GH-865: fix parsing of SMB NegotiateContextList

* The compression capability was incorrectly set to 0x0004 instead of 0x0003 * The padding was 4-byte instead of 8-byte aligned and also the spec. does not strictly require the padding for the last item in the list. * Add a default case to handle parsing of unknown context types.
2025-10-11 19:18:19 +00:00 · 2020-03-16 19:00:01 -07:00 · 2020-03-16 19:00:01 -07:00 · 9c70bcecbc
commit 9c70bcecbc
parent acb3b27a2c
4 changed files with 62 additions and 8 deletions
--- a/testing/btest/scripts/base/protocols/smb/compression-cap.zeek
+++ b/testing/btest/scripts/base/protocols/smb/compression-cap.zeek
@ -0,0 +1,33 @@
+# @TEST-EXEC: zeek -b -r $TRACES/smb/SMBGhost.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/smb
+
+event smb2_negotiate_response(c: connection, hdr: SMB2::Header, response: SMB2::NegotiateResponse)
+	{
+	for ( i in response$negotiate_context_values )
+		{
+		local ncv = response$negotiate_context_values[i];
+
+		print fmt("context value type %s, length %s",
+		          ncv$context_type, ncv$data_length);
+
+		switch ( ncv$context_type ) {
+		case 0x001:
+			print fmt("  %s", ncv$preauth_info);
+			break;
+		case 0x002:
+			print fmt("  %s", ncv$encryption_info);
+			break;
+		case 0x003:
+			print fmt("  %s", ncv$compression_info);
+			break;
+		case 0x005:
+			print fmt("  %s", ncv$netname);
+			break;
+		default:
+			print "  unknown context value type";
+			break;
+		}
+		}
+	}