From: "dheitmueller"
Sent: Sunday, November 10, 2002 3:49 AM
Subject: [Ethereal-dev] Dissecting SAMR GetDomainPasswordInfo
>
> I am looking at the dissection routine for the GetDomainPasswordInfo, and
> it fails to properly dissect the request.
>
> Looking at the source code (packet-dcerpc-samr.c line 2011), the domain
> field is using dissect_ndr_pointer. However, when I look at the payload, it
> would appear that we are dealing with a straight UNICODE string.
>
> xx xx xx xx xx xx xx xx 08 00 00 00 5c 00 5c 00 ........ ....\.\.
> 70 00 61 00 75 00 6c 00 32 00 30 00 p.a.u.l. 2.0.
>
> It looks like there is just a length, an offset, then the string.

It depends on what is in the xx fields.
The 08 00 00 00 part is the length of the encoded conformant array of
guint16s.
The 8 xx probably contains two 32 bit integers for max_length and offset,
making this field into a varying and conformant array of guint16, ie the
normal way MS encodes UNICODE_STRINGS.
So it is either a conformant array or a varying and conformant array.
Conformant (varying or not) arrays cannot be placed as top-level objects in
NDR encoding and must thus be referred to through a pointer, usually as a
unique or a reference pointer.
You can try replacing the call in
samr_dissect_get_domain_password_information_rqst()

From:
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                samr_dissect_pointer_STRING, NDR_POINTER_UNIQUE,
                "Domain", hf_samr_domain, 0);
To:
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
                "Domain", hf_samr_domain, 0);

Please send the capture to me, if that is possible, and I can fix the
dissection of that packet.
And also review the reply packet since that one is largely unknown still.
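
Added example, not part of the original message or of Ethereal's source: a bounds-checked decoder for the layout discussed above, a conformant and varying array of 16-bit elements (max_count, offset, actual_count, then the elements). The function name and the sample buffer are hypothetical; the sample's first eight bytes are constructed values standing in for the unknown xx bytes, and little-endian data representation is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Read a 32-bit little-endian value (assumes the drep says little-endian). */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a conformant varying array of 16-bit elements:
 *   max_count (4) | offset (4) | actual_count (4) | actual_count * 2 bytes
 * buf is assumed to start on a 4-byte NDR boundary. Elements outside
 * printable ASCII are shown as '?'. Returns the number of bytes consumed,
 * or -1 if the counts are inconsistent or the buffer is truncated. */
int ndr_cv_uint16_array(const uint8_t *buf, size_t len, char *out, size_t outlen) {
    if (len < 12) return -1;
    uint32_t max_count = rd32(buf);
    uint32_t off       = rd32(buf + 4);
    uint32_t actual    = rd32(buf + 8);
    /* offset + actual_count must not exceed max_count (no overflow here) */
    if (off > max_count || actual > max_count - off) return -1;
    /* never trust the count: the elements must really be in the buffer */
    if (actual > (len - 12) / 2) return -1;
    if ((size_t)actual + 1 > outlen) return -1;
    for (uint32_t i = 0; i < actual; i++) {
        const uint8_t *e = buf + 12 + 2 * (size_t)i;
        out[i] = (e[1] == 0 && e[0] >= 0x20 && e[0] < 0x7f) ? (char)e[0] : '?';
    }
    out[actual] = '\0';
    return (int)(12 + 2 * (size_t)actual);
}

/* Constructed sample: max_count=8 and offset=0 are assumed values for the
 * "xx" bytes; the rest is the payload quoted in the message. */
static const uint8_t sample[] = {
    0x08,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x08,0x00,0x00,0x00,
    0x5c,0x00, 0x5c,0x00, 0x70,0x00, 0x61,0x00,
    0x75,0x00, 0x6c,0x00, 0x32,0x00, 0x30,0x00
};

int main(void) {
    char name[32];
    int used = ndr_cv_uint16_array(sample, sizeof sample, name, sizeof name);
    printf("consumed=%d string=%s\n", used, used < 0 ? "(malformed)" : name);
    return 0;
}
```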