[jcifs] Win2K: Primary Domain Fld of Ssn Setup Not Properly Zero Term'd

Allen, Michael B (RSCH) Michael_B_Allen at ml.com
Mon Aug 26 12:02:49 EST 2002


Clients should not check for *two* zero bytes after the Primary Domain field Unicode string
in SMB_COM_SESSION_SETUP_ANDX. You may only get *one* 0x00 byte. I'm almost
glad this is a bug in Win2K; I thought this was a bug in jCIFS. At least I have two articles of
evidence suggesting the bug is with Win2K. One is inlined here and the other is a PNG of a
pcap.

Aug 21 06:58:52.472 - bad string
00000: FF 53 4D 42 73 00 00 00 00 98 01 80 00 00 00 00  |ÿSMBs...........|
00010: 00 00 00 00 00 00 00 00 05 88 56 34 01 F8 04 00  |..........V4.ø..|
00020: 03 75 00 81 00 00 00 58 00 7C 57 00 69 00 6E 00  |.u.....X.|W.i.n.|
00030: 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 00  |d.o.w.s. .5...0.|
00040: 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00  |..W.i.n.d.o.w.s.|
00050: 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 00  | .2.0.0.0. .L.A.|
00060: 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 00  |N. .M.a.n.a.g.e.|
00070: 72 00 00 00 44 00 49 00 56 00 49 00 4E 00 45 00  |r...D.I.V.I.N.E.|
00080: 00 30 2D 4E 00 57 65 73 74 20 63 6F 70 79 20 73  |.0-N.West copy s|
                                                          ^
00090: 70 6F 74 00 43 75 62 65 20 31 30 31 30 20 43 6F  |pot.Cube 1010 Co|
000A0: 6C 6F 72 00 43 75 62 65 20 32 30 30 32 00 4F 66  |lor.Cube 2002.Of|
000B0: 66 69 63 65 20 32 30 33 2D 53 00 4C 6F 67 6F 6E  |fice 203-S.Logon|
000C0: 20 73 65 72 76 65 72 20 73 68 61 72 65 20 00 4F  | server share .O|
000D0: 66 66 69 63 65 20 31 30 30 34 00 4F 66 66 69 63  |ffice 1004.Offic|
000E0: 65 20 53 2D 32 30 36 00 4F 66 66 69 63 65 20 32  |e S-206.Office 2|
000F0: 30 35 2D 53 00 22 45 76 65 6E 74 20 6C 6F 67 67  |05-S."Event logg|

Actually, I should mention that in both cases these are
SMB_COM_SESSION_SETUP_ANDX responses with an
SMB_COM_TREE_CONNECT_ANDX response batched right after it. The PrimaryDomain
field is the last in this package. You can see the junk (NetShareEnum remarks) from when
the buffer was used previously, but this is only because the
SMB_COM_TREE_CONNECT_ANDX has not been decoded yet (which I thought might be a
concurrency issue in my implementation *phew*). This condition is also a little elusive,
which leads me to believe padding might also be involved, meaning the lengths of
preceding strings might need to be aligned just so, but I haven't investigated that.

 <<nozero.png>> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nozero.png
Type: application/octet-stream
Size: 14579 bytes
Desc: not available
Url : http://lists.samba.org/archive/jcifs/attachments/20020825/3f70470b/nozero.obj
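As an added example that is not part of the post or of the jCIFS code, the following Python decodes the inlined hex dump and reads the three Unicode string fields (NativeOS, NativeLanMan, PrimaryDomain) bounded by ByteCount, so that a PrimaryDomain followed by a single 0x00 at the end of the data block is accepted instead of scanning into the stale bytes that follow. The byte string is transcribed from the dump above; the function names are hypothetical, and the field layout assumed is the standard 32-byte SMB header followed by WordCount, AndXCommand, AndXReserved, AndXOffset, Action and ByteCount. A strict reader that insists on a 00 00 pair is included to show where it goes wrong on this buffer.

```python
"""Decode the SMB_COM_SESSION_SETUP_ANDX response quoted above and read its
Unicode string fields without requiring a two-byte terminator at the end of
the data block. Example code, not from the post or from jCIFS."""
import struct

# Bytes transcribed from the hex dump in the post (offsets 0x00-0x8F).
# Everything from offset 0x81 onward is stale buffer content from an earlier
# NetShareEnum reply, not part of this response.
DUMP_HEX = """
FF 53 4D 42 73 00 00 00 00 98 01 80 00 00 00 00
00 00 00 00 00 00 00 00 05 88 56 34 01 F8 04 00
03 75 00 81 00 00 00 58 00 7C 57 00 69 00 6E 00
64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 00
00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00
20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 00
4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 00
72 00 00 00 44 00 49 00 56 00 49 00 4E 00 45 00
00 30 2D 4E 00 57 65 73 74 20 63 6F 70 79 20 73
"""
BUF = bytes.fromhex(DUMP_HEX)

SMB_HEADER_LEN = 32
SMB_COM_SESSION_SETUP_ANDX = 0x73
FLAGS2_UNICODE = 0x8000


def read_unicode_string(buf, pos, end):
    """Read a UTF-16LE string at pos, never looking past end.

    Returns (text, next_pos, full_terminator). The string ends at a 00 00
    code unit, or at `end` when fewer than two bytes are left, so a lone
    trailing 00 (what Win2K sends for PrimaryDomain) is accepted.
    """
    cur = pos
    while cur + 1 < end:
        if buf[cur] == 0 and buf[cur + 1] == 0:
            return buf[pos:cur].decode("utf-16-le"), cur + 2, True
        cur += 2
    # An odd byte left over can only be a truncated terminator: consume it.
    return buf[pos:cur].decode("utf-16-le"), end, False


def read_unicode_string_strict(buf, pos, end):
    """The check the post warns against: insist on 00 00 inside the block.

    Returns the text, or None when no two-byte terminator exists before end.
    """
    cur = pos
    while cur + 1 < end:
        if buf[cur] == 0 and buf[cur + 1] == 0:
            return buf[pos:cur].decode("utf-16-le")
        cur += 2
    return None


def parse_session_setup_andx_response(buf):
    """Return the fixed fields and the three strings of the response."""
    if buf[:4] != b"\xffSMB" or buf[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not an SMB_COM_SESSION_SETUP_ANDX message")
    flags2 = struct.unpack_from("<H", buf, 10)[0]
    if not flags2 & FLAGS2_UNICODE:
        raise ValueError("only the Unicode form is handled here")
    word_count = buf[SMB_HEADER_LEN]
    if word_count != 3:
        raise ValueError("unexpected WordCount %d" % word_count)
    andx_cmd, _reserved, andx_offset, action = struct.unpack_from(
        "<BBHH", buf, SMB_HEADER_LEN + 1)
    bc_pos = SMB_HEADER_LEN + 1 + 2 * word_count
    byte_count = struct.unpack_from("<H", buf, bc_pos)[0]
    start = bc_pos + 2
    end = start + byte_count          # data block bound: never read past this
    if end > len(buf):
        raise ValueError("ByteCount runs past the buffer")
    pos = start + (start % 2)         # one pad byte aligns the UTF-16 strings
    native_os, pos, _ = read_unicode_string(buf, pos, end)
    native_lanman, pos, _ = read_unicode_string(buf, pos, end)
    primary_domain, pos, full = read_unicode_string(buf, pos, end)
    return {
        "andx_command": andx_cmd,
        "andx_offset": andx_offset,
        "action": action,
        "data_start": start,
        "data_end": end,
        "native_os": native_os,
        "native_lanman": native_lanman,
        "primary_domain": primary_domain,
        "primary_domain_fully_terminated": full,
    }


def strict_primary_domain(buf):
    """Where a two-null check lands on this buffer: None, i.e. off the end."""
    r = parse_session_setup_andx_response(buf)
    pos = r["data_start"] + (r["data_start"] % 2)
    for _ in range(2):                 # skip NativeOS and NativeLanMan
        _, pos, _ = read_unicode_string(buf, pos, r["data_end"])
    return read_unicode_string_strict(buf, pos, r["data_end"])


if __name__ == "__main__":
    r = parse_session_setup_andx_response(BUF)
    for k, v in r.items():
        print("%-32s %r" % (k, v))
    print("strict two-null read of PrimaryDomain:", strict_primary_domain(BUF))
```

On this dump ByteCount is 0x58 and the data block starts at offset 0x29, so it ends at 0x81, which is also the AndXOffset. "DIVINE" occupies 0x74 to 0x7F and only the single 00 at 0x80 is left inside the block; the bounded reader returns the name and reports the terminator as short, while the strict reader never finds a 00 00 pair before the bound and would have to scan into the stale NetShareEnum bytes to find one.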