[cifs-protocol] OPEN_ANDX undocumented flag with 19 word count response

Zachary Loafman zachary.loafman at isilon.com
Thu Dec 17 08:17:32 MST 2009

If the client adds a 0x10 flag in the Flags field of
SMB_COM_OPEN_ANDX, a Windows server will send back an alternate 19
WordCount response. Neither the 0x10 flag nor the 19 WordCount
response is documented in MS-CIFS.

Wireshark can't handle the flag or response, but netmon seems to
document it. The flag is documented as "RESP_EXTENDED_OPEN_ANDX
reply", and the reply seems to contain the MaxAccessRights (as the
torture test expects, too). Both the flag and response need to be
documented, though.

Also, the MS-CIFS OPEN_ANDX documentation doesn't mention ServerFID,
but both netmon and wireshark think that the first ULONG worth of the
Reserved field is actually "ServerFID," whatever that is.

I've attached a short pcap demonstrating the extended response. You
can reproduce this at will with the smbtorture RAW-OPEN test.

Zach Loafman | Staff Engineer
Isilon Systems    D +1-206-315-7570    F +1-206-315-7485
www.isilon.com    P +1-206-315-7500    M +1-206-422-3461

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openx_extended.pcap
Type: application/cap
Size: 994 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20091217/6e4d675b/attachment.pcap>
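
An added example, not part of the original post or of any project's code: a parser for the OPEN_ANDX reply parameter block that accepts both the documented 15-word form and the 19-word form instead of rejecting the latter. The field order of the 19-word tail (ServerFID, two reserved bytes, MaximalAccessRights, GuestMaximalAccessRights) and all Python names are assumptions for illustration; the sample bytes are constructed, not taken from the attached pcap.

```python
import struct

EXTENDED_RESPONSE_FLAG = 0x0010  # request Flags bit described in the post

# Fields shared by both reply forms: 24 bytes after the WordCount byte.
COMMON = struct.Struct("<BBHHHIIHHHH")
COMMON_NAMES = ("AndXCommand", "AndXReserved", "AndXOffset", "FID",
                "FileAttrs", "LastWriteTime", "FileDataSize", "AccessRights",
                "ResourceType", "NMPipeStatus", "OpenResults")
# Assumed tail of the 19-word reply: ServerFID, 2 reserved bytes,
# MaximalAccessRights, GuestMaximalAccessRights (14 bytes).
EXT_TAIL = struct.Struct("<IHII")


def parse_open_andx_response(block: bytes) -> dict:
    """Parse WordCount + parameter words of an SMB_COM_OPEN_ANDX reply."""
    if not block:
        raise ValueError("empty parameter block")
    word_count = block[0]
    if word_count not in (15, 19):
        raise ValueError(f"unexpected WordCount {word_count}")
    words = block[1:1 + 2 * word_count]
    if len(words) != 2 * word_count:
        raise ValueError("truncated parameter block")
    out = dict(zip(COMMON_NAMES, COMMON.unpack_from(words, 0)))
    out["WordCount"] = word_count
    if word_count == 15:
        # 6 bytes documented as Reserved; the capture tools label the
        # first ULONG of it ServerFID.
        out["ServerFID"] = struct.unpack_from("<I", words, 24)[0]
    else:
        (out["ServerFID"], _reserved, out["MaximalAccessRights"],
         out["GuestMaximalAccessRights"]) = EXT_TAIL.unpack_from(words, 24)
    return out


# Constructed samples: same common fields, differing only in the tail.
_common = COMMON.pack(0xFF, 0, 0, 0x4001, 0x20, 0, 1024, 0, 0, 0, 1)
SAMPLE_15 = bytes([15]) + _common + struct.pack("<IH", 7, 0)
SAMPLE_19 = bytes([19]) + _common + EXT_TAIL.pack(7, 0, 0x001F01FF, 0)

if __name__ == "__main__":
    for sample in (SAMPLE_15, SAMPLE_19):
        print(parse_open_andx_response(sample))
```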
