[Wireshark-dev] Parsing array and its size in EcDoRpcExt2

Sam Liddicott sam at liddicott.com
Tue Apr 28 07:04:12 GMT 2009

Just for completeness, pidl supports the nodiscriminant attribute which avoids encoding the length twice, but then it must occur before the array in the I.

Wireshark does not support nodiscriminant though, last time I checked.


-----Original Message-----
From: ronnie sahlberg <ronniesahlberg at gmail.com>
Sent: Tuesday, April 28, 2009 4:59 AM
To: Developer support list for Wireshark <wireshark-dev at wireshark.org>
Cc: devel at lists.openchange.org; samba-technical at lists.samba.org
Subject: Re: [Wireshark-dev] Parsing array and its size in EcDoRpcExt2

There are a number of places where the "length" variable comes after the
I think there are even places where there are other variables separating the
"length" and the array apart in some places.

This is all allowed in DCE/RPC and the reason for this is that "length" is
just a normal variable.
When used in this way
   [length_is(len)] foo_t entries[];
   int len;

This will actually encode "len" twice on the wire.
First it will encode the array like this :

uint32_t  "length" (*)
element 0
element 1
element len-1

I.e. the length of the array is encoded together with the array and it
contains the value of "length" as the length of the array.

A short while later you will then also have the variable "length" itself
being encoded with obviously the same value.

I.e. "length" is encoded twice, first it is encoded as part of the
(conformance data of the) array itself
and a second time as the variable "length" itself.
Therefore it does not matter where in the IDL you specify the array and its
length in relation to each other.

(* this is a simplified example, the array size "length" is actually not
encoded at the head of the array but much earlier in the byte-sequence. It
is actually encoded at the head of the encapsulating structure)

ronnie sahlberg

On Tue, Apr 28, 2009 at 10:32 AM, Harsha <inet.harsha at gmail.com> wrote:

> On Mon, Apr 27, 2009 at 3:38 PM, Harsha <inet.harsha at gmail.com> wrote:
> > I did a quick read of the relevant part of DCE RPC specs, but in all
> > the cases I saw it always had the size and then the array. In those
> > cases it is trivial to first extract the size and use the size to
> > extract the array contents.
> Here is an example in Wireshark code where the length of the array and
> then the array are extracted-
> void ept_lookup(
> [in] handle_t hEpMapper,
> [in] unsigned long inquiry_type,
> [in, ptr] UUID* object,
> [in, ptr] RPC_IF_ID* Ifid,
> [in] unsigned long vers_option,
> [in, out] 

[The entire original message is not included]
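
An added example, not part of the thread and not Wireshark or pidl code: a bounds-checked parser for the simplified layout ronnie sahlberg describes (count, elements, then the "len" variable again), which rejects a buffer where the two encodings of the length disagree. The function name, error codes, 32-bit little-endian elements and sample bytes are assumptions; real NDR places the count at the head of the enclosing structure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this example. */
enum { ERR_TRUNCATED = -1, ERR_TOO_MANY = -2, ERR_MISMATCH = -3 };

/* Read a little-endian uint32 (byte order is an assumption here). */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Layout: uint32 count, count x uint32 elements, uint32 len.
 * Returns the element count, or a negative error code.
 * cap is the capacity of out and is assumed to fit in an int. */
int parse_entries(const uint8_t *buf, size_t buflen, uint32_t *out, size_t cap)
{
    if (buflen < 4)
        return ERR_TRUNCATED;
    uint32_t count = rd32(buf);
    if (count > cap)                 /* never trust the wire for sizing */
        return ERR_TOO_MANY;
    /* Need count elements plus the trailing len; divide instead of
     * multiplying so an attacker-chosen count cannot overflow. */
    if ((buflen - 4) / 4 <= count)
        return ERR_TRUNCATED;
    for (uint32_t i = 0; i < count; i++)
        out[i] = rd32(buf + 4 + 4 * (size_t)i);
    uint32_t len = rd32(buf + 4 + 4 * (size_t)count);
    if (len != count)                /* the two encodings must agree */
        return ERR_MISMATCH;
    return (int)count;
}

/* Constructed sample buffers, not captured traffic. */
static const uint8_t SAMPLE_OK[]       = { 2,0,0,0, 10,0,0,0, 20,0,0,0, 2,0,0,0 };
static const uint8_t SAMPLE_MISMATCH[] = { 2,0,0,0, 10,0,0,0, 20,0,0,0, 3,0,0,0 };
static const uint8_t SAMPLE_SHORT[]    = { 3,0,0,0, 10,0,0,0, 20,0,0,0, 3,0,0,0 };
static const uint8_t SAMPLE_HUGE[]     = { 0xff,0xff,0xff,0x3f, 0,0,0,0 };
uint32_t sample_out[8];

int main(void)
{
    printf("ok=%d\n", parse_entries(SAMPLE_OK, sizeof SAMPLE_OK, sample_out, 8));
    printf("mismatch=%d\n", parse_entries(SAMPLE_MISMATCH, sizeof SAMPLE_MISMATCH, sample_out, 8));
    printf("short=%d\n", parse_entries(SAMPLE_SHORT, sizeof SAMPLE_SHORT, sample_out, 8));
    printf("huge=%d\n", parse_entries(SAMPLE_HUGE, sizeof SAMPLE_HUGE, sample_out, 8));
    return 0;
}
```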
