Parsing array and its size in EcDoRpcExt2

Harsha inet.harsha at
Mon Apr 27 22:38:15 GMT 2009

Hi all,

I am writing a dissector for Wireshark for MAPI protocol and was
trying to parse a DCERPC message. The code comments in Wireshark
mentioned that the Samba folks maintain the DCERPC part, so I figured
that this would be the best place to post my question.

I was trying to parse this MSRPC function in Wireshark-

long __stdcall EcDoRpcExt2(
[in, out, ref] CXH * pcxh, [in, out] unsigned long *pulFlags,
[in, size_is(cbIn)] unsigned char rgbIn[],
[in] unsigned long cbIn, <br/>
[out, length_is(*pcbOut), size_is(*pcbOut)] unsigned char rgbOut[],
[in, out] BIG_RANGE_ULONG *pcbOut, <br/>
[in, size_is(cbAuxIn)] unsigned char rgbAuxIn[],
[in] unsigned long cbAuxIn, [out, length_is(*pcbAuxOut),
size_is(*pcbAuxOut)] unsigned char rgbAuxOut[],
[in, out] SMALL_RANGE_ULONG *pcbAuxOut,
[out] unsigned long *pulTransTime

I'm stuck trying to parse

[in, size_is(cbIn)] unsigned char rgbIn[],
[in] unsigned long cbIn,

The problem I see is that we first have the array and then it length.

I did a quick read of the relevant part of DCE RPC specs, but in all
the cases I saw it always had the size and then the array. In those
cases it is trivial to first extract the size and use the size to
extract the array contents.

I'm sure it is not a typo in the spec, so clearly I'm missing
something. Can someone please clarify how to parse the array field ?

Any pointers/ suggestions/ hints welcome.

Many thanks,

More information about the samba-technical mailing list