Bug 12581 - smbclient fails on bad endianess when listing shares from Solaris kernel SMB server on SPARC
smbclient fails on bad endianess when listing shares from Solaris kernel SMB ...
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
4.4.8
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-02-14 20:38 UTC by Jura Sasek
Modified: 2017-02-17 11:05 UTC (History)
4 users (show)

See Also:


Attachments
Patch for v4-5-test (2.96 KB, patch)
2017-02-15 05:43 UTC, Stefan Metzmacher
vl: review+
metze: review? (asn)
gd: review+
Details
Patch for v4-4-test (2.96 KB, patch)
2017-02-15 05:44 UTC, Stefan Metzmacher
vl: review+
metze: review? (asn)
gd: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jura Sasek 2017-02-14 20:38:03 UTC
smbclient -d 12 -U guest -N -L 172.16.111.212

display:

ndr_pull_error(11): Pull bytes 3328 (../librpc/ndr/ndr_string.c:591)
rpc_pipe_bind: host 172.16.111.212 bind request returned NT_STATUS_BUFFER_TOO_SMALL
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe srvsvc failed with error NT_STATUS_BUFFER_TOO_SMALL
Could not connect to srvsvc pipe: NT_STATUS_BUFFER_TOO_SMALL


Problem can be seen in wireshark in packet:

Distributed Computing Environment / Remote Procedure Call (DCE/RPC) Bind_ack, Fragment: Single, FragLen: 68, Call: 1
    Version: 5
    Version (minor): 0
    Packet type: Bind_ack (12)
    Packet Flags: 0x03
        0... .... = Object: Not set
        .0.. .... = Maybe: Not set
        ..0. .... = Did Not Execute: Not set
        ...0 .... = Multiplex: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Cancel Pending: Not set
        .... ..1. = Last Frag: Set
        .... ...1 = First Frag: Set
    Data Representation: 00000000
        Byte order: Big-endian (0)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 68
    Auth Length: 0
    Call ID: 1
    Max Xmit Frag: 4280
    Max Recv Frag: 4280
    Assoc Group: 0x58a2f456
    Scndry Addr len: 13
    Scndry Addr: \PIPE\ntsvcs
    Num results: 1
    Ctx Item[1]: Acceptance, 32bit NDR
        Ack result: Acceptance (0)
        Transfer Syntax: 32bit NDR
        Syntax ver: 2

0000  00 21 28 75 75 87 12 34 22 d7 3d 59 08 00 45 02   .!(uu..4".=Y..E.
0010  00 b4 33 f6 40 00 3c 06 d2 58 ac 10 6f d4 ac 10   ..3.@.<..X..o...
0020  6f fe 01 bd fa 0b 6f d0 7f 9f 21 8c 09 53 80 18   o.....o...!..S..
0030  80 26 01 33 00 00 01 01 08 0a 00 0c 77 6d 23 8d   .&.3........wm#.
0040  5a 56 00 00 00 7c ff 53 4d 42 25 00 00 00 00 90   ZV...|.SMB%.....
0050  43 88 00 00 00 00 00 00 00 00 00 00 00 00 01 00   C...............
0060  06 56 01 00 05 00 0a 00 00 44 00 00 00 00 00 38   .V.......D.....8
0070  00 00 00 44 00 38 00 00 00 00 00 45 00 00 05 00   ...D.8.....E....
0080  0c 03 00 00 00 00 00 44 00 00 00 00 00 01 10 b8   .......D........
0090  10 b8 58 a2 f4 56 00 0d 5c 50 49 50 45 5c 6e 74   ..X..V..\PIPE\nt
!!!!!!!!!!!!!!!!!!!!!!! ^^^^^ strlen is interpreted in little-endian as 0x0d00 = 3328


00a0  73 76 63 73 00 00 01 00 00 00 00 00 00 00 8a 88   svcs............
00b0  5d 04 1c eb 11 c9 9f e8 08 00 2b 10 48 60 00 00   ].........+.H`..
00c0  00 02                                             ..

note: wireshark display all of the values (also: "Max Xmit Frag" (0x10b8), "Max Recv Frag" (0x10b8), "Frag Length" (0x0044)) in correct endianess so I tried to compare IDLs but both are the same.

Here are the octets from the similar packet snooped when talking to Solaris SMB server running on intel:

    Data Representation: 10000000
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Frag Length: 68
    Auth Length: 0
    Call ID: 1
    Max Xmit Frag: 4280
    Max Recv Frag: 4280
    Assoc Group: 0x58a2f475
    Scndry Addr len: 13
    Scndry Addr: \PIPE\ntsvcs
    Num results: 1
    Ctx Item[1]: Acceptance, 32bit NDR
        Ack result: Acceptance (0)
        Transfer Syntax: 32bit NDR
        Syntax ver: 2

0000  00 21 28 75 75 87 12 34 22 90 d4 69 08 00 45 02   .!(uu..4"..i..E.
0010  00 b4 90 06 40 00 3c 06 76 49 ac 10 6f d3 ac 10   ....@.<.vI..o...
0020  6f fe 01 bd ea 14 5d 01 dc 16 ee 0e f0 a8 80 18   o.....].........
0030  80 26 a8 8e 00 00 01 01 08 0a 00 0e 2b fd 23 8d   .&..........+.#.
0040  66 59 00 00 00 7c ff 53 4d 42 25 00 00 00 00 90   fY...|.SMB%.....
0050  43 88 00 00 00 00 00 00 00 00 00 00 00 00 01 00   C...............
0060  08 56 01 00 05 00 0a 00 00 44 00 00 00 00 00 38   .V.......D.....8
0070  00 00 00 44 00 38 00 00 00 00 00 45 00 00 05 00   ...D.8.....E....
0080  0c 03 10 00 00 00 44 00 00 00 01 00 00 00 b8 10   ......D.........
................................................0x10b8 = 4280
0090  b8 10 75 f4 a2 58 0d 00 5c 50 49 50 45 5c 6e 74   ..u..X..\PIPE\nt
.....0x10b8............0x000d = 13
00a0  73 76 63 73 00 00 01 00 00 00 00 00 00 00 04 5d   svcs...........]

PS: Samba is sending "little-endian" even if running on SPARC so it can not be used as a reference and the "big-endian" SMB server is very rare case.
Comment 1 Stefan Metzmacher 2017-02-15 05:42:44 UTC
(In reply to Jura Sasek from comment #0)

This should already be fixed in master and 4.6.

We could backport the following commit to 4.4 and 4.5
https://git.samba.org/?p=samba.git;a=commitdiff;h=1bfba2c5161c0e27f8c27301f25836
Comment 2 Stefan Metzmacher 2017-02-15 05:43:54 UTC
Created attachment 12930 [details]
Patch for v4-5-test
Comment 3 Stefan Metzmacher 2017-02-15 05:44:24 UTC
Created attachment 12931 [details]
Patch for v4-4-test
Comment 4 Volker Lendecke 2017-02-15 07:38:54 UTC
Comment on attachment 12931 [details]
Patch for v4-4-test

Patch looks right, but it does not have the BUG: entry :-)

Acking nevertheless, Karo, bounce back if that's needed.
Comment 5 Karolin Seeger 2017-02-15 10:42:15 UTC
Pushed to autobuild-v4-{5,4}-test.
Comment 6 Jura Sasek 2017-02-16 07:25:08 UTC
I have tested v4-4 patch in the same setup and now it works fine. Thank you for your quick response.
Comment 7 Karolin Seeger 2017-02-17 11:05:59 UTC
Pushed to both branches.
Closing out bug report.

Thanks!