smb1cli_inbuf_parse_chain fails with SMBntcreateX extended response

Jeremy Allison jra at
Fri Apr 1 18:43:57 UTC 2016

On Thu, Mar 31, 2016 at 12:23:07PM -0400, Gordon Ross wrote:
> Has anyone tried smbtorture lately with SMB1 NT create and the
> "extended response" format?   [MS-SMB] Sec.
>     Windows-based SMB servers send 50 (0x32) words in the extended
> response although * they set the WordCount field to 0x2A.
> This trips up smb1cli_inbuf_parse_chain, which ends up using the
> "Maximal Access Rights" field as the byte count, and then decides
> the response is invalid because the message is not that long.
> I've attached a sample response packet.
> Here's an (admittedly hack-ish) way to deal with that.
> [patch attached]

Hmmm. How are you getting this to trigger in the
client code - is it from the notify_online_send()
code (that's the only place I can see where the

More information about the samba-technical mailing list