SMB Dissector for TRANS2_QUERY_FS_INFO displays truncated FS Name & Label
Summary
When parsing a TRANS2_QUERY_FS_INFO response with information level set to SMB_QUERY_FS_ATTRIBUTE_INFO (0x0105), the FS Name field is parsed incorrectly. Instead of displaying the full name (in my case "NTFS"), it displays only the first letter, "N". The same thing happens with information level SMB_QUERY_FS_VOLUME_INFO (0x0102) and its Label field.
Steps to reproduce
This issue was found with a custom SMB client implementation. The following caused the issue:
- The TRANS2_QUERY_FS_INFO request was sent with the Unicode flag in the SMB header UNSET (meaning ASCII strings)
- The server echoes this flag value back in the response
- Regardless of the flag, the FS Name (or Label) string is in Unicode (as specified in MS-CIFS sections 2.2.8.2.6 and 2.2.8.2.3)
What is the current bug behavior?
Presumably, Wireshark assumes the string is ASCII because of the flag. Therefore it tries to parse it as ASCII. Because SMB uses little-endian Unicode, the second byte of the first character is 0x00. This causes Wireshark to treat it as the null terminator, and we're left with only the first character.
What is the expected correct behavior?
Wireshark should treat these fields as Unicode regardless of the flag value, because this is how they're specified by Microsoft. If the string is parsed as Unicode, the correct result will be produced.
Sample capture file
wireshark_trans2_bug_filtered.pcapng
Build information
3.4.0 (v3.4.0-0-g9733f173ea5e)
Compiled (64-bit) with Qt 5.15.1, with libpcap, with GLib 2.52.3, with zlib
1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.3
and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB
resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic updates using
WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled resampler).
Running on 64-bit Windows 10 (2004), build 19041, with Intel(R) Core(TM)
i5-7600K CPU @ 3.80GHz (with SSE4.2), with 16314 MB of physical memory, with
locale Hebrew_Israel.utf8, with light display mode, without HiDPI, with Npcap
version 1.00, based on libpcap version 1.9.1, with GnuTLS 3.6.3, with Gcrypt
1.8.3, with brotli 1.0.2, without AirPcap, binary plugins supported (21 loaded).
Built using Microsoft Visual Studio 2019 (VC++ 14.27, build 29112).
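The truncation described in this report can be reproduced outside Wireshark. The following C sketch is an added example, not code from the report or from the Wireshark dissector: it parses a constructed SMB_QUERY_FS_ATTRIBUTE_INFO data block (field layout per MS-CIFS 2.2.8.2.6) and decodes the FS Name both ways. The function names and sample bytes are assumptions made for illustration, and non-ASCII code units are simplified to '?'.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample data block; attribute values are made up. */
static const uint8_t sample[] = {
    0xff, 0x00, 0x07, 0x00,          /* FileSystemAttributes (constructed) */
    0xff, 0x00, 0x00, 0x00,          /* MaxFileNameLengthInBytes = 255 */
    0x08, 0x00, 0x00, 0x00,          /* LengthOfFileSystemName = 8 bytes */
    'N', 0, 'T', 0, 'F', 0, 'S', 0   /* FileSystemName, UTF-16LE */
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Locate the name field; NULL if the block is shorter than it claims. */
static const uint8_t *fs_name(const uint8_t *buf, size_t len, size_t *n) {
    if (len < 12) return NULL;
    *n = le32(buf + 8);
    return (*n > len - 12) ? NULL : buf + 12;
}

/* Behaviour described in the report: NUL-terminated ASCII decoding. */
int decode_as_ascii(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    size_t n, i = 0;
    const uint8_t *name = fs_name(buf, len, &n);
    if (!name || outsz == 0) return -1;
    while (i < n && i + 1 < outsz && name[i] != 0) { out[i] = (char)name[i]; i++; }
    out[i] = '\0';
    return (int)i;                   /* stops at the 0x00 high byte of 'N' */
}

/* Expected behaviour: always UTF-16LE, whatever the header flag says. */
int decode_as_utf16le(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    size_t n, i, o = 0;
    const uint8_t *name = fs_name(buf, len, &n);
    if (!name || outsz == 0 || (n & 1)) return -1;   /* odd length: malformed */
    for (i = 0; i + 1 < n && o + 1 < outsz; i += 2) {
        uint16_t cu = (uint16_t)(name[i] | name[i + 1] << 8);
        if (cu == 0) break;
        out[o++] = cu < 0x80 ? (char)cu : '?';       /* simplification */
    }
    out[o] = '\0';
    return (int)o;
}
```

On the sample block the ASCII path yields "N" and the UTF-16LE path yields "NTFS"; a block whose length field exceeds the remaining bytes is rejected by both.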