[cifs-protocol] Bug in MS-WINSRA section "2.2.10.1 Name Record"

Edgar Olougouna edgaro at microsoft.com
Thu Feb 4 11:04:44 MST 2010


Stefan,

Could you send me which build of Windows 2008 you ran the tests on, corresponding to the network traces you provided?
To determine the version, service pack and build number:
Start > Run > msinfo32
On the System Summary, the Version item provides that information.

Best regards,

Edgar


-----Original Message-----
From: Edgar Olougouna 
Sent: Monday, February 01, 2010 9:39 AM
To: Stefan (metze) Metzmacher; Bill Wesse
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: Bug in MS-WINSRA section "2.2.10.1 Name Record"

Hi Stefan,

I am taking care of this case and will update you as soon as I have news.

Best regards,

Edgar



-----Original Message-----
From: Bill Wesse 
Sent: Saturday, January 30, 2010 7:37 AM
To: Stefan (metze) Metzmacher
Cc: pfif at tridgell.net; cifs-protocol at samba.org; Edgar Olougouna
Subject: [REG:110012953632586] RE: Bug in MS-WINSRA section "2.2.10.1 Name Record"

Thanks Stefan - forwarding this email to Edgar, who owns the case.

110012953632586

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
Email:	billwe at microsoft.com
Tel: 	+1(980) 776-8200
Cell: 	+1(704) 661-5438
Fax: 	+1(704) 665-9606

-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org] 
Sent: Saturday, January 30, 2010 4:40 AM
To: Bill Wesse
Cc: pfif at tridgell.net; cifs-protocol at samba.org; Interoperability Documentation Help
Subject: Re: Bug in MS-WINSRA section "2.2.10.1 Name Record"

Hi Bill,

there's one additional bug regarding the Name length.

>
> Name (variable): Name terminates with a 0x00 byte. It may include a 
> NetBIOS scope identifier, as specified in [RFC1001]. The maximum 
> length of the Name field is 255 bytes including the 0x00 byte. If no 
> NetBIOS scope is included, then the length of the name is 17 including 
> the 0x00 byte.

When a Windows server gets a name with length == 255 it removes the last character of the scope before storing it.

Windows returns a name with length 254 when it returns the name again.

See the attached capture (172.31.9.211 is Windows 2008 and 172.31.9.1 is a modified smbtorture).

Frame 19 smbtorture => windows 2008 name length 255
Frame 25 windows 2008 => smbtorture name length 254

metze
> Good morning Stefan - I am including our below initial response, since I missed CC: dochelp at microsoft.com on the first one.
> 
> -----Original Message-----
> From: Bill Wesse
> Sent: Friday, January 29, 2010 9:59 AM
> To: 'metze at samba.org'
> Cc: MSSolve Case Email; 'pfif at tridgell.net'; 'cifs-protocol at samba.org'
> Subject: [REG:110012953632586] [MS-WINSRA] 2.2.10.1 Name Record 
> Padding field description incorrect
> 
> Good morning Stefan - thanks for your comments. I have created the below case to track the issue. One of my team members will contact you shortly!
> 
> 110012953632586 [MS-WINSRA] 2.2.10.1 Name Record Padding field 
> description incorrect
> 
> 
> Regards,
> Bill Wesse
> MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 8055 Microsoft Way
> Charlotte, NC 28273
> Email:	billwe at microsoft.com
> Tel: 	+1(980) 776-8200
> Cell: 	+1(704) 661-5438
> Fax: 	+1(704) 665-9606
> 
> 
> -----Original Message-----
> From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
> Sent: Friday, January 29, 2010 9:25 AM
> To: Interoperability Documentation Help
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: CAR: Bug in MS-WINSRA section "2.2.10.1 Name Record"
> 
> Hi,
> 
> I found a bug in MS-WINSRA section "2.2.10.1 Name Record".
> 
> It says:
> 
>> Padding (variable): If the Name field is not 4-byte aligned, this 
>> Padding field will be added to pad to 4-byte alignment. If the Name 
>> field itself is 4-byte aligned, then there is no Padding field. This 
>> field MUST be ignored upon receipt.
> 
> This is wrong!
> 
> The documentation would indicate this:
> 
> pad_len = ((offset & (4-1)) == 0 ? 0 : (4 - (offset & (4-1))))
> 
> But Windows Servers (at least 2003 SP1 and 2008) use this:
> 
> pad_len = 4 - (offset & (4-1));
> 
> The difference is the case where the name field is already 4-byte aligned. In that case Windows adds 4 bytes instead of 0 bytes of alignment.
> 
> See frame 75 in the attached capture (172.31.9.211 is a windows 2008 server and 172.31.9.1 a modified smbtorture).
> The name length is 20 and there are 4 extra bytes before the Reserved1 field.
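The two padding rules from the report, and a Name Record reader that can consume either of them, as an added example (not code from the thread, from Samba or from Microsoft). It assumes that the "offset" in the padding formulas is the offset of the first byte after the Name's 0x00 terminator, and it enforces the 255-byte Name cap (including the 0x00) quoted in the thread; the sample buffer is constructed after frame 75 (a 20-byte Name followed by 4 extra bytes under the Windows rule).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Padding as MS-WINSRA 2.2.10.1 describes it: none when already 4-byte aligned. */
size_t winsra_pad_documented(size_t offset)
{
    return (offset & 3) == 0 ? 0 : 4 - (offset & 3);
}

/* Padding as Windows 2003 SP1 / 2008 emit it per the report: always 1..4 bytes. */
size_t winsra_pad_observed(size_t offset)
{
    return 4 - (offset & 3);
}

/* Parse the Name at buf[name_off]; return the offset of the field after the padding
 * (Reserved1 in the spec) or 0 if the record is malformed. windows_rule selects the
 * padding rule. Assumption: the offset fed to the rule is the byte after the 0x00. */
size_t winsra_skip_name(const uint8_t *buf, size_t buf_len, size_t name_off,
                        int windows_rule, size_t *name_len_out)
{
    size_t i = name_off;
    while (i < buf_len && buf[i] != 0x00) {
        if (i - name_off + 1 >= 255)     /* 255-byte cap incl. the 0x00 (from the thread) */
            return 0;
        i++;
    }
    if (i >= buf_len)
        return 0;                        /* no terminator inside the buffer */
    size_t name_len = i - name_off + 1;  /* includes the 0x00 byte */
    size_t end = name_off + name_len;
    size_t pad = windows_rule ? winsra_pad_observed(end) : winsra_pad_documented(end);
    if (end + pad > buf_len)
        return 0;                        /* padding runs past the buffer */
    if (name_len_out)
        *name_len_out = name_len;
    return end + pad;
}

/* Constructed sample modelled on frame 75: a 20-byte Name (19 characters plus the
 * 0x00) at offset 0, followed by 8 bytes standing in for the rest of the record. */
size_t winsra_demo_frame75(int windows_rule)
{
    uint8_t buf[28];
    memset(buf, 'A', 19);
    buf[19] = 0x00;
    memset(buf + 20, 0xFF, 8);
    return winsra_skip_name(buf, sizeof buf, 0, windows_rule, NULL);
}
```

With the Windows rule the reader lands on Reserved1 at offset 24 for the frame 75 sample; with the documented rule it lands at offset 20, four bytes too early, which is exactly the mismatch the report describes.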