[cifs-protocol] [REG: 110080417580961] [MS-BKRP] 3.1.4.1 "misc" 0x00020000 value
Edgar Olougouna
edgaro at microsoft.com
Thu Aug 19 09:18:36 MDT 2010
Thanks for confirming that there is no "misc" parameter. I debugged this at the server side and noticed it was down to NDR marshaling.
Best regards,
Edgar
-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
Sent: Thursday, August 19, 2010 1:16 AM
To: Edgar Olougouna
Cc: mat at samba.org; pfif at tridgell.net; cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [cifs-protocol] [REG: 110080417580961] [MS-BKRP] 3.1.4.1 "misc" 0x00020000 value
Hi Matthieu,
> Issue verbatim
> ------------------
>
> So page 31 of MS-BKRP.pdf state that the message format for exchange is :
>
> NET_API_STATUS BackuprKey(
> [in] handle_t h,
> [in] GUID* pguidActionAgent,
> [in, size_is(cbDataIn)] byte* pDataIn, [in] DWORD cbDataIn, [out,
> size_is(,*pcbDataOut)] byte** ppDataOut, [out] DWORD* pcbDataOut, [in] DWORD dwParam ); I already asked if there is not some bytes after the dwParam.
>
> After analyzing the out message I have the impression that before the ppDataOut there is some kind of integer.
> Here is the hex dump of an output message:
>
> 00000000 00 00 02 00 44 00 00 00 00 00 00 00 8d 65 cd e4
> |....D........e..|
> 00000010 6c 93 62 22 48 e7 04 ff 0c 8f 0e 83 7a e4 dd d4
> |l.b"H.......z...|
> 00000020 4b d1 8e 74 95 67 4f 85 be a5 9c b7 7f fd 39 2c
> |K..t.gO.......9,|
> 00000030 54 bc a7 60 e4 e0 13 26 49 6f ca 35 ee bb 23 24
> |T..`...&Io.5..#$|
> 00000040 51 d4 4e c9 37 1d f0 9e 83 69 bd 10 44 00 00 00
> |Q.N.7....i..D...|
> 00000050 00 00 00 00 |....|
> 00000054
>
> so from byte 4 (0x44 ) we have clearly (at least to me) the ppDataOut
> variable that is NDR encoded (meaning that the size is specified
> before on the wire) up to byte 4B then we have the size (pcbDataOut)
> (0x44 0x00
> 0x00 0x00) and then the return code.
>
> I attach the out message extracted from the trace I sent last time.
> With the following samba idl:
>
> [public,nopush,nopull,noprint] WERROR bkrp_BackupKey (
> [in,ref] GUID *guidActionAgent,
> [in,ref] [subcontext(4)] uint8 *data_in,
> [in] uint32 data_in_len,
> [in] uint32 param,
> [out] uint32 misc,
> [out] DATA_BLOB secret,
> [out] uint32 data_out_len
> );
>
> We have the following result while using our ndrdump tool:
>
> pull returned NT_STATUS_OK
> bkrp_BackupKey: struct bkrp_BackupKey
> out: struct bkrp_BackupKey
> misc : 0x00020000 (131072)
> secret : DATA_BLOB length=68
> data_out_len : 0x00000044 (68)
> result : WERR_OK
> dump OK
>
> As I have also managed to get a correct
> BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID exchange I also witnessed that on
> the out message there is also "something" (that I named misc in our
> idl) (see the get_key_out file which is the extraction of out message on a BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID request). As the certificate that I extracted seems to be correct I pretty encline to think I am right as first we are able to parse the NDR encoded data, and that the result seems sensible.
> Can you see if my analysis is correct and if so can you give us the
> explanation of this "misc" parameter. If not, well please tell me the correct way to parse the message.
>
The "misc" parameter is the unique pointer.
[out, size_is(,*pcbDataOut)] byte** ppDataOut means a the first pointer is [ref] and the 2nd pointer is (pointer_default() of the interface, unique in this case) And the unique pointer points to an array of bytes with size *pcbDataOut.
metze
More information about the cifs-protocol
mailing list