Wireshark-dev: Re: [Wireshark-dev] Parsing array and its size in EcDoRpcExt2

From: Harsha <inet.harsha@xxxxxxxxx>
Date: Mon, 27 Apr 2009 17:32:06 -0700
On Mon, Apr 27, 2009 at 3:38 PM, Harsha <inet.harsha@xxxxxxxxx> wrote:
> I did a quick read of the relevant part of DCE RPC specs, but in all
> the cases I saw it always had the size and then the array. In those
> cases it is trivial to first extract the size and use the size to
> extract the array contents.

Here is an example in Wireshark code where the length of the array and
then the array are extracted:

void ept_lookup(
    [in] handle_t hEpMapper,
    [in] unsigned long inquiry_type,
    [in, ptr] UUID* object,
    [in, ptr] RPC_IF_ID* Ifid,
    [in] unsigned long vers_option,
    [in, out] ept_lookup_handle_t* entry_handle,
    [in, range(0,500)] unsigned long max_ents,
    [out] unsigned long* num_ents,
    [out, length_is(*num_ents), size_is(max_ents)] ept_entry_t entries[], <-----
    [out] error_status* status );

Related dissecting code that extracts the length of the array and then
the array is in epm_dissect_ept_map_resp() in packet-dcerpc-epm.c.

Unfortunately I don't see any other case where the array comes ahead
of its length.

Thanks,
Harsha
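
The size-then-array order discussed in this message, as an added example that is not part of the original post and is not Wireshark code: a stand-alone parser that reads num_ents and the NDR conformant varying array header (max_count, offset, actual_count) and validates every count before touching the elements. Assumptions: little-endian data representation, parsing starts at num_ents, and elements are treated as fixed-size (the real ept_entry_t is not); the function name and the sample buffers are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_ENTS_LIMIT 500u /* from [in, range(0,500)] max_ents in the IDL */

/* Constructed sample: num_ents=2, max_count=4, offset=0, actual_count=2,
 * followed by two 4-byte elements. */
static const uint8_t sample_ok[] = {
    2,0,0,0,  4,0,0,0,  0,0,0,0,  2,0,0,0,  0xAA,0,0,0,  0xBB,0,0,0 };
/* Constructed malformed sample: counts claim 3 elements, only 2 are present. */
static const uint8_t sample_short[] = {
    3,0,0,0,  4,0,0,0,  0,0,0,0,  3,0,0,0,  0xAA,0,0,0,  0xBB,0,0,0 };

/* Read a little-endian 32-bit value; 0 on success, -1 if it would run past len. */
static int rd_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (*off > len || len - *off < 4) return -1;
    *out = (uint32_t)buf[*off] | (uint32_t)buf[*off + 1] << 8 |
           (uint32_t)buf[*off + 2] << 16 | (uint32_t)buf[*off + 3] << 24;
    *off += 4;
    return 0;
}

/* Parse num_ents, then max_count/offset/actual_count, then the elements.
 * On success returns the element count and points *elems at the first
 * element; returns -1 on any inconsistency. */
int parse_counted_array(const uint8_t *buf, size_t len, size_t elem_size,
                        const uint8_t **elems)
{
    size_t off = 0;
    uint32_t num_ents, max_count, offset, actual_count;

    if (rd_u32(buf, len, &off, &num_ents) || rd_u32(buf, len, &off, &max_count) ||
        rd_u32(buf, len, &off, &offset) || rd_u32(buf, len, &off, &actual_count))
        return -1;
    /* size_is(max_ents): the conformance value must respect the IDL range. */
    if (max_count > MAX_ENTS_LIMIT) return -1;
    /* The varying part must fit inside the conformant size. */
    if (offset > max_count || actual_count > max_count - offset) return -1;
    /* length_is(*num_ents): the separate length field must agree. */
    if (actual_count != num_ents) return -1;
    /* Never trust a count beyond the bytes actually captured. */
    if (elem_size == 0 || actual_count > (len - off) / elem_size) return -1;
    *elems = buf + off;
    return (int)actual_count;
}
```

Because every count is known before the first element is read, each check runs up front; a layout with the array ahead of its length would have to defer them.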