[cifs-protocol] OPEN_ANDX undocumented flag with 19 word count response

Bill Wesse billwe at microsoft.com
Thu Dec 17 10:24:54 MST 2009


Good morning Zachary - thanks for your questions. We have created the following case to track our work on those:

SRX091217600064 [MS-CIFS] OPEN_ANDX undocumented flag with 19 word count

I expect the lack of documentation in [MS-CIFS] concerning your questions is due to the relationship between CIFS and SMB, and because the flags and fields in question are SMB extensions to CIFS. I will dig deeper into this and will update you as soon as I can.

Here is some initial information for you concerning where the flags and fields in question are documented:

SRX091217600064 [MS-CIFS] OPEN_ANDX undocumented flag with 19 word count

The SMB_COM_OPEN_ANDX.Flags SMB_OPEN_EXTENDED_RESPONSE (0x0010) flag is documented here:

2.2.10 SMB_COM_OPEN_ANDX Client Request Extension
http://msdn.microsoft.com/en-us/library/cc246255.aspx

The WordCount value of 19 is documented here:

3.3.5.6 Receiving an SMB_COM_OPEN_ANDX Request (Obsolete)
http://msdn.microsoft.com/en-us/library/cc246463.aspx

The ServerField is documented here:

2.2.11 SMB_COM_OPEN_ANDX Server Response Extension
http://msdn.microsoft.com/en-us/library/cc246256.aspx

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

-----Original Message-----
From: Zachary Loafman [mailto:zachary.loafman at isilon.com] 
Sent: Thursday, December 17, 2009 10:18 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: OPEN_ANDX undocumented flag with 19 word count response

If the client adds a 0x10 flag in the Flags field of SMB_COM_OPEN_ANDX, a Windows server will send back an alternate 19 WordCount response. Neither the 0x10 flag nor the 19 WordCount response are documented in MS-CIFS.

Wireshark can't handle the flag or response, but netmon seems to document it. The flag is documented as "RESP_EXTENDED_OPEN_ANDX reply", and the reply seems to contain the MaxAccessRights (as the torture test expects, too). Both the flag and response need to be documented, though.

Also, the MS-CIFS OPEN_ANDX documentation doesn't mention ServerFID, but both netmon and Wireshark think that the first ULONG worth of the Reserved field is actually "ServerFID," whatever that is.

I've attached a short pcap demonstrating the extended response. You can reproduce this at will with the smbtorture RAW-OPEN test.

--
Zach Loafman | Staff Engineer
Isilon Systems    D +1-206-315-7570    F +1-206-315-7485
www.isilon.com    P +1-206-315-7500    M +1-206-422-3461
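
Added example, not part of either message above and not code from Microsoft, Samba or Wireshark: a strict parser for the SMB_COM_OPEN_ANDX response parameter block that accepts both the 15-word form and the 19-word form returned when the request set flag 0x0010. The field order and the names other than ServerFID are assumptions based on the MS-CIFS and MS-SMB field lists, and the sample bytes are constructed, not taken from the attached pcap.

```python
import struct

SMB_OPEN_EXTENDED_RESPONSE = 0x0010  # request Flags bit named in the reply above

# Little-endian Words layout (assumed from the MS-CIFS / MS-SMB field lists).
BASE_FMT = "<BBHHHIIHHHHIH"          # 15 words = 30 bytes
BASE_FIELDS = ("AndXCommand", "AndXReserved", "AndXOffset", "FID", "FileAttrs",
               "LastWriteTime", "FileDataSize", "AccessRights", "ResourceType",
               "NMPipeStatus", "OpenResults", "ServerFID", "Reserved")
EXT_FMT = "<II"                      # 4 extra words = 8 bytes
EXT_FIELDS = ("MaximalAccessRights", "GuestMaximalAccessRights")
BASE_LEN = struct.calcsize(BASE_FMT)


def parse_open_andx_response(params: bytes, request_flags: int) -> dict:
    """Parse WordCount plus Words; never read past what WordCount declares."""
    if not params:
        raise ValueError("empty parameter block")
    word_count = params[0]
    words = params[1:1 + 2 * word_count]
    if len(words) != 2 * word_count:
        raise ValueError("WordCount %d exceeds the bytes present" % word_count)
    if word_count not in (15, 19):
        raise ValueError("unexpected WordCount %d" % word_count)
    extended = word_count == 19
    # Strictness choice of this example: reject an extended reply that the
    # request did not ask for.
    if extended and not request_flags & SMB_OPEN_EXTENDED_RESPONSE:
        raise ValueError("19-word response without the 0x0010 request flag")
    out = dict(zip(BASE_FIELDS, struct.unpack_from(BASE_FMT, words, 0)))
    if extended:
        out.update(zip(EXT_FIELDS, struct.unpack_from(EXT_FMT, words, BASE_LEN)))
    out["Extended"] = extended
    return out


def build_sample(extended: bool) -> bytes:
    """Constructed sample parameter block (hypothetical values)."""
    words = struct.pack(BASE_FMT, 0xFF, 0, 0, 0x4001, 0x20, 0, 1024,
                        2, 0, 0, 1, 0x1234, 0)
    if extended:
        words += struct.pack(EXT_FMT, 0x001F01FF, 0)
    return bytes([len(words) // 2]) + words


if __name__ == "__main__":
    print(parse_open_andx_response(build_sample(True), SMB_OPEN_EXTENDED_RESPONSE))
```

A dissector that hard-codes 15 words for this command either rejects the extended reply or misreads what follows it, which is why the length check is driven by WordCount and bounded by the bytes actually present.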


