On Mon, Apr 27, 2009 at 3:38 PM, Harsha <[email protected]> wrote:
> I did a quick read of the relevant part of DCE RPC specs, but in all
> the cases I saw it always had the size and then the array. In those
> cases it is trivial to first extract the size and use the size to
> extract the array contents.

Here is an example in Wireshark code where the length of the array and then the array are extracted:

    void ept_lookup(
        [in] handle_t hEpMapper,
        [in] unsigned long inquiry_type,
        [in, ptr] UUID* object,
        [in, ptr] RPC_IF_ID* Ifid,
        [in] unsigned long vers_option,
        [in, out] ept_lookup_handle_t* entry_handle,
        [in, range(0,500)] unsigned long max_ents,
        [out] unsigned long* num_ents,
        [out, length_is(*num_ents), size_is(max_ents)] ept_entry_t entries[],   <-----
        [out] error_status* status
    );

Related dissecting code that extracts the length of the array and then the array is in epm_dissect_ept_map_resp() in packet-dcerpc-epm.c.

Unfortunately I don't see any other case where the array comes ahead of its length.

Thanks,
Harsha
_______________________________________________
devel mailing list
[email protected]
http://mailman.openchange.org/listinfo/devel
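
The size-then-array extraction described in the message above, as an added example that is not Wireshark's code or the poster's: it reads the counts first and checks them against each other and against the bytes actually present before touching the elements. Assumptions: a simplified little-endian layout of num_ents, max_count, offset, actual_count, then fixed 4-byte elements standing in for ept_entry_t; the names rd_u32 and parse_counted_array are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Read a little-endian uint32 at *off and advance; -1 if the buffer is too short. */
static int rd_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *v)
{
    if (*off > len || len - *off < 4)
        return -1;
    const uint8_t *p = b + *off;
    *v = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    *off += 4;
    return 0;
}

/* Assumed layout: num_ents, max_count, offset, actual_count, then 4-byte elements.
 * Returns the number of elements copied to out, or -1 on malformed input. */
int parse_counted_array(const uint8_t *b, size_t len, uint32_t max_ents,
                        uint32_t *out, size_t out_cap)
{
    size_t off = 0;
    uint32_t num_ents, max_count, offset, actual;

    if (rd_u32(b, len, &off, &num_ents) || rd_u32(b, len, &off, &max_count) ||
        rd_u32(b, len, &off, &offset) || rd_u32(b, len, &off, &actual))
        return -1;
    if (max_count > max_ents || actual != num_ents)  /* size_is / length_is */
        return -1;
    if (offset > max_count || actual > max_count - offset)
        return -1;                                   /* slice must fit the array */
    if (actual > out_cap || actual > (len - off) / 4)
        return -1;                                   /* count must match bytes present */
    for (uint32_t i = 0; i < actual; i++)
        if (rd_u32(b, len, &off, &out[i]))
            return -1;
    return (int)actual;
}

/* Constructed samples: a valid two-element array, and one that claims two
 * elements but carries only one. */
static const uint8_t sample_ok[] = {
    2,0,0,0, 3,0,0,0, 0,0,0,0, 2,0,0,0, 0x11,0,0,0, 0x22,0,0,0 };
static const uint8_t sample_short[] = {
    2,0,0,0, 3,0,0,0, 0,0,0,0, 2,0,0,0, 0x11,0,0,0 };

int main(void)
{
    uint32_t out[8];
    return !(parse_counted_array(sample_ok, sizeof sample_ok, 500, out, 8) == 2 &&
             parse_counted_array(sample_short, sizeof sample_short, 500, out, 8) == -1);
}
```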
