[cifs-protocol] Bug in MS-WINSRA section "2.2.10.1 Name Record"

Bill Wesse billwe at microsoft.com
Fri Jan 29 08:03:46 MST 2010 

Good morning Stefan - I am including our below initial response, since I missed CC: dochelp at microsoft.com on the first one.

-----Original Message-----
From: Bill Wesse 
Sent: Friday, January 29, 2010 9:59 AM
To: 'metze at samba.org'
Cc: MSSolve Case Email; 'pfif at tridgell.net'; 'cifs-protocol at samba.org'
Subject: [REG:110012953632586] [MS-WINSRA] 2.2.10.1 Name Record Padding field description incorrect

Good morning Stefan - thanks for your comments. I have created the below case to track the issue. One of my team members will contact you shortly!

110012953632586 [MS-WINSRA] 2.2.10.1 Name Record Padding field description incorrect


Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
Email:	billwe at microsoft.com
Tel: 	+1(980) 776-8200
Cell: 	+1(704) 661-5438
Fax: 	+1(704) 665-9606


-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org] 
Sent: Friday, January 29, 2010 9:25 AM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: CAR: Bug in MS-WINSRA section "2.2.10.1 Name Record"

Hi,

I found a bug in MS-WINSRA section "2.2.10.1 Name Record".

It says:

> Padding (variable): If the Name field is not 4-byte aligned, this 
> Padding field will be added to pad to 4-byte alignment. If the Name 
> field itself is 4-byte aligned, then there is no Padding field. This 
> field MUST be ignored upon receipt.

This is wrong!

The documentation would indicate this:

pad_len = ((offset & (4-1)) == 0 ? 0 : (4 - (offset & (4-1))))

But Windows Servers (at least 2003 SP1 and 2008) use this:

pad_len = 4 - (offset & (4-1));

The difference is the case where the name field is already 4 byte aligned. In that case Windows adds 4 bytes instead of 0 bytes of aligment.

See frame 75 in the attached capture (172.31.9.211 is a windows 2008 server and 172.31.9.1 a modified smbtorture).
The name length is 20 and there're 4 extra bytes before the Reserved1 field.

metze

More information about the cifs-protocol mailing list