[cifs-protocol] RE: CAR - SMB2 Write and Read in Windows 7
John Dunning
johndun at microsoft.com
Mon Jul 6 08:08:04 MDT 2009
Hello Stefan,
Thank you for your question regarding SMB2. I will have one of my colleagues get back to you so that we can start working on this.
Thanks
John Dunning
Senior Escalation Engineer Microsoft Corporation
US-CSS DSC PROTOCOL TEAM
Email: johndun at microsoft.com
Tele: (469)775-7008
-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
Sent: Monday, July 06, 2009 3:45 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: CAR - SMB2 Write and Read in Windows 7
Hi,
I'm working on SMB2 support for Samba and noticed a strange behavior regarding the maximum read and write sizes in SMB2.
Section "3.3.5.13 Receiving an SMB2 WRITE Request" says the server must return STATUS_INVALID_PARAMETER if the length isn't in the configured range (which is reported to the client in the NEGOTIATE response).
The same applies to SMB2 Read requests.
However a Windows 7 server doesn't behave like this.
(I tested this with Windows 7 RC Build 7100).
I've attached 3 network captures to this mail, which demonstrate the wrong behavior.
SMB2-CONNECT-w7rc-smb2.002.writesize-01.pcap:
- We run our SMB2-CONNECT torture test like this:
bin/smbtorture -Utest%test -p 445 //172.31.9.212/torture \
SMB2-CONNECT --option=torture:smb2maxwrite=65537
(I manually excluded the SMB 2.100 dialect in our code)
- In Frame 5 SMB 2.002 is negotiated and the server returns MaxReadSize
and MaxWriteSize as 65536 (0x00010000).
- The Frames 17-71 (wireshark reassembles them in Frame 71) there's a
SMB2 Write request with length 65537 (0x00010001).
- And the SMB2 Write response in Frame 72 returns STATUS_BUFFER_OVERFLOW
instead of STATUS_INVALID_PARAMETER. (Then our test closes the tcp
connection)
- Now we run our SMB2-CONNECT torture test like this:
bin/smbtorture -Utest%test -p 445 //172.31.9.212/torture \
SMB2-CONNECT --option=torture:smb2maxwrite=65536
- The SMB2 Write response in Frame 147 returns STATUS_OK, which is
correct.
- Also the SMB2 Read response (reassembled) in Frame 285, gets
STATUS_OK.
SMB2-CONNECT-w7rc-smb2.002.writesize-strange-02.pcap:
- Here I manually modified the write/read sizes in the SMB2-CONNECT
torture test and ignored any errors.
So that we write 65537 bytes and read 65536 bytes.
(I also manually excluded the SMB 2.100 dialect in our code)
- The SMB2 Write request (reassembled in Frame 142) writes 65537
bytes and gets STATUS_BUFFER_OVERFLOW.
- The SMB2 GetInfo response in Frame 146 returns the allocation size
and end of file both as 65536, which indicates that the SMB2 Write
was just truncated to 65536.
- The SMB2 Read request in Frame 155 asks for the first 65536 bytes of
the file.
- The SMB2 Read response (reassembled) in Frame 223 proves that the
truncated Write as it returns the exactly same bytes, which were
written before.
SMB2-CONNECT-w7rc-smb2.100.writesize-01.pcap:
- The behavior in SMB 2.100 mode is even more strange...
- We run our SMB2-CONNECT torture test like this:
bin/smbtorture -Utest%test -p 445 //172.31.9.212/torture \
SMB2-CONNECT --option=torture:smb2maxwrite=1048576
- In Frame 9 SMB 2.100 is negotiated and the server returns MaxReadSize
and MaxWriteSize as 1048576 (0x00100000).
- We try a SMB2 Write with length 1048576 (reassembled) in Frame 784,
but get STATUS_INVALID_PARAMETER in Frame 787. (Our test closes the
connection at this point.
- We run our SMB2-CONNECT torture test like this:
bin/smbtorture -Utest%test -p 445 //172.31.9.212/torture \
SMB2-CONNECT --option=torture:smb2maxwrite=1048576
- In Frame 795 SMB 2.100 is negotiated and the server returns
MaxReadSize and MaxWriteSize as 1048576 (0x00100000).
- We try a SMB2 Write with length 65537 (reassembled) in Frame 859,
but get STATUS_INVALID_PARAMETER in Frame 861. (Our test closes the
connection at this point.
- We run our SMB2-CONNECT torture test like this:
bin/smbtorture -Utest%test -p 445 //172.31.9.212/torture \
SMB2-CONNECT --option=torture:smb2maxwrite=65536
- In Frame 869 SMB 2.100 is negotiated and the server returns
MaxReadSize and MaxWriteSize as 1048576 (0x00100000).
- We try a SMB2 Write with length 65536 (reassembled) in Frame 933.
- The SMB2 Write response in Frame 935 returns STATUS_OK, which is
correct.
- Also the SMB2 Read response (reassembled) in Frame 1073, gets
STATUS_OK.
The major problem is that a client in SMB 2.100 mode can't rely on the values returned in the NEGOTIATE response. I think it would be very, very good if this could be fixed in the final version of Windows 7!
metze
(Samba Team and PFIF member)
More information about the cifs-protocol
mailing list