[cifs-protocol] [MS-SMB2] Clarification regarding client handling of invalid DataLength of SMB2_ENCRYPTION_CAPABILITIES negotiate context [119030119723829]

Obaid Farooqi obaidf at microsoft.com
Fri Mar 1 17:39:09 UTC 2019


Hi Philipp:
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Philipp Gesang <philipp.gesang at intra2net.com> 
Sent: Friday, March 1, 2019 3:29 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org; slow at samba.org
Subject: [MS-SMB2] Clarification regarding client handling of invalid DataLength of SMB2_ENCRYPTION_CAPABILITIES negotiate context

Hello dochelp team,

recently we observed a buggy SMB server that when using protocol version 3.11 sends negotiate protocol responses with a DataLength attribute in the SMB2_ENCRYPTION_CAPABILITIES negotiate context that includes the padding. This was causing Samba’s SMB client library to terminate the connection with an INVALID_NETWORK_RESPONSE error, while Windows clients continued.
(As this happened on someone else’s infrastructure we have no information about the OS versions of those clients or whether they too connected using SMB 3.11.)

While the issue was being investigated, Ralph Böhme from the Samba team pointed out that [MS-SMB2], §2.2.3 does not specify whether this should be treated as a violation of the protocol.
It is clear that this response is invalid with respect to the spec, which says that the DataLength field gives “The length, in bytes, of the Data field”. However, the spec does not explicitly prescribe a client behavior when encountering malformed values while processing the SMB2_ENCRYPTION_CAPABILITIES as part of a response (§2.2.4.1.2).

We would like a clarification regarding the expected behavior of the SMB client in this situation: Is it justified to abort as Samba currently does or may the client ignore an invalid DataLength if the remaining values of the response are sound?

Thanks,
Philipp Gesang

References:

- https://lists.samba.org/archive/samba/2019-February/221136.html
- https://lists.samba.org/archive/samba-technical/2019-February/132741.html
- https://security.netapp.com/advisory/ntap-20190227-0001/
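An added example, not part of this thread and not Samba's or Microsoft's code: a small Python parser for the negotiate context Philipp describes, with a strict mode that rejects a DataLength that counts the padding (Samba's current behavior) and a lenient mode that tolerates it only when the excess is exactly the zero alignment padding. The field layout and cipher ids are from [MS-SMB2] §2.2.3.1 and §2.2.3.1.2; the sample bytes are constructed.

```python
import struct

# Field values from [MS-SMB2] 2.2.3.1 and 2.2.3.1.2.
SMB2_ENCRYPTION_CAPABILITIES = 0x0002
CIPHER_NAMES = {0x0001: "AES-128-CCM", 0x0002: "AES-128-GCM"}

class InvalidNetworkResponse(ValueError):
    """Malformed negotiate context; a strict client drops the connection here."""

def parse_encryption_capabilities(buf, strict=True):
    """Parse one SMB2_NEGOTIATE_CONTEXT of type SMB2_ENCRYPTION_CAPABILITIES.

    Layout: ContextType (2) | DataLength (2) | Reserved (4) | Data (DataLength),
    next context at the following 8-byte boundary.  Returns (cipher_ids,
    offset_of_next_context).  With strict=False a DataLength that also counts
    the alignment padding (the server bug above) is tolerated, but only if the
    padding bytes are zero.
    """
    if len(buf) < 8:
        raise InvalidNetworkResponse("truncated negotiate context header")
    ctype, dlen, _reserved = struct.unpack_from("<HHI", buf, 0)
    if ctype != SMB2_ENCRYPTION_CAPABILITIES:
        raise ValueError("unexpected ContextType 0x%04x" % ctype)
    if dlen < 2 or len(buf) < 8 + dlen:
        raise InvalidNetworkResponse("DataLength %d does not fit the buffer" % dlen)
    data = buf[8:8 + dlen]
    cipher_count = struct.unpack_from("<H", data, 0)[0]
    expected = 2 + 2 * cipher_count          # CipherCount + Ciphers[]
    padded = expected + (-expected) % 8      # Data rounded up to 8-byte alignment
    if dlen != expected and (strict or dlen != padded or any(data[expected:])):
        raise InvalidNetworkResponse(
            "DataLength %d but CipherCount %d implies %d" % (dlen, cipher_count, expected))
    ciphers = list(struct.unpack_from("<%dH" % cipher_count, data, 2))
    return ciphers, 8 + padded

def client_accepts(buf, strict=True):
    """True if a client with the given policy would keep the connection open."""
    try:
        parse_encryption_capabilities(buf, strict=strict)
        return True
    except InvalidNetworkResponse:
        return False

# Constructed sample: CipherCount=2, AES-128-GCM then AES-128-CCM (6 bytes of
# Data plus 2 bytes of padding).  Only DataLength differs between the two.
SAMPLE_DATA = struct.pack("<HHH", 2, 0x0002, 0x0001) + b"\x00\x00"
GOOD_CONTEXT = struct.pack("<HHI", SMB2_ENCRYPTION_CAPABILITIES, 6, 0) + SAMPLE_DATA
BUGGY_CONTEXT = struct.pack("<HHI", SMB2_ENCRYPTION_CAPABILITIES, 8, 0) + SAMPLE_DATA
```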
