make xmit size adjustable per bind request

oiweiwei · oiweiwei · commit 7c69d9bcbab1 · 2025-11-11T14:01:21.000+01:00
diff --git a/config/config.go b/config/config.go
@@ -169,7 +169,10 @@ type Config struct {
 	Protocol string `json:"protocol"`
 
 	// The transfer encoding to use (ndr20, ndr64)
-	TrasnferEncoding string `json:"transfer_encoding"`
+	TransferEncoding string `json:"transfer_encoding"`
+
+	// The transfer window size.
+	TransportXmitSize int `json:"transport_xmit_size"`
 
 	// The flag that indicates whether credentials and mechanisms should be
 	// included into connection options. If GlobalCredentials is true, then
@@ -203,7 +206,8 @@ func New() *Config {
 	cfg.Auth.KRB5.DisablePAFXFAST = true
 	cfg.Auth.KRB5.AnyServiceClassSPN = true
 
-	cfg.TrasnferEncoding = "ndr20"
+	cfg.TransferEncoding = "ndr20"
+	cfg.TransportXmitSize = dcerpc.DefaultXmitSize
 
 	return cfg
 }
@@ -373,7 +377,7 @@ func (cfg *Config) ClientOptions(ctx context.Context) []dcerpc.Option {
 
 	options := []dcerpc.Option{}
 
-	switch cfg.TrasnferEncoding {
+	switch cfg.TransferEncoding {
 	case "ndr20":
 		options = append(options, dcerpc.WithNDR20())
 	case "ndr64":
@@ -513,6 +517,10 @@ func (cfg *Config) getDialOptions() []dcerpc.Option {
 		options = append(options, dcerpc.WithSMBDialer(smb2.NewDialer(dialer...)))
 	}
 
+	if cfg.TransportXmitSize > 0 {
+		options = append(options, dcerpc.WithFragmentSize(cfg.TransportXmitSize))
+	}
+
 	if !cfg.useGlobalCredentials {
 		if cfg.useMachineAccount {
 			for _, cred := range cfg.MachineAccountCredentials() {
@@ -733,9 +741,9 @@ func (cfg *Config) ParseServerAddr() error {
 			switch extra {
 			// transfer encoding.
 			case "ndr20":
-				cfg.TrasnferEncoding = "ndr20"
+				cfg.TransferEncoding = "ndr20"
 			case "ndr64":
-				cfg.TrasnferEncoding = "ndr64"
+				cfg.TransferEncoding = "ndr64"
 			// auth type keywords.
 			case "spnego":
 				cfg.Auth.SPNEGO = true
@@ -806,10 +814,14 @@ func (cfg *Config) Validate() error {
 		}
 	}
 
-	if err := ValidateTransferEncoding(cfg.TrasnferEncoding); err != nil {
+	if err := ValidateTransferEncoding(cfg.TransferEncoding); err != nil {
 		return err
 	}
 
+	if cfg.TransportXmitSize <= 1024 {
+		return fmt.Errorf("transport xmit size must be greater than 1024")
+	}
+
 	if err := ValidateAuthLevel(cfg.Auth.Level); err != nil {
 		return err
 	}
diff --git a/config/flag/command_line.go b/config/flag/command_line.go
@@ -18,7 +18,8 @@ func BindFlags(c *config.Config, flagSet *flag.FlagSet) {
 
 	flagSet.DurationVar(&c.Timeout, "timeout", c.Timeout, "timeout")
 
-	flagSet.StringVar(&c.TrasnferEncoding, "transfer-encoding", c.TrasnferEncoding, "transfer encoding: ndr20, ndr64")
+	flagSet.StringVar(&c.TransferEncoding, "transfer-encoding", c.TransferEncoding, "transfer encoding: ndr20, ndr64")
+	flagSet.IntVar(&c.TransportXmitSize, "transport-xmit-size", c.TransportXmitSize, "transport xmit size")
 
 	flagSet.StringVar(&c.Credential.Password, "password", c.Credential.Password, "password to authenticate with")
 	flagSet.StringVar(&c.Credential.NTHash, "nthash", c.Credential.NTHash, "NT hash to authenticate with")
diff --git a/dcerpc/pdu.go b/dcerpc/pdu.go
@@ -106,7 +106,7 @@ type AlterContext struct {
 }
 
 func (pdu *AlterContext) Size() int {
-	size := 8 + 1
+	size := 8 + 4
 	for _, ctx := range pdu.ContextList {
 		size += ctx.Size()
 	}
@@ -214,7 +214,7 @@ type Bind struct {
 }
 
 func (pdu *Bind) Size() int {
-	size := 8 + 1
+	size := 8 + 4
 	for _, ctx := range pdu.ContextList {
 		size += ctx.Size()
 	}
@@ -325,6 +325,8 @@ func (pdu *BindNak) Error() string {
 		return "bind: authentication type was not recognized"
 	case InvalidChecksum:
 		return "bind: invalid checksum"
+	case ProtocolVersionNotSupported:
+		return "bind: protocol version not supported"
 	default:
 		return "bind: unknown error"
 	}
diff --git a/dcerpc/transport.go b/dcerpc/transport.go
@@ -150,41 +150,6 @@ func (c *transport) ExportSMBSecurity(o *Security) {
 			o.SetAttribute(gssapi.AttributeSMBEffectiveSessionKey, pipe.SessionKey())
 		}
 	}
-
-}
-
-// writePacketFragmentedAuth writes the packet with fragmented authentication data.
-func (c *transport) writePacketFragmentedAuth(ctx context.Context, call Call, pkt *Packet) error {
-
-	authData, maxSize := pkt.AuthData, c.settings.MaxXmitFrag-pkt.PDUHeaderSize()
-
-	// https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm:
-	//
-	// If pfc_flags does not have PFC_LAST_FRAG set and rpc_vers_minor is 1,
-	// then the PDU has fragmented auth_verifier data. The server will assemble
-	// the data concatenating sequentially each auth_verifier field until a
-	// PDU is sent with PFC_LAST_FRAG flag set. This completed buffer is then
-	// used as auth_verifier data.
-
-	for {
-
-		if pkt.Set(PacketFlagLastFrag); len(authData) > maxSize {
-			pkt.AuthData, authData = authData[:maxSize], authData[maxSize:]
-			pkt.Header.RPCVersionMinor = 1
-			pkt.Unset(PacketFlagLastFrag)
-		}
-
-		// write bind pdu.
-		if err := c.WritePacket(ctx, call, pkt); err != nil {
-			return fmt.Errorf("alter context: write packet: %w", err)
-		}
-
-		if pkt.Unset(PacketFlagFirstFrag); len(pkt.AuthData) <= maxSize {
-			break
-		}
-	}
-
-	return nil
 }
 
 // AlterContext function establishes new presentation or security (or both) context(s).
@@ -229,7 +194,7 @@ func (c *transport) AlterContext(ctx context.Context, opts ...Option) (Conn, err
 	}
 
 	// write alter-context pdu.
-	if err := c.writePacketFragmentedAuth(ctx, call, pkt); err != nil {
+	if err := c.WritePacket(ctx, call, pkt); err != nil {
 		return nil, err
 	}
 
@@ -279,14 +244,14 @@ func (c *transport) AlterContext(ctx context.Context, opts ...Option) (Conn, err
 			// replace type with auth3.
 			pkt.PDU = &Auth3{}
 			// write auth3 pdu.
-			if err = c.writePacketFragmentedAuth(ctx, call, pkt); err != nil {
+			if err = c.WritePacket(ctx, call, pkt); err != nil {
 				return nil, fmt.Errorf("alter context: auth3: write packet: %w", err)
 			}
 			// no response is assumed.
 			break
 		}
 		// write alter_context request.
-		if err = c.writePacketFragmentedAuth(ctx, call, pkt); err != nil {
+		if err = c.WritePacket(ctx, call, pkt); err != nil {
 			return nil, fmt.Errorf("alter context: write packet: %w", err)
 		}
 		// read alter_context response.
@@ -420,8 +385,19 @@ func (c *transport) Bind(ctx context.Context, opts ...Option) (Conn, error) {
 	if pkt.AuthData, err = o.Security.Init(ctx, nil); err != nil {
 		return nil, fmt.Errorf("bind: %w", err)
 	}
+
+	// XXX: adjust max xmit frag size if auth data is too large.
+	if len(pkt.AuthData) > c.settings.MaxXmitFrag-pkt.PDUHeaderSize() {
+		c.logger.Warn().Int("auth_data_size", len(pkt.AuthData)).
+			Int("previous_max_xmit_frag", c.settings.MaxXmitFrag).
+			Msg("adjusting max xmit frag size to fit auth data")
+		c.settings.MaxXmitFrag = len(pkt.AuthData) + pkt.PDUHeaderSize()
+		// reset buffered connector.
+		c.cc = c.cc.Resized(c.settings.FragmentSize())
+	}
+
 	// write bind pdu.
-	if err = c.writePacketFragmentedAuth(ctx, call, pkt); err != nil {
+	if err = c.WritePacket(ctx, call, pkt); err != nil {
 		return nil, fmt.Errorf("bind: write packet: %w", err)
 	}
 	// read bind response (bind-ack, bind-nak).
@@ -499,14 +475,14 @@ func (c *transport) Bind(ctx context.Context, opts ...Option) (Conn, error) {
 			// replace type with auth3.
 			pkt.PDU = &Auth3{}
 			// write auth3 pdu.
-			if err = c.writePacketFragmentedAuth(ctx, call, pkt); err != nil {
+			if err = c.WritePacket(ctx, call, pkt); err != nil {
 				return nil, fmt.Errorf("bind: alter context: auth3: write packet: %w", err)
 			}
 			// no response is assumed.
 			break
 		}
 		// write alter_context request.
-		if err = c.writePacketFragmentedAuth(ctx, call, pkt); err != nil {
+		if err = c.WritePacket(ctx, call, pkt); err != nil {
 			return nil, fmt.Errorf("bind: alter context: write packet: %w", err)
 		}
 		// read alter_context response.
diff --git a/dcerpc/types.go b/dcerpc/types.go
@@ -152,6 +152,7 @@ const (
 	AbstractSyntaxNotSupported           ProviderReason = 0x0001
 	ProposedTransferSyntaxesNotSupported ProviderReason = 0x0002
 	LocalLimitExceeded                   ProviderReason = 0x0003
+	ProtocolVersionNotSupported          ProviderReason = 0x0004
 	AuthTypeNotRecognized                ProviderReason = 0x0008
 	InvalidChecksum                      ProviderReason = 0x0009
 

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ type AlterContext struct {`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`func (pdu *AlterContext) Size() int {`
`109`		`- size := 8 + 1`
	`109`	`+ size := 8 + 4`
`110`	`110`	`for _, ctx := range pdu.ContextList {`
`111`	`111`	`size += ctx.Size()`
`112`	`112`	`}`
`@@ -214,7 +214,7 @@ type Bind struct {`
`214`	`214`	`}`
`215`	`215`
`216`	`216`	`func (pdu *Bind) Size() int {`
`217`		`- size := 8 + 1`
	`217`	`+ size := 8 + 4`
`218`	`218`	`for _, ctx := range pdu.ContextList {`
`219`	`219`	`size += ctx.Size()`
`220`	`220`	`}`
`@@ -325,6 +325,8 @@ func (pdu *BindNak) Error() string {`
`325`	`325`	`return "bind: authentication type was not recognized"`
`326`	`326`	`case InvalidChecksum:`
`327`	`327`	`return "bind: invalid checksum"`
	`328`	`+ case ProtocolVersionNotSupported:`
	`329`	`+ return "bind: protocol version not supported"`
`328`	`330`	`default:`
`329`	`331`	`return "bind: unknown error"`
`330`	`332`	`}`