lsa_string/lsa_stringlarge null terminator and buffer size
Matthieu Patou
mat+Informatique.Samba at matws.net
Thu Jul 9 10:57:52 MDT 2009
Dear all,
I found some strange things while creating a patch for the netlogon dissector
for Wireshark; I think it can lead (or has already led) to problems.
Samba is using the types lsa_string and lsa_stringlarge for mapping the type
RPC_UNICODE_STRING as it is used in MS-NRPC (but certainly not only there).
I guess that large is used when we want to have size > len (in order to
include null terminators); Windows only uses the same type, but sometimes
len=size and sometimes not, cf. the Wkst Os entry of packet 13 (value Windows XP
Pro). Usually for the latter case it's indicated in the spec that the
string is null terminated; for instance with this entry, which is OsName
described on page 38, it is the case.
After a few chats on IRC and reading the IDL for netlogon, I have the
impression Samba only reads the number of bytes indicated by len (because
it's an lsa_string). In this case reading or not reading those bytes is harmless
because the next string is an empty dummy string, but what would happen
if it wasn't the case? The read is shifted by 2 bytes.
In the particular example of this call to GetDomainInfo, if tomorrow the
dummy 3 entry starts to be used, the Max Count and Actual Count will be
multiplied by 2^16 if I'm not wrong ...
It seems that the problem doesn't only appear in the case microsoft =>
samba but also in the opposite direction.
If we have a look at the Server Attribute of frame 40 (value TEST),
which corresponds to the "Logon server" attribute on page 14 of MS-PAC or
page 57 of MS-NRPC, it is not stated to be null terminated, so I think that
len should be equal to size. It's not the case (first problem).
But what is even worse is that Samba4 advertises that the data can occupy 10
bytes where in fact it just uses 8 (no terminators). I do not know the
heuristic of Windows but it can clearly break something (well, at least
my dissector was broken for half an hour) if it really reads the whole
thing ... (byte shifting).
Find attached the keytab of the workstation and the capture (you'll need
a recent Wireshark svn with my patch for netlogon decryption in order to
see the traffic).
Matthieu
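The len/size conventions discussed in this post, as an added example (not Samba or Wireshark code): an encoder for both the lsa_String (size == len) and lsa_StringLarge (size == len + 2) conventions, and a decoder that checks the header fields against the deferred Max Count / Actual Count, reports whether a NUL was actually transmitted, and flags any byte shift left over at the end of the buffer. The struct layout (all 8-byte headers first, then the deferred buffers in order) and the referent ids are assumptions for the example.

```python
import struct

# Added example, not Samba or Wireshark code. Assumed layout: the 8-byte
# RPC_UNICODE_STRING headers of one struct come first, followed by each
# string's deferred conformant-varying buffer, 4-byte aligned, in order.

def encode_strings(entries):
    """entries: list of (text, large). large=True uses the lsa_StringLarge
    convention (size = len + 2, room for a terminator); large=False uses
    lsa_String (size == len). Only len bytes of UTF-16LE go on the wire."""
    headers, bodies = b"", b""
    for i, (text, large) in enumerate(entries):
        data = text.encode("utf-16-le")
        length = len(data)
        size = length + 2 if large else length
        headers += struct.pack("<HHI", length, size, 0x20000 + 4 * i)  # ref id
        body = struct.pack("<III", size // 2, 0, length // 2) + data
        bodies += body + b"\x00" * (-len(body) % 4)  # NDR pads to 4 bytes
    return headers + bodies

def decode_strings(buf, count):
    """Decode `count` strings and report len/size/actual-count mismatches,
    whether a NUL was actually transmitted, and any leftover byte shift."""
    headers = [struct.unpack_from("<HHI", buf, 8 * i) for i in range(count)]
    pos, out = 8 * count, []
    for length, size, ref in headers:
        if ref == 0:
            out.append({"text": None, "issues": ["NULL pointer"]})
            continue
        max_count, offset, actual = struct.unpack_from("<III", buf, pos)
        data = buf[pos + 12:pos + 12 + 2 * actual]
        pos += 12 + 2 * actual
        pos += -pos % 4  # re-align before the next deferred buffer
        issues = []
        if length > size:
            issues.append("len > size")
        if 2 * actual != length:
            issues.append("actual count disagrees with len")
        if 2 * max_count != size:
            issues.append("max count disagrees with size")
        if offset:
            issues.append("non-zero offset")
        text = data.decode("utf-16-le")
        out.append({"text": text.rstrip("\x00"), "len": length, "size": size,
                    "wire_nul": text.endswith("\x00"), "issues": issues})
    if pos != len(buf):
        out.append({"text": None, "issues": [f"consumed {pos} of {len(buf)} bytes"]})
    return out
```

Passing a text that already ends in "\x00" to encode_strings models a sender that counts the terminator in len, and the decoder then reports wire_nul as True.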
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rpc
Type: application/octet-stream
Size: 10962 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090709/cf1420a2/rpc-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb400001.keytab
Type: application/octet-stream
Size: 67 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090709/cf1420a2/smb400001-0001.obj