This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SMB protocol parsing BUG found

0

Hi, when you parsing SMB protocol requests you parse SMB_COM_TRANSACTION2 (0x32) command and SMB_COM_TRANSACTION2_SECONDARY (0x33) command as commands that have the equal request parameters structure. But this is mistake.

SMB_COM_TRANSACTION2_SECONDARY command have it's own parameters structure:

SMB_Parameters { UCHAR WordCount; Words { USHORT TotalParameterCount; USHORT TotalDataCount; USHORT ParameterCount; USHORT ParameterOffset; USHORT ParameterDisplacement; USHORT DataCount; USHORT DataOffset; USHORT DataDisplacement; USHORT FID; } }

SMB_Data { USHORT ByteCount; Bytes { UCHAR Pad1[]; UCHAR Trans2_Parameters[ParameterCount]; UCHAR Pad2[]; UCHAR Trans2_Data[DataCount]; } }

Detailed here: https://msdn.microsoft.com/en-us/library/ee442192.aspx https://msdn.microsoft.com/en-us/library/ee442105.aspx

asked 06 May '17, 04:19

alexweb's gravatar image

alexweb
6112
accept rate: 0%


One Answer:

1

Wrong place to report this; please open a bug report at

https://bugs.wireshark.org and attach a PCAP file if you can.

Thanks!

answered 06 May '17, 04:22

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%