Fix fortra#2099: handle truncated SMB responses (SessionError + debug log)

When session setup or negotiate response parsing fails (e.g. truncated server
response, no NUL in asciiz field), users previously saw an unhandled
ValueError: subsection not found. Now:

- structure.py: asciiz calcUnpackSize raises descriptive ValueError with
  field name; pass field through code specifier for 'z=""' format.
- smb.py: catch ValueError at all four parse sites (two session-setup paths,
  negotiate + extended-security), LOG.debug the reason, raise SessionError
  (STATUS_LOGON_FAILURE for auth, STATUS_INVALID_PARAMETER for negotiate).
- smbconnection: docstring notes invalid/truncated server response.
- Regression tests: test_structure (asciiz missing NUL, session-like struct),
  test_smb (mock negotiate + session setup, fromString raises -> SessionError).
- IMPLEMENTATION_PLAN_2099.md and ChangeLog entry.

Addresses maintainer feedback on PR fortra#2118 (graceful handling + log + SessionError).

Author: herbenderbler

ChangeLog.md

@@ -5,6 +5,12 @@ Project owner's main page is at www.coresecurity.com.
 Complete list of changes can be found at:
 https://github.com/fortra/impacket/commits/master
 
+## Impacket (unreleased)
+
+1. Library improvements
+
+    * SMB: When session setup or negotiate response parsing fails (e.g. truncated server response), raise SessionError with a clear auth/connection failure instead of an unhandled ValueError; log the parsing reason at debug. Structure layer now raises a descriptive ValueError for missing NUL in asciiz fields. (Fixes #2099)
+
 ## Impacket v0.13.0 (Oct 2025): 
 
 1. Library improvements 

IMPLEMENTATION_PLAN_2099.md

@@ -0,0 +1,145 @@
+# Implementation Plan: Fix Unhandled ValueError during authentication (Issue #2099)
+
+## Summary
+
+When the SMB server sends a truncated or malformed session setup response (e.g. connection drop, timeout), parsing the response can raise `ValueError: subsection not found` from `structure.py` because `bytes.index(b'\x00')` is used for asciiz fields and raises when no NUL byte exists. This is unhelpful for users and should be turned into a clear authentication failure.
+
+**References:** [GitHub Issue #2099](https://github.com/fortra/impacket/issues/2099), [PR #2118](https://github.com/fortra/impacket/pull/2118)
+
+---
+
+## Root cause
+
+1. **`impacket/structure.py`**  
+   In `calcUnpackSize()`, for format `'z'` (asciiz), the code does:
+   ```python
+   return data.index(self.b('\x00'))+1
+   ```
+   If the server sends truncated data (no NUL terminator), `index()` raises `ValueError: subsection not found`, which is opaque.
+
+2. **`impacket/smb.py`**  
+   `login_extended()` and the first session-setup path call `sessionData.fromString(sessionResponse['Data'])` (around lines 3583 and 3656) without catching parsing errors. So any `ValueError` from the structure layer propagates to the user.
+
+3. **Maintainer expectation (from PR #2118)**  
+   - Provide a **descriptive error** in the structure layer (e.g. which field and that the NUL terminator is missing).  
+   - **Handle** that exception in the SMB layer: log the reason (e.g. debug) and raise a proper **SessionError** so callers see an authentication failure, not a raw `ValueError`.
+
+---
+
+## Implementation plan
+
+### Step 1: Descriptive ValueError in `structure.py` (asciiz)
+
+- **File:** `impacket/structure.py`
+- **Location:** `calcUnpackSize()`, asciiz branch (`format[:1] == 'z'`), around line 537–539.
+
+**Change:**
+
+- Wrap the asciiz size calculation in try/except:
+  - On `ValueError` (from `data.index(...)`), re-raise a new `ValueError` with a message that includes the field name and states that the NUL terminator was not found.
+- Use the existing `field` parameter already passed into `calcUnpackSize()` so the message can name the field (e.g. `NativeOS`).
+
+**Example message:**  
+`"Can't find NUL terminator in field '%s'" % (field or 'unknown')`
+
+**Note:** The `'u'` (UTF-16le) branch already raises a clear `ValueError` (line 551); no change needed there unless we want to align wording.
+
+---
+
+### Step 2: Handle parsing errors in SMB session setup
+
+- **Files:** `impacket/smb.py`
+- **Call sites:**  
+  - First session setup (e.g. after negotiate): `sessionData.fromString(sessionResponse['Data'])` around **line 3583**.  
+  - NTLM session setup in `login_extended()`: `sessionData.fromString(sessionResponse['Data'])` around **line 3656**.  
+  - Optionally: negotiation path `_dialects_data.fromString(sessionResponse['Data'])` around **line 2971** for consistency.
+
+**Change:**
+
+- Around each of these `fromString(...)` calls:
+  - Catch `ValueError` (and optionally `Exception` limited to parsing/structure errors if the project prefers).
+  - Log the exception at **debug** level (e.g. `logging.getLogger(__name__).debug(...)`) so the exact reason (e.g. “Can't find NUL terminator in field 'NativeOS'”) is available when debugging.
+  - Raise an appropriate **`SessionError`** so that:
+    - Public API (`smbconnection.login()` etc.) continues to document `SessionError` for authentication failures.
+    - Users see a clear “authentication failed” style error (e.g. NT status `STATUS_LOGON_FAILURE` or a dedicated message) instead of a generic `ValueError`.
+
+**SessionError form:**
+
+- Use existing `smb.SessionError(error_string, error_class, error_code, nt_status=1, packet=None)`.
+- Use an NT status code such as **`STATUS_LOGON_FAILURE`** (already used in `smb.py`, e.g. `0xC000006D`) so that `smbconnection` can translate it to `SessionError` with a standard message.
+- Ensure the high/low 16-bit split matches how `SessionError.__init__` builds the 32-bit code when `nt_status=1` (e.g. `error_code` high word, `error_class` low word → `(error_code << 16) + error_class` = `0xC000006D`).
+
+**Logging:**
+
+- Add `import logging` at top of `smb.py` if not present.
+- Use a module-level logger, e.g. `logger = logging.getLogger(__name__)`.
+- In the except block: `logger.debug("Session setup response parsing failed: %s", e)` (or equivalent).
+
+---
+
+### Step 3: Optional – `smbconnection.py`
+
+- **File:** `impacket/smbconnection.py`
+- **Current behavior:** `login()` already catches `(smb.SessionError, smb3.SessionError)` and re-raises as `SessionError(e.get_error_code(), e.get_error_packet())` (lines 293–294).
+- **Change:** None required for this bug. Once `smb.py` raises `SessionError` for parsing failures, `smbconnection` will propagate it correctly. Optionally document in docstring that authentication can fail due to invalid/truncated server response.
+
+---
+
+## Regression tests
+
+### Test 1: Structure layer – asciiz without NUL (required)
+
+- **File:** `tests/misc/test_structure.py`
+- **Purpose:** Ensure that when unpacking data for an asciiz field that contains no NUL byte, the code raises `ValueError` with a message that mentions the field and “NUL terminator” (or equivalent), and does **not** raise the generic `ValueError: subsection not found`.
+
+**Approach:**
+
+- Define a small structure with a single `'z'` field (or use an existing one).
+- Call `fromString()` with bytes that have no `\x00` (e.g. `b'NoNULhere'`).
+- Assert that `ValueError` is raised and that the exception message contains the field name and a clear reference to the missing NUL terminator.
+
+### Test 2: Structure layer – SMB session response structure (recommended)
+
+- **File:** `tests/misc/test_structure.py` (or a dedicated `tests/SMB_RPC/test_smb_session_parsing.py` if preferred)
+- **Purpose:** Regress the exact code path from the bug: `SMBSessionSetupAndX_Extended_Response_Data.fromString()` with truncated data (no NUL in `NativeOS`).
+
+**Approach:**
+
+- Import `smb.SMBSessionSetupAndX_Extended_Response_Data` and (if needed) set `SecurityBlobLength` on the instance.
+- Build minimal `data` that has the security blob (e.g. length 0) then a string with no NUL (e.g. `b'Truncated'`).
+- Call `fromString(data)` and assert `ValueError` is raised and the message references `NativeOS` and the missing NUL terminator.
+
+### Test 3: SMB layer – SessionError on truncated response (recommended)
+
+- **File:** `tests/SMB_RPC/test_smb.py` or a new unit test file
+- **Purpose:** Ensure that when session setup response parsing fails (e.g. truncated data), the SMB layer raises `SessionError` (or the appropriate public exception) and not a raw `ValueError`.
+
+**Approach (choose one):**
+
+- **Option A (unit, no server):** Patch or mock the code that provides `sessionResponse['Data']` (or the underlying `recvSMB()` / socket) so that it returns truncated data (e.g. no NUL in NativeOS). Call `login()` (or the internal session-setup path) and assert that the raised exception is `SessionError` (or the high-level `smbconnection.SessionError`) with an appropriate error code (e.g. logon failure).
+- **Option B (narrow unit):** Call the same parsing path that `login_extended()` uses (e.g. build `SMBSessionSetupAndX_Extended_Response_Data`, set `SecurityBlobLength`, call `fromString(truncated_data)`), then in a separate test verify that the exception handler in `login_extended()` converts `ValueError` to `SessionError` (e.g. by testing the exception-handling logic in isolation or via a small helper that mimics the try/except).
+
+Implementing **Test 1** and **Test 2** gives strong regression coverage at the structure layer. **Test 3** locks in the SMB behavior and prevents future changes from letting `ValueError` leak out again.
+
+**Tests added in this plan:**  
+- **Test 1 & 2** are implemented in `tests/misc/test_structure.py` as `Test_asciiz_no_nul_raises_clear_error` and pass.  
+- **Test 3** is added as a skipped stub in `tests/SMB_RPC/test_smb.py` (`Test_Issue2099_SessionError_On_Truncated_Response`). Optional: implement by mocking `recvSMB` to return a valid session-setup packet and patching `SMBSessionSetupAndX_Extended_Response_Data.fromString` to raise `ValueError`, then assert `login()` raises `SessionError`.
+
+---
+
+## Order of work
+
+1. Implement **Step 1** (structure.py asciiz descriptive ValueError).
+2. Add **Test 1** (and optionally **Test 2**) and run tests to confirm the new message and that no generic “subsection not found” is raised.
+3. Implement **Step 2** (smb.py catch ValueError, log, raise SessionError).
+4. Add **Test 3** and run full SMB/structure tests.
+5. Optionally add the same handling at the negotiation `fromString` (line 2971) and extend tests if desired. **Done:** negotiation path and extended-security parse in `neg_session` now catch `ValueError`, log at debug, and raise `SessionError` (STATUS_INVALID_PARAMETER) for consistency.
+
+---
+
+## Acceptance criteria
+
+- [x] Parsing session setup response with no NUL in an asciiz field (e.g. `NativeOS`) raises `ValueError` with a message like “Can't find NUL terminator in field 'NativeOS'” (or equivalent), not “subsection not found”.
+- [x] When that parsing fails during SMB login/session setup, the application raises `SessionError` (or the public session error type) with a clear authentication-failure meaning (e.g. STATUS_LOGON_FAILURE), not a raw `ValueError`.
+- [x] The exact parsing failure reason is logged at debug level for troubleshooting.
+- [x] Regression tests (at least Test 1 and Test 2) are in place and pass; Test 3 is recommended for the SMB path.

impacket/smb.py

@@ -2968,11 +2968,19 @@ def parsePacket(smb):
                 self._dialects_parameters = SMBNTLMDialect_Parameters(sessionResponse['Parameters'])
                 self._dialects_data = SMBNTLMDialect_Data()
                 self._dialects_data['ChallengeLength'] = self._dialects_parameters['ChallengeLength']
-                self._dialects_data.fromString(sessionResponse['Data'])
+                try:
+                    self._dialects_data.fromString(sessionResponse['Data'])
+                except ValueError as e:
+                    LOG.debug("Negotiate response parsing failed: %s", e)
+                    raise SessionError("Connection failed: invalid or truncated server response", 0x000D, 0xC000, 1, None)
                 if self._dialects_parameters['Capabilities'] & SMB.CAP_EXTENDED_SECURITY:
                     # Whether we choose it or it is enforced by the server, we go for extended security
                     self._dialects_parameters = SMBExtended_Security_Parameters(sessionResponse['Parameters'])
-                    self._dialects_data = SMBExtended_Security_Data(sessionResponse['Data'])
+                    try:
+                        self._dialects_data = SMBExtended_Security_Data(sessionResponse['Data'])
+                    except ValueError as e:
+                        LOG.debug("Negotiate extended security response parsing failed: %s", e)
+                        raise SessionError("Connection failed: invalid or truncated server response", 0x000D, 0xC000, 1, None)
                     # Let's setup some variable for later use
                     if self._dialects_parameters['SecurityMode'] & SMB.SECURITY_SIGNATURES_REQUIRED:
                          self._SignatureRequired = True
@@ -3580,7 +3588,11 @@ def kerberos_login(self, user, password, domain = '', lmhash = '', nthash = '',
             sessionParameters = SMBSessionSetupAndX_Extended_Response_Parameters(sessionResponse['Parameters'])
             sessionData       = SMBSessionSetupAndX_Extended_Response_Data(flags = smb['Flags2'])
             sessionData['SecurityBlobLength'] = sessionParameters['SecurityBlobLength']
-            sessionData.fromString(sessionResponse['Data'])
+            try:
+                sessionData.fromString(sessionResponse['Data'])
+            except ValueError as e:
+                LOG.debug("Session setup response parsing failed: %s", e)
+                raise SessionError("Authentication failed: invalid or truncated server response", 0x006D, 0xC000, 1, None)
 
             self._action = sessionParameters['Action']
             # If smb sign required, let's enable it for the rest of the connection
@@ -3653,7 +3665,11 @@ def login_extended(self, user, password, domain = '', lmhash = '', nthash = '',
             sessionParameters = SMBSessionSetupAndX_Extended_Response_Parameters(sessionResponse['Parameters'])
             sessionData       = SMBSessionSetupAndX_Extended_Response_Data(flags = smb['Flags2'])
             sessionData['SecurityBlobLength'] = sessionParameters['SecurityBlobLength']
-            sessionData.fromString(sessionResponse['Data'])
+            try:
+                sessionData.fromString(sessionResponse['Data'])
+            except ValueError as e:
+                LOG.debug("Session setup response parsing failed: %s", e)
+                raise SessionError("Authentication failed: invalid or truncated server response", 0x006D, 0xC000, 1, None)
             respToken = SPNEGO_NegTokenResp(sessionData['SecurityBlob'])
 
             # Let's parse some data and keep it to ourselves in case it is asked

impacket/smbconnection.py

@@ -282,7 +282,7 @@ def login(self, user, password, domain = '', lmhash = '', nthash = '', ntlmFallb
                                            Only available for SMBv1.
 
         :return: None
-        :raise SessionError: If encountered an error.
+        :raise SessionError: If encountered an error (e.g. authentication failure, or invalid/truncated server response).
         """
         self._ntlmFallback = ntlmFallback
         try:

impacket/structure.py

@@ -505,7 +505,7 @@ def calcUnpackSize(self, format, data, field = None):
         # code specifier
         two = format.split('=')
         if len(two) >= 2:
-            return self.calcUnpackSize(two[0], data)
+            return self.calcUnpackSize(two[0], data, field)
 
         # length specifier
         two = format.split('-')
@@ -537,7 +537,10 @@ def calcUnpackSize(self, format, data, field = None):
 
         # asciiz specifier
         if format[:1] == 'z':
-            return data.index(self.b('\x00'))+1
+            try:
+                return data.index(self.b('\x00'))+1
+            except ValueError:
+                raise ValueError("Can't find NUL terminator in field '%s'" % (field or 'unknown'))
 
         # asciiz specifier
         if format[:1] == 'u':