|
|
/*++
Copyright (c) 1995 Microsoft Corporation
Module Name:
NdsFsctl.c
Abstract:
This implements the NDS user mode hooks to the redirector.
Author:
Cory West [CoryWest] 23-Feb-1995
--*/
#include "Procs.h"
#define Dbg (DEBUG_TRACE_NDS)
#pragma alloc_text( PAGE, DispatchNds )
#pragma alloc_text( PAGE, PrepareLockedBufferFromFsd )
#pragma alloc_text( PAGE, DoBrowseFsctl )
#pragma alloc_text( PAGE, NdsRawFragex )
#pragma alloc_text( PAGE, NdsResolveName )
#pragma alloc_text( PAGE, NdsGetObjectInfo )
#pragma alloc_text( PAGE, NdsListSubordinates )
#pragma alloc_text( PAGE, NdsReadAttributes )
#pragma alloc_text( PAGE, NdsGetVolumeInformation )
#pragma alloc_text( PAGE, NdsOpenStream )
#pragma alloc_text( PAGE, NdsSetContext )
#pragma alloc_text( PAGE, NdsGetContext )
#pragma alloc_text( PAGE, NdsVerifyTreeHandle )
#pragma alloc_text( PAGE, NdsGetPrintQueueInfo )
#pragma alloc_text( PAGE, NdsChangePass )
#pragma alloc_text( PAGE, NdsListTrees )
//
// The main handler for all NDS FSCTL calls.
//
NTSTATUSDispatchNds( ULONG IoctlCode, PIRP_CONTEXT IrpContext )/*++
Routine Description:
This routine instigates an NDS transaction requested from the fsctl interface.
Arguments:
IoctlCode - Supplies the code to be used for the NDS transaction. IrpContext - A pointer to IRP context information for this request.
Return Value:
Status of transaction.
--*/{ NTSTATUS Status = STATUS_NOT_SUPPORTED; SECURITY_SUBJECT_CONTEXT SubjectContext; LARGE_INTEGER Uid;
PAGED_CODE();
//
// Always set the user uid in the irp context so that
// referral creates NEVER go astray.
//
SeCaptureSubjectContext(&SubjectContext); Uid = GetUid( &SubjectContext ); SeReleaseSubjectContext(&SubjectContext);
IrpContext->Specific.Create.UserUid.QuadPart = Uid.QuadPart;
switch ( IoctlCode ) {
//
// These calls do not require us to lock down
// the user's buffer, but they do generate wire
// traffic.
//
case FSCTL_NWR_NDS_SETCONTEXT: DebugTrace( 0, Dbg, "DispatchNds: Set Context\n", 0 ); return DoBrowseFsctl( IrpContext, IoctlCode, FALSE );
case FSCTL_NWR_NDS_GETCONTEXT: DebugTrace( 0, Dbg, "DispatchNds: Get Context\n", 0 ); return DoBrowseFsctl( IrpContext, IoctlCode, FALSE );
case FSCTL_NWR_NDS_OPEN_STREAM: DebugTrace( 0, Dbg, "DispatchNds: Open Stream\n", 0 ); return DoBrowseFsctl( IrpContext, IoctlCode, FALSE );
case FSCTL_NWR_NDS_VERIFY_TREE: DebugTrace( 0, Dbg, "DispatchNds: Verify Tree\n", 0 ); return DoBrowseFsctl( IrpContext, IoctlCode, FALSE );
case FSCTL_NWR_NDS_GET_QUEUE_INFO: DebugTrace( 0, Dbg, "DispatchNds: Get Queue Info\n", 0 ); return DoBrowseFsctl( IrpContext, IoctlCode, FALSE );
case FSCTL_NWR_NDS_GET_VOLUME_INFO: DebugTrace( 0, Dbg, "DispatchNds: Get Volume Info\n", 0 ); return DoBrowseFsctl( IrpContext, IoctlCode, FALSE );
//
// These four fsctl calls are the basis of browsing. They
// all require a request packet and a user buffer that we
// lock down.
//
case FSCTL_NWR_NDS_RESOLVE_NAME: DebugTrace( 0, Dbg, "DispatchNds: Resolve Name\n", 0 ); return DoBrowseFsctl( IrpContext, IoctlCode, TRUE );
case FSCTL_NWR_NDS_LIST_SUBS: DebugTrace( 0, Dbg, "DispatchNds: List Subordinates\n", 0 ); return DoBrowseFsctl( IrpContext, IoctlCode, TRUE );
case FSCTL_NWR_NDS_READ_INFO: DebugTrace( 0, Dbg, "DispatchNds: Read Object Info\n", 0 ); return DoBrowseFsctl( IrpContext, IoctlCode, TRUE );
case FSCTL_NWR_NDS_READ_ATTR: DebugTrace( 0, Dbg, "DispatchNds: Read Attribute\n", 0 ); return DoBrowseFsctl( IrpContext, IoctlCode, TRUE );
//
// Support for user mode fragment exchange.
//
case FSCTL_NWR_NDS_RAW_FRAGEX: DebugTrace( 0, Dbg, "DispatchNds: Raw Fragex\n", 0 ); return NdsRawFragex( IrpContext );
//
// Change an NDS password.
//
case FSCTL_NWR_NDS_CHANGE_PASS: DebugTrace( 0, Dbg, "DispatchNds: Change Password\n", 0 ); return NdsChangePass( IrpContext );
//
// Special fsctl to list the trees that a particular nt user
// has credentials to since the change pass ui runs under the
// system luid. Sigh.
//
case FSCTL_NWR_NDS_LIST_TREES: DebugTrace( 0, Dbg, "DispatchNds: List trees\n", 0 ); return NdsListTrees( IrpContext );
default:
DebugTrace( 0, Dbg, "DispatchNds: No Such IOCTL\n", 0 ); break;
}
DebugTrace( 0, Dbg, " -> %08lx\n", Status ); return Status;
}
NTSTATUSPrepareLockedBufferFromFsd( PIRP_CONTEXT pIrpContext, PLOCKED_BUFFER pLockedBuffer)/*
Description:
This routine takes the irp context for an FSD request with a user mode buffer, and locks down the buffer so that it may be sent to the transport. The locked down buffer, in addition to being described in the irp and irp context, is described in the LOCKED_BUFFER structure.
Arguments:
pIrpContext - irp context for this request pLockedBuffer - the locked response buffer
*/{
PIRP irp; PIO_STACK_LOCATION irpSp;
PVOID OutputBuffer; ULONG OutputBufferLength;
PAGED_CODE();
//
// Get the irp and input buffer information and lock the
// buffer to the irp.
//
irp = pIrpContext->pOriginalIrp; irpSp = IoGetCurrentIrpStackLocation( irp );
OutputBufferLength = irpSp->Parameters.FileSystemControl.OutputBufferLength;
if ( !OutputBufferLength ) {
DebugTrace( 0, Dbg, "No fsd buffer length in PrepareLockedBufferFromFsd...\n", 0 ); return STATUS_BUFFER_TOO_SMALL;
}
NwLockUserBuffer( irp, IoWriteAccess, OutputBufferLength ); NwMapUserBuffer( irp, irp->RequestorMode, (PVOID *)&OutputBuffer );
if ( !OutputBuffer ) {
DebugTrace( 0, Dbg, "No fsd buffer in PrepareLockedBufferFromFsd...\n", 0 ); return STATUS_BUFFER_TOO_SMALL;
}
//
// Update the original MDL record in the Irp context, since
// NwLockUserBuffer may have created a new MDL.
//
pIrpContext->pOriginalMdlAddress = irp->MdlAddress;
//
// Fill in our locked buffer description.
//
pLockedBuffer->pRecvBufferVa = MmGetMdlVirtualAddress( irp->MdlAddress ); pLockedBuffer->dwRecvLen = MdlLength( irp->MdlAddress ); pLockedBuffer->pRecvMdl = irp->MdlAddress;
// DebugTrace( 0, Dbg, "Locked fsd buffer at %08lx\n", pLockedBuffer->pRecvBufferVa );
// DebugTrace( 0, Dbg, " len -> %d\n", pLockedBuffer->dwRecvLen );
// DebugTrace( 0, Dbg, " recv mdl at %08lx\n", pLockedBuffer->pRecvMdl );
return STATUS_SUCCESS;
}
NTSTATUSDoBrowseFsctl( PIRP_CONTEXT pIrpContext, ULONG IoctlCode, BOOL LockdownBuffer)/*+++
Description:
This actually sets up for an NDS operation that requires wire traffic, including locking down the user buffer if necessary.
Arguments:
pIrpContext - the irp context for this request IoctlCode - the ioctl requested LockdownBuffer - do we need to lock down the user buffer
---*/{
NTSTATUS Status;
PIRP irp; PIO_STACK_LOCATION irpSp;
PNWR_NDS_REQUEST_PACKET InputBuffer; ULONG InputBufferLength;
PVOID fsContext, fsObject; NODE_TYPE_CODE nodeTypeCode; PSCB pScb = NULL; PICB pIcb = NULL;
LOCKED_BUFFER LockedBuffer; PNDS_SECURITY_CONTEXT pCredential; UNICODE_STRING CredentialName;
PAGED_CODE();
//
// Get the request packet in the input buffer.
//
irp = pIrpContext->pOriginalIrp; irpSp = IoGetCurrentIrpStackLocation( irp );
InputBuffer = (PNWR_NDS_REQUEST_PACKET) irpSp->Parameters.FileSystemControl.Type3InputBuffer; InputBufferLength = irpSp->Parameters.FileSystemControl.InputBufferLength;
if ( !InputBuffer || !InputBufferLength ) {
DebugTrace( 0, Dbg, "BrowseFsctl has no input buffer...\n", 0 ); return STATUS_BUFFER_TOO_SMALL; }
//
// tommye - MS bug 32134 (MCS 265)
//
// Probe the input arguments to make sure they are kosher before
// touching them.
//
try {
if ( irp->RequestorMode != KernelMode ) { ProbeForRead( InputBuffer, InputBufferLength, sizeof(CHAR));
//
// tommye
//
// If the output buffer came from user space, then probe it for write.
//
if ((irpSp->Parameters.FileSystemControl.FsControlCode & 3) == METHOD_NEITHER) { ULONG OutputBufferLength = irpSp->Parameters.DeviceIoControl.OutputBufferLength;
ProbeForWrite( irp->UserBuffer, OutputBufferLength, sizeof(CHAR) ); } }
} except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); }
//
// Decode the file object and point the irp context the
// the appropriate connection... Should this be in an
// exception frame?
//
nodeTypeCode = NwDecodeFileObject( irpSp->FileObject, &fsContext, &fsObject );
if ( nodeTypeCode == NW_NTC_ICB_SCB ) {
pIcb = (PICB) fsObject; pScb = (pIcb->SuperType).Scb;
pIrpContext->pScb = pScb; pIrpContext->pNpScb = pIrpContext->pScb->pNpScb; pIrpContext->Icb = pIcb;
//
// If this is a handle made on an ex-create, then
// we have to be aware of our credentials while
// jumping servers.
//
// This is not too intuitive since this doesn't
// seem to be a create path irp, but referrals
// on any path cause the create paths to be
// traversed.
//
if ( pIcb->IsExCredentialHandle ) {
pIrpContext->Specific.Create.fExCredentialCreate = TRUE;
pCredential = (PNDS_SECURITY_CONTEXT) pIcb->pContext;
Status = GetCredentialFromServerName( &pCredential->NdsTreeName, &CredentialName ); if ( !NT_SUCCESS( Status ) ) { return STATUS_INVALID_HANDLE; }
pIrpContext->Specific.Create.puCredentialName = &CredentialName; }
}
//
// Lock the users buffer if this destined for the transport.
//
if ( LockdownBuffer && nodeTypeCode == NW_NTC_ICB_SCB ) {
Status = PrepareLockedBufferFromFsd( pIrpContext, &LockedBuffer );
if ( !NT_SUCCESS( Status ) ) { return Status; }
//
// Call the appropriate browser.
//
switch ( IoctlCode ) {
case FSCTL_NWR_NDS_RESOLVE_NAME:
return NdsResolveName( pIrpContext, InputBuffer, InputBufferLength, &LockedBuffer );
case FSCTL_NWR_NDS_LIST_SUBS:
return NdsListSubordinates( pIrpContext, InputBuffer, &LockedBuffer );
case FSCTL_NWR_NDS_READ_INFO:
return NdsGetObjectInfo( pIrpContext, InputBuffer, &LockedBuffer );
case FSCTL_NWR_NDS_READ_ATTR:
return NdsReadAttributes( pIrpContext, InputBuffer, InputBufferLength, &LockedBuffer );
default:
DebugTrace( 0, Dbg, "Invalid ioctl for locked BrowseFsctl...\n", 0 ); return STATUS_NOT_SUPPORTED;
}
}
//
// There's no user reply buffer for these calls, hence there's no lockdown.
//
switch ( IoctlCode ) {
case FSCTL_NWR_NDS_OPEN_STREAM:
//
// There has to be an ICB for this!
//
if ( nodeTypeCode != NW_NTC_ICB_SCB ) { return STATUS_INVALID_HANDLE; }
return NdsOpenStream( pIrpContext, InputBuffer, InputBufferLength );
case FSCTL_NWR_NDS_SETCONTEXT:
return NdsSetContext( pIrpContext, InputBuffer, InputBufferLength );
case FSCTL_NWR_NDS_GETCONTEXT:
return NdsGetContext( pIrpContext, InputBuffer, InputBufferLength );
case FSCTL_NWR_NDS_VERIFY_TREE:
//
// Verify that this handle is valid for the specified tree.
//
return NdsVerifyTreeHandle( pIrpContext, InputBuffer, InputBufferLength );
case FSCTL_NWR_NDS_GET_QUEUE_INFO:
//
// Get the queue info for this print queue.
//
return NdsGetPrintQueueInfo( pIrpContext, InputBuffer, InputBufferLength );
case FSCTL_NWR_NDS_GET_VOLUME_INFO:
//
// Get the volume info for this volume object.
// For the new shell property sheets.
//
return NdsGetVolumeInformation( pIrpContext, InputBuffer, InputBufferLength );
}
//
// All others are not supported.
//
return STATUS_NOT_SUPPORTED;}
NTSTATUSNdsRawFragex( PIRP_CONTEXT pIrpContext)/*+++
Send a raw user requested fragment.
---*/{
NTSTATUS Status;
PIRP irp; PIO_STACK_LOCATION irpSp; NODE_TYPE_CODE nodeTypeCode; PVOID fsContext, fsObject; PSCB pScb = NULL; PICB pIcb = NULL;
DWORD NdsVerb; LOCKED_BUFFER NdsRequest;
PNWR_NDS_REQUEST_PACKET Rrp; PBYTE RawRequest; DWORD RawRequestLen; PNDS_SECURITY_CONTEXT pCredential; UNICODE_STRING CredentialName;
PAGED_CODE();
//
// Get the request.
//
irp = pIrpContext->pOriginalIrp; irpSp = IoGetCurrentIrpStackLocation( irp );
Rrp = ( PNWR_NDS_REQUEST_PACKET ) irpSp->Parameters.FileSystemControl.Type3InputBuffer; RawRequestLen = irpSp->Parameters.FileSystemControl.InputBufferLength;
if ( !Rrp || ( RawRequestLen < sizeof( NWR_NDS_REQUEST_PACKET ) ) ) {
DebugTrace( 0, Dbg, "No raw request buffer.\n", 0 ); return STATUS_INVALID_PARAMETER; }
//
// Decode the file object and point the irp context
// to the appropriate connection.
//
nodeTypeCode = NwDecodeFileObject( irpSp->FileObject, &fsContext, &fsObject );
if ( nodeTypeCode != NW_NTC_ICB_SCB ) {
DebugTrace( 0, Dbg, "A raw fragment request requires a server handle.\n", 0 ); return STATUS_INVALID_HANDLE; }
pIcb = (PICB) fsObject; pScb = (pIcb->SuperType).Scb;
pIrpContext->pScb = pScb; pIrpContext->pNpScb = pIrpContext->pScb->pNpScb; pIrpContext->Icb = pIcb;
//
// If this is a handle made on an ex-create, then
// we have to be aware of our credentials while
// jumping servers.
//
// This is not too intuitive since this doesn't
// seem to be a create path irp, but referrals
// on any path cause the create paths to be
// traversed.
//
if ( pIcb->IsExCredentialHandle ) {
pIrpContext->Specific.Create.fExCredentialCreate = TRUE;
pCredential = (PNDS_SECURITY_CONTEXT) pIcb->pContext;
Status = GetCredentialFromServerName( &pCredential->NdsTreeName, &CredentialName ); if ( !NT_SUCCESS( Status ) ) { return STATUS_INVALID_HANDLE; }
pIrpContext->Specific.Create.puCredentialName = &CredentialName; }
//
// Dig out the parameters.
//
NdsVerb = Rrp->Parameters.RawRequest.NdsVerb; RawRequestLen = Rrp->Parameters.RawRequest.RequestLength; RawRequest = &Rrp->Parameters.RawRequest.Request[0];
//
// Get the reply buffer all locked in for the fragex.
//
Status = PrepareLockedBufferFromFsd( pIrpContext, &NdsRequest );
if ( !NT_SUCCESS( Status ) ) { return Status; }
try {
if ( RawRequestLen ) {
Status = FragExWithWait( pIrpContext, NdsVerb, &NdsRequest, "r", RawRequest, RawRequestLen ); } else {
Status = FragExWithWait( pIrpContext, NdsVerb, &NdsRequest, NULL ); }
if ( NT_SUCCESS( Status ) ) { Rrp->Parameters.RawRequest.ReplyLength = NdsRequest.dwBytesWritten; }
} except ( EXCEPTION_EXECUTE_HANDLER ) {
Status = GetExceptionCode(); }
return Status;
}
NTSTATUSNdsResolveName( PIRP_CONTEXT pIrpContext, PNWR_NDS_REQUEST_PACKET pNdsRequest, ULONG RequestLength, PLOCKED_BUFFER pLockedBuffer)/*+++
Description:
This function decodes the resolve name request and makes the actual wire request.
Parameters:
pIrpContext - describes the irp for this request pLockedBuffer - describes the locked, user mode buffer that we will write the response into pNdsRequest - the request parameters
Return Value:
The status of the exchange.
---*/{ NTSTATUS Status; UNICODE_STRING uObjectName; DWORD dwResolverFlags; WCHAR ObjectName[MAX_NDS_NAME_CHARS];
PNDS_WIRE_RESPONSE_RESOLVE_NAME pWireResponse; PNDS_WIRE_RESPONSE_RESOLVE_NAME_REFERRAL pReferral; PNDS_RESPONSE_RESOLVE_NAME pUserResponse; IPXaddress *ReferredAddress; PSCB Scb, OldScb;
PAGED_CODE();
//
// Fill in the resolver flags and the unicode string for the
// object name from the request packet.
//
try {
if (RequestLength < (FIELD_OFFSET(NWR_NDS_REQUEST_PACKET, Parameters.ResolveName.ObjectName) + pNdsRequest->Parameters.ResolveName.ObjectNameLength)) { DebugTrace( 0, Dbg, "ResolveName Request Length is too short.\n", 0 ); return STATUS_INVALID_PARAMETER; }
uObjectName.Length = (USHORT)(pNdsRequest->Parameters).ResolveName.ObjectNameLength; uObjectName.MaximumLength = sizeof( ObjectName );
if ( uObjectName.Length > sizeof( ObjectName ) ) { ExRaiseStatus( STATUS_INVALID_BUFFER_SIZE ); }
RtlCopyMemory( ObjectName, (pNdsRequest->Parameters).ResolveName.ObjectName, uObjectName.Length );
uObjectName.Buffer = ObjectName;
dwResolverFlags = (pNdsRequest->Parameters).ResolveName.ResolverFlags;
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0, Dbg, "Bad user mode buffer in resolving name.\n", 0 ); return GetExceptionCode(); }
Status = FragExWithWait( pIrpContext, NDSV_RESOLVE_NAME, pLockedBuffer, "DDDSDDDD", 0, // version
dwResolverFlags, // flags
0, // scope
&uObjectName, // distinguished name
1,0, // transport type
1,0 ); // treeWalker type
if ( !NT_SUCCESS( Status ) ) { return Status; }
Status = NdsCompletionCodetoNtStatus( pLockedBuffer );
if ( !NT_SUCCESS( Status ) ) { return Status; }
//
// We need to convert the NDS_WIRE_RESPONSE_RESOLVE_NAME that
// we got from the server into an NDS_RESPONSE_RESOLVE_NAME
// for more general consumption. Notice that a referral packet
// has an additional DWORD in it - what a pain.
//
pWireResponse = (PNDS_WIRE_RESPONSE_RESOLVE_NAME) pLockedBuffer->pRecvBufferVa; pReferral = (PNDS_WIRE_RESPONSE_RESOLVE_NAME_REFERRAL) pLockedBuffer->pRecvBufferVa; pUserResponse = (PNDS_RESPONSE_RESOLVE_NAME) pLockedBuffer->pRecvBufferVa;
try {
if ( pWireResponse->RemoteEntry == RESOLVE_NAME_ACCEPT_REMOTE ) {
//
// This server can handle this request.
//
pUserResponse->ServerNameLength = 0; (pNdsRequest->Parameters).ResolveName.BytesWritten = 4 * sizeof( DWORD );
} else {
//
// tommye - MS 71699
// These were BUGB-G's but we made it a valid check instead.
// Original comment: I have seen this assertion fail because we only get
// a valid competion code (four bytes) and no more data. I wonder
// if the server is sending us this incomplete packet? If we
// don't get a complete referal, we probably shouldn't chase it.
//
if ((pWireResponse->RemoteEntry != RESOLVE_NAME_REFER_REMOTE) || (pReferral->ServerAddresses != 1) || (pReferral->AddressType != 0) || (pReferral->AddressLength != sizeof(IPXaddress))) {
return ERROR_INVALID_PARAMETER; }
//
// We've been referred to another server. We have to connect
// to the referred server to get the name for the caller.
//
ReferredAddress = (IPXaddress *) pReferral->Address;
OldScb = pIrpContext->pScb;
//
// Dequeue us from our original server. Do not defer the
// logon at this point since a referral means we're in the
// middle of a browse operation.
//
NwDequeueIrpContext( pIrpContext, FALSE );
Status = CreateScb( &Scb, pIrpContext, NULL, ReferredAddress, NULL, NULL, TRUE, FALSE );
if ( !NT_SUCCESS( Status ) ) { return Status; }
RtlCopyMemory( pUserResponse->ReferredServer, Scb->pNpScb->ServerName.Buffer, Scb->pNpScb->ServerName.Length );
pUserResponse->ServerNameLength = Scb->pNpScb->ServerName.Length; (pNdsRequest->Parameters).ResolveName.BytesWritten = ( 4 * sizeof( DWORD ) ) + Scb->pNpScb->ServerName.Length;
DebugTrace( 0, Dbg, "Resolve name referral to: %wZ\n", &Scb->pNpScb->ServerName );
//
// Restore the server pointers, we're not ready to jump
// servers yet since this might be a request from the fsd.
//
NwDequeueIrpContext( pIrpContext, FALSE ); NwDereferenceScb( Scb->pNpScb ); pIrpContext->pScb = OldScb; pIrpContext->pNpScb = OldScb->pNpScb;
}
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0, Dbg, "Bad user mode buffer in resolving name.\n", 0 ); return GetExceptionCode();
}
return STATUS_SUCCESS;}
NTSTATUSNdsGetObjectInfo( PIRP_CONTEXT pIrpContext, PNWR_NDS_REQUEST_PACKET pNdsRequest, PLOCKED_BUFFER pLockedBuffer)/*++
Routine Description:
Get the basic object information for the listed object.
Routine Arguments:
pIrpContext - describes the irp for this request pLockedBuffer - describes the locked, user mode buffer that we will write the response into pNdsRequest - the request parameters
Return Value:
The Status of the exchange.
--*/{ NTSTATUS Status; DWORD dwObjId;
PAGED_CODE();
//
// Get the object id from the users request packet.
//
try { dwObjId = (pNdsRequest->Parameters).GetObjectInfo.ObjectId; } except ( EXCEPTION_EXECUTE_HANDLER ) { DebugTrace( 0, Dbg, "Bonk! Lost user mode buffer in NdsGetObjectId...\n", 0 ); Status = GetExceptionCode(); return Status; }
//
// Hit the wire.
//
Status = FragExWithWait( pIrpContext, NDSV_READ_ENTRY_INFO, pLockedBuffer, "DD", 0, dwObjId );
if ( !NT_SUCCESS( Status ) ) { return Status; }
Status = NdsCompletionCodetoNtStatus( pLockedBuffer );
if ( NT_SUCCESS( Status ) ) {
try {
(pNdsRequest->Parameters).GetObjectInfo.BytesWritten = pLockedBuffer->dwBytesWritten;
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0, Dbg, "Bonk! Lost user mode buffer after getting object info...\n", 0 ); Status = GetExceptionCode(); return Status;
} }
return Status;
}
NTSTATUSNdsListSubordinates( PIRP_CONTEXT pIrpContext, PNWR_NDS_REQUEST_PACKET pNdsRequest, PLOCKED_BUFFER pLockedBuffer)/*++
Routine Description:
List the immediate subordinates of an object.
Routine Arguments:
pIrpContext - describes the irp for this request pLockedBuffer - describes the locked, user mode buffer that we will write the response into pNdsRequest - the request parameters
Return Value:
The Status of the exchange.
--*/{ NTSTATUS Status; DWORD dwParent, dwIterHandle;
PAGED_CODE();
//
// Dig out the request parameters.
//
try {
dwParent = (pNdsRequest->Parameters).ListSubordinates.ObjectId; dwIterHandle = (DWORD) (pNdsRequest->Parameters).ListSubordinates.IterHandle;
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0, Dbg, "Bonk! No user mode buffer in ListSubordinates...\n", 0 ); Status = GetExceptionCode(); return Status;
}
//
// Make the request.
//
Status = FragExWithWait( pIrpContext, NDSV_LIST, pLockedBuffer, "DDDD", 0, 0x40, dwIterHandle, dwParent );
if ( !NT_SUCCESS( Status ) ) { return Status; }
Status = NdsCompletionCodetoNtStatus( pLockedBuffer );
if ( NT_SUCCESS( Status ) ) {
try {
(pNdsRequest->Parameters).ListSubordinates.BytesWritten = pLockedBuffer->dwBytesWritten;
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0, Dbg, "Bonk! Lost user mode buffer after getting subordinate list...\n", 0 ); Status = GetExceptionCode(); return Status;
} }
return Status;
}
NTSTATUSNdsReadAttributes( PIRP_CONTEXT pIrpContext, PNWR_NDS_REQUEST_PACKET pNdsRequest, ULONG RequestLength, PLOCKED_BUFFER pLockedBuffer)/*++
Routine Description:
Retrieve the named attribute of an object.
Routine Arguments:
pIrpContext - describes the irp for this request pLockedBuffer - describes the locked, user mode buffer that we will write the response into pNdsRequest - the request parameters
Return Value:
The Status of the exchange.
--*/{ NTSTATUS Status;
DWORD dwIterHandle, dwOid; UNICODE_STRING uAttributeName; WCHAR AttributeName[MAX_NDS_SCHEMA_NAME_CHARS]; // was MAX_NDS_NAME_CHARS
PAGED_CODE();
RtlZeroMemory( AttributeName, sizeof( AttributeName ) );
try {
if (RequestLength < (FIELD_OFFSET(NWR_NDS_REQUEST_PACKET, Parameters.ReadAttribute.AttributeName) + pNdsRequest->Parameters.ReadAttribute.AttributeNameLength)) { DebugTrace( 0, Dbg, "ReadAttributes Request Length is too short.\n", 0 ); return STATUS_INVALID_PARAMETER; }
uAttributeName.Length = (USHORT)(pNdsRequest->Parameters).ReadAttribute.AttributeNameLength; uAttributeName.MaximumLength = sizeof( AttributeName );
if ( uAttributeName.Length > uAttributeName.MaximumLength ) { ExRaiseStatus( STATUS_INVALID_BUFFER_SIZE ); }
RtlCopyMemory( AttributeName, (pNdsRequest->Parameters).ReadAttribute.AttributeName, uAttributeName.Length );
uAttributeName.Buffer = AttributeName;
dwIterHandle = (DWORD) (pNdsRequest->Parameters).ReadAttribute.IterHandle; dwOid = (pNdsRequest->Parameters).ReadAttribute.ObjectId;
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0 , Dbg, "Bonk! Exception accessing user mode buffer in read attributes...\n", 0 ); return GetExceptionCode(); }
Status = FragExWithWait( pIrpContext, NDSV_READ, pLockedBuffer, "DDDDDDS", 0, // version
dwIterHandle, // iteration handle
dwOid, // object id
1, // info type
//
// The attribute specifier has been seen at zero and
// at 0x4e0000. I don't know why... but zero doesn't
// work sometimes...
//
0x4e0000, // attrib type
1, // number of attribs
&uAttributeName ); // attrib name
if ( !NT_SUCCESS( Status ) ) { return Status; }
Status = NdsCompletionCodetoNtStatus( pLockedBuffer );
if ( NT_SUCCESS( Status ) ) {
try {
(pNdsRequest->Parameters).ReadAttribute.BytesWritten = pLockedBuffer->dwBytesWritten;
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0, Dbg, "Bonk! Lost user mode buffer after reading attribute...\n", 0 ); return GetExceptionCode();
}
}
return Status;
}
NTSTATUSNdsGetVolumeInformation( PIRP_CONTEXT pIrpContext, PNWR_NDS_REQUEST_PACKET pNdsRequest, ULONG RequestLength)/*+++
Description:
This function gets the name of the server that hosts the listed nds volume.
Parameters:
pIrpContext - describes the irp for this request pNdsRequest - the request parameters
---*/{
NTSTATUS Status;
PIRP irp; PIO_STACK_LOCATION irpSp; PSCB pOriginalScb; PBYTE OutputBuffer = NULL; ULONG OutputBufferLength;
UNICODE_STRING VolumeObject; DWORD VolumeOid; UNICODE_STRING HostServerAttr; UNICODE_STRING HostVolumeAttr; UNICODE_STRING Attribute;
PWCHAR ServerString; ULONG ServerLength;
PAGED_CODE();
try { if (RequestLength < (FIELD_OFFSET(NWR_NDS_REQUEST_PACKET, Parameters.GetVolumeInfo.VolumeName) + pNdsRequest->Parameters.GetVolumeInfo.VolumeNameLen)) { DebugTrace( 0, Dbg, "GetVolumeInfo Request Length is too short.\n", 0 ); return STATUS_INVALID_PARAMETER; } } except ( EXCEPTION_EXECUTE_HANDLER ) { return GetExceptionCode(); }
//
// Get the irp and output buffer information.
//
irp = pIrpContext->pOriginalIrp; irpSp = IoGetCurrentIrpStackLocation( irp );
OutputBufferLength = irpSp->Parameters.FileSystemControl.OutputBufferLength;
if ( OutputBufferLength ) { NwMapUserBuffer( irp, irp->RequestorMode, (PVOID *)&OutputBuffer );
//
// tommye
//
// NwMapUserBuffer may return a NULL OutputBuffer in low resource
// situations; this was not being checked.
//
if (OutputBuffer == NULL) { DebugTrace(-1, DEBUG_TRACE_USERNCP, "NwMapUserBuffer returned NULL OutputBuffer", 0); return STATUS_INSUFFICIENT_RESOURCES; } } else { return STATUS_BUFFER_TOO_SMALL; }
try {
//
// Prepare the input information.
//
VolumeObject.Length = (USHORT)pNdsRequest->Parameters.GetVolumeInfo.VolumeNameLen; VolumeObject.MaximumLength = VolumeObject.Length; VolumeObject.Buffer = &(pNdsRequest->Parameters.GetVolumeInfo.VolumeName[0]);
// tommye - make sure that the name length isn't bigger than we expect
if (VolumeObject.Length > MAX_NDS_NAME_SIZE) { DebugTrace( 0 , Dbg, "NdsGetVolumeInformation: Volume name too long!.\n", 0 ); return STATUS_INVALID_PARAMETER; }
DebugTrace( 0, Dbg, "Retrieving volume info for %wZ\n", &VolumeObject );
HostServerAttr.Buffer = HOST_SERVER_ATTRIBUTE; // L"Host Server"
HostServerAttr.Length = sizeof( HOST_SERVER_ATTRIBUTE ) - sizeof( WCHAR ); HostServerAttr.MaximumLength = HostServerAttr.Length;
HostVolumeAttr.Buffer = HOST_VOLUME_ATTRIBUTE; // L"Host Resource Name"
HostVolumeAttr.Length = sizeof( HOST_VOLUME_ATTRIBUTE ) - sizeof( WCHAR ); HostVolumeAttr.MaximumLength = HostVolumeAttr.Length;
//
// NdsResolveNameKm may have to jump servers to service this
// request, however it's dangerous for us to derefence the original
// scb because that would expose a scavenger race condition. So,
// we add an additional ref-count to the original scb and then clean
// up appropriately afterwards, depending on whether or not we
// jumped servers.
//
pOriginalScb = pIrpContext->pScb;
NwReferenceScb( pOriginalScb->pNpScb );
Status = NdsResolveNameKm ( pIrpContext, &VolumeObject, &VolumeOid, TRUE, DEFAULT_RESOLVE_FLAGS );
if ( !NT_SUCCESS( Status )) { NwDereferenceScb( pOriginalScb->pNpScb ); return STATUS_BAD_NETWORK_PATH; }
if ( pIrpContext->pScb == pOriginalScb ) {
//
// We didn't jump servers.
//
NwDereferenceScb( pOriginalScb->pNpScb ); }
//
// We have to read the server into a temporary buffer so
// we can strip off the x500 prefix and the context
// from the server name. This isn't really what I would
// call nice, but it's the way Netware works.
//
Attribute.Length = 0; Attribute.MaximumLength = MAX_NDS_NAME_SIZE; Attribute.Buffer = ALLOCATE_POOL( PagedPool, MAX_NDS_NAME_SIZE );
if (!Attribute.Buffer) { Status = STATUS_INSUFFICIENT_RESOURCES; goto CleanupScbReferences; }
Status = NdsReadStringAttribute( pIrpContext, VolumeOid, &HostServerAttr, &Attribute );
if ( !NT_SUCCESS( Status )) { FREE_POOL( Attribute.Buffer ); goto CleanupScbReferences; }
ServerString = Attribute.Buffer;
while( Attribute.Length ) {
if ( *ServerString == L'=' ) { ServerString += 1; Attribute.Length -= sizeof( WCHAR ); break; }
ServerString += 1; Attribute.Length -= sizeof( WCHAR ); }
if ( Attribute.Length == 0 ) { DebugTrace( 0, Dbg, "Malformed server for volume.\n", 0 ); FREE_POOL( Attribute.Buffer ); Status = STATUS_UNSUCCESSFUL; goto CleanupScbReferences; }
ServerLength = 0;
while ( ServerLength < (Attribute.Length / sizeof( WCHAR )) ) {
if ( ServerString[ServerLength] == L'.' ) { break; }
ServerLength++; }
if ( ServerLength == ( Attribute.Length / sizeof( WCHAR ) ) ) { DebugTrace( 0, Dbg, "Malformed server for volume.\n", 0 ); FREE_POOL( Attribute.Buffer ); Status = STATUS_UNSUCCESSFUL; goto CleanupScbReferences; }
ServerLength *= sizeof( WCHAR ); RtlCopyMemory( OutputBuffer, ServerString, ServerLength );
pNdsRequest->Parameters.GetVolumeInfo.ServerNameLen = ServerLength;
FREE_POOL( Attribute.Buffer );
Attribute.Length = Attribute.MaximumLength = (USHORT)ServerLength; Attribute.Buffer = (PWCHAR)OutputBuffer; DebugTrace( 0, Dbg, "Host server is: %wZ\n", &Attribute );
//
// Now do the volume in place. This is the easy one.
//
Attribute.MaximumLength = (USHORT)( OutputBufferLength - ServerLength ); Attribute.Buffer = (PWSTR) ( OutputBuffer + ServerLength ); Attribute.Length = 0;
Status = NdsReadStringAttribute( pIrpContext, VolumeOid, &HostVolumeAttr, &Attribute );
if ( !NT_SUCCESS( Status )) { goto CleanupScbReferences; }
pNdsRequest->Parameters.GetVolumeInfo.TargetVolNameLen = Attribute.Length; DebugTrace( 0, Dbg, "Host volume is: %wZ\n", &Attribute );
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0, Dbg, "Exception handling user mode buffer in GetVolumeInfo.\n", 0 ); goto CleanupScbReferences;
}
Status = STATUS_SUCCESS;
CleanupScbReferences:
if ( pIrpContext->pScb != pOriginalScb ) {
//
// We jumped servers and have to cleanup.
//
NwDequeueIrpContext( pIrpContext, FALSE ); NwDereferenceScb( pIrpContext->pScb->pNpScb ); pIrpContext->pScb = pOriginalScb; pIrpContext->pNpScb = pOriginalScb->pNpScb;
}
return Status;}
NTSTATUSNdsOpenStream( PIRP_CONTEXT pIrpContext, PNWR_NDS_REQUEST_PACKET pNdsRequest, ULONG RequestLength) {
NTSTATUS Status;
UNICODE_STRING uStream; WCHAR StreamName[MAX_NDS_NAME_CHARS];
LOCKED_BUFFER NdsRequest;
DWORD dwOid, StreamAccess; DWORD hNwHandle, dwFileLen;
PICB pIcb; PSCB pScb = pIrpContext->pNpScb->pScb;
BOOLEAN LicensedConnection = FALSE;
PAGED_CODE();
pIcb = pIrpContext->Icb;
uStream.Length = 0; uStream.MaximumLength = sizeof( StreamName ); uStream.Buffer = StreamName;
DebugTrace( 0 , Dbg, "NDS open stream...\n", 0 );
try {
if (RequestLength < (ULONG)(FIELD_OFFSET(NWR_NDS_REQUEST_PACKET, Parameters.OpenStream.StreamNameString) + pNdsRequest->Parameters.OpenStream.StreamName.Length)) { DebugTrace( 0, Dbg, "OpenStream Request Length is too short.\n", 0 ); return STATUS_INVALID_PARAMETER; }
dwOid = (pNdsRequest->Parameters).OpenStream.ObjectOid; StreamAccess = (pNdsRequest->Parameters).OpenStream.StreamAccess; RtlCopyUnicodeString( &uStream, &(pNdsRequest->Parameters).OpenStream.StreamName );
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0 , Dbg, "Bonk! Bad user mode buffer in open stream.\n", 0 ); return GetExceptionCode(); }
//
// We have the oid and stream name; let's get the handle.
//
Status = NdsAllocateLockedBuffer( &NdsRequest, NDS_BUFFER_SIZE );
if ( !NT_SUCCESS( Status ) ) { return STATUS_INSUFFICIENT_RESOURCES; }
//
// If we haven't licensed this connection yet, it's time. Get to the
// head of the queue to protect the SCB fields and authenticate the
// connection (do not defer the login).
//
NwAppendToQueueAndWait( pIrpContext );
ASSERT( pScb->MajorVersion > 3 );
if ( ( pScb->UserName.Length == 0 ) && ( pScb->VcbCount == 0 ) && ( pScb->OpenNdsStreams == 0 ) ) {
if ( pScb->pNpScb->State != SCB_STATE_IN_USE ) {
Status = ConnectScb( &pScb, pIrpContext, &(pScb->pNpScb->ServerName), NULL, // address
NULL, // name
NULL, // password
FALSE, // defer login
FALSE, // delete connection
TRUE ); // existing scb
if ( !NT_SUCCESS( Status ) ) { DebugTrace( 0, Dbg, "Couldn't connect server %08lx to open NDS stream.\n", pScb ); goto ExitWithCleanup; } }
ASSERT( pScb->pNpScb->State == SCB_STATE_IN_USE );
Status = NdsLicenseConnection( pIrpContext );
if ( !NT_SUCCESS( Status ) ) { Status = STATUS_REMOTE_SESSION_LIMIT; goto ExitWithCleanup; }
LicensedConnection = TRUE; }
Status = FragExWithWait( pIrpContext, NDSV_OPEN_STREAM, &NdsRequest, "DDDs", 0, // version
StreamAccess, // file access
dwOid, // object id
&uStream ); // attribute name
if ( !NT_SUCCESS( Status )) { goto ExitWithCleanup; }
Status = NdsCompletionCodetoNtStatus( &NdsRequest );
if ( !NT_SUCCESS( Status )) { goto ExitWithCleanup; }
Status = ParseResponse( NULL, NdsRequest.pRecvBufferVa, NdsRequest.dwBytesWritten, "G_DD", sizeof( DWORD ), // completion code
&hNwHandle, // remote handle
&dwFileLen ); // file length
if ( !NT_SUCCESS( Status )) { goto ExitWithCleanup; }
*(WORD *)(&pIcb->Handle[0]) = (WORD)hNwHandle + 1; *( (UNALIGNED DWORD *) (&pIcb->Handle[2]) ) = hNwHandle;
pIrpContext->pScb->OpenNdsStreams++;
DebugTrace( 0, Dbg, "File stream opened. Length = %d\n", dwFileLen );
(pNdsRequest->Parameters).OpenStream.FileLength = dwFileLen; pIcb->HasRemoteHandle = TRUE;
pIcb->FileObject->CurrentByteOffset.QuadPart = 0;
ExitWithCleanup:
NdsFreeLockedBuffer( &NdsRequest );
if ( ( !NT_SUCCESS( Status ) ) && ( LicensedConnection ) ) { NdsUnlicenseConnection( pIrpContext ); }
NwDequeueIrpContext( pIrpContext, FALSE ); return Status;
}
NTSTATUSNdsSetContext( PIRP_CONTEXT pIrpContext, PNWR_NDS_REQUEST_PACKET pNdsRequest, ULONG RequestLength) {
NTSTATUS Status;
PLOGON pLogon;
UNICODE_STRING Tree, Context; PNDS_SECURITY_CONTEXT pCredentials;
PAGED_CODE();
DebugTrace( 0 , Dbg, "NDS set context.\n", 0 );
try { if (RequestLength < (FIELD_OFFSET(NWR_NDS_REQUEST_PACKET, Parameters.SetContext.TreeAndContextString) + pNdsRequest->Parameters.SetContext.TreeNameLen)) { DebugTrace( 0, Dbg, "SetContext Request Length is too short.\n", 0 ); return STATUS_INVALID_PARAMETER; } } except ( EXCEPTION_EXECUTE_HANDLER ) { return GetExceptionCode(); } //
// Find out who this is.
//
NwAcquireExclusiveRcb( &NwRcb, TRUE ); pLogon = FindUser( &(pIrpContext->Specific.Create.UserUid), FALSE ); NwReleaseRcb( &NwRcb );
if ( !pLogon ) {
DebugTrace( 0, Dbg, "Couldn't find logon data for this user.\n", 0 ); return STATUS_ACCESS_DENIED;
}
//
// Verify that this context really is a context.
//
Tree.Length = (USHORT)(pNdsRequest->Parameters).SetContext.TreeNameLen; Tree.MaximumLength = Tree.Length; Tree.Buffer = (pNdsRequest->Parameters).SetContext.TreeAndContextString;
Context.Length = (USHORT)(pNdsRequest->Parameters).SetContext.ContextLen; Context.MaximumLength = Context.Length; Context.Buffer = (WCHAR *) (((BYTE *)Tree.Buffer) + Tree.Length);
Status = NdsVerifyContext( pIrpContext, &Tree, &Context );
if ( !NT_SUCCESS( Status ) ) { return STATUS_INVALID_PARAMETER; }
Status = NdsLookupCredentials( pIrpContext, &Tree, pLogon, &pCredentials, CREDENTIAL_READ, TRUE );
if ( !NT_SUCCESS( Status ) ) {
DebugTrace( 0, Dbg, "No credentials in set context.\n", 0 ); return STATUS_NO_SUCH_LOGON_SESSION; }
//
// ALERT! We are holding the credential list!
//
if ( Context.Length > MAX_NDS_NAME_SIZE ) {
DebugTrace( 0, Dbg, "Context too long.\n", 0 ); Status = STATUS_INVALID_PARAMETER; goto ReleaseAndExit; }
try {
RtlCopyUnicodeString( &pCredentials->CurrentContext, &Context );
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0, Dbg, "Bad user buffer in SetContext.\n", 0 ); Status = STATUS_INVALID_PARAMETER; goto ReleaseAndExit; }
NwReleaseCredList( pLogon, pIrpContext );
//
// RELAX! The credential list is free.
//
DebugTrace( 0, Dbg, "New context: %wZ\n", &Context ); return STATUS_SUCCESS;
ReleaseAndExit:
NwReleaseCredList( pLogon, pIrpContext ); return Status;}
NTSTATUSNdsGetContext( PIRP_CONTEXT pIrpContext, PNWR_NDS_REQUEST_PACKET pNdsRequest, ULONG RequestLength) {
NTSTATUS Status;
PLOGON pLogon;
UNICODE_STRING Tree; PNDS_SECURITY_CONTEXT pCredentials;
PAGED_CODE();
DebugTrace( 0 , Dbg, "NDS get context.\n", 0 );
try { if (RequestLength < (FIELD_OFFSET(NWR_NDS_REQUEST_PACKET, Parameters.GetContext.TreeNameString) + pNdsRequest->Parameters.GetContext.TreeNameLen)) { DebugTrace( 0, Dbg, "GetContext Request Length is too short.\n", 0 ); return STATUS_INVALID_PARAMETER; } } except ( EXCEPTION_EXECUTE_HANDLER ) { return GetExceptionCode(); }
//
// Find out who this is.
//
NwAcquireExclusiveRcb( &NwRcb, TRUE ); pLogon = FindUser( &(pIrpContext->Specific.Create.UserUid), FALSE ); NwReleaseRcb( &NwRcb );
if ( !pLogon ) {
DebugTrace( 0, Dbg, "Couldn't find logon data for this user.\n", 0 ); return STATUS_ACCESS_DENIED;
}
//
// We know who it is, so get the context.
//
Tree.Length = (USHORT)(pNdsRequest->Parameters).GetContext.TreeNameLen; Tree.MaximumLength = Tree.Length; Tree.Buffer = (pNdsRequest->Parameters).GetContext.TreeNameString;
Status = NdsLookupCredentials( pIrpContext, &Tree, pLogon, &pCredentials, CREDENTIAL_READ, FALSE );
if ( !NT_SUCCESS( Status ) ) {
//
// No context has been set, so report none.
//
try {
(pNdsRequest->Parameters).GetContext.Context.Length = 0; return STATUS_SUCCESS;
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0, Dbg, "Bad user buffer in GetContext.\n", 0 ); return STATUS_INVALID_PARAMETER;
}
}
//
// Make sure we can report the whole thing.
// ALERT! We are holding the credential list!
//
if ( (pNdsRequest->Parameters).GetContext.Context.MaximumLength < pCredentials->CurrentContext.Length ) {
Status = STATUS_BUFFER_TOO_SMALL; goto ReleaseAndExit; }
try {
RtlCopyUnicodeString( &(pNdsRequest->Parameters).GetContext.Context, &pCredentials->CurrentContext );
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0, Dbg, "Bad user buffer in GetContext.\n", 0 ); Status = STATUS_INVALID_PARAMETER; goto ReleaseAndExit; }
NwReleaseCredList( pLogon, pIrpContext );
//
// RELAX! The credential list is free.
//
DebugTrace( 0, Dbg, "Reported context: %wZ\n", &pCredentials->CurrentContext ); return STATUS_SUCCESS;
ReleaseAndExit:
NwReleaseCredList( pLogon, pIrpContext ); return Status;
}
NTSTATUSNdsVerifyTreeHandle( PIRP_CONTEXT pIrpContext, PNWR_NDS_REQUEST_PACKET pNdsRequest, ULONG RequestLength) {
NTSTATUS Status; UNICODE_STRING NdsTree; WCHAR TreeBuffer[NDS_TREE_NAME_LEN];
PAGED_CODE();
try {
if (RequestLength < (ULONG)(FIELD_OFFSET(NWR_NDS_REQUEST_PACKET, Parameters.VerifyTree.NameString) + pNdsRequest->Parameters.VerifyTree.TreeName.Length)) { DebugTrace( 0, Dbg, "VerifyTreeHandle Request Length is too short.\n", 0 ); return STATUS_INVALID_PARAMETER; }
//
// Check to see if the handle points to a dir server in the
// specified tree. Make sure to unmunge the tree name in
// the SCB first, just in case.
//
NdsTree.Length = 0; NdsTree.MaximumLength = sizeof( TreeBuffer ); NdsTree.Buffer = TreeBuffer;
UnmungeCredentialName( &pIrpContext->pScb->NdsTreeName, &NdsTree );
if ( !RtlCompareUnicodeString( &NdsTree, &(pNdsRequest->Parameters).VerifyTree.TreeName, TRUE ) ) {
DebugTrace( 0 , Dbg, "NdsVerifyTreeHandle: Success\n", 0 ); Status = STATUS_SUCCESS; } else {
DebugTrace( 0 , Dbg, "NdsVerifyTreeHandle: Failure\n", 0 ); Status = STATUS_ACCESS_DENIED; }
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0 , Dbg, "NdsVerifyTreeHandle: Invalid parameters.\n", 0 ); Status = STATUS_INVALID_PARAMETER;
}
return Status;
}
NTSTATUSNdsGetPrintQueueInfo( PIRP_CONTEXT pIrpContext, PNWR_NDS_REQUEST_PACKET pNdsRequest, ULONG RequestLength) {
NTSTATUS Status;
UNICODE_STRING ServerAttribute; WCHAR Server[] = L"Host Server";
PSCB pPrintHost = NULL; PNONPAGED_SCB pOriginalNpScb = NULL;
DWORD dwObjectId, dwObjectType;
UNICODE_STRING uPrintServer;
BYTE *pbQueue, *pbRQueue;
PAGED_CODE();
try { if (RequestLength < (ULONG)FIELD_OFFSET(NWR_NDS_REQUEST_PACKET, Parameters.GetQueueInfo.QueueId)) { DebugTrace( 0, Dbg, "GetQueueInfo Request Length is too short.\n", 0 ); return STATUS_INVALID_PARAMETER; }
if ( pIrpContext->pOriginalIrp->RequestorMode != KernelMode ) {
ProbeForRead( pNdsRequest->Parameters.GetQueueInfo.QueueName.Buffer, pNdsRequest->Parameters.GetQueueInfo.QueueName.Length, sizeof(CHAR)); }
} except ( EXCEPTION_EXECUTE_HANDLER ) { return GetExceptionCode(); }
RtlInitUnicodeString( &ServerAttribute, Server );
//
// Make sure we have a print queue object. We may
// have to jump servers if we get referred to another
// replica. If this is the case, we can't lose the
// ref count on the original server since that's where
// the ICB handle is.
//
pOriginalNpScb = pIrpContext->pNpScb;
//
// tommye - fix for case where pOriginalNpScb == NULL (devctl test case)
//
if (pOriginalNpScb == NULL) { return STATUS_INVALID_PARAMETER; }
NwReferenceScb( pOriginalNpScb );
Status = NdsVerifyObject( pIrpContext, &(pNdsRequest->Parameters).GetQueueInfo.QueueName, TRUE, DEFAULT_RESOLVE_FLAGS, &dwObjectId, &dwObjectType );
if ( pIrpContext->pNpScb == pOriginalNpScb ) {
//
// If we were not referred, remove the extra ref
// count and clear the original pointer.
//
NwDereferenceScb( pOriginalNpScb ); pOriginalNpScb = NULL; }
if ( !NT_SUCCESS( Status ) ) { goto ExitWithCleanup; }
if ( dwObjectType != NDS_OBJECTTYPE_QUEUE ) { Status = STATUS_INVALID_PARAMETER; goto ExitWithCleanup; }
//
// Retrieve the host server name.
//
Status = NdsReadStringAttribute( pIrpContext, dwObjectId, &ServerAttribute, &(pNdsRequest->Parameters).GetQueueInfo.HostServer );
if ( !NT_SUCCESS( Status ) ) { goto ExitWithCleanup; }
//
// Dig out the actual server name from the X.500 name.
//
Status = NdsGetServerBasicName( &(pNdsRequest->Parameters).GetQueueInfo.HostServer, &uPrintServer );
if ( !NT_SUCCESS( Status ) ) { goto ExitWithCleanup; }
//
// Connect to the actual host server. If there was a referral, we
// can simply dump the referred server since we are holding the ref
// count on the original owner of the ICB.
//
if ( pOriginalNpScb ) { NwDereferenceScb( pIrpContext->pNpScb ); } else { pOriginalNpScb = pIrpContext->pNpScb; }
NwDequeueIrpContext( pIrpContext, FALSE );
Status = CreateScb( &pPrintHost, pIrpContext, &uPrintServer, NULL, NULL, NULL, FALSE, FALSE );
if ( !NT_SUCCESS( Status ) ) { pIrpContext->pNpScb = NULL; goto ExitWithCleanup; }
//
// Re-query the OID of the print queue object on this server.
// Don't allow any server jumping this time; we only need the
// oid of the queue.
//
Status = NdsVerifyObject( pIrpContext, &(pNdsRequest->Parameters).GetQueueInfo.QueueName, FALSE, RSLV_CREATE_ID, &dwObjectId, NULL );
if ( NT_SUCCESS( Status ) ) {
//
// Byte swap the queue id.
//
pbRQueue = (BYTE *) &dwObjectId; pbQueue = (BYTE *) &(pNdsRequest->Parameters).GetQueueInfo.QueueId;
pbQueue[0] = pbRQueue[3]; pbQueue[1] = pbRQueue[2]; pbQueue[2] = pbRQueue[1]; pbQueue[3] = pbRQueue[0]; }
ExitWithCleanup:
NwDequeueIrpContext( pIrpContext, FALSE );
//
// Restore the pointers and ref counts as appropriate.
//
if ( pOriginalNpScb ) {
if ( pIrpContext->pNpScb ) { NwDereferenceScb( pIrpContext->pNpScb ); }
pIrpContext->pNpScb = pOriginalNpScb; pIrpContext->pScb = pOriginalNpScb->pScb; }
return Status;
}
NTSTATUSNdsChangePass( PIRP_CONTEXT pIrpContext) {
NTSTATUS Status;
PIRP irp; PIO_STACK_LOCATION irpSp; PNWR_NDS_REQUEST_PACKET Rrp; ULONGLONG InputBufferLength;
UNICODE_STRING NdsTree; UNICODE_STRING UserName; UNICODE_STRING CurrentPassword; UNICODE_STRING NewPassword; PBYTE CurrentString; BOOLEAN ServerReferenced = FALSE;
OEM_STRING OemCurrentPassword; BYTE CurrentBuffer[MAX_PW_CHARS];
OEM_STRING OemNewPassword; BYTE NewBuffer[MAX_PW_CHARS];
NODE_TYPE_CODE nodeTypeCode; PSCB Scb; PICB pIcb; PVOID fsContext, fsObject; UNICODE_STRING CredentialName; PNDS_SECURITY_CONTEXT pCredential; ULONG LocalNdsTreeNameLength; ULONG LocalUserNameLength; ULONG LocalCurrentPasswordLength; ULONG LocalNewPasswordLength;
PAGED_CODE();
//
// Get the request.
//
irp = pIrpContext->pOriginalIrp; irpSp = IoGetCurrentIrpStackLocation( irp );
Rrp = ( PNWR_NDS_REQUEST_PACKET ) irpSp->Parameters.FileSystemControl.Type3InputBuffer; InputBufferLength = irpSp->Parameters.FileSystemControl.InputBufferLength;
if ( !Rrp ) {
DebugTrace( 0, Dbg, "No raw request buffer.\n", 0 ); return STATUS_INVALID_PARAMETER; }
if ( InputBufferLength < ((ULONG) FIELD_OFFSET( NWR_NDS_REQUEST_PACKET, Parameters.ChangePass.StringBuffer[0]))) {
return STATUS_INVALID_PARAMETER; }
//
// Decode the file object to see if this is an ex-create handle.
//
nodeTypeCode = NwDecodeFileObject( irpSp->FileObject, &fsContext, &fsObject );
if ( nodeTypeCode == NW_NTC_ICB_SCB ) {
pIcb = (PICB) fsObject;
//
// If this is a handle made on an ex-create, then
// we have to be aware of our credentials while
// jumping servers.
//
// This is not too intuitive since this doesn't
// seem to be a create path irp, but referrals
// on any path cause the create paths to be
// traversed.
//
if ( pIcb->IsExCredentialHandle ) {
pIrpContext->Specific.Create.fExCredentialCreate = TRUE;
pCredential = (PNDS_SECURITY_CONTEXT) pIcb->pContext;
Status = GetCredentialFromServerName( &pCredential->NdsTreeName, &CredentialName ); if ( !NT_SUCCESS( Status ) ) { return STATUS_INVALID_HANDLE; }
pIrpContext->Specific.Create.puCredentialName = &CredentialName; }
} try {
if ( irp->RequestorMode != KernelMode ) {
ProbeForRead( Rrp, (ULONG) InputBufferLength, sizeof(CHAR) ); }
//
// Capture all the interesting parameters locally so that they don't change
// after validating them.
//
LocalNdsTreeNameLength = Rrp->Parameters.ChangePass.NdsTreeNameLength; LocalUserNameLength = Rrp->Parameters.ChangePass.UserNameLength; LocalCurrentPasswordLength = Rrp->Parameters.ChangePass.CurrentPasswordLength; LocalNewPasswordLength = Rrp->Parameters.ChangePass.NewPasswordLength;
if ( InputBufferLength < ((ULONGLONG) FIELD_OFFSET( NWR_NDS_REQUEST_PACKET, Parameters.ChangePass.StringBuffer[0]) + (ULONGLONG) LocalNdsTreeNameLength + (ULONGLONG) LocalUserNameLength + (ULONGLONG) LocalCurrentPasswordLength + (ULONGLONG) LocalNewPasswordLength )) { return( STATUS_INVALID_PARAMETER ); } //
// Dig out the parameters.
//
CurrentString = ( PBYTE ) &(Rrp->Parameters.ChangePass.StringBuffer[0]); NdsTree.Length = NdsTree.MaximumLength = ( USHORT ) LocalNdsTreeNameLength; NdsTree.Buffer = ( PWCHAR ) CurrentString; CurrentString += NdsTree.Length; UserName.Length = UserName.MaximumLength = ( USHORT ) LocalUserNameLength; UserName.Buffer = ( PWCHAR ) CurrentString; CurrentString += UserName.Length; CurrentPassword.Length = CurrentPassword.MaximumLength = ( USHORT ) LocalCurrentPasswordLength; CurrentPassword.Buffer = ( PWCHAR ) CurrentString; CurrentString += CurrentPassword.Length; NewPassword.Length = NewPassword.MaximumLength = ( USHORT ) LocalNewPasswordLength; NewPassword.Buffer = ( PWCHAR ) CurrentString; //
// Get a server to handle this request.
//
//
// Convert the passwords to the appropriate type.
//
OemCurrentPassword.Length = 0; OemCurrentPassword.MaximumLength = sizeof( CurrentBuffer ); OemCurrentPassword.Buffer = CurrentBuffer;
OemNewPassword.Length = 0; OemNewPassword.MaximumLength = sizeof( NewBuffer ); OemNewPassword.Buffer = NewBuffer;
RtlUpcaseUnicodeStringToOemString( &OemCurrentPassword, &CurrentPassword, FALSE );
RtlUpcaseUnicodeStringToOemString( &OemNewPassword, &NewPassword, FALSE );
//
// Get a dir server to handle the request.
//
Status = NdsCreateTreeScb( pIrpContext, &Scb, &NdsTree, NULL, NULL, TRUE, FALSE );
if ( !NT_SUCCESS( Status ) ) {
DebugTrace( 0, Dbg, "No dir servers for nds change password.\n", 0 ); return STATUS_BAD_NETWORK_PATH; }
ServerReferenced = TRUE;
//
// Perform the change password.
//
Status = NdsTreeLogin( pIrpContext, &UserName, &OemCurrentPassword, &OemNewPassword, NULL );
NwDereferenceScb( Scb->pNpScb ); ServerReferenced = FALSE;
if ( !NT_SUCCESS( Status ) ) { goto ExitWithCleanup; }
} except ( EXCEPTION_EXECUTE_HANDLER ) {
DebugTrace( 0, Dbg, "NdsChangePass: Exception dealing with user request.\n", 0 ); Status = STATUS_INVALID_PARAMETER; goto ExitWithCleanup; }
DebugTrace( 0, Dbg, "NdsChangePassword succeeded for %wZ.\n", &UserName ); Status = STATUS_SUCCESS;
ExitWithCleanup:
if ( ServerReferenced ) { NwDereferenceScb( Scb->pNpScb ); }
//
// We get STATUS_PASSWORD_EXPIRED when the user is not allowed
// to change their password on the Netware server, so we return
// PASSWORD_RESTRICTION instead.
//
if ( Status == STATUS_PASSWORD_EXPIRED ) { Status = STATUS_PASSWORD_RESTRICTION; }
return Status;
}
NTSTATUSNdsListTrees( PIRP_CONTEXT pIrpContext)/*+++
Description:
This odd little routine takes the NTUSER name of the logged in user (on the system) and returns a list of NDS trees that the NTUSER is connected to and the user names for those connections. This is necessary because the change password ui runs in the systems luid and can't access the GET_CONN_STATUS api and because the change password code might happen when no user is logged in.
The return data in the users buffer is an array of CONN_INFORMATION structures with the strings packed after the structures. There is no continuation of this routine, so pass a decent sized buffer.
---*/{
NTSTATUS Status;
PIRP irp; PIO_STACK_LOCATION irpSp; PNWR_NDS_REQUEST_PACKET Rrp; DWORD InputBufferLength; DWORD OutputBufferLength; PBYTE OutputBuffer;
UNICODE_STRING NtUserName; PLOGON pLogon; DWORD dwTreesReturned = 0; DWORD dwBytesNeeded;
PCONN_INFORMATION pConnInfo; PLIST_ENTRY pNdsList; PNDS_SECURITY_CONTEXT pNdsContext;
PAGED_CODE();
//
// Get the request.
//
irp = pIrpContext->pOriginalIrp; irpSp = IoGetCurrentIrpStackLocation( irp );
Rrp = ( PNWR_NDS_REQUEST_PACKET ) irpSp->Parameters.FileSystemControl.Type3InputBuffer; InputBufferLength = irpSp->Parameters.FileSystemControl.InputBufferLength;
OutputBufferLength = irpSp->Parameters.DeviceIoControl.OutputBufferLength; NwMapUserBuffer( irp, KernelMode, (PVOID *)&OutputBuffer );
if ( !Rrp || !OutputBufferLength || !OutputBuffer ) { return STATUS_INVALID_PARAMETER; }
//
// tommye - MS bug 138643
//
// Probe the input arguments to make sure they are kosher before
// touching them.
//
try { if ( irp->RequestorMode != KernelMode ) {
ProbeForRead( Rrp, (ULONG) InputBufferLength, sizeof(CHAR) ); } } except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); }
//
// Dig out the parameters.
//
NtUserName.Length = NtUserName.MaximumLength = (USHORT) Rrp->Parameters.ListTrees.NtUserNameLength; NtUserName.Buffer = &(Rrp->Parameters.ListTrees.NtUserName[0]);
DebugTrace( 0, Dbg, "ListTrees: Looking up %wZ\n", &NtUserName );
NwAcquireExclusiveRcb( &NwRcb, TRUE ); pLogon = FindUserByName( &NtUserName ); NwReleaseRcb( &NwRcb );
if ( !pLogon ) { DebugTrace( 0, Dbg, "ListTrees: No such NT user.\n", 0 ); return STATUS_NO_SUCH_USER; }
//
// Otherwise build the list of trees.
//
Rrp->Parameters.ListTrees.UserLuid = pLogon->UserUid;
NwAcquireExclusiveCredList( pLogon, pIrpContext ); pConnInfo = ( PCONN_INFORMATION ) OutputBuffer;
pNdsList = pLogon->NdsCredentialList.Flink;
try {
while ( pNdsList != &(pLogon->NdsCredentialList) ) {
pNdsContext = CONTAINING_RECORD( pNdsList, NDS_SECURITY_CONTEXT, Next );
//
// Check to make sure there's a credential.
//
if ( pNdsContext->Credential == NULL ) { goto ProcessNextListEntry; }
//
// Don't report ex create credentials.
//
if ( IsCredentialName( &(pNdsContext->NdsTreeName) ) ) { goto ProcessNextListEntry; }
//
// Check to make sure there's space to report.
//
dwBytesNeeded = ( sizeof( CONN_INFORMATION ) + pNdsContext->Credential->userNameLength + pNdsContext->NdsTreeName.Length - sizeof( WCHAR ) );
if ( OutputBufferLength < dwBytesNeeded ) { break; }
//
// Report it! Note that the user name in the credential is NULL terminated.
//
pConnInfo->HostServerLength = pNdsContext->NdsTreeName.Length; pConnInfo->UserNameLength = pNdsContext->Credential->userNameLength - sizeof( WCHAR ); pConnInfo->HostServer = (LPWSTR) ( ((BYTE *)pConnInfo) + sizeof( CONN_INFORMATION ) ); pConnInfo->UserName = (LPWSTR) ( ( (BYTE *)pConnInfo) + sizeof( CONN_INFORMATION ) + pConnInfo->HostServerLength );
RtlCopyMemory( pConnInfo->HostServer, pNdsContext->NdsTreeName.Buffer, pConnInfo->HostServerLength );
RtlCopyMemory( pConnInfo->UserName, ( ((BYTE *) pNdsContext->Credential ) + sizeof( NDS_CREDENTIAL ) + pNdsContext->Credential->optDataSize ), pConnInfo->UserNameLength );
OutputBufferLength -= dwBytesNeeded; dwTreesReturned++; pConnInfo = ( PCONN_INFORMATION ) ( ((BYTE *)pConnInfo) + dwBytesNeeded );
ProcessNextListEntry:
//
// Do the next one.
//
pNdsList = pNdsList->Flink; }
} except ( EXCEPTION_EXECUTE_HANDLER ) {
//
// If we access violate, stop and return what we have.
//
DebugTrace( 0, Dbg, "User mode buffer access problem.\n", 0 ); }
NwReleaseCredList( pLogon, pIrpContext );
DebugTrace( 0, Dbg, "Returning %d tree entries.\n", dwTreesReturned ); Rrp->Parameters.ListTrees.TreesReturned = dwTreesReturned; return STATUS_SUCCESS;}
|
