wrong IDL for DsBind in drsuapi.idl
Matthieu Patou
mat at matws.net
Sun Oct 20 15:26:17 MDT 2013
Hello Metze & All,
With my drsuapi dissector mostly functional I started to pay attention
to packets that weren't able to be dissected.
I continuously get errors with DsBind requests and responses in NDR64
traffic.
I extracted the blob for the response and ran it through ndrdump:
./bin/ndrdump drsuapi drsuapi_DsBind out ~/workspace/samba/tcpdump/dcpromo/packet-851-dsbind-out --ndr64
../librpc/ndr/ndr_basic.c:171: non-zero upper 32 bits 0x3fffff7f00000030
pull returned NT_STATUS_INVALID_PARAMETER
WARNING! 68 unread bytes
[0000] F4 8C F7 1A 5C 84 B8 45 97 F2 29 75 36 A3 74 F0 ....\..E ..)u6.t.
[0010] D0 01 00 00 00 00 00 00 02 00 00 00 E3 00 1B 8D ........ ........
[0020] 26 82 28 43 B7 31 B8 49 77 45 AC B4 00 00 00 00 &.(C.1.I wE......
[0030] 46 18 3C 68 B2 DD 4D 44 83 B6 DD AE E7 EA D4 B9 F.<h..MD ........
[0040] 00 00 00 00 ....
drsuapi_DsBind: struct drsuapi_DsBind
out: struct drsuapi_DsBind
bind_info : *
bind_info: struct drsuapi_DsBindInfoCtr
length : 0x00000030 (48)
info : union
drsuapi_DsBindInfo(case 48)
info48: struct drsuapi_DsBindInfo48
supported_extensions : 0x00000000 (0)
site_guid :
00000000-0000-0000-0000-000000000000
pid : 0x00000000 (0)
repl_epoch : 0x00000000 (0)
supported_extensions_ext : 0x00000000 (0)
config_dn_guid :
00000000-0000-0000-0000-000000000000
bind_handle : NULL
bind_handle: struct policy_handle
UNEXPECTED NULL POINTER
result : WERR_OK
dump FAILED
./bin/ndrdump drsuapi drsuapi_DsBind out ~/workspace/samba/tcpdump/dcpromo/packet-851-dsbind-out
pull returned NT_STATUS_INVALID_PARAMETER
WARNING! 84 unread bytes
[0000] 30 00 00 00 00 00 00 00 30 00 00 00 7F FF FF 3F 0....... 0......?
[0010] F4 8C F7 1A 5C 84 B8 45 97 F2 29 75 36 A3 74 F0 ....\..E ..)u6.t.
[0020] D0 01 00 00 00 00 00 00 02 00 00 00 E3 00 1B 8D ........ ........
[0030] 26 82 28 43 B7 31 B8 49 77 45 AC B4 00 00 00 00 &.(C.1.I wE......
[0040] 46 18 3C 68 B2 DD 4D 44 83 B6 DD AE E7 EA D4 B9 F.<h..MD ........
[0050] 00 00 00 00 ....
drsuapi_DsBind: struct drsuapi_DsBind
out: struct drsuapi_DsBind
bind_info : *
bind_info: struct drsuapi_DsBindInfoCtr
length : 0x00000000 (0)
info : union
drsuapi_DsBindInfo(case 0)
FallBack: struct drsuapi_DsBindInfoFallBack
info : DATA_BLOB length=0
bind_handle : NULL
bind_handle: struct policy_handle
UNEXPECTED NULL POINTER
result : WERR_OK
dump FAILED
The problem is that we defined the structure like this:
typedef [nodiscriminant] union {
    [case(24)][subcontext(4)] drsuapi_DsBindInfo24 info24;
    [case(28)][subcontext(4)] drsuapi_DsBindInfo28 info28;
    [case(48)][subcontext(4)] drsuapi_DsBindInfo48 info48;
    [default][subcontext(4)] drsuapi_DsBindInfoFallBack FallBack;
} drsuapi_DsBindInfo;

typedef struct {
    [range(1,10000)] uint32 length;
    [switch_is(length)] drsuapi_DsBindInfo info;
} drsuapi_DsBindInfoCtr;
When DRSR says:
typedef struct {
    [range(1,10000)] DWORD cb;
    [size_is(cb)] BYTE rgb[];
} DRS_EXTENSIONS;
On the wire we will have:
uint3264 (size of the conformant array)
uint32 cb
uint8 rgb[cb]
When our idl says that the wire should look like
uint32 length
uint3264 (subcontext length)
uint8 infoxx[length]
I made the attached patch, which works in ndrdump and allows generating
the correct dissector in wireshark.
Matthieu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: packet-851-dsbind-out
Type: image/x-icon
Size: 92 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131020/eedd05ec/attachment.ico>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-librpc-idl-change-the-drsuapi_DsBindInfoCtr-so-that-.patch
Type: text/x-diff
Size: 3009 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131020/eedd05ec/attachment.patch>
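Added example, not part of the original message or of Samba's code: it reads the 84 bytes of the second hexdump above under both NDR64 layouts the message contrasts, then decodes the 48-byte payload using the info48 field names from the ndrdump output. The function names are hypothetical, and it assumes the buffer starts at the DRS_EXTENSIONS data with no referent ID in front of it.

```python
import struct
import uuid

# Bytes transcribed from the 84-byte hexdump in the message (offsets 0x00-0x53).
BLOB = bytes.fromhex(
    "3000000000000000300000007FFFFF3F"
    "F48CF71A5C84B84597F2297536A374F0"
    "D00100000000000002000000E3001B8D"
    "26822843B731B8497745ACB400000000"
    "46183C68B2DD4D4483B6DDAEE7EAD4B9"
    "00000000")

def parse_old_idl(buf):
    """Old IDL layout: uint32 length, then an 8-byte-aligned uint3264 subcontext length."""
    (length,) = struct.unpack_from("<I", buf, 0)
    (sub_len,) = struct.unpack_from("<Q", buf, 8)  # uint3264 is 8 bytes in NDR64
    return length, sub_len

def parse_drs_extensions(buf):
    """DRSR layout: uint3264 conformance count, uint32 cb, uint8 rgb[cb]."""
    if len(buf) < 12:
        raise ValueError("truncated header")
    count, cb = struct.unpack_from("<QI", buf, 0)
    if count != cb:
        raise ValueError("conformance count %d != cb %d" % (count, cb))
    if not 1 <= cb <= 10000:  # [range(1,10000)] from the IDL
        raise ValueError("cb out of range: %d" % cb)
    if len(buf) < 12 + cb:
        raise ValueError("rgb[] runs past end of buffer")
    return buf[12:12 + cb]

def decode_info48(rgb):
    """Split a 48-byte rgb[] into the fields ndrdump prints for info48."""
    if len(rgb) != 48:
        raise ValueError("expected 48 bytes, got %d" % len(rgb))
    ext, site, pid, epoch, ext2, cfg = struct.unpack("<I16sIII16s", rgb)
    return {
        "supported_extensions": ext,
        "site_guid": str(uuid.UUID(bytes_le=site)),
        "pid": pid,
        "repl_epoch": epoch,
        "supported_extensions_ext": ext2,
        "config_dn_guid": str(uuid.UUID(bytes_le=cfg)),
    }

if __name__ == "__main__":
    length, sub_len = parse_old_idl(BLOB)
    print("old IDL: length=%#x subcontext length=%#x" % (length, sub_len))
    print(decode_info48(parse_drs_extensions(BLOB)))
```

Under the old layout the 64-bit value read as the subcontext length is 0x3fffff7f00000030, the same value ndrdump reports in its "non-zero upper 32 bits" error.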