[cifs-protocol] OPEN_ANDX undocumented flag with 19 word count response
zachary.loafman at isilon.com
Thu Dec 17 08:17:32 MST 2009
If the client adds a 0x10 flag in the Flags field of
SMB_COM_OPEN_ANDX, a Windows server will send back an alternate 19
WordCount response. Neither the 0x10 flag nor the 19 WordCount
response are documented in MS-CIFS.
Wireshark can't handle the flag or response, but netmon seems to
document it. The flag is documented as "RESP_EXTENDED_OPEN_ANDX
reply", and the reply seems to contain the MaxAccessRights (as the
torture test expects, too). Both the flag and response need to be
Also, the MS-CIFS OPEN_ANDX documentation doesn't mention ServerFID,
but both netmon and wireshark think that the first ULONG worth of the
Reserved field is actually "ServerFID," whatever that is.
I've attached a short pcap demonstrating the extended response. You
can reproduce this at will with the smbtorture RAW-OPEN test.
Zach Loafman | Staff Engineer
Isilon Systems D +1-206-315-7570 F +1-206-315-7485
www.isilon.com P +1-206-315-7500 M +1-206-422-3461
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 994 bytes
Desc: not available
More information about the cifs-protocol