https://bugzilla.novell.com/show_bug.cgi?id=247090

------- Comment #28 from sfrench@us.ibm.com 2007-06-08 14:09 MST -------

OK - this makes sense now and shows multiple server bugs in one frame (see frame 18), not just one server bug.

a) The frame length is 139 (135 not counting the RFC1001 length field itself) while the frame length should be 107 for an SMB NTCreateX (open) response.

b) The wct (size of parameter area) is 0x2A but should be 0x22.

c) The bcc is either in the wrong place or uninitialized (the length of the data area is over 18,000 bytes but should be zero).

If the wct were correct (0x22) then the bcc would be zero and there would be 32 bytes of junk sent at the end of the frame (which is incorrect, but probably harmless), but since wct is incorrect the bcc is huge (probably uninitialized) and followed by a small amount of junk.

While it is possible to parse such a frame by hand, guessing what the server was trying to do - allowing frames to copy beyond the end of the buffer could be a security exposure.

If you can let us know a reference number for the EMC bug, I can put a note about this in the cifs documentation so we can alert customers to apply the security fix to their server.
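As an added illustration (not code from the cifs client or from the bug report), the C check below does what the comment argues a client must do before trusting a reply: verify that the declared wct and bcc fit inside the RFC1001 frame length rather than copying past the end of the receive buffer. The helper names, the 0xEE junk fill and the sample bcc value 0x4800 are assumptions; the frame sizes 107/139 and the wct values 0x22/0x2A are taken from the comment.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define RFC1001_HDR 4   /* NetBIOS session header: type byte + 24-bit big-endian length */
#define SMB1_HDR   32   /* fixed SMB1 header, begins with 0xFF 'S' 'M' 'B' */
enum smb_check { SMB_OK = 0, SMB_TRAILING_JUNK, SMB_TOO_SHORT, SMB_BAD_MAGIC, SMB_OVERRUN };

/* Hypothetical checker (not cifs code). buf points at the RFC1001 header and buflen is
 * the byte count actually received; the declared wct and bcc must fit inside the frame. */
enum smb_check validate_smb1_frame(const uint8_t *buf, size_t buflen)
{
    if (buflen < RFC1001_HDR + SMB1_HDR + 1) return SMB_TOO_SHORT;
    size_t rfc_len = ((size_t)buf[1] << 16) | ((size_t)buf[2] << 8) | buf[3];
    if (rfc_len + RFC1001_HDR > buflen) return SMB_TOO_SHORT; /* promises more than arrived */
    const uint8_t *smb = buf + RFC1001_HDR;
    if (memcmp(smb, "\xffSMB", 4) != 0) return SMB_BAD_MAGIC;
    size_t wct = smb[SMB1_HDR];                /* word count: parameter area is 2*wct bytes */
    size_t bcc_off = SMB1_HDR + 1 + 2 * wct;   /* bcc (little-endian u16) follows the words */
    if (bcc_off + 2 > rfc_len) return SMB_OVERRUN; /* wct alone runs past the frame end */
    size_t bcc = smb[bcc_off] | ((size_t)smb[bcc_off + 1] << 8);
    size_t declared = bcc_off + 2 + bcc;       /* bytes a trusting parser would consume */
    if (declared > rfc_len) return SMB_OVERRUN; /* data area lies beyond the received bytes */
    return declared == rfc_len ? SMB_OK : SMB_TRAILING_JUNK;
}

/* Constructed sample: zero-filled NT_CREATE_ANDX reply with the chosen wct/bcc, padded
 * with 0xEE "junk" out to rfc_len bytes. Returns the checker's verdict on it. */
enum smb_check check_sample(size_t rfc_len, uint8_t wct, uint16_t bcc)
{
    uint8_t f[600];                            /* large enough for any wct and small rfc_len */
    if (rfc_len + RFC1001_HDR > sizeof f) return SMB_TOO_SHORT;
    memset(f, 0xEE, sizeof f);
    f[0] = 0; f[1] = rfc_len >> 16; f[2] = rfc_len >> 8; f[3] = rfc_len;
    uint8_t *smb = f + RFC1001_HDR;
    memset(smb, 0, SMB1_HDR + 1 + 2 * (size_t)wct);
    memcpy(smb, "\xffSMB", 4);
    smb[4] = 0xA2;                             /* SMB_COM_NT_CREATE_ANDX */
    smb[SMB1_HDR] = wct;
    size_t bcc_off = SMB1_HDR + 1 + 2 * (size_t)wct;
    smb[bcc_off] = bcc & 0xff; smb[bcc_off + 1] = bcc >> 8;
    return validate_smb1_frame(f, rfc_len + RFC1001_HDR);
}

int main(void)
{   /* the comment's three cases: the expected 107-byte reply, 139 bytes with a correct wct
     * (32 junk bytes), and 139 bytes with wct 0x2A plus an uninitialised-looking bcc */
    printf("%d %d %d\n", check_sample(103, 0x22, 0), check_sample(135, 0x22, 0),
           check_sample(135, 0x2A, 0x4800));  /* prints: 0 1 4 */
    return 0;
}
```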