mars_nwe/mars-nwe
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 2 Wiki Activity

docs: audit RPC server-control stubs

Browse Source
This commit is contained in:
Mario Fetka
2026-06-02 16:47:12 +00:00
parent 110a5c5111
commit 16d6e805b6
4 changed files with 119 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
AI.md
View File

@@ -657,4 +657,19 @@ Latest endpoint audit checkpoint from patch 0227:
targeted behavior/security/provider review rather than another broad
endpoint-presence pass.
Next patch number should be `0228`.
Latest endpoint audit checkpoint from patch 0228:
- SDK `0x2222/131` / wire `0x83` RPC / server-control is now source-stub-audited
as a NetWare-4.x server-control planning family. No active top-level handler
exists in `src/nwconn.c`.
- Patch `0228` records disabled `MARS_NWE_4` selector slots for `131/01` RPC
Load an NLM, `131/02` RPC Unload an NLM, `131/03` RPC Mount Volume, `131/04`
RPC Dismount Volume, `131/05` RPC Add Name Space To Volume, `131/06` RPC Set
Set Command Value, and `131/07` RPC Execute NCF File.
- Future ownership belongs to the `servermgmt`/RPC provider boundary. Do not
wire these calls to fake success: the real operations can change server state
and the documented reply carries an `RPCccode`. `nwserv` may supervise or
register providers, but must not become a data-plane broker for RPC payloads.
Next patch number should be `0229`.

12
REDESIGN.md
View File

@@ -922,9 +922,13 @@ ordering and error handling harder.
Simple management and information calls should not become their own process.
Examples include login-status queries, server description strings, server time,
console-privilege checks, and small broadcast/control helpers. These can be
represented as a `servermgmt` provider for dispatch clarity, but they should stay
in-process unless a specific call requires an existing backend service.
console-privilege checks, and small broadcast/control helpers. NetWare-4.x RPC
server-control calls such as load/unload NLM, mount/dismount volume, SET command
changes, and NCF execution also belong to this provider boundary, but they are
not simple information calls and must remain disabled until there is a real
privilege model and backend behavior. These can be represented as a
`servermgmt` provider for dispatch clarity, but they should stay in-process
unless a specific call requires an existing backend service.
### Suggested provider map
@@ -937,7 +941,7 @@ queue queue objects, jobs, queue servers, print queues, direct-spool br
filesystem file, directory, volume, namespace, trustee, salvage helpers
semaphore semaphore state and old 0x2222/32 calls
message station messaging and broadcast helpers
servermgmt small server-management and information calls
servermgmt server-management, information, and guarded RPC/control calls
accounting account status, charges, holds, notes
AFP AFP namespace and metadata helpers
unknown documented but not yet mapped

36
TODO.md
View File

@@ -258,11 +258,10 @@ SDK-listed blocks that do not currently show a top-level handler in
found in the audited source, and no source stub should be added under the
current 1.x/2.x/3.x plus planned-4.x rule. It remains prose-only/out of the
current compatibility target.
- SDK `0x2222/123` / wire `0x7b` service-address enumeration and SDK
`0x2222/131` / wire `0x83` RPC/NLM-control style calls appear in the
PDF/WebSDK index but do not currently show top-level handlers in
`src/nwconn.c`. These are likely later-generation buckets, but each must be
confirmed against the includes/WebSDK before adding guarded stubs. Only
- SDK `0x2222/123` / wire `0x7b` service-address enumeration appears in the
PDF/WebSDK index but does not currently show a top-level handler in
`src/nwconn.c`. It is likely a later server-information bucket, but it must
be confirmed against the includes/WebSDK before adding guarded stubs. Only
endpoints bucketed as 1.x/2.x/3.x compatibility or planned 4.x work should
receive disabled source stubs.
@@ -914,6 +913,33 @@ Follow-up:
as complete local implementations.
### RPC / server-control group 0x2222/131
Current status:
- `NCP 0x2222/131` / wire `0x83` is source-stub-audited as a NetWare-4.x/5.x
RPC server-control family. No active top-level handler exists in
`src/nwconn.c`, so patch `0228` records the documented NetWare-4.x selectors
behind `MARS_NWE_4` without changing the default build.
- The audited selectors are `131/01` RPC Load an NLM, `131/02` RPC Unload an
NLM, `131/03` RPC Mount Volume, `131/04` RPC Dismount Volume, `131/05` RPC
Add Name Space To Volume, `131/06` RPC Set Set Command Value, and `131/07`
RPC Execute NCF File.
- These calls are server-management/RPC control operations. They must not be
implemented as fake success because clients may expect real NLM, volume, SET,
or NCF side effects and the SDK reply includes an `RPCccode` result field.
- Future owner is the `servermgmt`/RPC provider boundary. `nwserv` may remain
the control-plane supervisor/registry, but normal RPC payloads must not be
routed through `nwserv` as a data-plane broker.
Follow-up:
- Keep these stubs disabled until there is a real privilege model and backend
behavior for server-control operations.
- If any RPC call is implemented, add tests for supervisor-equivalent
authentication, request string parsing, `RPCccode` mapping, and failure paths.
### Extended volume information field mapping
Current status:

64
src/nwconn.c
View File

@@ -7474,6 +7474,70 @@ static int handle_ncp_serv(void)
break;
#endif
#if MARS_NWE_4
case 0x83 : { /* SDK 131 / wire 0x83 RPC / server-control group.
* Source outcome: no active top-level implementation exists
* for this NetWare-4.x server-control family. This disabled
* stub records the selector coverage without changing the
* default compatibility build.
*
* SDK group request header:
* word SubFunctionStrucLen (Hi-Lo)
* byte SubFuncCode
* ... subfunction-specific RPC payload
*
* Common reply layout for these RPC calls:
* long RPCccode
* long reserved[4]
*
* Future owner: server-management/RPC provider. These calls
* can load/unload NLMs, mount/dismount volumes, change SET
* commands, and execute NCF files, so they must not be wired
* to fake success. They also must not turn nwserv into a
* data-plane payload broker; nwserv should remain the control
* plane/supervisor.
*/
uint8 rpc_subfunc = (requestlen > sizeof(NCPREQUEST) + 2)
? requestdata[2]
: 0xff;
switch (rpc_subfunc) {
case 0x01: /* 131/01 RPC Load an NLM.
* Request: NLMLoadOptions long, reserved[3],
* reservedFlags[4], ASCIIZ PathAndName.
*/
case 0x02: /* 131/02 RPC Unload an NLM.
* Request: reserved[4], reservedFlags[4],
* ASCIIZ NLMName.
*/
case 0x03: /* 131/03 RPC Mount Volume.
* Request: reserved[4], reservedFlags[4],
* ASCIIZ VolumeName.
*/
case 0x04: /* 131/04 RPC Dismount Volume.
* Request: reserved[4], reservedFlags[4],
* ASCIIZ VolumeName.
*/
case 0x05: /* 131/05 RPC Add Name Space To Volume.
* Request: reserved[4], reservedFlags[4],
* ASCIIZ "NameSpaceName {TO} {VOLUME} Volume".
*/
case 0x06: /* 131/06 RPC Set Set Command Value.
* Request: set-command type/value payload plus
* ASCIIZ SetCmdName and optional ASCIIZ value.
*/
case 0x07: /* 131/07 RPC Execute NCF File.
* Request: reserved[4], reservedFlags[4],
* ASCIIZ NCF file path/name.
*/
completition = 0xfb;
break;
default: completition = 0xfb;
break;
}
}
break;
#endif
default : completition = 0xfb; /* unknown request */
break;