From 2844d54f67a17282664c718c4d9633211164ea99 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 24 Jul 2024 12:44:46 -0700
Subject: [PATCH] Fix handling of zero-length SMB2 error responses

---
 src/analyzer/protocol/smb/smb2-protocol.pac     |   2 +-
 .../out                                         |  13 +++++++++++++
 .../Traces/smb/smb2-zero-byte-error-ioctl.pcap  | Bin 0 -> 29460 bytes
 .../smb/smb2-zero-byte-error-ioctl.test         |  16 ++++++++++++++++
 4 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb2-zero-byte-error-ioctl/out
 create mode 100644 testing/btest/Traces/smb/smb2-zero-byte-error-ioctl.pcap
 create mode 100644 testing/btest/scripts/base/protocols/smb/smb2-zero-byte-error-ioctl.test

diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac
index b922c62f2b..5e7bf673b1 100644
--- a/src/analyzer/protocol/smb/smb2-protocol.pac
+++ b/src/analyzer/protocol/smb/smb2-protocol.pac
@@ -413,7 +413,7 @@ type SMB2_error_response(header: SMB2_Header) = record {
 	byte_count        : uint32;
 	# This is implemented incorrectly and is disabled for now.
 	#error_data        : SMB2_error_data(header, byte_count);
-	stuff : bytestring &restofdata &transient;
+	stuff : bytestring &length=byte_count &transient;
 } &byteorder = littleendian;
 
 type SMB2_logoff_request(header: SMB2_Header) = record {
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-zero-byte-error-ioctl/out b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-zero-byte-error-ioctl/out
new file mode 100644
index 0000000000..f803db64f2
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-zero-byte-error-ioctl/out
@@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=0, message_id=8, process_id=65279, tree_id=3905704575, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]
+smb2_close_response, [credit_charge=1, status=0, command=6, credits=256, flags=1, message_id=8, process_id=65279, tree_id=3905704575, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=0.0, modified_raw=116444736000000000, accessed=0.0, accessed_raw=116444736000000000, created=0.0, created_raw=116444736000000000, changed=0.0, changed_raw=116444736000000000], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]]
+smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=0, message_id=21, process_id=65279, tree_id=900627714, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]
+smb2_close_response, [credit_charge=1, status=0, command=6, credits=256, flags=1, message_id=21, process_id=65279, tree_id=900627714, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=0.0, modified_raw=116444736000000000, accessed=0.0, accessed_raw=116444736000000000, created=0.0, created_raw=116444736000000000, changed=0.0, changed_raw=116444736000000000], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]]
+smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=4, message_id=25, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]
+smb2_close_response, [credit_charge=1, status=0, command=6, credits=768, flags=5, message_id=25, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=0.0, modified_raw=116444736000000000, accessed=0.0, accessed_raw=116444736000000000, created=0.0, created_raw=116444736000000000, changed=0.0, changed_raw=116444736000000000], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]]
+smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=4, message_id=28, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]
+smb2_close_response, [credit_charge=1, status=0, command=6, credits=768, flags=5, message_id=28, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=0.0, modified_raw=116444736000000000, accessed=0.0, accessed_raw=116444736000000000, created=0.0, created_raw=116444736000000000, changed=0.0, changed_raw=116444736000000000], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]]
+smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=4, message_id=31, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]
+smb2_close_response, [credit_charge=1, status=0, command=6, credits=768, flags=5, message_id=31, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=0.0, modified_raw=116444736000000000, accessed=0.0, accessed_raw=116444736000000000, created=0.0, created_raw=116444736000000000, changed=0.0, changed_raw=116444736000000000], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]]
+smb2_close_request, [credit_charge=1, status=0, command=6, credits=256, flags=4, message_id=34, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00]
+smb2_close_response, [credit_charge=1, status=0, command=6, credits=768, flags=5, message_id=34, process_id=65279, tree_id=1248644238, session_id=66137014, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [alloc_size=0, eof=0, times=[modified=0.0, modified_raw=116444736000000000, accessed=0.0, accessed_raw=116444736000000000, created=0.0, created_raw=116444736000000000, changed=0.0, changed_raw=116444736000000000], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]]
diff --git a/testing/btest/Traces/smb/smb2-zero-byte-error-ioctl.pcap b/testing/btest/Traces/smb/smb2-zero-byte-error-ioctl.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..3ffab0867ad80a375de55e06141ffe9dc358dc1e
GIT binary patch
literal 29460
zcmcg#31AdOx~`ri7$QPo5wn0A6xk6JBO4AC6%bfNj%ZNP$B2Oh0>qF7WI;ee5H|#(
z5Q7{dmw4i8!X@IeW}~v8=)=VW6b}+qRNQraD)JC`-`7<&(^E5(%rGxgSW{g+-SyRf
ze1BC}^~9ue&Pf_Bgc#hjQ)>(5X_ewd7tt?!+?3H-1*z`a$4$zaoSQXi!lkL{ox61I
zmg=5rmzSqqKDJBN=<F-AdUQ=6l{M;8G=RkR*j7tb3K4G~H$uGtnW^6w31UXCXFWr3
z%<Sq@^^B|E-tPTQ)OJb~{e<Yn|9UmroQw0@`P~n5tR1gx-<pk!MTP71=`SbXuK0w_
zR$N>o%Suf8dcu8E`CYt=pTr?v9xF)1JJtJH&p;eAOC*VE<MmW{dBh^7wd035A6?UZ
z7cg_yv^Z7#Qmw>`cO@nb&H8L1@qm4n#2}X4HHFo#&$FIBIA#uzEnQ(vF=WdD-tNNW
z#H3F;LxV~tV#&5m{Uxl}5Q+YZ#DZ`3Z{3Ry+4{?0=dZuvcMbcI-}&p$DU%0yXDCzi
z#H54Ev`jP3_Lpe{VUcK~vsZ5Lz!ZWxz(#JRw?b_rvEYXy-U+$h&49a=?_!OKZJIXu
z6m9GN2eh5O?j`zL^BuZvW&ho<|Cqw&)~TAtvj0P~KJW1Lgc)c1Y~s{W+sAzvVcUHS
z?EWV0{_#ntjy~_;!*KFu%esi{KG)h&TK&NJ)Czgi^JcHz&!Uf&9sl@xe&=s@CvOfu
zu^}?v%&pCR_zqxRK;Aq*QQ}G7eC{S*Xx?11J|g`|*)9OyorTFYXC3>i)E_ZmC-@6(
zLqB+)A|lbphCRK(vjE4;0XCYYe5{j~n@)_BnzNdZ@nZCn7^2_l%)xyovH3*H>w&DE
zK5Zf6;3DA~GAwn_;MBCvS9TFDT%Ovcb6T4B@cQdv1NPDM+1t=p?Xv-W4U8kQuVcOX
zK&O<ARbRC}oIZQgGd_$!UbwT#i-pM!UeLaG!oFh*ldY2<&XgF?#ih`DFQ3lSI0zt7
z=dEAZ;7LZE*~GA1?i^w)=p7Uz#X4F0UtWxk5<|Rs3QFw7=IvzJBaW_xQ})Ikr(HsH
z>zdUiJ8eu_R*!Docpm~fQlU4OtoeCX`BVFqEc}M!hY)uUXw;}vBP$`nwdT6Co@<(>
zHEEQDdc0NC-Q`MpqGOtSO@}t^^CwOjnVmCcTz*dW$Z`22Z|Q$S`jy>#^eV{9$(o!q
za@^SbiIZ}uC)4g%L0@NL_eE~-AmQgHyms#myL9x~#A)}wF~H~-1B{^!gpr|aPXApA
zjLxVtn>@5qWz5)AY{U%k5cWu^Nm%)kX%BJ4-+$>*GAU4T`jkEsylgKLY@eTvulrut
zf9KV!GGF*}yQ8D~ci2_N(IOt%<w|ymI9FWrIN*y8c0-m(#c@^3X3zbh-KLDiyT;wy
z^OEa(Y)>BY`jc(D{qNCcSC2a9=gOCHuiXOglRb(PN$P&P@O~tS6#Mu}aTVr_oyC=+
zo9Ka($K7yF2<p-F?+;$|`L`JlM7n#79dnxc$Ad-g(&~Ach&jK$UnTVk-|mEX(A($V
zQ)FlDnA2+G2G1?1Gn*JzU-wvIl$;ETkz)P&8_=Aw(}!U-@wb`Q40R+^eKupvX&&dQ
zH|Dh66&Q0kar^&^IkLb0J~4d2_`R;>KbB2u^WVj<_HdoZy(+HH{`8Hf|GD+sYd^l`
zrN5XyL0y}6?E;-g8n@<U*5)qmfw&d-<I_^-uxTIa-Dg*4+!`1Ij3F_=xVwQc5|ukL
zZcTsVMb8l!o7s$8;v*He-tmuH${r~-aW8+a?Qu}qL#&e=kP!G(So95<>f^v~*`&I5
zxEf1Yt=qTPb&Pip88&EeW@d&Bd2UhhDAkC!Xk=BK-wZX%Z~EotoiBR*(u@U&H@SAa
zY2qIX7WY8BIgWU9;$6gI84C_|FFSq^4o-h0MzIowy8iWs3eQ;7nN1Aq4)-`a-h3Gp
zBgHyVI>3u@yTq{CX<fGxqKeT*fd%M#Yp4Gp!UrZivWNlVfLJ@{gS0vO*2E=Q)>^-5
z%DOo_;^%DFilqrt@UI8TbBjtw{q5WP*EimG<Q3iUcrjjNpwdY8qggl6RrE%n?<>+o
zf8^e{vm5@o&_<~5tUA7nw*`w+S7f2(Y_vKCIZL&CmPizZ$J*WRosd!grmg$;t?=49
zz~@8Endcp^%`NjF23g;iNjty>qlRW3y4`1MXAHVC1{irUz?j!S7}HcZATQp#ufj7N
zb!O8ZE{w9hFb;3L%ZNeJ9w{}}ghO6?<V$<FT4-L-G2sBx9dWElpkq)dUiinL?cV#>
z7Fk=<imZ+6imVm!Mb@L57;KlsC`b7b{_#nTb*^+Z!9UKoSjVG~NXEYh(IO+1j!134
z*_O3%{R5+ZdG*li-(36Js8Hk>FYXnS#S}44<RdcPDl)||aU<5pE(f*l6hlF>{y+$x
ze!n6Aa8iqpe%|ukjONGsCl+~w?9I#V=a<8`wBB+}$Kw6GyDk#eMc%ro8IN`wVa`ay
zJ89Y&55J=!(HKZ}1!jlAXNgJBTBtN^%i1xg?|)}b`ez4jXqETn#ZR<|=VPR}rsv*-
ze-C@@KfI6rX2yYYXZqrR8IKY3$J6f?Ci%zXGEZrBaWlmHWAEG}{SH2tgIJL7ivxR9
zN9o%K7gu;Tpw1kC@wj^eF&3-|ijiU+Yk9(pF<xSb9MiWM!<j<)_Vm^Nd~bBz@ScgE
zez^9#e{_9S#{Bce+BRvwWyBX+T|azs?5i#9%BR__Q3g|A?aF-mGI=UO#LePnh?_eR
zH^q0~OIaYtWaw<XPhZZsnH~d-ZZW_Z*gzQX+18P3CKv9m@N7n%IlvxI2|I3XcKOFm
zWsj5^ablO(9);2#BH!s-@Fy!#p^>{xX58HW$Io}%u;i_TsojobcKBC8d+A#pu(~=T
zB$G!VVr7UMM0-J5Odq@WO`nei@Fm@yXLB;q;LA>Mat=B9cAl3n)8S`@J|El0?jw<t
zWA;>d9>p<p07kL<9-EV!f?|M^FZt$r_el(qVd_nD(y6!Ex9mBh$D59?y+3>G!1DJR
zmCq>o>e;^K$%0W)rf0>4IADKG-Q16U_rZDQ0DGq^d;9hb?6tn)IkmZuv@T3Obo#rd
ze)hi4ryD2#9*hD596u)<j6XLJhV!{*{yP<(FQF&q0A1~uy4tkY;D*!{xRDMM$aT?!
zbHEMgO003(I00YdoSkrNCvwASV|ChFaHYd%W$$SoR2AZb@mn`K4ReNK)Kicri%DWC
zKBr=o)G1kL&%(~!wBG6q{amA)p|4;4ZiVMl+{PT>>wDe#y*U1i_xJTjT9;POzoan5
z`uU2ZQV-C<4EXvSG_uUpgYI*<dbk6P*!L7(_x`7qk6R*CiR+xHP*sk;IQ&mMZ1&tw
znd+1-(5%Usp^!gP&dk3AoY@M_oci`{DL-YW4uW%LSPU?3ivpuYeEU{7a*S*s47YL-
z`r}Dp@bQp2fS120URL<?QrQE%+y^E)cnN!mDyKi5tz3%^K~G=`hnMG7H5aB|O~btd
z>=v9KzGrOgMaFSX%4;YfH^zCT6xI^EhIYBBpw&LB#k4#B@M`{{V)8rQQ(W?G+uhAq
zA4wFQk_X%^;{o-<-nNyu+GAAKdljDl#X05x-X3*Nw0S$&;O$oM_G|F=r#aV1J;7&Z
zD&B53^`yYU*3*^fNiaR}*@lT_U;9XYB#0)qet3>pdt2>o^*tDSju=ret{`W`<VjN}
zPetU?{Rplb>cr&qz0gg>oc_8tw>+Pm{${Au4fIk({RHRqj2K|di~^%Zd^0#4Ip#GG
zMqgz%a{A_vD?AsW&TMkpYN<F~Zg5)K1Du|`!YjvIX%BJG^i}Ova_=oVPG{@Jyrq-V
z!uDBx%^>@lX10%FYGWssp`KEC0TrV&>r9LdJSP)%N1v`xb?R_wT&3q>)R_bLKF3{P
z^Zg}%zL)2hR+sE1-v^^Pwf<NPzn+UmZj?I2yaH&9i;O=^T8FySb5i-O?^DlV+u8kO
ze}7dX=>C3$I<whdYmfVn>~F~gqrb1{{(iOE?5|aB*xdU(tNW?TQ2h-jKDAd8P|5`1
zvTd!;HBsNOU~VE@_{a4cS+=xmoRhgkTV&|7Fcqcl7t2hMi>1g(B1gUJgDJP2SUSH;
z#X8MIynB?5EBRi4o;$JBPe;753qO!p%JZpchxbgyipgjkr3$yblp1U?G!?T(c`ZMA
zWhQ!ej~Io|%TVu)9u(MXNjc(D`~!QD+uNTwuoG==#@`+A)kx!S$?n?RN3l0|=-02N
zO54Lv7lQAY=8|nD#v3uf*ck(iJu$#|I|_^%@f93U&8h0J#|I6BQ6=5Xp7YcuReDyT
z&TNh&Vv!KN5K}g%_>UvXuP~1M{E%0UQt4M>xHG0OL@F?B63A5F+>p;-Oy=BBh$@_=
z&mKl*Voc0yQt7G2F|!#H#b);;_J2W<e@uKdv$T2vpS6B!dQA2oeJ=qwO3}znv;SIv
zaQojAjo2yFGnPKDuk$M@o5{-skTFv3FTnHEqx-l9@nyN6jY@)ZzdQyQOQOK25nnzM
zjvOl*2;+HWCHmX}U_gz6Ie;^m+uEGD%%3yL9^lNdQ>GlEuhZw^@wEaIdOlDeXK)V^
z`$*q$_O-aFudf08nCYHu^W$ZMAN#<Md&rO9|6TSK{8*s)5ztrN*)!{FHam_)y{<=J
zBlh!qYIB#ivHcvA0~J#lixvd;^U4@tY>xs1e(nlKjyIyifYFq$9`e`KerXQd9@8(Z
z^lU?&Il#}KlYYMGl;P*n9`N(KuJB@%NenT`>E|?;j;Tosm442o=bICD7NlRhbYSPP
zGu#in+~|v&=wky!$9mSfGjUCCaSPs9?<*(|IYAki=x6U<R9V+r^c0&D&--&?X&Z2&
zmYkS=T*?KR7J(CGXf)(nv{SB!_T&xJa^*ZVJ7M7VPoDjx?3XrI-}Um*WFO_lX)DxP
z^ilLXVt&+u9}~%sFZ}I+v7OvA$C~3Yz&IHNMveHQv!7pukR$HmGuKsJ7~DT$q9484
zp)%sVpas$%;K!afy>dK4UqYiH_k!>&X(y8(e|h@xwiExp<wSg|O|2*1*Ke-mN2Gf}
zPHvRD>*U70Ha9jH+?ZHez3^6Y<BHK<ZY%~jFk*-1hEpcjtQWd!ZZzFkXqAl39g<db
zL4MAS^H+qoPqPvIj+7e<Zv{7ABR39@^|Qs|;M{mQ1{i;h0;5J89utlnuQw0|_d=M+
zjdL%pjCe0d*#q3D@r_U92J8`fFQ|!)Dc7f*exy!&i!<E|%EJ>q*B1)TXfJ4W$I80)
zf~MMh8fEb5HSp=U{e05K%cnBMr;vL=;p!pUy`aj{tUpt!yHB*<?NzQkfYr?LWDDev
zn3s6ZXxT{c@>FdHuRoW=4=~mS8?*iv1B|LDFlt0?`*7sg)j$}|y`bN9s*HFqXrZ(R
zc)4hkDM#qNAiZ|WF{?gaa*xCGt7-750fvJC-8)lq?ge2k8L$^L?e_E*=`G&g@NZ#V
z+;8ms4Qwj-en+sqpw5?9*0mS(C!4qYO``r?B7T3fY-DM5=??OC)>~3f^jYv0Pv9ct
zUQoDt(rc}zo(d=!63f2!k^FG(1yMhGFQ|#y3(A|EHF+}5tDqf1H^KIT`a?I7a=LU!
zZSL~($mv6Pa!}76b#Quc3^0a7fl(t4Jrj-`!x{*KzfWS~Si2b*O;KkypVN35eRb0_
z@KyPnUHcssWe;$=;0IF<vCH|KhIyL80)mYh-dG!o(;2D_U*Y7m+zaA0F618eMVH$h
z&^%#T*Ip2B@pf2HPaKmfcp8cNTGX}9eV=JIw_o(<_VV*es~?(AZg-n4^#yJ(QQQu>
z@1ymlOFhSxeer$jwG-dI&mbiN`@0zZ?T9+FxrSr4bx*hZ`x~Rb*}A_Ah6nWbuwh^C
zzK`ywE<^P<oLDr)C!TlThv#V55$d}{)cCG0_kCz3CYH{3ZaM$wJ`msK<vx&}=dkRH
zciQ^m-K_p7(?oapOK<GVNUsrsI%I2{GcZw?PePZG#;%9v*XFJmgxGcRvnQo4VfROA
z|KRhH${1j5jt1k@XY0d}V`~gBwnc$aBR*RfjvRk)AdCSHj$YNR($fKT=71QSB1A97
z;6?s1SosxV@JZjiO8J%e+~BCf!aG>fneBIM&U9XttJ?4tfialZ#3RdieOW{?7y<_*
z3P8@f*is_DrvAv!L?s*fd91tdxzUVuV!!)7>T$ts{;_VwpwjAx?e*$Q2K&W2zHI9E
z4k5=f1s1j*!-;ii6h|e!$IWxppVkF&Z@PBGp(R&s?(^{O!?!N^_Crp;kSM<yrxJTa
z9;Y70+Utt%Imi06Z8*GW9s`V)QDD@FPg{p0N81L%xZB~E?rSSO*P+fFz;Bq^=Jzyz
zek*%`-#35Zm1C(KH^eWY_?;}BA}W3tsy2K@AisGH-+hp=psCGo(?6*I<_`GB@;As#
zEJKaGBm72h`*Qn(_sc}R(%)0nDf0ftUX>m${xb*g{(JWfoA=imy#KzmdeJz}$u8U{
z^$XoD#n`+QjchaZtMS9tZ#cXk03e+-?|F`TCI6Y^uW#frKiLn?dt@ok>-QKD5UQkJ
z%y{5|ej=T>EE-pv``Gi02M4qK{15u!oXEr&6$6aCC@^Zo!I9y}k>5ZV`fVlp>uz9t
z106D(@jx6@@nDaCJW%#PJlOD&DTi2Z`YRf?Q*%{DvyO6^YQt9q#sgkMk7%hbqJNt4
z03$d~^D5_<J)=*ZWA;p&yTkms``GiP)r*^xyFc6|bph@!Q``+XW{0bbaJZ}aNpUrI
zd5+TQF`M57Pr=6QQs^O4jxKIqo4YcD9Q_zURjrFGqb`DTbZHDQ9*Y8_Mtlq-)i1}B
z4TLd(Zi_^Y_URk>oLt!h9Q~h*OgTc&$y-R!sK#tL4y%UjB9NoJhVMLP*x$!$PTr+|
zo&26<^E=a@-zzh~@1Mx;xp-iqKftG#gWvG$&~x%|^%xDmsXxtcI?MWBryn?R@y?-7
z?QHhc>HY6@wN)E*PCf{Fh?w6$f!{xp-v>(k{Aqb`eh-TQ#%)nx)QAJc;mDEIKp1?F
zn~D5B0E~-JXEw*+Q18Gmmi7R@7uR~_SWe$Wqaojc=X{qbnlYF&F8>tBZ(fs#JjlLK
z&dE*xqym_^YQ~b|6%$M6x|w|vAG}5;>W)_xs8iJ8s2eLiLr`Zn=iOE>_x<E{$u|bK
ze=Myod!O8{d_(FG`da~RLx)zPIge3b-e-sUbQlh|8ANo_V>i!HcZKQ;&bx`txppc_
z9;b-b(3;DBzg({;b4?=DZ~x<YA3rcfI2RxHcF*0B`P`;!zx(7LN7)|NC0Q~b;U)_b
zk7c5ssc%}9iTa)keMcHY%HFTdT_q4hPJZ|}+PD8c;6eH<e#ODIO^nhQV3b9HQ6oM?
z&+C_CNdsXx=kaX@Mm~>M_CO42Jl>Qe^gLeAtLyXst6<Skdne(}<GG)p@#v3c3<*Au
zKXg-_<NWMiTzk9OKNhSKrPYtjVl4Pd+0+*cLXY#hZ}sUSoLCTQ9#0+UaUO>uQm}cv
z7!)~2ADIP?uID)a!BDSHtO(7~vtod8b`%&j;sdpoinv~f94#9Nqe|I}F>^jJR-w*p
zj`N{@qoC{oj_$n9v`6UQC@{t|)#sPmugtx8A*ygU<MCl+CicI}kUD>(P-ydte?!3W
zF2Snx;MD>0Y9Thu)cpA|+5(M+{Eb4m{qJe_4Ilcq2%$=SonJ}W%rR#$WQ=rNd*ncE
z?&|j7%<1?4=x3wHf{$x=#Q<Yu6c{z){ep1h$ZH^s=arS{b58;T4;&HwMnTyFocZTy
zQ;yKTQD~)5>*GwkeI5Hq->Fj5B=)sW2KbFSv&nC3kr3p^CgV3q<?U?WL0^yj$J^J(
z5O3i-mfvrXuoi1$aejE7-3Q5U=lj^|w71|G?DE!p2Zfk9CZoz{NH)qm4Y?3m#{?YO
zDcIkOaL$d<jy<*HGrhi-I;^W-m*V%6`dS5J7hFGfCMOQGt){R-{8rsmACAUww#j2@
zH`>qXYq!IG+Skly2r<(=$Bu8tJHxBnmsXdzv!5Y;hYrg10Uh5${>J3Yd@Wl^O<$XW
zzD63SmSAjOoyRz}?*Z9Y#9`%YY}<^555@qaBnk}tO^3PR$g!k>Ff_GjkKwoC{aDb5
z+4LQ2ue*r8Q)2A*uFfm1USiKVKU3TX?;od4AeH%ktj*DFuu{0(zXR8j*CnrgQgXxc
z{nqmFucuzTcE6?Ty2K@ZiE)9+{jWiILr948uirS2<uc?{9w5n>kYYcl`u>It;t_uH
z;p8ma;vUl7$X+hi6B`=iZAo5R_?M0Mvj2sx225aS$1!|3+lR--v3;g+V?uOu1{(^!
zFu5`X_CFIou1y3Ve|`6e*N<1y2ZGNV?vDY+>?km5#Jh*Xkz;-XVSG<FK_VZw0OK9h
znFGe+Dj~?njYlw7b-YW+_y~JoEWTp9DTh_;^gBHk?*dwDLL${S7M;mhJU}*Wf2QG6
z^N#%J-8*9tzfeMZ|CYe@JgHJ7V|N>MPknM=>`q9D*9gAS9AlmO0$aReciS*=yz#<l
zSP0sg{F5O;+PiRgo$+@r?Ok%K|Fg;3#M0`ejX8Fwzbfqw?yW-nU5Q%A_#3Xhqm92^
zpDD6mkxF~8bS;HlhMdX+B<%-@I1V@dhHGEOU#@Fh0nfrj$&T?u@V7$y<1auk8Fux?
z-*D~PF!8q>_K!6FE^S<!yKX(>?>ox=v^{+wc>G-(1B~@iVAP0rUXgxWw;V4v5JnYv
z$;9}ZG&1sMA!QH5-+2XIIaWz~gnkw}UxGGB{M9i?K`7qIn&zF8518+GpM@?6vtO4A
zt3`Gc@$|wlakMN(I0eONH^$Qp%xjovzYj)NdOD-dY|dw0sqP2tcpC2?PuF3sXIT#8
z>GId4{b0Mb@I~;+QvXj1=^~u7@n{=zxb}-So;Lky5SL*^+Sec3oror$R-m15?aO#N
z2G{HPcBpwcd?#qKJByF$y?tL7!V`7UM>O6DWT!vEs^0h<uAf97pXo>RCq7d$(VzYW
zf9iu{W^+Ck>hJ$9%c;#>zlibqE#JD@YWh_0_<Sq|7{{Z)s1a}7BY6Q%)FFo}`^<G!
z7sfW*m83l`1IDAMGn@9XiiIG*H>LW|kCi<TpQm;(<*@wzc7UEA7sA@9$V~OkD?`nX
z=i^@bI6JTNG#s1B>Gym;njw|fwNn>{gFg*3pTPKNB1xIp7bYhzyxu#{y-0ptuiPp6
zIs+Kd5fJ3jUIj%ST|TSQ^8)J3W?Z(`xaZk%d9Ht4Ucaccdil$Y%ddWg4$3vEr|E;J
z<vRPX<FYe0)~B~<<MK@fB`2wZ&9|KDqEulQx?f*lfPy{kb%YF*?bJo}^-KR2NnLK*
P$r~5LwNvzQk#_t)MBGl6

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/smb/smb2-zero-byte-error-ioctl.test b/testing/btest/scripts/base/protocols/smb/smb2-zero-byte-error-ioctl.test
new file mode 100644
index 0000000000..058d17c29e
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb2-zero-byte-error-ioctl.test
@@ -0,0 +1,16 @@
+# @TEST-DOC: Tests handling of PDUs containing error ioctls with byte lengths of zero
+# @TEST-EXEC: zeek -b -r $TRACES/smb/smb2-zero-byte-error-ioctl.pcap %INPUT 2>&1 >out
+# @TEST-EXEC: ! test -f analyzer.log
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/smb
+
+event smb2_close_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID)
+{
+    print "smb2_close_request", hdr;
+}
+
+event smb2_close_response(c: connection, hdr: SMB2::Header, response: SMB2::CloseResponse)
+{
+    print "smb2_close_response", hdr, response;
+}