JointLock,OldIrq); NbtTrace(NBT_TRACE_OUTBOUND, ("pIrp %p: pCompletion %p", pIrp, pCompletion)); // // pCompletion will be set if the timer had not expired // We want to cause a forced timeout, so we will just call the // timeout routine with STATUS_CANCELLED // if (pCompletion) { (*pCompletion) (pContext, STATUS_CANCELLED); } } else if (pConnEle->state == NBT_SESSION_OUTBOUND) { // // for some reason there is no timer, but the connection is still // outbound, so call the timer completion routine to kill off // the connection. // CTESpinFree(&NbtConfig.JointLock,OldIrq); NbtTrace(NBT_TRACE_OUTBOUND, ("pIrp %p", pIrp)); SessionStartupTimeout (pTracker, ULongToPtr(STATUS_CANCELLED), (PVOID)1); } else { // // Free the lock // CTESpinFree(&NbtConfig.JointLock,OldIrq); } return; } //---------------------------------------------------------------------------- VOID NbtCancelConnect( IN PDEVICE_OBJECT pDeviceContext, IN PIRP pIrp ) /*++ Routine Description: This routine handles cancelling an NTConnect Irp - which has been passed down by a client (e.g. net view). Typically, when the request succeeds on another adapter, it will issue this cancel. On receiving the cancel, if we are processing a Local IRP, we just pass the cancel on to the Local Irp which will complete this Irp also in its Completion Routine. Arguments: Return Value: The final status from the operation. --*/ { PIO_STACK_LOCATION pIrpSp; IN PIRP pLocalIrp; tCONNECTELE *pConnEle; IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt:NbtCancelConnect ********** Got an Irp Cancel !!! **********\n")); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pConnEle = pIrpSp->FileObject->FsContext; if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { ASSERTMSG ("Nbt.NbtCancelConnect: ERROR - Invalid Connection Handle\n", 0); IoReleaseCancelSpinLock(pIrp->CancelIrql); return; } NbtTrace(NBT_TRACE_OUTBOUND, ("Cancel Connect pIrp %p: pConnEle %p", pIrp, pConnEle)); if ((pConnEle) && (pLocalIrp = pConnEle->pIrp)) { IF_DBG(NBT_DEBUG_NAMESRV) KdPrint (("Nbt.NbtCancelConnect: pClientIrp=<%x>, pLocalIrp=<%x>, Device=<%x>, CancelR=<%x>\n", pIrp, pLocalIrp, pDeviceContext, pLocalIrp->CancelRoutine)); IoReleaseCancelSpinLock(pIrp->CancelIrql); IoCancelIrp(pLocalIrp); } else { IoReleaseCancelSpinLock(pIrp->CancelIrql); } return; } //---------------------------------------------------------------------------- VOID NbtCancelReceive( IN PDEVICE_OBJECT DeviceContext, IN PIRP pIrp ) /*++ Routine Description: This routine handles the cancelling a listen Irp. It must release the cancel spin lock before returning re: IoCancelIrp(). Arguments: Return Value: The final status from the operation. --*/ { tCONNECTELE *pConnEle; tLOWERCONNECTION *pLowerConn; KIRQL OldIrq; KIRQL OldIrq1; PLIST_ENTRY pHead; PLIST_ENTRY pEntry; PIO_STACK_LOCATION pIrpSp; PIRP pRcvIrp; IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NbtCancelReceive: Got a Cancel !!! *****************\n")); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pConnEle = (tCONNECTELE *)pIrpSp->FileObject->FsContext; IoReleaseCancelSpinLock(pIrp->CancelIrql); if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { ASSERTMSG ("Nbt.NbtCancelReceive: ERROR - Invalid Connection Handle\n", 0); return; } NbtTrace(NBT_TRACE_INBOUND, ("Cancel Receive Irp %p ConnEle=%p LowerConn=%p, ClientEle=%p", pIrp, pConnEle, pConnEle->pLowerConnId, pConnEle->pClientEle)); CTESpinLock(&NbtConfig.JointLock,OldIrq1); pLowerConn = pConnEle->pLowerConnId; if (pLowerConn) { CTESpinLock(pLowerConn,OldIrq); } if (pConnEle->Verify == NBT_VERIFY_CONNECTION) { // now search the connection's receive queue looking for this Irp // pHead = &pConnEle->RcvHead; pEntry = pHead->Flink; while (pEntry != pHead) { pRcvIrp = CONTAINING_RECORD(pEntry,IRP,Tail.Overlay.ListEntry); if (pRcvIrp == pIrp) { RemoveEntryList(pEntry); // complete the irp pIrp->IoStatus.Status = STATUS_CANCELLED; if (pLowerConn) { CTESpinFree(pLowerConn,OldIrq); } CTESpinFree(&NbtConfig.JointLock,OldIrq1); IoCompleteRequest(pIrp,IO_NETWORK_INCREMENT); return; } pEntry = pEntry->Flink; } } if (pLowerConn) { CTESpinFree(pLowerConn,OldIrq); } CTESpinFree(&NbtConfig.JointLock,OldIrq1); return; } //---------------------------------------------------------------------------- VOID NbtCancelRcvDgram( IN PDEVICE_OBJECT DeviceContext, IN PIRP pIrp ) /*++ Routine Description: This routine handles the cancelling a listen Irp. It must release the cancel spin lock before returning re: IoCancelIrp(). Arguments: Return Value: The final status from the operation. --*/ { tCLIENTELE *pClientEle; KIRQL OldIrq; PLIST_ENTRY pHead; PLIST_ENTRY pEntry; PIO_STACK_LOCATION pIrpSp; tRCVELE *pRcvEle; IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NbtCancelRcvDgram: Got a Cancel !!! *****************\n")); // // Need to acquire JointLock before Cancel lock! // Bug#: 124405 // IoReleaseCancelSpinLock(pIrp->CancelIrql); CTESpinLock(&NbtConfig.JointLock,OldIrq); IoAcquireCancelSpinLock(&pIrp->CancelIrql); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pClientEle = (tCLIENTELE *)pIrpSp->FileObject->FsContext; NbtTrace(NBT_TRACE_RECVDGRAM, ("Cancel RcvDgram Irp %p ClientEle=%p", pIrp, pClientEle)); if (NBT_VERIFY_HANDLE (pClientEle, NBT_VERIFY_CLIENT)) { // now search the client's listen queue looking for this connection // pHead = &pClientEle->RcvDgramHead; pEntry = pHead->Flink; while (pEntry != pHead) { pRcvEle = CONTAINING_RECORD(pEntry,tRCVELE,Linkage); if (pRcvEle->pIrp == pIrp) { RemoveEntryList(pEntry); // complete the irp pIrp->IoStatus.Status = STATUS_CANCELLED; IoReleaseCancelSpinLock(pIrp->CancelIrql); CTESpinFree(&NbtConfig.JointLock,OldIrq); IoCompleteRequest(pIrp,IO_NETWORK_INCREMENT); CTEMemFree((PVOID)pRcvEle); return; } pEntry = pEntry->Flink; } } else { ASSERTMSG ("Nbt.NbtCancelRcvDgram: ERROR - Invalid Address Handle\n", 0); } IoReleaseCancelSpinLock(pIrp->CancelIrql); CTESpinFree(&NbtConfig.JointLock,OldIrq); return; } //---------------------------------------------------------------------------- VOID NbtCancelFindName( IN PDEVICE_OBJECT DeviceContext, IN PIRP pIrp ) /*++ Routine Description: This routine handles the cancelling a FindName Irp - which has been passed down by a client (e.g. ping). Typically, when ping succeeds on another adapter, it will issue this cancel. On receiving the cancel, we stop any timer that is running in connection with name query and then complete the irp with status_cancelled. Arguments: Return Value: The final status from the operation. --*/ { tDGRAM_SEND_TRACKING *pTracker; PIO_STACK_LOCATION pIrpSp; IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NbtCancelFindName: Got a Cancel !!! *****************\n")); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pTracker = pIrpSp->Parameters.Others.Argument4; NbtTrace(NBT_TRACE_NAMESRV, ("Cancel FindName Irp %p pTracker=%p", pIrp, pTracker)); // // We want to ensure that the tracker supplied by FsContext // is the right Tracker for this Irp // if (pTracker && (pIrp == pTracker->pClientIrp)) { // // if pClientIrp still valid, completion routine hasn't run yet: go ahead // and complete the irp here // pIrpSp->Parameters.Others.Argument4 = NULL; pTracker->pClientIrp = NULL; IoReleaseCancelSpinLock(pIrp->CancelIrql); NTIoComplete(pIrp,STATUS_CANCELLED,(ULONG)-1); } else { // // the completion routine has run. // IoReleaseCancelSpinLock(pIrp->CancelIrql); } return; } //---------------------------------------------------------------------------- VOID NbtCancelLmhSvcIrp( IN PDEVICE_OBJECT DeviceContext, IN PIRP pIrp ) /*++ Routine Description: This routine handles the cancelling a DNS name query Irp or the CheckIpAddrs Irp that is passed down to NBT from Lmhsvc This routine will get the Resource Lock, and Null the Irp ptr in the DnsQueries or CheckAddr structure (as approp) and then return the irp. Arguments: Return Value: The final status from the operation. --*/ { tLMHSVC_REQUESTS *pLmhSvcRequest = NULL; KIRQL OldIrq; IoReleaseCancelSpinLock(pIrp->CancelIrql); CTESpinLock(&NbtConfig.JointLock,OldIrq); if (pIrp == CheckAddr.QueryIrp) { IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NbtCancelLmhSvcIrp: Got a Cancel on CheckAddr Irp !!! *****************\n")); NbtTrace(NBT_TRACE_NAMESRV, ("Cancel LmhSvc CheckAddr Irp %p", pIrp)); pLmhSvcRequest = &CheckAddr; } else if (pIrp == DnsQueries.QueryIrp) { IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NbtCancelLmhSvcIrp: Got a Cancel on DnsQueries Irp !!! *****************\n")); NbtTrace(NBT_TRACE_NAMESRV, ("Cancel LmhSvc DnsQueries Irp %p", pIrp)); pLmhSvcRequest = &DnsQueries; } if (pLmhSvcRequest) { pIrp->IoStatus.Status = STATUS_CANCELLED; pLmhSvcRequest->QueryIrp = NULL; pLmhSvcRequest->pIpAddrBuf = NULL; CTESpinFree(&NbtConfig.JointLock,OldIrq); IoCompleteRequest(pIrp,IO_NETWORK_INCREMENT); } else { CTESpinFree(&NbtConfig.JointLock,OldIrq); } return; } //---------------------------------------------------------------------------- VOID NbtCancelDisconnectWait( IN PDEVICE_OBJECT DeviceContext, IN PIRP pIrp ) /*++ Routine Description: This routine handles the cancelling a Disconnect Wait Irp - which has been passed down by a client so that when a disconnect occurs this irp will complete and inform the client. The action here is to simply complete the irp with status cancelled. down to NBT from Lmhsvc, for the purpose of resolving a name with DNS. Nbt will complete this irp each time it has a name to resolve with DNS. This routine will get the Resource Lock, and Null the Irp ptr in the DnsQueries structure and then return the irp. Arguments: Return Value: The final status from the operation. --*/ { tCONNECTELE *pConnEle; PIO_STACK_LOCATION pIrpSp; CTELockHandle OldIrq; IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt:Got a Disc Wait Irp Cancel !!! *****************\n")); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pConnEle = (tCONNECTELE *)pIrpSp->FileObject->FsContext; IoReleaseCancelSpinLock(pIrp->CancelIrql); CTESpinLock(pConnEle,OldIrq); if (!NBT_VERIFY_HANDLE2 (pConnEle, NBT_VERIFY_CONNECTION, NBT_VERIFY_CONNECTION_DOWN)) { ASSERTMSG ("Nbt.NbtCancelDisconnectWait: ERROR - Invalid Connection Handle\n", 0); pIrp->IoStatus.Status = STATUS_INVALID_HANDLE; } else if (pConnEle->pIrpClose == pIrp) { pConnEle->pIrpClose = NULL; pIrp->IoStatus.Status = STATUS_CANCELLED; } CTESpinFree(pConnEle,OldIrq); IoCompleteRequest(pIrp,IO_NETWORK_INCREMENT); return; } //---------------------------------------------------------------------------- VOID NbtCancelWaitForLmhSvcIrp( IN PDEVICE_OBJECT DeviceContext, IN PIRP pIrp ) /*++ Routine Description: This routine handles the cancelling a Query to DNS, so that the client's irp can be returned to the client. This cancellation is instigated by the client (i.e. RDR). Arguments: Return Value: The final status from the operation. --*/ { BOOLEAN FoundIt = FALSE; NBT_WORK_ITEM_CONTEXT *Context; CTELockHandle OldIrq; tDGRAM_SEND_TRACKING *pTracker; PVOID pClientCompletion; PVOID pClientContext; PLIST_ENTRY pHead; PLIST_ENTRY pEntry; IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NbtCancelWaitForLmhSvcIrp: Got a Cancel !!! *****************\n")); IoReleaseCancelSpinLock(pIrp->CancelIrql); CTESpinLock(&NbtConfig.JointLock,OldIrq); // // First check the lmhost list, then the CheckAddr list, then the Dns list // if (!(Context = FindLmhSvcRequest (DeviceContext, pIrp, &LmHostQueries))) { if (!(Context = FindLmhSvcRequest (DeviceContext, pIrp, &CheckAddr))) { Context = FindLmhSvcRequest (DeviceContext, pIrp, &DnsQueries); } } CTESpinFree(&NbtConfig.JointLock,OldIrq); NbtTrace(NBT_TRACE_NAMESRV, ("Cancel WaitForLmhsvc Irp %p", pIrp)); // // Now complete the clients request to return the irp to the client // if (Context) { // // this is the name Query tracker // pTracker = Context->pTracker; pClientCompletion = Context->ClientCompletion; pClientContext = Context->pClientContext; // for dns names (NameLen>16), pTracker would be NULL if (pTracker) { // name did not resolve, so delete from table SetNameState (pTracker->pNameAddr, NULL, FALSE); NBT_DEREFERENCE_TRACKER(pTracker, FALSE); } // // this should complete any name queries that are waiting on // this first name query - i.e. queries to the resolving name // CompleteClientReq(pClientCompletion, pClientContext, STATUS_CANCELLED); CTEMemFree(Context); } } //---------------------------------------------------------------------------- VOID NbtCancelDgramSend( IN PDEVICE_OBJECT DeviceContext, IN PIRP pIrp ) /*++ Routine Description: This routine handles the cancelling of a Datagram Send. The action here is to simply complete the irp with status cancelled. This routine will Null the Irp ptr in the Tracker structure (if available) so that SendDgramContinue does not find it. Arguments: Return Value: The final status from the operation. --*/ { tDGRAM_SEND_TRACKING *pTracker; PIO_STACK_LOCATION pIrpSp; CTELockHandle OldIrq; IF_DBG(NBT_DEBUG_NAMESRV) KdPrint(("Nbt.NbtCancelDgramSend: Got a DatagramSend Irp Cancel !!! *****************\n")); pIrpSp = IoGetCurrentIrpStackLocation(pIrp); pTracker = pIrpSp->Parameters.Others.Argument4; NbtTrace(NBT_TRACE_SENDDGRAM, ("Cancel SendDgram Irp %p", pIrp)); if ((NBT_VERIFY_HANDLE (pTracker, NBT_VERIFY_TRACKER)) && (pTracker->pClientIrp == pIrp)) { pTracker->pClientIrp = NULL; pIrpSp->Parameters.Others.Argument4 = NULL; pIrp->IoStatus.Status = STATUS_CANCELLED; IoReleaseCancelSpinLock(pIrp->CancelIrql); NTIoComplete(pIrp,STATUS_CANCELLED,(ULONG)-1); } else { IoReleaseCancelSpinLock(pIrp->CancelIrql); } return; } int check_unicode_string(IN PUNICODE_STRING str) { try { ProbeForRead(str, sizeof (UNICODE_STRING), sizeof(BYTE)); if ((str->MaximumLength <= 0) || (str->Length <= 0) || (str->Length >= str->MaximumLength)) { return (-1); } ProbeForRead(str->Buffer, str->MaximumLength, sizeof(WCHAR)); ASSERT((str->Length&1) == 0); if (str->Buffer[str->Length/sizeof(WCHAR)]) { return (-1); } return 0; } except(EXCEPTION_EXECUTE_HANDLER) { KdPrint (("Nbt.check_unicode_string: Exception <0x%x> trying to access unicode string 0x%x\n", GetExceptionCode(), str)); return (-1); } }