<div dir="auto">Isn't it using the LZXPRESS algorithm instead?</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jul 4, 2019, 8:14 PM Aurélien Aptel via cifs-protocol <<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Hello,<br>
<br>
I've been able to trigger a LZ77 compressed Read response against the latest<br>
Windows Server 2019 but I am unable to decompress it.<br>
<br>
Request<br>
=======<br>
<br>
SMB2 (Server Message Block Protocol version 2)<br>
[....]<br>
Read Request (0x08)<br>
StructureSize: 0x0031<br>
0000 0000 0011 000. = Fixed Part Length: 24<br>
.... .... .... ...1 = Dynamic Part: True<br>
Padding: 0x00<br>
Flags: 0x02, Compressed<br>
.... ...0 = Unbuffered: Client is NOT asking for UNBUFFERED read<br>
.... ..1. = Compressed: Client is asking for COMPRESSED data<br>
Read Length: 131072<br>
File Offset: 0<br>
GUID handle File: a<br>
File Id: 00000012-0004-0000-0100-000004000000<br>
[Frame handle opened: 52]<br>
Min Count: 0<br>
Channel: None (0x00000000)<br>
Remaining Bytes: 0<br>
Blob Offset: 0x00000000<br>
Blob Length: 0<br>
Channel Info Blob: NO DATA<br>
<br>
<br>
Response<br>
========<br>
<br>
0000 fc 53 4d 42 00 00 02 00 02 00 00 00 50 00 00 00 .SMB.... ....P...<br>
0010 fe 53 4d 42 40 00 02 00 00 00 00 00 08 00 0a 00 .SMB@... ........<br>
0020 01 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ........ ........<br>
0030 ff fe 00 00 01 00 00 00 35 00 00 00 00 10 00 00 ........ 5.......<br>
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........<br>
0050 11 00 50 00 00 00 02 00 00 00 00 00 00 00 00 00 ..P..... ........<br>
0060 ff ff ff 7f ff 07 00 0f ff 00 00 fc ff 01 00 ........ .......<br>
<br>
NetBIOS Session Service<br>
Message Type: Session message (0x00)<br>
Length: 111<br>
SMB2 (Server Message Block Protocol version 2)<br>
SMB2 Compression Transform Header<br>
ProtocolId: fc534d42<br>
OriginalSize: 131072<br>
CompressionAlgorithm: LZ77 (0x0002)<br>
Reserved: 0000<br>
Offset: 0x00000050<br>
<br>
<br>
Let's look again and annotate...<br>
<br>
<br>
0000 fc 53 4d 42 00 00 02 00 02 00 00 00 50 00 00 00 .SMB.... ....P...<br>
^^^^^^^^^^^ ^^^^^^^^^^^<br>
compression transform header compressed data offset = 0x50<br>
<br>
<br>
SMB2 header follows READ<br>
vvvvvvvvvvv vvvvv<br>
0010 fe 53 4d 42 40 00 02 00 00 00 00 00 08 00 0a 00 .SMB@... ........<br>
0020 01 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ........ ........<br>
0030 ff fe 00 00 01 00 00 00 35 00 00 00 00 10 00 00 ........ 5.......<br>
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........<br>
0050 11 00 50 00 00 00 02 00 00 00 00 00 00 00 00 00 ..P..... ........<br>
^^<br>
read data offset from SMB2 header is 0x50 again<br>
<br>
<br>
0060 ff ff ff 7f ff 07 00 0f ff 00 00 fc ff 01 00 ........ .......<br>
^^<br>
compressed data starts here (0x10 + 0x50 = 0x60)<br>
<br>
So the LZ77 compressed data is<br>
<br>
ff ff ff 7f ff 07 00 0f ff 00 00 fc ff 01 00<br>
<br>
I've tried to decode it using [MS-XCA] 2.4.4 "Plain LZ77 Decompression"<br>
[1] which has pseudo code that is easily runnable in python. I can<br>
decode the examples on that page fine:<br>
<br>
>>> decode(bytes.fromhex(" ff ff ff 1f 61 62 63 17 00 0f ff 26 01"))<br>
bytearray(b'abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc'+<br>
b'abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc'+<br>
b'abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc'+<br>
b'abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc'+<br>
b'abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc')<br>
<br>
But if I try to decode my compressed payload it is invalid:<br>
<br>
>>> decode(bytes.fromhex(" ff ff ff 7f ff 07 00 0f ff 00 00 fc ff 01 00"))<br>
Traceback (most recent call last):<br>
File "<stdin>", line 1, in <module><br>
File "lz.py", line 54, in decode<br>
raise Exception("error")<br>
<br>
This corresponds to this line in the pseudo-code:<br>
<br>
If MatchLength < 15 + 7<br>
Return error.<br>
<br>
And it fails in the very beginning after only outputting 1 byte<br>
(ff). The uncompressed payload should be all 0xFF.<br>
<br>
You can see and run the script online here [2].<br>
<br>
So, any ideas on what I'm missing? Is the LZ77 encoding used in the<br>
packet different? Am I misinterpreting some fields?<br>
<br>
1: <a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-xca/34cb9ab9-5ce6-42d7-a518-107c1c7c65e7" rel="noreferrer noreferrer" target="_blank">https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-xca/34cb9ab9-5ce6-42d7-a518-107c1c7c65e7</a><br>
2: <a href="https://ideone.com/7Lr6tN" rel="noreferrer noreferrer" target="_blank">https://ideone.com/7Lr6tN</a><br>
<br>
Cheers,<br>
-- <br>
Aurélien Aptel / SUSE Labs Samba Team<br>
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3<br>
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany<br>
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 21284 (AG Nürnberg)<br>
<br>
<br>
</blockquote></div>
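As an added example (not the script from the quoted message, nor Samba or Microsoft code), here is a Python decoder written from the [MS-XCA] 2.4.4 "Plain LZ77 Decompression" pseudocode with every length extension spelled out, including the path where the 2-byte length field is 00 00 and a 4-byte length follows; that is the path the captured payload takes (00 00 is followed by fc ff 01 00). It also enforces the OriginalSize from the SMB2 compression transform header so that a length on the wire cannot force an unbounded allocation, and it refuses match offsets that reach before the start of the output. The two inputs are the ones quoted in the message; the LZ77Error class and the original_size parameter are my own.

```python
import struct
class LZ77Error(ValueError): pass  # malformed, truncated or over-sized stream
# Constructed from the two inputs quoted in the message above.
XCA_EXAMPLE = bytes.fromhex("ff ff ff 1f 61 62 63 17 00 0f ff 26 01")
CAPTURED = bytes.fromhex("ff ff ff 7f ff 07 00 0f ff 00 00 fc ff 01 00")
def plain_lz77_decompress(data: bytes, original_size: int) -> bytes:
    # [MS-XCA] 2.4.4 Plain LZ77; original_size is OriginalSize from the transform header
    out = bytearray()
    pos = flags = nflags = 0; last_half = None  # input index with an unused high nibble
    try:
        while True:
            if nflags == 0:  # refill the 32-bit little-endian flag word
                flags = struct.unpack_from("<I", data, pos)[0]
                pos, nflags = pos + 4, 32
            nflags -= 1
            if not (flags >> nflags) & 1:  # flag bit 0: literal byte
                out.append(data[pos]); pos += 1
            else:  # flag bit 1: match, or end of stream when input is exhausted
                if pos == len(data):
                    break
                mb = struct.unpack_from("<H", data, pos)[0]; pos += 2
                length, offset = mb & 7, (mb >> 3) + 1
                if length == 7:  # length continues in a nibble shared by two matches
                    if last_half is None:
                        length, last_half = data[pos] & 0xF, pos; pos += 1
                    else:
                        length, last_half = data[last_half] >> 4, None
                    if length == 15:  # one extra byte
                        length = data[pos]; pos += 1
                        if length == 255:  # two extra bytes; zero means four bytes follow
                            length = struct.unpack_from("<H", data, pos)[0]; pos += 2
                            if length == 0:
                                length = struct.unpack_from("<I", data, pos)[0]; pos += 4
                            if length < 15 + 7:
                                raise LZ77Error("extended length below minimum")
                            length -= 15 + 7
                        length += 15
                    length += 7
                length += 3
                if offset > len(out):
                    raise LZ77Error("match offset reaches before start of output")
                if len(out) + length > original_size:
                    raise LZ77Error("match would exceed declared OriginalSize")
                for _ in range(length):  # byte-wise copy so overlap works (offset 1 = RLE)
                    out.append(out[-offset])
    except (IndexError, struct.error):
        raise LZ77Error("truncated input at offset %d" % pos) from None
    if len(out) != original_size:
        raise LZ77Error("decoded %d bytes, header declared %d" % (len(out), original_size))
    return bytes(out)
```

With original_size=131072 (the OriginalSize in the capture), CAPTURED decodes to 131072 bytes of 0xFF, and XCA_EXAMPLE with original_size=300 gives "abc" repeated 100 times.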