Wireshark-bugs: [Wireshark-bugs] [Bug 3609] New: SMB2 Error Response doesn't decode properly

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Fri, 26 Jun 2009 10:53:14 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3609

           Summary: SMB2 Error Response doesn't decode properly
           Product: Wireshark
           Version: 1.3.x (Experimental)
          Platform: x86
               URL: http://msdn.microsoft.com/en-
                    us/library/cc246482(PROT.13).aspx
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: chcosta75@xxxxxxxxxxx



Chris Costa <chcosta75@xxxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3201|                            |review_for_checkin?
               Flag|                            |


Created an attachment (id=3201)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3201)
SMB2 Error Response patch

Build Information:
TShark 1.3.0-CCOSTA (SVN Rev unknown)

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.20.3, with WinPcap (version unknown), with libz 1.2.3,
without POSIX capabilities, with libpcre 7.0, with SMI 0.4.8, with c-ares
1.6.0,
with Lua 5.1, without Python, with GnuTLS 2.8.1, with Gcrypt 1.4.4, with MIT
Kerberos, with GeoIP.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5, GnuTLS 2.8.1,
Gcrypt 1.4.4.

Built using Microsoft Visual C++ 9.0 build 30729
--
When a frame contains two SMB2 reponses, the first of which contains an error
code, Wireshark will report a "Malformed Packet" error.  The first response
will decode, but the second response will not decode at all.

Also, most of the fields in the error response display as "unknown", instead of
something more descriptive.  One of the fields is of variable length called
"Error Data", whose size depends on the value of the "Byte Count" field,
however Wireshark seems to decode the Error Data as if all remaining bytes in
the frame are a part of it.  This appears to be why the second response in the
frame fails to decode.

I have created a patch to fix this problem, and also to provide more
descriptive names for the fields in the Error Response. 

I have based these changes on the most recent version of Microsoft's MS-SMB2
document (SMB Version 2 Protocol Specification)


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.