smb1cli_inbuf_parse_chain fails with SMBntcreateX extended response

Gordon Ross gordon.w.ross at gmail.com
Mon Apr 4 16:05:20 UTC 2016


This will do it:
smbtorture ... raw.oplock.exclusive1


On Fri, Apr 1, 2016 at 2:43 PM, Jeremy Allison <jra at samba.org> wrote:
> On Thu, Mar 31, 2016 at 12:23:07PM -0400, Gordon Ross wrote:
>> Has anyone tried smbtorture lately with SMB1 NT create and the
>> "extended response" format?   [MS-SMB] Sec. 2.2.4.9.2
>>
>>     Windows-based SMB servers send 50 (0x32) words in the extended
>> response although they set the WordCount field to 0x2A.
>>
>> This trips up smb1cli_inbuf_parse_chain, which ends up using the
>> "Maximal Access Rights" field as the byte count, and then decides
>> the response is invalid because the message is not that long.
>> I've attached a sample response packet.
>>
>> Here's an (admittedly hack-ish) way to deal with that.
>> [patch attached]
>
> Hmmm. How are you getting this to trigger in the
> client code - is it from the notify_online_send()
> code (that's the only place I can see where the
> client is using EXTENDED_RESPONSE_REQUIRED) ?
