[cifs-protocol] [MS-SMB2] Clarification regarding client handling of invalid DataLength of SMB2_ENCRYPTION_CAPABILITIES negotiate context
philipp.gesang at intra2net.com
Fri Mar 1 09:28:53 UTC 2019
Hello dochelp team,
recently we observed a buggy SMB server that when using protocol
version 3.11 sends negotiate protocol responses with a DataLength
attribute in the SMB2_ENCRYPTION_CAPABILITIES negotiate context
that includes the padding. This was causing Samba’s SMB client
library to terminate the connection with an
INVALID_NETWORK_RESPONSE error, while Windows clients continued.
(As this happened on someone else’s infrastructure we have no
information about the OS versions of those clients or whether
they too connected using SMB 3.11.)
While the issue was being investigated, Ralph Böhme from the
Samba team pointed out that [MS-SMB2], §2.2.3 does not specify
whether this should be treated as a violation of the protocol.
It is clear that this response is invalid wrt. to the spec which
says that the DataLength field gives “The length, in bytes, of
the Data field”. However, the spec does not explicitly prescribe
a client behavior when encountering malformed values while
processing the SMB2_ENCRYPTION_CAPABILITIES as part of a response
We would like a clarification regarding the expected behavior of
the SMB client in this situation: Is it justified to abort as
Samba currently does or may the client ignore an invalid
DataLength if the remaining values of the response are sound?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the cifs-protocol