The 17-bit length field in the header contains the number of

bytes which follow the header, not the full packet size.

    [Yes, the length field is either 17-bits, or (per the RFCs) it is a
    16-bit length field preceeded by an 8-bit flags field of which only
    the low-order bit may be used.  If that bit is set, then add 65536 to
    the 16-bit length field.  (In other words, it's a 17-bit unsigned
    length field.)
    ...unless, of course, the transport is native TCP [port 445] in which
    case the length field *might* be 24-bits wide.]

Anyway, the change is a very minor one.  We were including the four bytes
of the header in the length count and, as a result, sending four bytes of
garbage at the end of the SESSION REQUEST packet.

Small fix in function cli_session_request().
(This used to be commit d08471688b65371eb3de73b03a8ffaee86659ba0)

1 files changed, 8 insertions, 1 deletions

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 8ddd116679..4be63b8f2e 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -902,7 +902,14 @@ BOOL cli_session_request(struct cli_state *cli,
 	name_mangle(cli->calling.name, p, cli->calling.name_type);
 	len += name_len(p);
 
-	/* setup the packet length */
+        /* setup the packet length
+         * Remove four bytes from the length count, since the length
+         * field in the NBT Session Service header counts the number
+         * of bytes which follow.  The cli_send_smb() function knows
+         * about this and accounts for those four bytes.
+         * CRH.
+         */
+        len -= 4;
 	_smb_setlen(cli->outbuf,len);
 	SCVAL(cli->outbuf,0,0x81);