NTCreateAndX Response with wrong WordCount.

Michael B Allen mba2000 at ioplex.com
Mon Aug 2 07:49:03 GMT 2004


On Sun, 1 Aug 2004 16:42:07 -0500
"Christopher R. Hertel" <crh at ubiqx.mn.org> wrote:

> Okay, so let's see what happens if that 42 value is actually really truly
> correct...  The first thing I notice is that the ByteCount then becomes
> 0xA7A0, which I don't have to translate to know it can't be a ByteCount
> value.

A good way to explore packet dimensions is with Python. So the field
values displayed in Ethereal are:

          NetBIOS length: 135
              SMB offset: 0x3A
               WordCount: 42 words / 84 bytes
Start of parameter words: 0x5B

And then things aren't so certain from there. So if the SMB starts at
0x3A then the end of the packet is:

>>> 0x3A + 135
193
>>> hex(193)
'0xc1'

and Ethereal shows the last byte in the packet at 0xC0 so that lines
up. Now if the beginning of the parameter words is 0x5B then the end is:

>>> 0x5B + (42 * 2)
175
>>> hex(175)
'0xaf'

Mmmm, there's another 18 bytes after 0xAF. Certainly 2 of those bytes are
the ByteCount which leaves an even 16 but I don't see 0x10 anywhere. If
it was at the beginning 0xA7A0 is way off for a ByteCount. Also, if
there were data bytes there would probably be a pad which would make
it end on an even byte, which it does not, so I'd say the ByteCount is
actually the last two bytes 0x0000.

So you're right. The WordCount is short by 8 words / 16 bytes. Looks
like 16 bytes of garbage was injected before 16 meaningful "CSC" bytes.

> So, whatever these extra bytes may be (and I'm really interested in the 
> possibilities) W2K and WXP are clearly messing up something.  I'm just 
> amazed that the clients parse these things.

I'm not amazed. I only use the docs as a rough guide. Ethereal and of
course what works wins the day. Also most parsing routines go by outermost
dimensions then offsets to interesting fields. JCIFS uses WordCount
and ByteCount but ultimately relies on the NetBIOS header length. If
you flip on jcifs.util.loglevel=10 you'll see log messages when things
don't add up and I bet you'd see such a message in this case.

Mike

-- 
Greedo shoots first? Not in my Star Wars.
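The arithmetic in the message above, turned into a consistency check of the kind the post says a parser should log when WordCount and ByteCount do not add up to the NetBIOS length. This is an added example, not code from the thread or from jCIFS. The frame is constructed here: 50 parameter words and no data give exactly the 135-byte body seen in the capture, and two parameter bytes are set so that an understated WordCount of 42 makes the next word read as 0xA7A0, as in the post. `build_frame`, `check_layout` and `word_count_from_trailer` are hypothetical names; the SMB header layout (4-byte magic, 1-byte command, 32 bytes total) and the 4-byte NetBIOS session header are the real SMB1 framing.

```python
import struct

SMB_HEADER_LEN = 32   # fixed-size SMB1 header: 0xFF 'SMB', command, status, flags, ..., MID
NBT_HEADER_LEN = 4    # NetBIOS session header: 1 type byte + 3-byte big-endian length
SMB_COM_NT_CREATE_ANDX = 0xA2


def build_frame(command, params, data=b"", word_count=None):
    """Build a NetBIOS-framed SMB1 message from parameter words and data bytes.

    word_count defaults to the true value; pass a wrong one to reproduce the
    mismatch discussed in the thread. Hypothetical helper, not jCIFS code.
    """
    if len(params) % 2:
        raise ValueError("parameter block must be a whole number of 16-bit words")
    if word_count is None:
        word_count = len(params) // 2
    header = b"\xffSMB" + bytes([command]) + bytes(SMB_HEADER_LEN - 5)
    body = header + bytes([word_count]) + params + struct.pack("<H", len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body


def check_layout(frame, base=0):
    """Check that WordCount and ByteCount agree with the outer NetBIOS length.

    `base` is the capture offset of the SMB header (0x3A in the thread), so the
    reported offsets can be compared directly with what Ethereal shows.
    """
    nbt_len = int.from_bytes(frame[1:4], "big")
    smb = frame[NBT_HEADER_LEN:NBT_HEADER_LEN + nbt_len]
    problems = []
    if len(smb) != nbt_len:
        problems.append("NetBIOS length %d exceeds the %d captured bytes" % (nbt_len, len(smb)))
    if smb[:4] != b"\xffSMB":
        problems.append("missing SMB magic")
    if len(smb) <= SMB_HEADER_LEN:
        problems.append("packet too short for an SMB header plus WordCount")
        return {"ok": False, "problems": problems}
    word_count = smb[SMB_HEADER_LEN]
    params_start = SMB_HEADER_LEN + 1
    params_end = params_start + 2 * word_count
    remaining = len(smb) - params_end          # bytes left for ByteCount + data
    byte_count = None
    if remaining < 2:
        problems.append("WordCount %d leaves no room for ByteCount" % word_count)
    else:
        byte_count = struct.unpack_from("<H", smb, params_end)[0]
        if params_end + 2 + byte_count != len(smb):
            problems.append("ByteCount 0x%04X does not reach the end of the packet; "
                            "%d bytes follow the parameter words" % (byte_count, remaining))
    return {
        "ok": not problems,
        "word_count": word_count,
        "byte_count": byte_count,
        "params_start": base + params_start,
        "params_end": base + params_end,
        "packet_end": base + len(smb),
        "remaining": remaining,
        "problems": problems,
    }


def word_count_from_trailer(frame):
    """Recover WordCount from the outer dimensions, assuming (as the post does)
    that the real ByteCount is the last two bytes of the packet."""
    nbt_len = int.from_bytes(frame[1:4], "big")
    smb = frame[NBT_HEADER_LEN:NBT_HEADER_LEN + nbt_len]
    byte_count = struct.unpack_from("<H", smb, len(smb) - 2)[0]
    return (len(smb) - SMB_HEADER_LEN - 1 - 2 - byte_count) // 2


# Constructed sample: 50 parameter words (100 bytes), no data -> 135-byte body,
# the NetBIOS length from the capture. Parameter bytes 84..85 are A0 A7 so that
# a WordCount of 42 makes the word after the parameters read as 0xA7A0.
PARAMS = bytearray(100)
PARAMS[84:86] = b"\xa0\xa7"
GOOD = build_frame(SMB_COM_NT_CREATE_ANDX, bytes(PARAMS))                 # true WordCount 50
BAD = build_frame(SMB_COM_NT_CREATE_ANDX, bytes(PARAMS), word_count=42)   # short by 8 words

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("bad", BAD)):
        r = check_layout(frame, base=0x3A)
        print(name, "ok" if r["ok"] else "MISMATCH",
              "params %#x..%#x, end %#x, %d bytes after params" %
              (r["params_start"], r["params_end"], r["packet_end"], r["remaining"]))
        for p in r["problems"]:
            print("   ", p)
    print("WordCount implied by outer dimensions:", word_count_from_trailer(BAD))
```

Run as-is, the bad frame reports parameters at 0x5B..0xAF, packet end 0xC1, 18 trailing bytes and a ByteCount of 0xA7A0 that cannot fit, while the trailer-based recovery gives 50 words, 8 more than the WordCount field claims. Trusting the outer NetBIOS length and checking the inner counts against it, rather than walking the inner counts blindly, is what keeps such a frame from turning into an out-of-bounds read in a parser.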
