Ethereal-dev: Re: [ethereal-dev] SIGSEGV in strlen() -> packet-smb.c:9023

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Sharpe <sharpe@xxxxxxxxxx>
Date: Thu, 25 Nov 1999 14:04:39 +1000
At 06:25 PM 11/25/99 +0100, Florian Lohoff <flo@xxxxxxxxxx> wrote:

OK, I can see what the problem is.

I have fixed the immediate problem, and will commit some changes to prevent
the SIGSEGV.

However, the real problem is: I forgot about UNICODE strings.  The
\PIPE\LANMAN is in there as a UNICODE string, and the Strings are Unicode
bit is set in the SMB header.  Damn! 

Will need a routine to convert? Hmmm, will need a unicode_display routine ...?

>On Thu, Nov 25, 1999 at 11:12:46AM -0600, Gilbert Ramirez wrote:
>> On Thu, Nov 25, 1999 at 03:12:54PM +0100, Florian Lohoff wrote:
>> > 
>> > I can reproduce this easily - Our LAN seems to be full
>> > of these frames :)
>> 
>> Can you make a small trace using tcpdump (using the -s and -w flags), 
>> load it into ethereal, and if it fails, send it to us?
>
>*Grin* I have a trace (140k) which triggers the bug - Currently I have
>no clue WHICH packet triggers it, so I could easily filter it out
>and/or do a new trace with "tcpdump" ...
>
>The trace contains some "pw protected" http traffic so I wouldn't like
>to give it out. 
>
>Ok - I debugged into ethereal until I got some more info on the 
>wrong packet ...
>
>(gdb) run
>Starting program: /tmp/ethereal-0.7.8/ethereal 
>
>Breakpoint 2, dissect_transact_smb (pd=0x81d1838 "", offset=64,
>fd=0x81d4288, parent=0x0, tree=0x76, si={tid = 134893952, uid = 4, mid = 0,
>pid = 0, conversation = 0x0, request_val = 0x40005fe1}, max_data=-72548351,
>SMB_offset=135836632, errcode=135790592, dirn=-1073749980) at
>packet-smb.c:9096
>(gdb) print *fd
>$3 = {next = 0x0, prev = 0x0, num = 1, pkt_len = 150, cap_len = 150,
>rel_secs = 118, rel_usecs = 97, abs_secs = 943523947, abs_usecs = 237211,
>del_secs = 116, del_usecs = 109, file_off = 40, cinfo = 0x816aeb4, row =
>49, lnk_t = 1, passed_dfilter = 1076958832, encoding = CHAR_ASCII,
>pseudo_header = {x25 = {flags = 0 '\000'}, ngsniffer_atm = {AppTrafType = 0
>'\000', AppHLType = 0 '\000', Vpi = 0, Vci = 0, channel = 0, cells = 0,
>aal5t_u2u = 0, aal5t_len = 0, aal5t_chksum = 0}, ascend = {type = 0, user =
>'\000' <repeats 26 times>, "\004\000\000\000øD\035\b", '\000' <repeats 29
>times>, sess = 0, call_num = "\000\000\000\000\004\000\000\000(E\035\b",
>'\000' <repeats 40 times>, "\004\000\000\000XE\035\b\000\000\000", chunk =
>0, task = 0}, lapd = {from_network_to_user = 0}}}
>(gdb)
>
>Then I extracted all packets with the len of "150" from the dump by
>
>/usr/sbin/tcpdump -x -r SMB-BugTrigger len == 150 -w f
>
>The resulting file (2 packets) is attached ...
>
>Flo
>-- 
>Florian Lohoff		flo@xxxxxxxxxx		      	+49-5241-470566
>  ...  The failure can be random; however, when it does occur, it is
>  catastrophic and is repeatable  ...             Cisco Field Notice
>
>Attachment Converted: "c:\eudora\attach\buggy-packets"
>

Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
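Added example of the kind of bounded string reader the thread calls for (not Ethereal's code and not the unicode_display routine mentioned above): the SMB header Flags2 "strings are Unicode" bit (0x8000) selects ASCII or UTF-16LE, and the string length is measured against the captured frame length, so a missing terminator yields an error instead of a strlen() run off the end of the packet buffer. The `\PIPE\LANMAN` sample bytes are constructed; `smb_display_string`, `smb_bounded_strlen` and `decode_sample` are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SMB_FLAGS2_UNICODE 0x8000   /* Flags2: "strings are Unicode" (UTF-16LE) */

/* Constructed sample: "\PIPE\LANMAN" as NUL-terminated UTF-16LE, as carried in
 * a Transaction request whose header has the Unicode bit set. */
static const uint8_t kUnicodePipe[] = {
    '\\',0, 'P',0, 'I',0, 'P',0, 'E',0, '\\',0,
    'L',0, 'A',0, 'N',0, 'M',0, 'A',0, 'N',0, 0,0 };

/* Characters before the terminator, never reading past len (width 1 = ASCII,
 * 2 = UTF-16LE). Returns -1 when no terminator lies inside the buffer. */
static int smb_bounded_strlen(const uint8_t *pd, size_t len, size_t off, size_t width)
{
    size_t i, n = 0;
    for (i = off; i + width <= len; i += width, n++)
        if (pd[i] == 0 && (width == 1 || pd[i + 1] == 0))
            return (int)n;
    return -1;
}

/* Render the SMB string at pd[off] as printable ASCII, choosing ASCII or
 * UTF-16LE from flags2. Code units outside printable ASCII become '?'.
 * Returns bytes consumed including the terminator, or -1 if the string
 * is not terminated inside the captured frame (so no strlen() overrun). */
int smb_display_string(const uint8_t *pd, size_t len, size_t off,
                       uint16_t flags2, char *out, size_t outsz)
{
    size_t width = (flags2 & SMB_FLAGS2_UNICODE) ? 2 : 1, i;
    int n;
    if (off > len || outsz == 0) return -1;
    n = smb_bounded_strlen(pd, len, off, width);
    if (n < 0) return -1;
    for (i = 0; i < (size_t)n && i + 1 < outsz; i++) {
        uint8_t lo = pd[off + i * width];
        uint8_t hi = (width == 2) ? pd[off + i * width + 1] : 0;
        out[i] = (hi == 0 && lo >= 0x20 && lo < 0x7f) ? (char)lo : '?';
    }
    out[i] = '\0';
    return (n + 1) * (int)width;
}

/* Decode a sample from offset 0 into a static buffer (handy for a quick check). */
static char g_out[64];
int decode_sample(const uint8_t *pd, size_t len, uint16_t flags2)
{
    return smb_display_string(pd, len, 0, flags2, g_out, sizeof g_out);
}
```

Decoding the sample with the Unicode bit clear stops at the first zero byte and yields just "\", which is the wrong-width reading the thread describes; decoding it with the bit set yields the full pipe name.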