[cifs-protocol] OPEN_ANDX undocumented flag with 19 word count response

Bill Wesse billwe at microsoft.com
Thu Dec 17 10:30:17 MST 2009


No problem! Some information on CIFS/SMB (both the technical and legal definitions, which differ) was presented at the Sept '09 SNIA Plugfest, and it may take me a bit to obtain the presentation materials - hopefully that won't take too long.

I will keep you advised!

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606


-----Original Message-----
From: Zachary Loafman [mailto:zachary.loafman at isilon.com] 
Sent: Thursday, December 17, 2009 12:27 PM
To: Bill Wesse
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: OPEN_ANDX undocumented flag with 19 word count response

Bill - Thanks! I apologize for not checking MS-SMB as well, woops.

> -----Original Message-----
> From: Bill Wesse [mailto:billwe at microsoft.com]
> Sent: Thursday, December 17, 2009 9:25 AM
> To: Zachary Loafman
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: RE: OPEN_ANDX undocumented flag with 19 word count response
> 
> Good morning Zachary - thanks for your questions. We have created the
> following case to track our work on those:
> 
> SRX091217600064 [MS-CIFS] OPEN_ANDX undocumented flag with 19 word
> count
> 
> I expect the lack of documentation in [MS-CIFS] concerning your
> questions is due to the relationship between CIFS and SMB, and because
> the flags and fields in question are SMB extensions to CIFS. I will dig
> deeper into this and will update you as soon as I can.
> 
> Here is some initial information for you concerning where the flags and
> fields in question are documented:
> 
> SRX091217600064 [MS-CIFS] OPEN_ANDX undocumented flag with 19 word
> count
> 
> The SMB_COM_OPEN_ANDX.Flags SMB_OPEN_EXTENDED_RESPONSE (0x0010) flag is
> documented here:
> 
> 2.2.10 SMB_COM_OPEN_ANDX Client Request Extension
> http://msdn.microsoft.com/en-us/library/cc246255.aspx
> 
> The WordCount value of 19 is documented here:
> 
> 3.3.5.6 Receiving an SMB_COM_OPEN_ANDX Request (Obsolete)
> http://msdn.microsoft.com/en-us/library/cc246463.aspx
> 
> The ServerField is documented here:
> 
> 2.2.11 SMB_COM_OPEN_ANDX Server Response Extension
> http://msdn.microsoft.com/en-us/library/cc246256.aspx
> 
> Regards,
> Bill Wesse
> MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 8055 Microsoft Way
> Charlotte, NC 28273
> TEL:  +1(980) 776-8200
> CELL: +1(704) 661-5438
> FAX:  +1(704) 665-9606
> 
> -----Original Message-----
> From: Zachary Loafman [mailto:zachary.loafman at isilon.com]
> Sent: Thursday, December 17, 2009 10:18 AM
> To: Interoperability Documentation Help
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: OPEN_ANDX undocumented flag with 19 word count response
> 
> If the client adds a 0x10 flag in the Flags field of SMB_COM_OPEN_ANDX,
> a Windows server will send back an alternate 19 WordCount response.
> Neither the 0x10 flag nor the 19 WordCount response are documented in
> MS-CIFS.
> 
> Wireshark can't handle the flag or response, but netmon seems to
> document it. The flag is documented as "RESP_EXTENDED_OPEN_ANDX reply",
> and the reply seems to contain the MaxAccessRights (as the torture test
> expects, too). Both the flag and response need to be documented,
> though.
> 
> Also, the MS-CIFS OPEN_ANDX documentation doesn't mention ServerFID,
> but both netmon and wireshark think that the first ULONG worth of the
> Reserved field is actually "ServerFID," whatever that is.
> 
> I've attached a short pcap demonstrating the extended response. You can
> reproduce this at will with the smbtorture RAW-OPEN test.
> 
> --
> Zach Loafman | Staff Engineer
> Isilon Systems    D +1-206-315-7570    F +1-206-315-7485
> www.isilon.com    P +1-206-315-7500    M +1-206-422-3461



More information about the cifs-protocol mailing list