[cifs-protocol] [MS-SMB2] Clarification regarding client handling of invalid DataLength of SMB2_ENCRYPTION_CAPABILITIES negotiate context

[Philipp Gesang]

Hello dochelp team,

recently we observed a buggy SMB server that when using protocol
version 3.11 sends negotiate protocol responses with a DataLength
attribute in the SMB2_ENCRYPTION_CAPABILITIES negotiate context
that includes the padding. This was causing Samba’s SMB client
library to terminate the connection with an
INVALID_NETWORK_RESPONSE error, while Windows clients continued.
(As this happened on someone else’s infrastructure we have no
information about the OS versions of those clients or whether
they too connected using SMB 3.11.)

While the issue was being investigated, Ralph Böhme from the
Samba team pointed out that [MS-SMB2], §2.2.3 does not specify
whether this should be treated as a violation of the protocol.
It is clear that this response is invalid wrt. to the spec which
says that the DataLength field gives “The length, in bytes, of
the Data field”. However, the spec does not explicitly prescribe
a client behavior when encountering malformed values while
processing the SMB2_ENCRYPTION_CAPABILITIES as part of a response
(§2.2.4.1.2).

We would like a clarification regarding the expected behavior of
the SMB client in this situation: Is it justified to abort as
Samba currently does or may the client ignore an invalid
DataLength if the remaining values of the response are sound?

Thanks,
Philipp Gesang

References:

- https://lists.samba.org/archive/samba/2019-February/221136.html
- https://lists.samba.org/archive/samba-technical/2019-February/132741.html
- https://security.netapp.com/advisory/ntap-20190227-0001/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20190301/a06e8409/signature.sig>