[cifs-protocol] [MS-SMB2] Clarification regarding client handling of invalid DataLength of SMB2_ENCRYPTION_CAPABILITIES negotiate context [119030119723829]

Obaid Farooqi obaidf at microsoft.com
Tue Mar 5 00:44:35 UTC 2019


Hi Philipp:
The processing of the SMB2_ENCRYPTION_CAPABILITIES is defined in section 3.2.5.2 in MS-SMB2. 
As far the length of the context is concerned in the DataLength field, the client performs the following check:

If DataLength is < size of SMB2_ENCRYPTION_CAPABILITIES
    then return error to the application.

I'll file a bug against the MS-SMB2 document to add this step in the processing steps for negotiate context for SMB2_ENCRYPTION_CAPABILITIES.

Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Obaid Farooqi 
Sent: Monday, March 4, 2019 10:52 AM
To: 'Philipp Gesang' <philipp.gesang at intra2net.com>
Cc: 'cifs-protocol at lists.samba.org' <cifs-protocol at lists.samba.org>; 'slow at samba.org' <slow at samba.org>; MSSolve Case Email <casemail at microsoft.com>
Subject: RE: [MS-SMB2] Clarification regarding client handling of invalid DataLength of SMB2_ENCRYPTION_CAPABILITIES negotiate context [119030119723829]

Hi Philipp:
I'll help you with this issue and will be in touch as soon as I have an answer.
Do you by chance have a network trace of this issue?

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Obaid Farooqi 
Sent: Friday, March 1, 2019 11:39 AM
To: 'Philipp Gesang' <philipp.gesang at intra2net.com>
Cc: cifs-protocol at lists.samba.org; slow at samba.org; MSSolve Case Email <casemail at microsoft.com>
Subject: RE: [MS-SMB2] Clarification regarding client handling of invalid DataLength of SMB2_ENCRYPTION_CAPABILITIES negotiate context [119030119723829]

Hi Philipp:
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Philipp Gesang <philipp.gesang at intra2net.com> 
Sent: Friday, March 1, 2019 3:29 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org; slow at samba.org
Subject: [MS-SMB2] Clarification regarding client handling of invalid DataLength of SMB2_ENCRYPTION_CAPABILITIES negotiate context

Hello dochelp team,

recently we observed a buggy SMB server that, when using protocol version 3.11, sends negotiate protocol responses with a DataLength attribute in the SMB2_ENCRYPTION_CAPABILITIES negotiate context that includes the padding. This was causing Samba’s SMB client library to terminate the connection with an INVALID_NETWORK_RESPONSE error, while Windows clients continued.
(As this happened on someone else’s infrastructure we have no information about the OS versions of those clients or whether they too connected using SMB 3.11.)

While the issue was being investigated, Ralph Böhme from the Samba team pointed out that [MS-SMB2], §2.2.3 does not specify whether this should be treated as a violation of the protocol.
It is clear that this response is invalid w.r.t. the spec, which says that the DataLength field gives “The length, in bytes, of the Data field”. However, the spec does not explicitly prescribe a client behavior when encountering malformed values while processing the SMB2_ENCRYPTION_CAPABILITIES as part of a response (§2.2.4.1.2).

We would like a clarification regarding the expected behavior of the SMB client in this situation: Is it justified to abort as Samba currently does or may the client ignore an invalid DataLength if the remaining values of the response are sound?

Thanks,
Philipp Gesang

References:

- https://lists.samba.org/archive/samba/2019-February/221136.html
- https://lists.samba.org/archive/samba-technical/2019-February/132741.html
- https://security.netapp.com/advisory/ntap-20190227-0001/
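As an added example (not code from this thread, from Samba or from Microsoft), here is the negotiate-context walk and the DataLength check from Obaid's reply, applied to a constructed response context of the kind Philipp describes. ContextType 0x0002 and cipher id 0x0002 (AES-128-GCM) are the MS-SMB2 values; reading "size of SMB2_ENCRYPTION_CAPABILITIES" as 2 + 2*CipherCount, and the exact-match "strict" variant, are my assumptions.

```python
import struct

SMB2_ENCRYPTION_CAPABILITIES = 0x0002  # ContextType (MS-SMB2 2.2.3.1)
SMB2_ENCRYPTION_AES128_GCM = 0x0002    # Cipher id (MS-SMB2 2.2.3.1.2)
MIN_ENC_CAPS_LEN = 4                   # CipherCount (2) + one Cipher (2)

def parse_negotiate_contexts(buf, offset, count):
    """Walk NegotiateContextList: ContextType(2) DataLength(2) Reserved(4)
    Data[DataLength], entries 8-byte aligned. DataLength is not judged here."""
    ctxs = []
    for i in range(count):
        if offset + 8 > len(buf):
            raise ValueError("truncated negotiate context header")
        ctype, dlen, _reserved = struct.unpack_from("<HHI", buf, offset)
        data = buf[offset + 8:offset + 8 + dlen]
        if len(data) != dlen:
            raise ValueError("DataLength runs past the end of the response")
        ctxs.append((ctype, dlen, data))
        offset += 8 + dlen
        if i != count - 1:
            offset = (offset + 7) & ~7  # pad to the next 8-byte boundary
    return ctxs

def check_encryption_caps(dlen, data, strict):
    """Return the cipher list, or None for INVALID_NETWORK_RESPONSE.
    strict=False is the check from Obaid's reply: only DataLength < size of
    the structure (assumed to be 2 + 2*CipherCount) is an error, so a
    DataLength inflated by padding passes. strict=True also demands an exact
    match, reproducing the abort the reporter saw (not Samba's real code)."""
    if dlen < MIN_ENC_CAPS_LEN:
        return None
    (cipher_count,) = struct.unpack_from("<H", data, 0)
    needed = 2 + 2 * cipher_count
    if dlen < needed or (strict and dlen != needed):
        return None
    return list(struct.unpack_from("<%dH" % cipher_count, data, 2))

def encryption_context(data_length):
    """Constructed response context advertising AES-128-GCM with the given
    DataLength; Data is 4 bytes, zero-padded to 8. A correct server sends
    DataLength=4, the buggy one described above sends 8 (Data plus padding)."""
    data = struct.pack("<HH", 1, SMB2_ENCRYPTION_AES128_GCM)
    hdr = struct.pack("<HHI", SMB2_ENCRYPTION_CAPABILITIES, data_length, 0)
    return hdr + data.ljust(8, b"\0")

def ciphers_from_response(data_length, strict):
    """Parse one constructed context and apply the chosen check."""
    [(ctype, dlen, data)] = parse_negotiate_contexts(encryption_context(data_length), 0, 1)
    return check_encryption_caps(dlen, data, strict)
```

Because padding brings the next context to the same 8-byte boundary either way, a DataLength of 8 and a DataLength of 4 leave the parser at the same offset, which is why a client that only rejects too-short values carries on.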


