Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: [Wireshark-dev] smb2.msg_id defined as signed 64-bit integer - bug?

From: Paul Offord <Paul.Offord@xxxxxxxxxxxx>
Date: Sat, 17 Sep 2016 14:12:20 +0000

In packet-smb2.h and packet-smb2.c the SMB2 MessageId is defined as a signed 64-bit integer.

 

packet-smb2.h

------------------

typedef struct _smb2_info_t {

               guint16 opcode;

               guint32 ioctl_function;

               guint32 status;

               guint32 tid;

               guint64 sesid;

               gint64  msg_id;

               guint32 flags;

               smb2_eo_file_info_t       *eo_file_info; /* eo_smb extra info */

               smb2_conv_info_t           *conv;

               smb2_saved_info_t         *saved;

               smb2_tid_info_t                              *tree;

               smb2_sesid_info_t           *session;

               smb2_fid_info_t                              *file;

               proto_tree *top_tree;

} smb2_info_t;

 

packet-smb2.c

------------------

                              { &hf_smb2_msg_id,

                                             { "Message ID", "smb2.msg_id", FT_INT64, BASE_DEC,

                                             NULL, 0, "SMB2 Message ID", HFILL }

                              },

 

 

I believe MessageId should be an unsigned 64-bit integer.  Although the [MS-SMB2] document isn’t specific, Microsoft Message Analyzer defines the field as UInt64.

 

It’s not a big deal but it does mean that filtering for a range of MessageIds won’t work as expected for very large values.

 

Is it OK for me to report this as a bug through Bugzilla?

 

Best regards…Paul


______________________________________________________________________

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advance Seven Ltd. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

Advance Seven Ltd. Registered in England & Wales numbered 2373877 at Endeavour House, Coopers End Lane, Stansted, Essex CM24 1SJ

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________