smb1cli_inbuf_parse_chain fails with SMBntcreateX extended response
Gordon Ross
gordon.w.ross at gmail.com
Thu Mar 31 16:23:07 UTC 2016
Has anyone tried smbtorture lately with SMB1 NT create and the
"extended response" format? [MS-SMB] Sec. 2.2.4.9.2
Windows-based SMB servers send 50 (0x32) words in the extended
response although * they set the WordCount field to 0x2A.
This trips up smb1cli_inbuf_parse_chain, which ends up using the
"Maximal Access Rights" field as the byte count, and then decides
the response is invalid because the message is not that long.
I've attached a sample response packet.
Here's an (admittedly hack-ish) way to deal with that.
[patch attached]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-smb1cli_inbuf_parse_chain-confused-by-SMB1-NT-create.patch
Type: application/octet-stream
Size: 1253 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160331/be072a37/0001-smb1cli_inbuf_parse_chain-confused-by-SMB1-NT-create.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb-nt-create-ext-response.pcap
Type: application/octet-stream
Size: 255 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160331/be072a37/smb-nt-create-ext-response.obj>
More information about the samba-technical
mailing list