SMB NtTransCreate should decode extended response

SMB Nt Transact Create can have an extended response like
SMB Nt Create, as described in MS-SMB 2.2.7.1.2

Bug: 12477
Change-Id: Id1d7b96a1eb336b8c45bcb9af7b7d1b9b42c662a
Reviewed-on: https://code.wireshark.org/review/15577
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Anders Broman <a.broman58@gmail.com>

1 files changed, 43 insertions, 1 deletions

diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c
index e132b52e4a..01dcb88650 100644
--- a/epan/dissectors/packet-smb.c
+++ b/epan/dissectors/packet-smb.c
@@ -8474,6 +8474,13 @@ dissect_nt_trans_param_request(tvbuff_t *tvb, packet_info *pinfo, int offset, pr
 		offset = dissect_nt_security_flags(tvb, tree, offset);
 		bc -= 1;
 
+		/* May need to skip alignment padding. */
+		if (offset&1) {
+			/* pad byte */
+			proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, ENC_NA);
+			offset += 1;
+		}
+
 		/* file name */
 		fn = get_unicode_or_ascii_string(tvb, &offset, si->unicode, &fn_len, TRUE, TRUE, &bc);
 		if (fn != NULL) {
@@ -8781,12 +8788,13 @@ dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tr
 	}
 	offset += 2;
 
-	/* this is a padding byte */
+#if 0	/* XXX this is a padding byte?  I don't think so. -gwr */
 	if (offset&1) {
 		/* pad byte */
 	        proto_tree_add_item(tree, hf_smb_padding, tvb, offset, 1, ENC_NA);
 		offset += 1;
 	}
+#endif
 
 	/* if there were any setup bytes, decode them */
 	if (sc) {
@@ -8794,6 +8802,13 @@ dissect_nt_transaction_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tr
 		offset += sc*2;
 	}
 
+	/*
+	 * Do we really need to even look at the byte count here?
+	 * Servers normally use byte_count only when assembling the
+	 * setup, parameters, and data segments.  Once we know
+	 * how long each of those are, we should dissect them
+	 * using the lengths determined during assembly.
+	 */
 	BYTE_COUNT;
 
 	/* reassembly of SMB NT Transaction data payload.
@@ -8975,6 +8990,7 @@ dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
 	smb_fid_info_t         *fid_info = NULL;
 	guint16                 ftype;
 	guint8                  isdir;
+	guint8                  ext_resp = 0;
 
 	DISSECTOR_ASSERT(si);
 
@@ -9009,6 +9025,7 @@ dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
 		offset += 1;
 
 		/* reserved byte */
+		ext_resp = tvb_get_guint8(tvb, offset);
 	        proto_tree_add_item(tree, hf_smb_reserved, tvb, offset, 1, ENC_NA);
 		offset += 1;
 
@@ -9065,6 +9082,31 @@ dissect_nt_trans_param_response(tvbuff_t *tvb, packet_info *pinfo,
 		proto_tree_add_item(tree, hf_smb_is_directory, tvb, offset, 1, ENC_LITTLE_ENDIAN);
 		offset += 1;
 
+		/* decode extended response per [MS-SMB] 2.2.7.1.2
+		   (volume_guid, file_id, max_acc, guest_acc)
+		   Just like dissect_nt_create_andx_response */
+		if (ext_resp != 0) {
+			proto_tree *tr = NULL;
+
+			/* The first field is a Volume GUID ... */
+			proto_tree_add_item(tree, hf_smb_volume_guid,
+					    tvb, offset, 16, ENC_NA);
+			offset += 16;
+
+			/* The file ID comes next */
+			proto_tree_add_item(tree, hf_smb_file_id_64bit,
+					    tvb, offset, 8, ENC_LITTLE_ENDIAN);
+			offset += 8;
+
+			tr = proto_tree_add_subtree(tree, tvb, offset, 4,
+				ett_smb_nt_access_mask, NULL, "Maximal Access Rights");
+			offset = dissect_smb_access_mask(tvb, tr, offset);
+
+			tr = proto_tree_add_subtree(tree, tvb, offset, 4,
+				ett_smb_nt_access_mask, NULL, "Guest Maximal Access Rights");
+			offset = dissect_smb_access_mask(tvb, tr, offset);
+		}
+
 		/* Try to remember the type of this fid so that we can dissect
 		 * any future security descriptor (access mask) properly
 		 */