SMB NtTransCreate should decode extended response
authorGordon Ross <gordon.w.ross@gmail.com>
Thu, 26 May 2016 05:32:22 +0000 (01:32 -0400)
committerAnders Broman <a.broman58@gmail.com>
Fri, 27 May 2016 04:25:34 +0000 (04:25 +0000)
SMB Nt Transact Create can have an extended response like
SMB Nt Create, as described in MS-SMB 2.2.7.1.2

Bug: 12477
Change-Id: Id1d7b96a1eb336b8c45bcb9af7b7d1b9b42c662a
Reviewed-on: https://code.wireshark.org/review/15577
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
epan/dissectors/packet-smb.c

index e132b52e4aa3155ab5ebf54b7c446d28d1462c80..01dcb88650db308747ce73f4a51a6892d3f3b64a 100644 (file)
@@ -8474,6 +8474,13 @@ dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, pr
                offset = dissect_nt_security_flags(tvb, tree, offset);
                bc -= 1;
 
+               /* May need to skip alignment padding. */
+               if (offset&1) {
+                       /* pad byte */
+                       proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, ENC_NA);
+                       offset += 1;
+               }
+
                /* file name */
                fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
                if (fn != NULL) {
@@ -8781,12 +8788,13 @@ dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tr
        }
        offset += 2;
 
-       /* this is a padding byte */
+#if 0  /* XXX this is a padding byte?  I don't think so. -gwr */
        if (offset&1) {
                /* pad byte */
                proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, ENC_NA);
                offset += 1;
        }
+#endif
 
        /* if there were any setup bytes, decode them */
        if (sc) {
@@ -8794,6 +8802,13 @@ dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tr
                offset += sc*2;
        }
 
+       /*
+        * Do we really need to even look at the byte count here?
+        * Servers normally use byte_count only when assembling the
+        * setup, parameters, and data segments.  Once we know
+        * how long each of those are, we should dissect them
+        * using the lengths determined during assembly.
+        */
        BYTE_COUNT;
 
        /* reassembly of SMB NT Transaction data payload.
@@ -8975,6 +8990,7 @@ dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
        smb_fid_info_t         *fid_info = NULL;
        guint16                 ftype;
        guint8                  isdir;
+       guint8                  ext_resp = 0;
 
        DISSECTOR_ASSERT(si);
 
@@ -9009,6 +9025,7 @@ dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
                offset += 1;
 
                /* reserved byte */
+               ext_resp = tvb_get_guint8(tvb, offset);
                proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
                offset += 1;
 
@@ -9065,6 +9082,31 @@ dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
                proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
                offset += 1;
 
+               /* decode extended response per [MS-SMB] 2.2.7.1.2
+                  (volume_guid, file_id, max_acc, guest_acc)
+                  Just like dissect_nt_create_andx_response */
+               if (ext_resp != 0) {
+                       proto_tree *tr = NULL;
+
+                       /* The first field is a Volume GUID ... */
+                       proto_tree_add_item(tree, hf_smb_volume_guid,
+                                           tvb, offset, 16, ENC_NA);
+                       offset += 16;
+
+                       /* The file ID comes next */
+                       proto_tree_add_item(tree, hf_smb_file_id_64bit,
+                                           tvb, offset, 8, ENC_LITTLE_ENDIAN);
+                       offset += 8;
+
+                       tr = proto_tree_add_subtree(tree, tvb, offset, 4,
+                               ett_smb_nt_access_mask, NULL, "Maximal Access Rights");
+                       offset = dissect_smb_access_mask(tvb, tr, offset);
+
+                       tr = proto_tree_add_subtree(tree, tvb, offset, 4,
+                               ett_smb_nt_access_mask, NULL, "Guest Maximal Access Rights");
+                       offset = dissect_smb_access_mask(tvb, tr, offset);
+               }
+
                /* Try to remember the type of this fid so that we can dissect
                 * any future security descriptor (access mask) properly
                 */