From 00be145b1b05ba14d132736642d0ec362a3ba489 Mon Sep 17 00:00:00 2001
From: Jeffrey Bencteux
Date: Fri, 12 Jan 2018 15:30:03 +0100
Subject: [PATCH] fix setup field handling in smb1_com_transaction_request messages

This field is an array of 16 bit words and was parsed as an array of 32 bit words. Moreover, one can not assume the format is going to be a 16 bits opcode followed by a 16 bit file ID, the content of the setup field is different according to its first 16 bits word that defines the subcommand code.

See MS-CIFS section 2.2.4.33.1 :

Setup (variable): An array of two-byte words that provides transaction context to the server. The size and content of the array are specific to individual subcommands.
---
 src/analyzer/protocol/smb/smb1-com-transaction.pac | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac
index 7f3c409a95..eed584dfff 100644
--- a/src/analyzer/protocol/smb/smb1-com-transaction.pac
+++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac
@@ -132,11 +132,6 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub
 pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE);
 };
 
-type SMB1_transaction_setup = record {
-op_code : uint16;
-file_id : uint16;
-}
-
 type SMB1_transaction_request(header: SMB_Header) = record {
 word_count : uint8;
 total_param_count : uint16;
@@ -155,7 +150,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
 setup_count : uint8;
 reserved3 : uint8;
 # word_count 16 is a different dialect that behaves a bit differently.
-setup : SMB1_transaction_setup[word_count == 16 ? 1 : setup_count];
+setup : uint16[setup_count];
 byte_count : uint16;
 name : SMB_string(header.unicode, offsetof(name));
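Review bot: The comment `# word_count 16 is a different dialect that behaves a bit differently.` directly above `setup` is now stale: the new declaration `setup : uint16[setup_count];` no longer special-cases word_count at all, so the comment explains a branch that no longer exists and will mislead the next reader. I would replace it with `# Setup is an array of 16-bit words of length setup_count; its layout depends on the subcommand in setup[0] (MS-CIFS 2.2.4.33.1).`. As far as I recall, MS-CIFS defines WordCount for this request as 14 + SetupCount, so a word_count of 16 is simply the two-word form (subcommand plus FID) and is already covered by setup_count; if the old `word_count == 16 ? 1` special case existed only to compensate for the mis-sized 4-byte struct, dropping it is right, but note that a message whose word_count and setup_count disagree is now sized purely by setup_count (a uint8, so at most 510 bytes of setup are ever consumed). The enclosing SMB1_transaction_request record starts before and ends after this hunk.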
@@ -164,7 +159,7 @@ type SMB1_transaction_request(header: SMB_Header) = record {
 pad2 : padding to data_offset - SMB_Header_length;
 data : SMB1_transaction_data(header, true, data_count, sub_cmd, transtype, is_pipe);
 } &let {
-sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0].op_code : 0;
+sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0] : 0;
 transtype : int = determine_transaction_type(header, name);
 is_pipe : bool = (transtype == SMB_PIPE || (transtype == SMB_UNKNOWN && $context.connection.get_tree_is_pipe(header.tid)));
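Review bot: With the 4-byte struct gone, the `word_count != 16` term in the new `sub_cmd` line deserves a second look: for a word_count-16 request (14 fixed words plus a two-word setup, which is the usual TransactNmPipe shape with the subcommand in setup[0] and the FID in setup[1]), sub_cmd is still forced to 0 even though setup[0] now holds exactly the subcommand word the commit message describes. If that guard existed only because the old struct mis-read those requests, it can be simplified to `sub_cmd : uint16 = sizeof(setup) > 0 ? setup[0] : 0;`; if word_count 16 really is a distinct dialect whose first setup word is not a subcommand, a comment saying so would stop the next reader from removing the guard. Either way the inherited `(sizeof(setup) && word_count != 16) > 0` compares a boolean against zero and is worth rewriting for clarity. SMB1_transaction_data, which receives sub_cmd, is outside this hunk, so how a sub_cmd of 0 is treated downstream is inferred rather than verified.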