smb1cli_inbuf_parse_chain fails with SMBntcreateX extended response
jra at samba.org
Fri Apr 1 18:43:57 UTC 2016
On Thu, Mar 31, 2016 at 12:23:07PM -0400, Gordon Ross wrote:
> Has anyone tried smbtorture lately with SMB1 NT create and the
> "extended response" format? [MS-SMB] Sec. 220.127.116.11.2
> Windows-based SMB servers send 50 (0x32) words in the extended
> response although they set the WordCount field to 0x2A.
> This trips up smb1cli_inbuf_parse_chain, which ends up using the
> "Maximal Access Rights" field as the byte count, and then decides
> the response is invalid because the message is not that long.
> I've attached a sample response packet.
> Here's an (admittedly hack-ish) way to deal with that.
> [patch attached]
Hmmm. How are you getting this to trigger in the
client code - is it from the notify_online_send()
code (that's the only place I can see where the
client is using EXTENDED_RESPONSE_REQUIRED)?
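An added illustration of the parsing problem described in the thread, not code from Samba or from either poster. It constructs an SMB1 NT_CREATE_ANDX response the way Gordon describes Windows sending it (50 parameter words, but WordCount set to 0x2A), shows a parser that trusts WordCount to find ByteCount rejecting it, and shows a fixup that only applies to that one command and word count. The header values, the FID and file id, and the access masks are made-up sample values; the parameter layout follows the [MS-SMB] extended response as assumed here, and the parser handles a single unchained response only.

```python
"""Added example (not Samba's code): reproduce the WordCount quirk that
the thread describes for the SMB1 NT_CREATE_ANDX extended response and
show a strict parse failing on it and a targeted fixup accepting it.
All messages below are constructed, not captured."""
import struct

SMB_COM_NT_CREATE_ANDX = 0xA2
SMB_HEADER_LEN = 32
EXT_WCT_DECLARED = 0x2A   # WordCount Windows writes into the response
EXT_WCT_ACTUAL = 0x32     # parameter words it actually sends (50)


def smb1_header(command, tid=1, pid=0x1234, uid=0x0800, mid=1):
    """32-byte SMB1 header: protocol id, command, NT status, flags, flags2,
    PIDHigh, 8-byte security features, reserved, TID, PIDLow, UID, MID.
    The ids are arbitrary sample values."""
    return struct.pack("<4sBIBHHQHHHHH", b"\xffSMB", command, 0, 0x88,
                       0xC001, 0, 0, 0, tid, pid, uid, mid)


def ext_response_params(file_id):
    """The 100-byte (50-word) extended NT_CREATE_ANDX parameter block as
    assumed here: AndX fields, oplock level, FID, disposition, four
    timestamps, attributes, allocation size, EOF, resource type, pipe
    status, directory flag, 16-byte volume GUID, file id, maximal and
    guest maximal access rights.  Only file_id varies between samples."""
    return struct.pack("<BBHBHIQQQQIQQHHB16sQII",
                       0xFF, 0, 0, 0, 0x4000, 1,
                       0, 0, 0, 0, 0x20, 0, 0, 0, 0, 0,
                       b"\0" * 16, file_id, 0x001F01FF, 0)


def build_response(wct, params, data=b""):
    """Header, WordCount, parameter words, ByteCount, data bytes."""
    return (smb1_header(SMB_COM_NT_CREATE_ANDX) + bytes([wct]) + params
            + struct.pack("<H", len(data)) + data)


def parse_smb1(buf, wct_override=None):
    """Strict parse of one unchained SMB1 response: locate ByteCount via
    WordCount and require the message to end exactly after the data."""
    if len(buf) < SMB_HEADER_LEN + 1 or buf[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    command = buf[4]
    wct = buf[SMB_HEADER_LEN] if wct_override is None else wct_override
    off = SMB_HEADER_LEN + 1
    params = buf[off:off + 2 * wct]
    if len(params) != 2 * wct:
        raise ValueError("truncated parameter block")
    off += 2 * wct
    if len(buf) < off + 2:
        raise ValueError("missing ByteCount")
    (bcc,) = struct.unpack_from("<H", buf, off)
    off += 2
    if len(buf) < off + bcc:
        raise ValueError("ByteCount %d exceeds the %d bytes left"
                         % (bcc, len(buf) - off))
    if len(buf) != off + bcc:
        raise ValueError("%d trailing bytes after the data block"
                         % (len(buf) - off - bcc))
    return command, params, buf[off:off + bcc]


def parse_smb1_with_fixup(buf):
    """Same parse, plus the one-command workaround: if an NT_CREATE_ANDX
    response declares 0x2A words and does not parse consistently, retry
    assuming the 50 words Windows actually sends.  Any other command, or
    any other word count, is still rejected."""
    try:
        return parse_smb1(buf)
    except ValueError:
        if (len(buf) > SMB_HEADER_LEN and buf[4] == SMB_COM_NT_CREATE_ANDX
                and buf[SMB_HEADER_LEN] == EXT_WCT_DECLARED):
            return parse_smb1(buf, wct_override=EXT_WCT_ACTUAL)
        raise


def demo():
    """Return (strict_error, params_len, data_len) for a Windows-style
    message whose stray parameter bytes read as a large ByteCount."""
    windows_style = build_response(EXT_WCT_DECLARED,
                                   ext_response_params(0x1234))
    try:
        parse_smb1(windows_style)
        strict_error = None
    except ValueError as e:
        strict_error = str(e)
    _, params, data = parse_smb1_with_fixup(windows_style)
    return strict_error, len(params), len(data)
```

Two things are worth noticing when running it. With WordCount 0x2A the strict parser reads its ByteCount from two bytes that are really inside the parameter block (in this constructed sample the low half of the file id), so a nonzero value there produces the "message is not that long" rejection the thread describes, while a zero value makes the first check pass and only the trailing-bytes check catches the 16 unaccounted bytes; a parser that omits that second check would silently accept a mis-framed response. The fixup tries the declared count first and retries only for this one command and word count, so a server that really sends 42 consistent words is unaffected.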