Date: 11/19/97 7:48:44 PM
From: Christian Starkjohann
Subject: NT blue screen
To: (""@LOCAL)

Hi,

while developing a CIFS client, I have found a message sequence that
crashes an NT 4.0 (service pack 2) machine. Although I was looking hard,
I have not found what might be wrong with my requests. The dialog is as
follows (on TCP port 139):

Netbios session request:
<- Tx: 81 00 00 44:
   20 43 4b 46 44 45 4e 45 43 46 44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43 41 43 41 43 41 43 41 00
   20 46 4b 45 42 46 41 45 49 45 50 45 45 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00
-> Rx: 82 00 00 00:

SMB_COM_NEGOTIATE:
<- Tx: 00 00 00 52:
   ff 53 4d 42 72 00 00 00 00 18 03 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 00 00 ff ff 00 00
   00 2f 00 02 50 43 20 4e 45 54 57 4f 52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 4c 4d 31 2e 32 58 30 30 32 00 02 4e 54 20 4c 4d 20 30 2e 31 32 00
-> Rx: 00 00 00 61:
   ff 53 4d 42 72 00 00 00 00 98 03 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 00 00 ff ff 00 00
   11 02 00 03 32 00 01 00 04 11 00 00 00 00 01 00 00 00 00 00 fd 43 00 00 70 29 ab 77 49 f5 bc 01 c4 ff 08 1c 00 fb da 8b ff 8a a7 32 bf 57 00 4f 00 52 00 4b 00 47 00 52 00 4f 00 55 00 50 00 00 00

SMB_COM_SESSION_SETUP_ANDX (user 'gast' password 'gast'):
<- Tx: 00 00 00 55:
   ff 53 4d 42 73 00 00 00 00 18 03 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 00 00 64 00 01 00
   0d ff 00 02 50 04 00 01 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 94 02 00 00 18 00 67 61 73 74 00 67 61 73 74 00 00 6d 79 4f 53 00 53 48 41 52 49 54 59 00
-> Rx: 00 00 00 55:
   ff 53 4d 42 73 00 00 00 00 98 03 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 00 00 00 08 01 00
   03 ff 00 55 00 02 00 2c 00 57 69 6e 64 6f 77 73 20 4e 54 20 34 2e 30 00 4e 54 20 4c 41 4e 20 4d 61 6e 61 67 65 72 20 34 2e 30 00 57 4f 52 4b 47 52 4f 55 50 00

SMB_COM_TREE_CONNECT_ANDX ('\\ZERBERUS\D'):
<- Tx: 00 00 00 3c:
   ff 53 4d 42 75 00 00 00 00 18 03 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 00 00 00 08 02 00
   04 ff 00 02 50 00 00 01 00 11 00 00 5c 5c 5a 45 52 42 45 52 55 53 5c 44 00 41 3a 00
-> Rx: 00 00 00 30:
   ff 53 4d 42 75 00 00 00 00 98 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 08 02 00
   03 ff 00 30 00 01 00 07 00 41 3a 00 46 41 54 00

SMB_COM_QUERY_INFORMATION:
<- Tx: 00 00 00 25:
   ff 53 4d 42 08 00 00 00 00 18 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 08 03 00
   00 02 00 04 00
-> Rx: 00 00 00 37:
   ff 53 4d 42 08 00 00 00 00 98 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 08 03 00
   0a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

SMB_COM_QUERY_INFORMATION (same request as before):
<- Tx: 00 00 00 25:
   ff 53 4d 42 08 00 00 00 00 18 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 08 04 00
   00 02 00 04 00
-> Rx: 00 00 00 37:
   ff 53 4d 42 08 00 00 00 00 98 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 08 04 00
   0a 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

SMB_COM_TRANSACTION2/TRANS2_QUERY_FS_INFORMATION:
<- Tx: 00 00 00 48:
   ff 53 4d 42 32 00 00 00 00 18 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 08 05 00
   0f 02 00 00 00 40 00 00 08 00 00 00 00 00 00 00 00 00 00 02 00 44 00 00 00 48 00 01 00 03 00 07 00 00 00 00 01 00 00 00

This last message has crashed the NT box (blue screen).

The variations I have tried:
   different numbers for MaxParameterCount/MaxDataCount
   different alignment of data/parameter blocks
   giving a timeout
   different flags in the SMB header

The only thing that helps is to replace all SMB_COM_TRANSACTION2 messages
by their core equivalents. It's always the first SMB_COM_TRANSACTION2
message regardless of the subcommand (I have tried TRANS2_FIND_FIRST2,
TRANS2_QUERY_FS_INFORMATION and TRANS2_QUERY_PATH_INFORMATION).

The evil SMB in detail:

ff 53 4d 42 32                        SMB_COM_TRANSACTION2
00 00 00 00                           no error
18                                    flags
03 00                                 flags2
00 00 00 00 00 00 00 00 00 00 00 00
00 08                                 tid
00 00                                 pid
00 08                                 uid
05 00                                 mid
0f                                    word count
02 00                                 total parameter count (bytes)
00 00                                 total data count (bytes)
40 00                                 max parameter count
00 08                                 max data count
00 00                                 max setup count
00 00                                 flags
00 00 00 00                           timeout
00 00                                 reserved
02 00                                 parameter count in this SMB (bytes)
44 00                                 parameter offset
00 00                                 data count in this SMB (bytes)
48 00                                 data offset
01 00                                 setup count
03 00                                 setup: TRANS2_QUERY_FS_INFORMATION
07 00                                 data count
--
00 00 00                              three bytes of padding
01 00                                 information level: SMB_INFO_ALLOCATION
00 00                                 two bytes of padding (for non-existing data block)

Does anyone have an idea what's wrong? BTW, the same sequence of messages
works well with Samba.

Bye,
Christian.

--
Christian Starkjohann or , finger for PGP Public Key.
PGP fingerprint: DF FD 40 60 91 6A 14 1C CD 2C E9 07 38 AE CB 4E

----------------------------------------------------------------
Users Guide http://www.microsoft.com/sitebuilder/resource/mailfaq.asp
contains important info including how to unsubscribe. Save time, search
the archives at http://discuss.microsoft.com/archives/index.html
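The message the poster labels "evil" is small enough to check by hand, but the question he asks (is anything wrong with the request?) is exactly what a structural decoder answers. The decoder below is an added example written for this page; it is not the poster's client code and not from any SMB implementation. It takes the NetBIOS session request and the SMB_COM_TRANSACTION2 frame transcribed from the hex dumps above, undoes the RFC 1001 first-level name encoding, unpacks the SMB header and the TRANSACTION2 parameter words using the field layout from the CIFS specification, and reports every length or offset that does not add up (NetBIOS length vs. bytes present, WordCount vs. SetupCount, ByteCount reaching the end of the SMB, parameter and data blocks lying inside the byte block). The TRANS2 subcommand numbers and the struct layouts are from the CIFS/MS-CIFS documentation; the sample frames are copied from the post.

```python
import struct

# Frames transcribed from the hex dumps in the post above, NetBIOS session
# service framing included. They are the decoder's sample input, not new traffic.
SESSION_REQUEST = bytes.fromhex(
    "81 00 00 44 "
    "20 43 4b 46 44 45 4e 45 43 46 44 45 46 46 43 46 47 45 46 46 43 43 41 43 41 43 41 43 41 43 41 43 41 00 "
    "20 46 4b 45 42 46 41 45 49 45 50 45 45 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 43 41 00 "
)
TRANS2_REQUEST = bytes.fromhex(
    "00 00 00 48 "
    "ff 53 4d 42 32 00 00 00 00 18 03 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 08 00 00 00 08 05 00 "
    "0f 02 00 00 00 40 00 00 08 00 00 00 00 00 00 00 00 00 00 "
    "02 00 44 00 00 00 48 00 01 00 03 00 "
    "07 00 00 00 00 01 00 00 00 "
)

NBSS = struct.Struct('>BBH')                      # NetBIOS session service: type, flags, length
SMB_HDR = struct.Struct('<4sBIBH12sHHHH')         # 32-byte SMB header (little-endian)
TRANS2_WORDS = struct.Struct('<HHHHBBHIHHHHHBB')  # parameter words before Setup[] (28 bytes)
TRANS2_SUBCMD = {0x0001: 'TRANS2_FIND_FIRST2',
                 0x0003: 'TRANS2_QUERY_FS_INFORMATION',
                 0x0005: 'TRANS2_QUERY_PATH_INFORMATION'}


def nbss_payload(frame):
    """Strip the 4-byte session service header; bit 0 of flags extends length to 17 bits."""
    nb_type, nb_flags, nb_len = NBSS.unpack_from(frame, 0)
    if nb_flags & 1:
        nb_len += 0x10000
    return nb_type, frame[4:4 + nb_len], nb_len


def decode_netbios_name(encoded):
    """Undo RFC 1001 first-level encoding: each byte is sent as two nibbles, each + 'A'."""
    if len(encoded) != 32:
        raise ValueError('encoded NetBIOS name must be 32 bytes')
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    # 15 name characters padded with spaces, 16th byte is the name type (suffix)
    return raw[:15].decode('ascii').rstrip(' '), raw[15]


def parse_session_request(frame):
    nb_type, body, nb_len = nbss_payload(frame)
    if nb_type != 0x81:
        raise ValueError('not a NetBIOS session request')
    names, pos = [], 0
    for _ in range(2):                       # called name, then calling name
        label_len = body[pos]
        names.append(decode_netbios_name(body[pos + 1:pos + 1 + label_len]))
        pos += 1 + label_len
        if body[pos] != 0:
            raise ValueError('NetBIOS name not terminated by a zero-length label')
        pos += 1
    return {'called': names[0], 'calling': names[1], 'length_ok': pos == nb_len == len(body)}


def parse_trans2_request(frame):
    nb_type, smb, nb_len = nbss_payload(frame)
    hdr = SMB_HDR.unpack_from(smb, 0)
    if nb_type != 0x00 or hdr[0] != b'\xffSMB' or hdr[1] != 0x32:
        raise ValueError('not a session message carrying SMB_COM_TRANSACTION2')
    wct = smb[32]
    (tpc, tdc, mpc, mdc, msc, _r1, tflags, timeout, _r2,
     pcnt, poff, dcnt, doff, scnt, _r3) = TRANS2_WORDS.unpack_from(smb, 33)
    setup = struct.unpack_from('<%dH' % scnt, smb, 33 + TRANS2_WORDS.size)
    bcc_at = 33 + 2 * wct
    bcc = struct.unpack_from('<H', smb, bcc_at)[0]
    bytes_start = bcc_at + 2                 # first byte of the SMB byte block
    problems = []
    if len(smb) != nb_len:
        problems.append('NetBIOS length %d but %d SMB bytes present' % (nb_len, len(smb)))
    if 2 * wct != TRANS2_WORDS.size + 2 * scnt:
        problems.append('WordCount %d inconsistent with SetupCount %d' % (wct, scnt))
    if bytes_start + bcc != len(smb):
        problems.append('ByteCount %d does not reach the end of the SMB' % bcc)
    if not (bytes_start <= poff and poff + pcnt <= len(smb)):
        problems.append('parameter block [%d,%d) outside the byte block' % (poff, poff + pcnt))
    if not (bytes_start <= doff and doff + dcnt <= len(smb)):
        problems.append('data block [%d,%d) outside the byte block' % (doff, doff + dcnt))
    if pcnt > tpc or dcnt > tdc:
        problems.append('this SMB carries more parameter/data bytes than the totals announce')
    params = smb[poff:poff + pcnt]
    info_level = struct.unpack_from('<H', params, 0)[0] if len(params) >= 2 else None
    return {
        'tid': hdr[6], 'uid': hdr[8], 'mid': hdr[9],
        'subcommand': TRANS2_SUBCMD.get(setup[0], hex(setup[0])) if setup else None,
        'max_parameter_count': mpc, 'max_data_count': mdc,
        'parameter_offset': poff, 'parameter_count': pcnt,
        'data_offset': doff, 'data_count': dcnt,
        'information_level': info_level,
        'trailing_bytes': len(smb) - (poff + pcnt),   # bytes after the last parameter byte
        'problems': problems,
    }


if __name__ == '__main__':
    print(parse_session_request(SESSION_REQUEST))
    print(parse_trans2_request(TRANS2_REQUEST))
```

Run against the transcribed frames, the session request decodes to the generic called name "*SMBSERVER" (type 0x20) and the calling name "ZAPHOD", and the TRANSACTION2 request comes back with an empty problem list: the NetBIOS length (0x48) equals the SMB size, WordCount 15 matches one setup word, ByteCount 7 ends exactly at the end of the message, the parameter block at offset 0x44 holds the two-byte information level 1 (SMB_INFO_ALLOCATION) inside the byte block, and the empty data block at offset 0x48 sits at the end of the SMB. Structurally, the message is sound by these checks, which is consistent with the poster's observation that Samba accepts the same sequence; whatever NT 4.0 SP2 tripped over is not a length or offset inconsistency the client could have detected. Flipping the parameter offset to a value past the end of the message is caught immediately, which is the kind of malformed input a client-side check like this is meant to reject before it reaches the server.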