[jcifs] Domain Corruption Quantified (Win98/ME non-compliance with CIFS std)

Matthew Tippett matthew at casero.com
Tue Dec 3 09:05:16 EST 2002


Managed to get the error repeatable. It is a little bit subtle, but 
still could be quite nasty.  It is a mix of CIFS non-compliance in the 
Win98 SMB codebase (as found in 98 and ME, nice one for you Chris).

Firstly, when reading in a number of bytes from the wire, they are placed 
into a 64k buffer which appears to be re-used.  Now Java initialises 
arrays to be full of '0's.

Then along comes the first request; the array is nice and pristine, and 
so the code scanning for the nulls finds one straight away and returns a 
'null' domain.

When the next request comes along, the buffer already has some extra 
data placed into it and so when it parses the data, it puts 'crap' in 
the URL field.

The CIFS standard defines the response as having the DOMAIN and DC 
fields when returning LANMAN2.1 responses.

The ethereal protocol dissector for SMB tries to get a string and, if 
the string is null, it calls it a day.  This can be seen in the dumps 
that I have made previously.

Soo...  To solve this, there are three options,

	o Look at the capabilities fields and determine if there is a
	o Zero out the buffer (Not recommended)
	o Look back at the Encryption key length field to determine what
	  the length of the key is.

I will await guidance for resolution.
