| Bug ID |
12128
|
| Summary |
SMB2 Notify response incorrectly reported as Malformed Packet in some cases
|
| Product |
Wireshark
|
| Version |
2.0.1
|
| Hardware |
x86
|
| OS |
Mac OS X 10.11
|
| Status |
UNCONFIRMED
|
| Severity |
Major
|
| Priority |
Low
|
| Component |
Dissection engine (libwireshark)
|
| Assignee |
[email protected]
|
| Reporter |
[email protected]
|
Created attachment 14333 [details]
SMB2 Packet trace with Notify Change messages
Build Information:
Version 2.0.1 (v2.0.1-0-g59ea380 from master-2.0)
--
See the attached packet trace, packets 1, 30, 53. The dissector incorrectly
reports the SMB2 Notify reply packets as malformed (Error/Malformed).
Each packet is just an SMB2 Notify Change reply with OutputBufferLength zero,
and
NT Status = STATUS_NOTIFY_ENUM_DIR.
It looks like the smb2 dissector is treating STATUS_NOTIFY_ENUM_DIR status as
an error, and is expecting an SMB2 Error struct.
SMB2 Notify Change reply with zero OutputBufferLength is documented here:
MS-SMB2 v20150630 3.3.5.19 Receiving an SMB2 Change Notify Reponse
"If the server is unable to copy the results into the buffer of the SMB2 CHANGE
NOTIFY Response, then the server MUST construct the response as decribed below
with an OutputBufferLength of zero, and set Status in the SMB2 header to
STATUS_NOTIFY_ENUM_DIR."
. . .
"OutputBufferLength MUST be set to the length, in bytes, of the result of the
enumeration. It is valid for length to be 0, indicating a change occurred but
it could not be fit within the buffer."
So when dissecting an SMB2 Notify Change reply, don't treat
STATUS_NOTIFY_ENUM_DIR as an error, instead treat it the same as if the status
was STATUS_SUCCESS.
You are receiving this mail because:
- You are watching all bug changes.
