svn commit: samba r4885 - in branches/SAMBA_4_0/source: include libcli libcli/nbt librpc librpc/idl librpc/ndr

Andrew Tridgell tridge at
Fri Jan 21 20:58:48 GMT 2005


 > Building a client library was on the top of my 
 > when-I-get-a-minute-to-breath list.  Ah, well...

sorry :-)

 > - Why use IDL?  The packet formats are well-known, simple, and not likely 
 >   to change.  Hard-coding them might take a little more time and require a 
 >   bit more careful debugging, but once done they'd be done.

I am really delighted with how IDL has turned out for this. The Samba3
code for NBT name packet parsing was very complex and incomplete. The
full rfc1002 format is much more complex than it appears at first
glance (if you want to get all the details right), and is a
surprisingly good fit for IDL.

 > - I'm a big fan of randomizing packet IDs, but I can't think of a good
 >   reason to do so for NBT TRNs since (as far as I know) there's nothing
 >   that makes use of packet sequence.  What is gained?

Nothing makes use of them? The name_trn_id is the key to matching
response records to queries. It is the _only_ field you can use to do
this! So if you want to have lots of queries in flight at once (which
we do) then you have to do two things:

 1) guarantee that you don't use an id that is already in use by a
    pending query
 2) use an id that is less likely to accidentally collide (remember
    that some NBT servers send replies to the wrong port).

The idtree code plus random() is ideal for this. Using idtree means
that even if we have 20 thousand outstanding packets we still only
take a few instructions to find the matching record (no more linear linked
lists for response records!).

It also makes name takeover attacks on switched networks that use WINS
much harder, as the attacker needs to send a huge number of packets to
have a good chance of getting a hit. That makes it more likely the
attack will be noticed. You can't make nbt completely secure, but this
is about as close as you can get.

Just to give you an idea of the advantages of using IDL, here is what
smbclient prints at maximum debug level. This printout comes from this
code:
	if (DEBUGLVL(10)) {
		DEBUG(10,("Received nbt packet of length %d from %s:%d\n", 
			  blob.length, src_addr, src_port));
		NDR_PRINT_DEBUG(nbt_name_packet, packet);
	}

That tiny bit of code generates the following debug log:

Received nbt packet of length 62 from
    packet: struct nbt_name_packet
        name_trn_id              : 0xeff2 (61426)
        operation                : 0x8580 (34176)
            0x00: NBT_RCODE                 (0)
               0: NBT_FLAG_BROADCAST       
               1: NBT_FLAG_RECURSION_AVAIL 
               0: NBT_FLAG_TRUNCATION      
               1: NBT_FLAG_AUTHORITIVE     
            0x00: NBT_OPCODE                (0)
               1: NBT_FLAG_REPLY           
        qdcount                  : 0x0000 (0)
        ancount                  : 0x0001 (1)
        nscount                  : 0x0000 (0)
        arcount                  : 0x0000 (0)
        questions                : *
            questions: ARRAY(0)
        answers                  : *
            answers: ARRAY(1)
                [0]: struct nbt_res_rec
                    name: struct nbt_name
                        name                     : 'WIN2003'
                        scope                    : NULL
                        type                     : NBT_NAME_SERVER (0x20)
                    rr_type                  : NBT_QTYPE_NETBIOS (0x20)
                    rr_class                 : NBT_QCLASS_IP (0x1)
                    ttl                      : 0x00000000 (0)
                    rdata                    : union nbt_rdata(case 32)
                    netbios: struct nbt_rdata_netbios
                        nb_flags                 : 0x6000 (24576)
                               0: NBT_NM_PERMANENT         
                               0: NBT_NM_ACTIVE            
                               0: NBT_NM_CONFLICT          
                               0: NBT_NM_DEREGISTER        
                            0x03: NBT_NM_OWNER_TYPE         (3)
                               0: NBT_NM_GROUP             
                        ipaddr                   : 0xc0a87305 (3232264965)
        nsrecs                   : *
            nsrecs: ARRAY(0)
        additional               : *
            additional: ARRAY(0)
        padding                  : DATA_BLOB length=0

It's like having a little packet analyser built in, and makes
debugging difficult problems _much_ easier. It all comes for free with
pidl :-)

Cheers, Tridge
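Added example, not Samba's code and not part of the post above: the two
technical points in the message, matching replies to pending queries on
nothing but a random, non-colliding name_trn_id, and parsing the rfc1002
name packet, worked through in Python. PendingQueries is a stand-in for
Samba's idtree plus random() (a dict and secrets.randbelow(), an assumption
of this example, not how Samba implements it). The parser covers the
header flags, questions, the three resource-record sections and NB rdata,
and rejects truncated or malformed input with ValueError. SAMPLE_REPLY is
constructed to match the printout (62 bytes, WIN2003<20> at
192.168.115.5); nothing here was captured from a real server.

```python
"""RFC 1002 name packets: name_trn_id bookkeeping plus a packet parser.
Added example, not Samba's code. PendingQueries stands in for idtree + random();
SAMPLE_REPLY is constructed to match the 62-byte reply in the debug printout."""
import ipaddress
import secrets
import struct
OP_REPLY, OP_AA, OP_TC, OP_RD, OP_RA, OP_B = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0010
QTYPE_NB = 0x20

class PendingQueries:
    """Queries in flight keyed by name_trn_id: ids are random and never reused while live."""
    def __init__(self):
        self._pending = {}

    def allocate(self, query):
        if len(self._pending) >= 0x10000:
            raise RuntimeError("all 65536 name_trn_id values are in use")
        while True:
            trn_id = secrets.randbelow(0x10000)
            if trn_id not in self._pending:          # never collide with a pending id
                self._pending[trn_id] = query
                return trn_id

    def match(self, trn_id):
        return self._pending.pop(trn_id, None)       # None: unsolicited (or replayed) reply

def encode_nbt_name(name, name_type, scope=None):
    """First-level encode NAME<type> (RFC 1002 4.1): 16 raw bytes -> 32 letters A-P."""
    raw = name.encode("ascii").ljust(15, b" ") + bytes([name_type])
    out = bytes([32]) + bytes(0x41 + n for b in raw for n in (b >> 4, b & 0xF))
    for part in filter(None, (scope or "").split(".")):
        out += bytes([len(part)]) + part.encode("ascii")
    return out + b"\x00"

def decode_nbt_name(buf, off):
    """Inverse of encode_nbt_name; returns (name, type, scope, next offset)."""
    if off + 33 > len(buf) or buf[off] != 32:
        raise ValueError("malformed NetBIOS name label")
    nibbles = [c - 0x41 for c in buf[off + 1:off + 33]]
    if any(not 0 <= n < 16 for n in nibbles):
        raise ValueError("bad first-level encoding")
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    off, scope = off + 33, []
    while True:                                      # scope labels up to the 0 terminator
        if off >= len(buf):
            raise ValueError("unterminated name")
        ln, off = buf[off], off + 1
        if ln == 0:
            break
        if ln & 0xC0 or off + ln > len(buf):         # compression pointers not handled here
            raise ValueError("bad scope label")
        scope.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], ".".join(scope) or None, off

def _unpack(fmt, buf, off):                          # bounds-checked struct.unpack_from
    size = struct.calcsize(fmt)
    if off + size > len(buf):
        raise ValueError("packet truncated")
    return struct.unpack_from(fmt, buf, off), off + size

def parse_nbt_name_packet(buf):
    """Header, questions and answers/nsrecs/additional; NB rdata decoded to (flags, ip)."""
    (trn_id, op, qd, an, ns, ar), off = _unpack("!6H", buf, 0)
    pkt = {"name_trn_id": trn_id, "reply": bool(op & OP_REPLY), "opcode": (op >> 11) & 0xF,
           "rcode": op & 0xF, "authoritative": bool(op & OP_AA), "truncation": bool(op & OP_TC),
           "recursion_desired": bool(op & OP_RD), "recursion_avail": bool(op & OP_RA),
           "broadcast": bool(op & OP_B), "questions": [], "answers": [], "nsrecs": [], "additional": []}
    for _ in range(qd):
        name, ntype, scope, off = decode_nbt_name(buf, off)
        (qtype, qclass), off = _unpack("!HH", buf, off)
        pkt["questions"].append({"name": name, "type": ntype, "scope": scope, "qtype": qtype, "qclass": qclass})
    for section, count in (("answers", an), ("nsrecs", ns), ("additional", ar)):
        for _ in range(count):
            name, ntype, scope, off = decode_nbt_name(buf, off)
            (rr_type, rr_class, ttl, rdlen), off = _unpack("!HHIH", buf, off)
            (rdata,), off = _unpack("!%ds" % rdlen, buf, off)        # bounds-checked rdata
            if rr_type == QTYPE_NB:                                  # nb_flags + IPv4, 6 bytes each
                if rdlen % 6:
                    raise ValueError("NB rdata is not a multiple of 6 bytes")
                rdata = [(struct.unpack_from("!H", rdata, i)[0], str(ipaddress.IPv4Address(bytes(rdata[i + 2:i + 6]))))
                         for i in range(0, rdlen, 6)]
            pkt[section].append({"name": name, "type": ntype, "scope": scope, "rr_type": rr_type,
                                 "rr_class": rr_class, "ttl": ttl, "rdata": rdata})
    pkt["padding"] = buf[off:]                                       # trailing bytes, if any
    return pkt

def build_name_query_response(trn_id, name, name_type, ip, nb_flags=0x6000, ttl=0):
    """Positive Name Query Response (RFC 1002 4.2.13) with the flags seen in the printout."""
    rdata = struct.pack("!H", nb_flags) + ipaddress.IPv4Address(ip).packed
    rr = encode_nbt_name(name, name_type) + struct.pack("!HHIH", QTYPE_NB, 1, ttl, len(rdata)) + rdata
    return struct.pack("!6H", trn_id, OP_REPLY | OP_AA | OP_RD | OP_RA, 0, 1, 0, 0) + rr

# Constructed to match the printout: name_trn_id 0xeff2, WIN2003<20> at 192.168.115.5
SAMPLE_REPLY = build_name_query_response(0xEFF2, "WIN2003", 0x20, "192.168.115.5")

def handle_reply(pending, buf):
    """Per datagram: parse, then accept only a reply whose id matches a pending query."""
    pkt = parse_nbt_name_packet(buf)
    query = pending.match(pkt["name_trn_id"]) if pkt["reply"] else None
    return None if query is None else (query, pkt)
```

handle_reply() is the per-datagram path: a reply whose name_trn_id is not
pending, including a replay of an id that has already been answered, is
dropped, which is what forces a blind spoofer on a switched network to
guess across the whole 16-bit space rather than predict the next id.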
