lsa_string/lsa_stringlarge null terminator and buffer size

Matthieu Patou mat+Informatique.Samba at
Thu Jul 9 10:57:52 MDT 2009

Dear all,

I found some strange things while creating a patch for the netlogon
dissector for Wireshark; I think they can lead (or already have led) to
problems.

Samba uses the types lsa_string and lsa_stringlarge to map the type
RPC_UNICODE_STRING as it is used in MS-NRPC (but certainly not only there).
I guess that large is used when we want to have size > len (in order to
include null terminators); Windows only uses the same type, but sometimes
len=size and sometimes not, cf. the Wkst Os entry of packet 13 (value
Windows XP Pro). Usually for the latter case the spec indicates that the
string is null terminated; for instance, that is the case for this entry,
which is OsName, described on page 38.

After a few chats on IRC and reading the IDL for netlogon, I have the
impression Samba only reads the number of bytes indicated by len (because
it's a lsa_string). In this case reading or not reading those bytes is
harmless because the next string is an empty dummy string, but what would
happen if it wasn't the case? The read is shifted by 2 bytes.
In the particular example of this call to GetDomainInfo, if tomorrow the
dummy 3 entry starts to be used, the Max Count and Actual Count will be
multiplied by 2^16 if I'm not wrong ...

It seems that the problem doesn't only appear in the case Microsoft =>
Samba but also in the opposite direction.
If we have a look at the Server Attribute of frame 40 (value TEST),
which corresponds to the "Logon server" attribute on page 14 of MS-PAC or
page 57 of MS-NRPC, it is not stated to be null terminated, so I think that
len should be equal to size. It's not the case (first problem).
But what is even worse is that samba4 advertises that the data can occupy
10 bytes where in fact it just uses 8 (no terminators). I do not know the
heuristic of Windows, but it can clearly break something (well, at least
my dissector was broken for 1/2 hour) if it really reads the whole
thing ... (byte shifting).

Find attached the keytab of the workstation and the capture (you'll need
a recent Wireshark svn with my patch for netlogon decryption in order to
see the traffic).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rpc
Type: application/octet-stream
Size: 10962 bytes
Desc: not available
Url :
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb400001.keytab
Type: application/octet-stream
Size: 67 bytes
Desc: not available
Url :
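
The byte shifting described in the message above, as an added example that is not part of the original post and is not Samba or Wireshark code. It assumes a simplified wire layout (max count, offset and actual count as 4-byte little-endian values ahead of the UTF-16 data); the sample bytes are constructed and the names rd32 and next_field are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: deferred body of a counted UTF-16 string "TEST" sent with
 * its terminator (header Length=8, MaximumLength=10), then a 4-byte field. */
static const uint8_t sample[] = {
    5,0,0,0, 0,0,0,0, 5,0,0,0,        /* max count, offset, actual count */
    'T',0,'E',0,'S',0,'T',0, 0,0,     /* 4 characters + null terminator  */
    0,0,                              /* padding to a 4-byte boundary    */
    0x44,0x33,0x22,0x11               /* next field: 0x11223344          */
};

static uint32_t rd32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Return the 4-byte field that follows the string body, or -1 if the buffer
 * is short or the counts disagree. trust_len=1 skips hdr_len bytes (the
 * reading the post worries about); trust_len=0 skips actual count * 2 bytes. */
static int64_t next_field(const uint8_t *b, size_t n, uint16_t hdr_len,
                          uint16_t hdr_size, int trust_len)
{
    if (n < 12) return -1;
    uint32_t max = rd32(b), off = rd32(b + 4), act = rd32(b + 8);
    size_t body = hdr_len;
    if (!trust_len) {
        /* Wire counts must fit the header: no offset, actual <= max,
         * max within MaximumLength, Length within the bytes present. */
        if (off != 0 || act > max || max > hdr_size / 2u || hdr_len > act * 2u)
            return -1;
        body = (size_t)act * 2;
    }
    size_t pos = (12 + body + 3) & ~(size_t)3;   /* 4-byte alignment */
    if (pos + 4 > n) return -1;
    return rd32(b + pos);
}

int main(void)
{
    printf("trusting Length:       0x%08llx\n",
           (unsigned long long)next_field(sample, sizeof sample, 8, 10, 1));
    printf("trusting actual count: 0x%08llx\n",
           (unsigned long long)next_field(sample, sizeof sample, 8, 10, 0));
    return 0;
}
```

In this sample the Length-trusting reader lands on the terminator and padding and returns 0 instead of the real field; the exact misread depends on where the 4-byte alignment falls.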
