[cifs-protocol] 118120419417044 [MS-NNS]: Active Directory Web Services violating documented payload size limit

[Sreekanth Nadendla]

Dochelp in Bcc

Hello Garming Sam, 
Thank you for your inquiry about Microsoft Open Specifications. We have created an incident # 118120419417044 for investigating this issue. One of the Open specifications team member will contact you shortly.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Garming Sam <garming at catalyst.net.nz> 
Sent: Tuesday, December 4, 2018 5:28 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [MS-NNS]: Active Directory Web Services violating documented payload size limit

Hi,

When observing traffic sent from the ADWS server, data messages returned via the NegotiateStream protocol has observable payload max sizes of
0x0000FC30 consistently (triggering this is possible by asking for a large search result which must be broken down into multiple data messages).

https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Fcc236740.aspx&data=02%7C01%7Csrenaden%40microsoft.com%7C1059027d89814fc59f0008d65a37cb26%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636795593014180584&sdata=9SC4T5AhmeAh1Ol3Sw9aXPPb%2FfEszJdPdx3HHsV66MI%3D&reserved=0

'[MS-NNS]: 2.2.2 Data Message' indicates that the maximum value for this field is 0x0000FC00 (64,512). However, ADWS clearly returns answers which are greater. Noticeably, when this payload is decrypted via GSSAPI, the payload size nearly always goes from 0xFC30 to 0xFC00 (indicating a 0x30 length header). Sometimes the decrypted data is slightly less, but the total payload size always caps at 0xFC30.

>From what I understand, the documentation does not seem to be correct.
The documented payload size seems to be a reference to the unencrypted payload length.

Can this behaviour in regards to encrypted payload lengths be clarified (and documented)?

Cheers,

Garming