svn commit: samba r4885 - in branches/SAMBA_4_0/source: include
libcli libcli/nbt librpc librpc/idl librpc/ndr
Andrew Tridgell
tridge at osdl.org
Fri Jan 21 21:01:48 GMT 2005
Chris,
> Building a client library was on the top of my
> when-I-get-a-minute-to-breath list. Ah, well...
sorry :-)
> - Why use IDL? The packet formats are well-known, simple, and not likely
> to change. Hard-coding them might take a little more time and require a
> bit more careful debugging, but once done they'd be done.
I am really delighted with how IDL has turned out for this. The Samba3
code for NBT name packet parsing was very complex and incomplete. The
full rfc1002 format is much more complex than it appears at first
glance (if you want to get all the details right), and is a
surpisingly good fit for IDL.
> - I'm a big fan of randomizing packet IDs, but I can't think of a good
> reason to do so for NBT TRNs since (as far as I know) there's nothing
> that makes use of packet sequence. What is gained?
Nothing makes use of them? The name_trn_id is the key to matching
response records to queries. It is the _only_ field you can use to do
this! So if you want to have lots of queries in flight at once (which
we do) then you have to do two things:
1) guarantee that you don't use an id that is already in use by a
pending query
2) use an id that is less likely to accidentally collide (remember
that some NBT servers send replies to the wrong port).
The idtree code plus random() is ideal for this. Using idtree means
that even if we have 20 thousand outstanding packets we still only
take a instructions to find the matching record (no more linear linked
lists for response records!).
It also makes name takeover attacks on switched networks that use wins
much harder, as the attacker needs to send a huge number of packets to
have a good chance of getting a hit. That makes it more likely the
attack will be noticed. You can't make nbt completely secure, but this
is about as close as you can get.
Just to give you an idea of the advantages of using IDL, here is what
smbclient prints at maximum debug level. This printout comes from this
code:
if (DEBUGLVL(10)) {
DEBUG(10,("Received nbt packet of length %d from %s:%d\n",
blob.length, src_addr, src_port));
NDR_PRINT_DEBUG(nbt_name_packet, packet);
}
that tiny bit of code generates the following debug log.
Received nbt packet of length 62 from 192.168.115.5:137
packet: struct nbt_name_packet
name_trn_id : 0xeff2 (61426)
operation : 0x8580 (34176)
0x00: NBT_RCODE (0)
0: NBT_FLAG_BROADCAST
1: NBT_FLAG_RECURSION_AVAIL
1: NBT_FLAG_RECURSION_DESIRED
0: NBT_FLAG_TRUNCATION
1: NBT_FLAG_AUTHORITIVE
0x00: NBT_OPCODE (0)
1: NBT_FLAG_REPLY
qdcount : 0x0000 (0)
ancount : 0x0001 (1)
nscount : 0x0000 (0)
arcount : 0x0000 (0)
questions : *
questions: ARRAY(0)
answers : *
answers: ARRAY(1)
[0]: struct nbt_res_rec
name: struct nbt_name
name : 'WIN2003'
scope : NULL
type : NBT_NAME_SERVER (0x20)
rr_type : NBT_QTYPE_NETBIOS (0x20)
rr_class : NBT_QCLASS_IP (0x1)
ttl : 0x00000000 (0)
rdata : union nbt_rdata(case 32)
netbios: struct nbt_rdata_netbios
nb_flags : 0x6000 (24576)
0: NBT_NM_PERMANENT
0: NBT_NM_ACTIVE
0: NBT_NM_CONFLICT
0: NBT_NM_DEREGISTER
0x03: NBT_NM_OWNER_TYPE (3)
0: NBT_NM_GROUP
ipaddr : 0xc0a87305 (3232264965)
nsrecs : *
nsrecs: ARRAY(0)
additional : *
additional: ARRAY(0)
padding : DATA_BLOB length=0
It's like having a little packet analyser built in, and makes
debugging difficult problems _much_ easier. It all comes for free with
pidl :-)
Cheers, Tridge
More information about the samba-cvs
mailing list