[jcifs] SmbComNTCreateAndX bug?

Michael B Allen miallen at ioplex.com
Sat Feb 23 01:27:35 GMT 2008


On Fri, 22 Feb 2008 23:22:41 +0000 (UTC)
Josh Cooper <josh.nw at gmail.com> wrote:

> Hi Michael,
> 
> I'm connecting to the srvsvc via DCE/RPC pipe. I frequently, but not always,
> get an error that the response has an invalid signature, even though the
> signature is actually correct.
> 
> I'm using jcifs-1.2.18e, and connecting to an XP machine. The ACME domain in
> which the target machine lives requires NTLM clients to sign messages (as set
> through group policy), and I've set the corresponding
> jcifs.smb.client.signingPreferred property.
> 
> In SmbFile, if CAP_NT_SMBS is true, and this is an instance of SmbNamedPipe,
> then we set response.isExtended = true. Then later in AndXServerMessageBlock,
> while reading the response, we advance the bufferIndex by 32 if isExtended is
> true:
> 
>  if( wordCount > 2 ) {
>    bufferIndex += readParameterWordsWireFormat( buffer, bufferIndex );
>    /* required for signing verification
>     */
>    if (command == SMB_COM_NT_CREATE_ANDX) {
>      if (((SmbComNTCreateAndXResponse)this).isExtended)
>        bufferIndex += 32;
>    }
>  ...
> 
>  byteCount = readInt2( buffer, bufferIndex ); bufferIndex += 2;
> 
> In my case, it's advancing the bufferIndex to the end of the real SMB data, and
> reading 0x3800 as the byteCount. For comparison, Ethereal reports the byteCount
> as 0, which jcifs would have done if it hadn't incremented the bufferIndex.
> 
> The bufferIndex is then incremented by the byteCount, and the response.length
> gets set incorrectly, which throws off signature verification.

If the client asks for an "extended" SMB_COM_NT_CREATE_ANDX response
(and from your debug output it did) the server should send one in which
case we have to consider the 32 bytes.

I would need to see a capture of the errant response to figure out what
is in fact going on.

Incidentally, the isExtended thing was added to make packets
identical to what was observed in captures with NetApp. But I don't
recall that it was something that NetApp actually required. It could
be that we could just cut out the whole isExtended business in
SmbFile.open0(). Unfortunately I do not have access to a NetApp machine
so now we have to assume it's necessary :-(

Mike

PS: If any NetApp customers out there know how to download the NetApp
simulator for Linux or VMWare I would be delighted to know about that.

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
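A worked illustration of the parse discussed in the thread, added here as an example and not code from jcifs or from either poster. It constructs both response shapes and shows how deciding "extended" from what the client requested, rather than from the WordCount the server actually sent, turns a ByteCount of 0 into 0x3800 and inflates the message length that signature verification then covers. It assumes the MS-SMB layout (standard response WordCount 34, extended response reports WordCount 42 but carries 32 extra parameter bytes); all field values and the trailer bytes are constructed.

```python
import struct

# Layout assumptions (from the MS-SMB description of the NT_CREATE_ANDX
# response): a standard response has WordCount 34 (68 parameter bytes); the
# extended response reports WordCount 42 but carries those 68 bytes plus 32
# more (VolumeGUID, FileId and the two maximal-access fields).
STD_WORDS, EXT_WORDS = 34, 42
STD_PARAM_BYTES = STD_WORDS * 2
EXT_EXTRA_BYTES = 32


def build_response(extended, byte_count=0, trailer=b""):
    """Constructed response body: WordCount, parameter block, ByteCount, data,
    then `trailer` (whatever follows the message in the receive buffer)."""
    params = bytes(STD_PARAM_BYTES + (EXT_EXTRA_BYTES if extended else 0))
    word_count = EXT_WORDS if extended else STD_WORDS
    return (bytes([word_count]) + params + struct.pack("<H", byte_count)
            + bytes(byte_count) + trailer)


def parse_response(buf, client_asked_extended=None):
    """Return (byte_count, message_length) for a response starting at buf[0].
    None: decide 'extended' from the WordCount the server sent.
    True/False: mimic the quoted jcifs logic and skip the 32 bytes based on
    what the client requested, whatever the server actually sent."""
    word_count = buf[0]
    idx = 1 + STD_PARAM_BYTES            # past WordCount and the 34 standard words
    extended = (word_count == EXT_WORDS) if client_asked_extended is None else client_asked_extended
    if extended:
        idx += EXT_EXTRA_BYTES
    byte_count = struct.unpack_from("<H", buf, idx)[0]
    return byte_count, idx + 2 + byte_count


# Constructed inputs. The standard response is followed by 32 trailer bytes
# ending in 00 38, so a parser that wrongly skips 32 bytes reads
# ByteCount = 0x3800, the value reported in the thread.
STANDARD = build_response(False, trailer=bytes(30) + b"\x00\x38")
EXTENDED = build_response(True)


def demo():
    """Print the three cases; the first reproduces the mis-parse."""
    cases = (("standard, skip as client requested", STANDARD, True),
             ("standard, decide from WordCount", STANDARD, None),
             ("extended, decide from WordCount", EXTENDED, None))
    for label, buf, asked in cases:
        bc, length = parse_response(buf, asked)
        print(f"{label}: ByteCount=0x{bc:04x} length={length} (buffer {len(buf)})")
```

Because the SMB signature is computed over the whole message, a length that overshoots the real message changes the digested bytes, which is why a correct signature is reported as invalid.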
