[cifs-protocol] [MS-NNS]: Active Directory Web Services violating documented payload size limit

Garming Sam garming at catalyst.net.nz
Tue Dec 4 22:27:45 UTC 2018


When observing traffic sent from the ADWS server, data messages returned
via the NegotiateStream protocol has observable payload max sizes of
0x0000FC30 consistently (triggering this is possible by asking for a
large search result which must be broken down into multiple data messages).


'[MS-NNS]: 2.2.2 Data Message' indicates that the maximum value for this
field is 0x0000FC00 (64,512). However, ADWS clearly returns answers
which are greater. Noticeably, when this payload is decrypted via
GSSAPI, the payload size nearly always goes from 0xFC30 to 0xFC00
(indicating a 0x30 length header). Sometimes the decrypted data is
slightly less, but the total payload size always caps at 0xFC30.

>From what I understand, the documentation does not seem to be correct.
The documented payload size seems to be a reference to the unencrypted
payload length.

Can this behaviour in regards to encrypted payload lengths be clarified
(and documented)?



More information about the cifs-protocol mailing list