Correctly dissect LSA security descriptors, at least as they appear
inside a Netlogon security descriptor.

Correctly dissect NT security descriptors as they appear inside an LSA security descriptor (at least as those appear inside a Netlogon security descriptor): they apparently get sent over the wire as an opaque blob from the point of view of DCE RPC; at least in one capture I've seen, they do *not* get sent over the wire in DCE RPC NDR syntax.

svn path=/trunk/; revision=5212
parent
2233aa8f3e
commit
677ad9ee25
|
@ -3,7 +3,7 @@
|
|||
* Copyright 2001, Tim Potter <tpot@samba.org>
|
||||
* 2002 Added LSA command dissectors Ronnie Sahlberg
|
||||
*
|
||||
* $Id: packet-dcerpc-lsa.c,v 1.19 2002/04/18 10:40:30 sahlberg Exp $
|
||||
* $Id: packet-dcerpc-lsa.c,v 1.20 2002/04/22 01:07:19 guy Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -212,6 +212,28 @@ lsa_dissect_LSA_SECRET(tvbuff_t *tvb, int offset,
|
|||
return offset;
|
||||
}
|
||||
|
||||
static int
|
||||
lsa_dissect_LSA_SECURITY_DESCRIPTOR_data(tvbuff_t *tvb, int offset,
|
||||
packet_info *pinfo, proto_tree *tree,
|
||||
char *drep)
|
||||
{
|
||||
guint32 len;
|
||||
dcerpc_info *di;
|
||||
|
||||
di=pinfo->private_data;
|
||||
if(di->conformant_run){
|
||||
/*just a run to handle conformant arrays, nothing to dissect */
|
||||
return offset;
|
||||
}
|
||||
|
||||
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
|
||||
hf_lsa_sd_size, &len);
|
||||
|
||||
dissect_nt_sec_desc(tvb, pinfo, offset, tree, len);
|
||||
offset += len;
|
||||
|
||||
return offset;
|
||||
}
|
||||
int
|
||||
lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvbuff_t *tvb, int offset,
|
||||
packet_info *pinfo, proto_tree *parent_tree,
|
||||
|
@ -227,7 +249,12 @@ lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvbuff_t *tvb, int offset,
|
|||
tree = proto_item_add_subtree(item, ett_LSA_SECURITY_DESCRIPTOR);
|
||||
}
|
||||
|
||||
offset = dissect_nt_sec_desc(tvb, pinfo, offset, tree, 0);
|
||||
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
|
||||
hf_lsa_sd_size, NULL);
|
||||
|
||||
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
|
||||
lsa_dissect_LSA_SECURITY_DESCRIPTOR_data, NDR_POINTER_UNIQUE,
|
||||
"LSA SECURITY DESCRIPTOR data:", -1, 0);
|
||||
|
||||
proto_item_set_len(item, offset-old_offset);
|
||||
return offset;
|
||||
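Review bot: In lsa_dissect_LSA_SECURITY_DESCRIPTOR_data the wire-supplied `len` is used without any bound: it is a guint32 handed to the `int len` parameter of dissect_nt_sec_desc and then added to the signed `offset`. On the usual two's-complement targets a value of 0xFFFFFFFF converts to -1, which the packet-smb.c part of this commit treats as the "follow NDR syntax" sentinel, so the packet contents can select the parsing mode, and other large values can drive `offset` negative. I would compare `len` with the bytes left in the tvb before the call and stop on an oversized value, e.g. `remaining = tvb_length_remaining(tvb, offset); if (remaining < 0 || len > (guint32)remaining) return offset;` (assuming that helper is available in this tree). A named constant for the sentinel instead of a bare -1 would also make the collision with a wire value easier to spot.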
|
|
|
@ -2,7 +2,7 @@
|
|||
* Routines for SMB \PIPE\spoolss packet disassembly
|
||||
* Copyright 2001-2002, Tim Potter <tpot@samba.org>
|
||||
*
|
||||
* $Id: packet-dcerpc-spoolss.c,v 1.17 2002/04/18 00:29:17 guy Exp $
|
||||
* $Id: packet-dcerpc-spoolss.c,v 1.18 2002/04/22 01:07:19 guy Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -996,7 +996,7 @@ static int prs_PRINTER_INFO_2(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
|||
|
||||
offset = prs_uint32(tvb, offset, pinfo, tree, &rel_offset, NULL);
|
||||
|
||||
dissect_nt_sec_desc(tvb, pinfo, struct_start + rel_offset, tree, 0);
|
||||
dissect_nt_sec_desc(tvb, pinfo, struct_start + rel_offset, tree, -1);
|
||||
|
||||
offset = prs_uint32(tvb, offset, pinfo, tree, NULL, "Attributes");
|
||||
|
||||
|
@ -1029,7 +1029,7 @@ static int prs_PRINTER_INFO_3(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
|||
{
|
||||
offset = prs_uint32(tvb, offset, pinfo, tree, NULL, "Flags");
|
||||
|
||||
offset = dissect_nt_sec_desc(tvb, pinfo, offset, tree, 0);
|
||||
offset = dissect_nt_sec_desc(tvb, pinfo, offset, tree, -1);
|
||||
|
||||
return offset;
|
||||
}
|
||||
|
|
46
packet-smb.c
46
packet-smb.c
|
@ -3,7 +3,7 @@
|
|||
* Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
|
||||
* 2001 Rewrite by Ronnie Sahlberg and Guy Harris
|
||||
*
|
||||
* $Id: packet-smb.c,v 1.243 2002/04/17 15:11:30 sahlberg Exp $
|
||||
* $Id: packet-smb.c,v 1.244 2002/04/22 01:07:19 guy Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -6928,12 +6928,19 @@ dissect_nt_sec_desc_type(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tr
|
|||
return offset;
|
||||
}
|
||||
|
||||
/* this function is also called from DCREPC services and then the NDR syntax must be followed.
|
||||
we assume that owner SID , group SID, SACL DACL objects are always stored in order (when present)
|
||||
and that all of them are aligned on a 4 byte boundary.
|
||||
We no longer use the xxx_offset other than to check that they are non-NULL to be compatible with
|
||||
DCERPC NDR Unique pointer handling.
|
||||
len is no longer used and should be removed */
|
||||
/* This function is also called from DCREPC services; it may be that, in
|
||||
some cases, the NDR syntax must be followed, but that's not the case,
|
||||
for example, for the security descriptor inside an LSA Security
|
||||
Descriptor structure.
|
||||
|
||||
A "len" of -1 means that the NDR syntax must be followed.
|
||||
In that case, we assume that owner SID, group SID, SACL, and DACL objects
|
||||
are always stored in order (when present) and that all of them are aligned
|
||||
on a 4 byte boundary, and we no longer use the xxx_offset other than to
|
||||
check that they are non-NULL to be compatible with DCERPC NDR Unique.
|
||||
|
||||
Otherwise, we use the offsets to see where the owner SID, group SID,
|
||||
SACL, and DACL are stored. */
|
||||
int
|
||||
dissect_nt_sec_desc(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *parent_tree, int len)
|
||||
{
|
||||
|
@ -6947,7 +6954,7 @@ dissect_nt_sec_desc(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *p
|
|||
guint32 dacl_offset;
|
||||
|
||||
if(parent_tree){
|
||||
item = proto_tree_add_text(parent_tree, tvb, offset, 0,
|
||||
item = proto_tree_add_text(parent_tree, tvb, offset, len,
|
||||
"NT Security Descriptor");
|
||||
tree = proto_item_add_subtree(item, ett_smb_sec_desc);
|
||||
}
|
||||
|
@ -6985,27 +6992,40 @@ dissect_nt_sec_desc(tvbuff_t *tvb, packet_info *pinfo, int offset, proto_tree *p
|
|||
|
||||
/*owner SID*/
|
||||
if(owner_sid_offset){
|
||||
offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Owner");
|
||||
if (len == -1)
|
||||
offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Owner");
|
||||
else
|
||||
dissect_nt_sid(tvb, pinfo, old_offset+owner_sid_offset, tree, "Owner");
|
||||
}
|
||||
|
||||
/*group SID*/
|
||||
if(group_sid_offset){
|
||||
offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Group");
|
||||
if (len == -1)
|
||||
offset = dissect_nt_sid(tvb, pinfo, offset, tree, "Group");
|
||||
else
|
||||
dissect_nt_sid(tvb, pinfo, old_offset+group_sid_offset, tree, "Group");
|
||||
}
|
||||
|
||||
/* sacl */
|
||||
if(sacl_offset){
|
||||
offset = dissect_nt_acl(tvb, pinfo, offset, tree, "System (SACL)");
|
||||
if (len == -1)
|
||||
offset = dissect_nt_acl(tvb, pinfo, offset, tree, "System (SACL)");
|
||||
else
|
||||
dissect_nt_acl(tvb, pinfo, old_offset+sacl_offset, tree, "System (SACL)");
|
||||
}
|
||||
|
||||
/* dacl */
|
||||
if(dacl_offset){
|
||||
offset = dissect_nt_acl(tvb, pinfo, offset, tree, "User (DACL)");
|
||||
if (len == -1)
|
||||
offset = dissect_nt_acl(tvb, pinfo, offset, tree, "User (DACL)");
|
||||
else
|
||||
dissect_nt_acl(tvb, pinfo, old_offset+dacl_offset, tree, "User (DACL)");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
proto_item_set_len(item, offset-old_offset);
|
||||
if (len == -1)
|
||||
proto_item_set_len(item, offset-old_offset);
|
||||
return offset;
|
||||
}
|
||||
|
||||
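Review bot: In the non-NDR branches (`len != -1`) the Owner, Group, SACL and DACL positions are computed as `old_offset+owner_sid_offset` (and likewise for the other three) from offsets read out of the packet, with no check that they fall inside the `len`-byte descriptor. A malformed descriptor can therefore point the sub-dissectors at any part of the tvb the sum reaches, or at a negative offset if the guint32-to-int addition wraps; the tvb accessors presumably still stop a read outside the buffer, but the tree would then show bytes that are not part of the blob. I would validate each offset before use, e.g. `if (owner_sid_offset >= (guint32)len) { /* flag as malformed and skip */ }`, or pass the sub-dissectors a subset tvb limited to `len` bytes. As a style point, the four repeated `if (len == -1)` tests would read better with a named sentinel constant and one local flag. The body of dissect_nt_sec_desc starts outside this hunk, so the initialisation of `item` and `old_offset` is not visible here.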
|
|