[OpenAFS] Re: Mystery AFS/Kerberos packet

Jeffrey Altman jaltman@columbia.edu
Fri, 23 Jan 2004 09:47:53 -0500


This is a multi-part message in MIME format.
--------------090500050708080908070707
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

What operating system is the client running on?
Is this a K4 request being produced from OpenAFS on Windows?

I have suspected that there is a threading problem in the OpenAFS for 
Windows
client which is overwriting buffers being written to the network but 
have been unable
to catch it reliably.   If you have a system which is consistently 
producing bad data
at a known point it would be good to see if we can trace it down.

Jeffrey Altman


John Hascall wrote:

>>6303373b766d61124537XXXXXXXX0000494153544154452e4544550067710e403f6166730000
>>
>  c . 7 ; v m a . E 7 u s e r . . I A S T A T E . E D U . g q . @ ? a f s . .
>
>
>>I'm not sure, but the tail bit of it looks like part of a krb4 initial
>>ticket request by "user" for "afs@IASTATE.EDU", with lifetime 5 hours
>>15 minutes, around 21 January 2004 (assuming little-endian).
>>
>
>Yes, I've been convinced that this is a valid V4 packet whose
>first two bytes (04 03) were somehow corrupted with 10 garbage
>bytes (63 03 37 3b 76 6d 61 12 45 37) and I went off on a wrong
>tangent upon seeing the 0x6X first byte).  At this point, I'm going
>to assume the user has either munged hardware or DLLs.
>
>It's really quite interesting to dump out rejected packets,
>you see some fascinating crap, here's another:
>
><04><03>__vmware_user__D2521F2GPKdgDby9P77qlo_w*glhuA3un*!sh!<00><00>IASTATE.EDU<00>^HN<0e>@?afs<00><00
>
>(a 53 character principal name is too long for k4)
>(curious how both of these invalid packets used '?', 5h15m, for the lifetime).
>
>
>John
>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info
>

--------------090500050708080908070707
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Bitstream Cyberbit">What operating system is the client
running on?<br>
Is this a K4 request being produced from OpenAFS on Windows?<br>
<br>
I have suspected that there is a threading problem in the OpenAFS for
Windows<br>
client which is overwriting buffers being written to the network but
have been unable<br>
to catch it reliably.&nbsp;&nbsp; If you have a system which is consistently
producing bad data<br>
at a known point it would be good to see if we can trace it down.<br>
<br>
Jeffrey Altman<br>
<br>
<br>
John Hascall wrote:</font>
<blockquote cite="mid200401231435.IAA31736@pvtest.ait.iastate.edu"
 type="cite">
  <blockquote type="cite">
    <pre wrap=""><font face="Bitstream Cyberbit">6303373b766d61124537XXXXXXXX0000494153544154452e4544550067710e403f6166730000
</font></pre>
  </blockquote>
  <pre wrap=""><!----><font face="Bitstream Cyberbit">  c . 7 ; v m a . E 7 u s e r . . I A S T A T E . E D U . g q . @ ? a f s . .

</font></pre>
  <blockquote type="cite">
    <pre wrap=""><font face="Bitstream Cyberbit">I'm not sure, but the tail bit of it looks like part of a krb4 initial
ticket request by "user" for <a class="moz-txt-link-rfc2396E" href="mailto:afs@IASTATE.EDU">"afs@IASTATE.EDU"</a>, with lifetime 5 hours
15 minutes, around 21 January 2004 (assuming little-endian).
</font></pre>
  </blockquote>
  <pre wrap=""><!----><font face="Bitstream Cyberbit">
Yes, I've been convinced that this is a valid V4 packet whose
first two bytes (04 03) were somehow corrupted with 10 garbage
bytes (63 03 37 3b 76 6d 61 12 45 37) and I went off on a wrong
tangent upon seeing the 0x6X first byte).  At this point, I'm going
to assume the user has either munged hardware or DLLs.

It's really quite interesting to dump out rejected packets,
you see some fascinating crap, here's another:

&lt;04&gt;&lt;03&gt;__vmware_user__D2521F2GPKdgDby9P77qlo_w*glhuA3un*!sh!&lt;00&gt;&lt;00&gt;IASTATE.EDU&lt;00&gt;^HN&lt;0e&gt;@?afs&lt;00&gt;&lt;00

(a 53 character principal name is too long for k4)
(curious how both of these invalid packets used '?', 5h15m, for the lifetime).


John
_______________________________________________
OpenAFS-info mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenAFS-info@openafs.org">OpenAFS-info@openafs.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openafs.org/mailman/listinfo/openafs-info">https://lists.openafs.org/mailman/listinfo/openafs-info</a>
</font></pre>
</blockquote>
</body>
</html>

--------------090500050708080908070707--