NetShareEnum: disable sanity check for better compatibility with Windows

Giovanni Bajo rasky at develer.com
Sun Jan 10 06:03:50 MST 2010 

Il giorno dom, 06/12/2009 alle 14.31 +0100, Giovanni Bajo ha scritto:
> Il giorno dom, 29/11/2009 alle 14.46 +0100, Volker Lendecke ha scritto:
> > On Sun, Nov 29, 2009 at 02:15:18PM +0100, Giovanni Bajo wrote:
> > > the attached patches increase Samba compatibility with Windows by
> > > disabling a sanity check which prevents Samba from issuing an answer to
> > > a NetShareEnum request in case of a corrupted (invalid) packet.
> > > 
> > > Long version. I have recently bought a Samsung BD-P3600 bluray player.
> > > This unit has wired/wifi connection and a primitive/buggy support for
> > > streaming files off Windows shares. It works well if the shares are on a
> > > Windows PC, but it fails to detect shares on Linux and Mac OSX. I
> > > investigated the problem and it turns out that the bluray player sends
> > > an invalid packet:
> > > 
> > > 0000  00 1b fc 91 80 08 00 12  fb 2a d9 7c 08 00 45 00   ........ .*.|..E.
> > > 0010  00 9e b8 2e 40 00 40 06  fe c2 c0 a8 01 17 c0 a8   .... at .@. ........
> > > 0020  01 01 cc 54 00 8b 46 cc  34 d6 de 00 9f ae 80 18   ...T..F. 4.......
> > > 0030  0b 68 01 e3 00 00 01 01  08 0a 00 00 99 c7 00 64   .h...... .......d
> > > 0040  41 2d 00 00 00 66 ff 53  4d 42 25 00 00 00 00 08   A-...f.S MB%.....
> > > 0050  01 00 00 00 00 00 00 00  00 00 00 00 00 00 01 00   ........ ........
> > > 0060  3b 00 00 00 9f 00 0e 1a  00 00 00 63 00 ff ff 00   ;....... ...c....
> > > 0070  00 00 00 00 00 00 00 00  00 1a 00 4c 00 00 00 66   ........ ...L...f
> > > 0080  00 00 00 27 00 5c 50 49  50 45 5c 4c 41 4e 4d 41   ...'.\PI PE\LANMA
> > > 0090  4e 00 00 00 57 72 4c 65  68 00 42 31 33 42 57 7a   N...WrLe h.B13BWz
> > > 00a0  57 57 57 7a 42 39 42 00  01 00 ff ff               WWWzB9B. ....
> > > 
> > > Microsoft Windows Lanman Remote API Protocol
> > >   Function Code: NetShareEnum (0)
> > >   Parameter Descriptor: WrLeh
> > >   Return Descriptor: B13BWzWWWzB9B
> > >   Detail Level: 1
> > >   Receive Buffer Length: 65535
> > > 
> > > This packet is malformed because, for level 1 query, the correct return
> > > descriptor would be "B13BWz". I've attached the full wireshark dump, in
> > > case it matters.
> > > 
> > > What happens is that Samba refuses to answer to this query because it
> > > fails an internal sanity check; instead, Windows happily answers and the
> > > conversation goes on.
> > > 
> > > I verified my fix against a samba2 server (this is what I'm running on
> > > my DDWRT-based router), and forward-ported the same patch on samba3 and
> > > samba4 trees by visual inspection.
> > > 
> > > This is my first contribution to Samba, so I'm looking for some guidance
> > > for this patch to be accepted.
> > 
> > It seems that the descriptor they send is actually a level2
> > descriptor. Can you get us a trace against a Windows box? I
> > would be interested to see what they return in this case. Do
> > they decide based upon the level or the descriptor?
> 
> Hi Volker,
> 
> sorry for the late reply. This is the packet returned by a Windows box
> when queried with the malformed LANMAN request quoted above:
> 
> 0000  00 12 fb 2a d9 7c 00 21  63 fe 8e 85 08 00 45 00   ...*.|.! c.....E.
> 0010  01 19 18 e5 40 00 80 06  5c b6 c0 a8 01 dc c0 a8   .... at ... \.......
> 0020  01 17 00 8b d9 da a3 31  12 99 e1 d2 01 fa 80 18   .......1 ........
> 0030  8d f8 d0 62 00 00 01 01  08 0a 00 01 bf b5 00 04   ...b.... ........
> 0040  86 ff 00 00 00 e1 ff 53  4d 42 25 00 00 00 00 88   .......S MB%.....
> 0050  01 00 00 00 00 00 00 00  00 00 00 00 00 00 01 08   ........ ........
> 0060  3b 00 02 08 9f 00 0a 08  00 a1 00 00 00 08 00 38   ;....... .......8
> 0070  00 00 00 a1 00 40 00 00  00 00 00 aa 00 00 00 00   ..... at .. ........
> 0080  5e ff 05 00 05 00 49 50  43 24 00 00 00 00 00 00   ^.....IP C$......
> 0090  00 00 00 00 03 00 f4 ff  00 00 44 4f 57 4e 00 00   ........ ..DOWN..
> 00a0  00 00 00 00 00 00 00 00  00 00 f3 ff 00 00 44 6f   ........ ......Do
> 00b0  77 6e 6c 6f 61 64 00 00  00 00 00 00 00 00 f2 ff   wnload.. ........
> 00c0  00 00 41 44 4d 49 4e 24  00 00 00 00 00 00 00 00   ..ADMIN$ ........
> 00d0  00 00 db ff 00 00 43 24  00 00 00 00 00 00 00 00   ......C$ ........
> 00e0  00 00 00 00 00 00 c2 ff  00 00 43 6f 6e 64 69 76   ........ ..Condiv
> 00f0  69 73 69 6f 6e 65 20 70  72 65 64 65 66 69 6e 69   isione p redefini
> 0100  74 61 00 41 6d 6d 69 6e  69 73 74 72 61 7a 69 6f   ta.Ammin istrazio
> 0110  6e 65 20 72 65 6d 6f 74  61 00 00 00 49 50 43 20   ne remot a...IPC 
> 0120  72 65 6d 6f 74 6f 00                               remoto. 
> 
> Wireshark decodes it as "NetShareEnum Response[malformed packet]". It
> obviously is a level-1 answer (you can see that there are exactly 18
> bytes between "IPC$" and "DOWN"). Wireshark tries to decoded it at
> level-2 and fails.
> 
> So what happens is that Windows ignores the descriptor and trusts the
> level. On the other hand, Wireshark seems to trust the descriptor more
> and thus fails to decode the packet. In fact, it does not even mark the
> query packet as malformed, though it obviously doesn't match the
> specifications.
> 
> > And, would it be possible not to completely drop the check
> > but to also allow the level2 descriptor for level1?
> 
> Sure, see the attached patch. I would say that my experiment proves that
> the descriptor is ignored by Windows (at least for the NetShareEnum
> query) and thus it is better to drop the check altogether, but anyway.
> 
> BTW, compared to last week, I have now also verified the fix against a
> patched Samba3 server (previously, I had tested it on Samba2 only).
> 
> Thanks!

Hi,

I didn't get any reply on these patches. Can somebody please have a
look?

Thanks!
-- 
Giovanni Bajo
Develer S.r.l.
http://www.develer.com

More information about the samba-technical mailing list