We investigate how a new channel is added to an existing channel on a multichannel connection.
We first need to familiarise ourselves on how a new incoming connection is handled.
http://sprabhu.blogspot.com/2018/03/samba-handling-new-connections.html
To summarise how a new connection is created
a) From the main thread, we call main()->open_sockets_smbd()->smbd_open_one_socket()->tevent_add_fd() to set a tevent handler to call smbd_accept_connection() whenever a new connection is opened with the samba server.
b) For a new connection coming in, the server calls smbd_accept_connection() which forks a child process and calls smbd_process() in the child.
c) Within smbd_process() a new client(struct smbXsrv_client) and a new xconn(struct smbXsrv_connection) are created. The xconn itself is added to the connection list on the new client which was created.
d) Within smbd_add_connection(), we also add a tevent fd handler smbd_server_connection_handler() to handle incoming data on the new socket created for the client.
We also setup the infrastructure necessary to pass the socket file descriptor when a new client is created within smbd_process()->smbXsrv_client_create(), we setup the messaging infrastructure to handle incoming message requests for the message id MSG_SMBXSRV_CONNECTION_PASS.
NTSTATUS smbXsrv_client_create(TALLOC_CTX *mem_ctx,
struct tevent_context *ev_ctx,
struct messaging_context *msg_ctx,
NTTIME now,
struct smbXsrv_client **_client)
{
..
global->server_id = messaging_server_id(client->msg_ctx);
..
subreq = messaging_filtered_read_send(client,
client->raw_ev_ctx,
client->msg_ctx,
smbXsrv_client_connection_pass_filter,
client);
..
tevent_req_set_callback(subreq, smbXsrv_client_connection_pass_loop, client);
..
}
ie. For incoming requests for message id MSG_SMBXSRV_CONNECTION_PASS, we call handler smbXsrv_client_connection_pass_loop()
At this point, the socket is established. When data is first sent onto the socket by the client, it is handled by the tevent handler smbd_server_connection_handler() followed by smbd_server_connection_read_handler() which subsequently calls process_smb() to process the incoming request.
static void smbd_server_connection_handler(struct tevent_context *ev,
struct tevent_fd *fde,
uint16_t flags,
void *private_data)
{
..
//xconn is passed as argument to the tevent callback. We read this argument
struct smbXsrv_connection *xconn =
talloc_get_type_abort(private_data,
struct smbXsrv_connection);
..
if (flags & TEVENT_FD_READ) {
smbd_server_connection_read_handler(xconn, xconn->transport.sock);
return;
}
}
//Used to handle all incoming read calls.
static void smbd_server_connection_read_handler(
struct smbXsrv_connection *xconn, int fd)
{
..
process:
process_smb(xconn, inbuf, inbuf_len, unread_bytes,
seqnum, encrypted, NULL);
}
It is here where we start differentiating between SMB1 and later connections
void smbd_smb2_process_negprot(struct smbXsrv_connection *xconn,
uint64_t expected_seq_low,
const uint8_t *inpdu, size_t size)
{
..
struct smbd_smb2_request *req = NULL;
..
//Documented below
status = smbd_smb2_request_create(xconn, inpdu, size, &req);
..
status = smbd_smb2_request_dispatch(req);
..
}
static NTSTATUS smbd_smb2_request_create(struct smbXsrv_connection *xconn,
const uint8_t *_inpdu, size_t size,
struct smbd_smb2_request **_req)
{
struct smbd_server_connection *sconn = xconn->client->sconn;
..
struct smbd_smb2_request *req;
..
req = smbd_smb2_request_allocate(xconn);
..
req->sconn = sconn;
req->xconn = xconn;
..
status = smbd_smb2_inbuf_parse_compound(xconn,
now,
inpdu,
size,
req, &req->in.vector,
&req->in.vector_count);
..
*_req = req;
return NT_STATUS_OK;
}
At this point the buffer containing the incoming request is stored in the smbd_smb2_request *req.
We call smbd_smb2_request_dispatch() to handle the data.
NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
{
struct smbXsrv_connection *xconn = req->xconn;
..
/*
* Check if the client provided a valid session id.
*
* As some command don't require a valid session id
* we defer the check of the session_status
*/
session_status = smbd_smb2_request_check_session(req);
..
flags = IVAL(inhdr, SMB2_HDR_FLAGS);
opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
mid = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
..
switch (opcode) {
..
case SMB2_OP_NEGPROT:
SMBPROFILE_IOBYTES_ASYNC_START(smb2_negprot, profile_p,
req->profile, _INBYTES(req));
return_value = smbd_smb2_request_process_negprot(req);
break;
..
}
Since this is the first call sent by the client, it is a negotiate request which is handled by smbd_smb2_request_process_negprot().
NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
{
..
//Obtain the GUID passed i
in_guid_blob = data_blob_const(inbody + 0x0C, 16);
..
status = GUID_from_ndr_blob(&in_guid_blob, &in_guid);
..
xconn->smb2.client.guid = in_guid;
..
if (xconn->protocol < PROTOCOL_SMB2_10) {
/*
* SMB2_02 doesn't support client guids
*/
return smbd_smb2_request_done(req, outbody, &outdyn);
}
//Only SMB3 and later protocols here.
if (!xconn->client->server_multi_channel_enabled) {
/*
* Only deal with the client guid database
* if multi-channel is enabled.
*/
return smbd_smb2_request_done(req, outbody, &outdyn);
}
//Only clients with multichannel enabled here.
..
status = smb2srv_client_lookup_global(xconn->client,
xconn->smb2.client.guid,
req, &global0);
..
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECTID_NOT_FOUND)) {
//If no existing connection is found, set it up.
xconn->client->global->client_guid =
xconn->smb2.client.guid;
status = smbXsrv_client_update(xconn->client);
..
xconn->smb2.client.guid_verified = true;
} else if (NT_STATUS_IS_OK(status)) {
//We have found an existing client with the same guid.
//So pass the connection to the original smbd process.
status = smb2srv_client_connection_pass(req,
global0);
if (!NT_STATUS_IS_OK(status)) {
return smbd_smb2_request_error(req, status);
}
//and terminate this connection.
smbd_server_connection_terminate(xconn,
"passed connection");
return NT_STATUS_OBJECTID_EXISTS;
} else {
return smbd_smb2_request_error(req, status);
}
}
NTSTATUS smb2srv_client_connection_pass(struct smbd_smb2_request *smb2req,
struct smbXsrv_client_global0 *global)
{
..
pass_info0.initial_connect_time = global->initial_connect_time;
pass_info0.client_guid = global->client_guid;
..
pass_info0.negotiate_request.length = reqlen;
pass_info0.negotiate_request.data = talloc_array(talloc_tos(), uint8_t,
reqlen);
..
iov_buf(smb2req->in.vector, smb2req->in.vector_count,
pass_info0.negotiate_request.data,
pass_info0.negotiate_request.length);
ZERO_STRUCT(pass_blob);
pass_blob.version = smbXsrv_version_global_current();
pass_blob.info.info0 = &pass_info0;
..
ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &pass_blob,
(ndr_push_flags_fn_t)ndr_push_smbXsrv_connection_passB);
..
//Add the created data blobs to an iov
iov.iov_base = blob.data;
iov.iov_len = blob.length;
//and send the iovs to the original thread using
//message id MSG_SMBXSRV_CONNECTION_PASS.
status = messaging_send_iov(smb2req->xconn->client->msg_ctx,
global->server_id,
MSG_SMBXSRV_CONNECTION_PASS,
&iov, 1,
&smb2req->xconn->transport.sock, 1);
..
}
At this point, the smbd process for the new process sends the original smbd process a message with the data required to transfer the channel to the original process.
We call the handler for the message and process the incoming data.
static void smbXsrv_client_connection_pass_loop(struct tevent_req *subreq)
{
..
//We read data from the iovs passed in the message.
..
//We perform some sanity tests.
..
SMB_ASSERT(rec->num_fds == 1);
sock_fd = rec->fds[0];
..
//We add the new connection to the original smbd process client.
status = smbd_add_connection(client, sock_fd, &xconn);
..
//We process the negprot on the original thread.
xconn->smb2.client.guid_verified = true;
smbd_smb2_process_negprot(xconn, seq_low,
pass_info0->negotiate_request.data,
pass_info0->negotiate_request.length);
..
}
At this point, we have
a) Added a new connection xconn to the existing client from the original connection.
b) Set the data handler for the socket file descriptor to smbd_server_connection_handler() so that any incoming data is handled by the samba thread handling the original connection.
c) Terminated the new samba thread created for the new channel and handle all new incoming request in handler specified in b.