[cifs-protocol] Bug in MS-WINSRA section "2.2.10.1 Name Record"

Edgar Olougouna edgaro at microsoft.com
Thu Feb 11 16:10:55 MST 2010 

Hi Stefan,

We completed our investigation on the Padding issue regarding the name record in MS-WINSRA. The product team confirmed the observed behavior. 

As a result, the definition of the Padding field will be updated to reflect the following. The change will appear in a future release of the document.

MS-WINSRA section "2.2.10.1 Name Record".

Current definition:

Padding (variable): If the Name field is not 4-byte aligned, this Padding field will be added to pad to 4-byte alignment. If the Name field itself is 4-byte aligned, then there is no Padding field. This field MUST be ignored upon receipt.

Update similar to:

Padding (variable):  If the Name field is not 4-byte aligned, the Padding field is padded to 4-byte alignment. If the Name field itself is 4-byte aligned, then the Padding field is padded with 4 bytes. This field MUST be ignored upon receipt.

Best regards,

Edgar


-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org] 
Sent: Friday, January 29, 2010 8:25 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: CAR: Bug in MS-WINSRA section "2.2.10.1 Name Record"

Hi,

I found a bug in MS-WINSRA section "2.2.10.1 Name Record".

It says:

> Padding (variable): If the Name field is not 4-byte aligned, this 
> Padding field will be added to pad to 4-byte alignment. If the Name 
> field itself is 4-byte aligned, then there is no Padding field. This 
> field MUST be ignored upon receipt.

This is wrong!

The documentation would indicate this:

pad_len = ((offset & (4-1)) == 0 ? 0 : (4 - (offset & (4-1))))

But Windows Servers (at least 2003 SP1 and 2008) use this:

pad_len = 4 - (offset & (4-1));

The difference is the case where the name field is already 4 byte aligned. In that case Windows adds 4 bytes instead of 0 bytes of aligment.

See frame 75 in the attached capture (172.31.9.211 is a windows 2008 server and 172.31.9.1 a modified smbtorture).
The name length is 20 and there're 4 extra bytes before the Reserved1 field.

metze

More information about the cifs-protocol mailing list