
List:       cifs-protocol
Subject:    Re: [cifs-protocol] unused bytes after while decoding bkrp requests
From:       "Mark Miller (MBD)" <markmi () microsoft ! com>
Date:       2010-07-18 18:49:51
Message-ID: ABB54FDF9F37B54FB5EA17D221A920612E73557A () TK5EX14MBXC138 ! redmond ! corp ! microsoft ! com

Hi Matthieu,

Thank you for your question.  A colleague will contact you to investigate this issue.

Regards,
Mark Miller
Escalation Engineer
US-CSS DSC PROTOCOL TEAM

-----Original Message-----
From: Matthieu Patou [mailto:mat@samba.org] 
Sent: Sunday, July 18, 2010 2:27 PM
To: Interoperability Documentation Help; pfif@tridgell.net; cifs-protocol@samba.org
Subject: unused bytes after while decoding bkrp requests

Dear dochelp team,

I started to implement the backup key remote protocol for samba.

Right now I'm a bit suspicious I got the data structure ok as when I parse some bytes with ndrdump I have ~52 bytes unused.

From the attached capture called protected_storage.pcap I managed to extract and decrypt the payload (452 bytes + 12 bytes of padding) at packet 485. The payload is also attached to this email as protected_xtr.

Here is the result of ndrdump:
mat@ares:/usr/local/src/samba4/source4$ ./bin/ndrdump protected_storage bkrp_BakuprKey  in ~/protected_xtr
pull returned NT_STATUS_OK
WARNING! 52 unread bytes
[0000] 8A E3 13 71 02 F4 36 71   02 40 28 00 30 7C DE 3D   ...q..6q .@(.0|.=
[0010] 5D 16 D1 11 AB 8F 00 80   5F 14 DB 40 01 00 00 00   ]....... _..@....
[0020] 04 5D 88 8A EB 1C C9 11   9F E8 08 00 2B 10 48 60   .]...... ....+.H`
[0030] 02 00 00 00                                       ....
     bkrp_BakuprKey: struct bkrp_BakuprKey
         in: struct bkrp_BakuprKey
             guidActionAgent          : *
                 guidActionAgent          : 47270c64-2fc7-499b-ac5b-0e37cdce899a
             data_in: struct bkrp_client_side_wrapped
                 version                  : 0x00000002 (2)
                 encrypted_secret_len     : 0x00000100 (256)
                 access_check_len         : 0x00000058 (88)
                 guid                     : a1dc8bbd-743f-473e-8d00-0a4742df76bd
                 encrypted_secret         : DATA_BLOB length=256
                 access_check             : DATA_BLOB length=88
             data_in_len              : 0x00000174 (372)
             param                    : 0x00000000 (0)
dump OK

To me the result looks sensible; I'm just concerned that it seems to have some garbage at the end.

I tried to analyze the frames with netmon 3.4 but it says that it's encrypted (and I didn't find a way to tell it to decrypt ...).

So here is my question: is it normal that I found some trailing bytes? Do you have the capacity to parse the protected_xtr file and give us the result of the parsing with your tools?


Cheers, Matthieu.

-- 
Matthieu Patou
Samba Team        http://samba.org

_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
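
The 52 unread bytes in the ndrdump output above have the layout of the RPC verification trailer (rpc_sec_verification_trailer) that MS-RPCE defines after the stub data, so they would not belong to the BKRP structure itself. The Python parser below is an added example, not part of this thread and not Samba's code. Assumptions: the identification as a verification trailer is not stated anywhere in the thread, the function names are this example's own, and the input bytes are copied from the hex dump in the message.

```python
import struct
import uuid

# The 52 unread bytes, copied from the ndrdump hex dump in the message.
TRAILING = bytes.fromhex(
    "8A E3 13 71 02 F4 36 71 02 40 28 00 30 7C DE 3D"
    "5D 16 D1 11 AB 8F 00 80 5F 14 DB 40 01 00 00 00"
    "04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60"
    "02 00 00 00"
)
# Trailer signature and command bits as defined in MS-RPCE.
SEC_VT_SIGNATURE = bytes.fromhex("8AE3137102F43671")
SEC_VT_COMMAND_PCONTEXT = 0x0002
SEC_VT_COMMAND_END = 0x4000
SEC_VT_MUST_PROCESS_COMMAND = 0x8000
COMMAND_NAMES = {0x0001: "BITMASK_1", 0x0002: "PCONTEXT", 0x0003: "HEADER2"}

# Function names below are hypothetical, chosen for this example.
def parse_syntax_id(buf):
    """Decode a 20-byte syntax id: little-endian GUID plus 32-bit version."""
    guid = uuid.UUID(bytes_le=bytes(buf[:16]))
    (version,) = struct.unpack_from("<I", buf, 16)
    return str(guid), version

def parse_verification_trailer(data):
    """Return the trailer commands, or None if no signature is present.
    Simplification: the signature is located with a plain byte search."""
    start = data.find(SEC_VT_SIGNATURE)
    if start < 0:
        return None
    pos, commands = start + len(SEC_VT_SIGNATURE), []
    while True:
        if pos + 4 > len(data):
            raise ValueError("truncated command header")
        command, length = struct.unpack_from("<HH", data, pos)
        body = data[pos + 4 : pos + 4 + length]
        if len(body) != length:
            raise ValueError("command body runs past end of buffer")
        kind = command & 0x3FFF  # strip the END and MUST_PROCESS flag bits
        entry = {"command": COMMAND_NAMES.get(kind, "UNKNOWN"),
                 "must_process": bool(command & SEC_VT_MUST_PROCESS_COMMAND),
                 "length": length}
        if kind == SEC_VT_COMMAND_PCONTEXT and length == 40:
            entry["interface"] = parse_syntax_id(body[:20])
            entry["transfer_syntax"] = parse_syntax_id(body[20:])
        commands.append(entry)
        pos += 4 + length
        if command & SEC_VT_COMMAND_END:
            return {"offset": start, "commands": commands,
                    "leftover": len(data) - pos}
```

On these bytes the parser finds a single PCONTEXT command carrying the BackupKey interface UUID and the NDR transfer syntax, with nothing left over: 8 bytes of signature, 4 of command header and 40 of body account for all 52.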

