From b2a2ad7e1019d9a2d889b024128c431f67b45c6e Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Fri, 8 Aug 2025 15:42:15 +0200
Subject: [PATCH] smb2/read: Parse only 1 byte for data_offset, ignore
 reserved1

A user provided a SMB2 pcap with the reserved1 field of a ReadResponse
set to 1 instead of 0. This confused the padding computation due to
including this byte into the offset. Properly split data_offset and
reserved1 into individual byte fields.

Closes #4730
---
 src/analyzer/protocol/smb/smb2-com-read.pac     |   5 +++--
 .../files.log                                   |  11 +++++++++++
 testing/btest/Traces/README                     |   3 +++
 .../smb/smb_v2_only_non_zero_reserved1.pcap     | Bin 0 -> 40934 bytes
 .../smb2-read-response-non-zero-reserved1.test  |   9 +++++++++
 5 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-response-non-zero-reserved1/files.log
 create mode 100644 testing/btest/Traces/smb/smb_v2_only_non_zero_reserved1.pcap
 create mode 100644 testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test

diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac
index d9b2d7cf7f..4f0e7548ed 100644
--- a/src/analyzer/protocol/smb/smb2-com-read.pac
+++ b/src/analyzer/protocol/smb/smb2-com-read.pac
@@ -93,10 +93,11 @@ type SMB2_read_request(header: SMB2_Header) = record {
 
 type SMB2_read_response(header: SMB2_Header) = record {
 	structure_size    : uint16;
-	data_offset       : uint16;
+	data_offset       : uint8;
+	reserved1         : uint8;
 	data_len          : uint32;
 	data_remaining    : uint32;
-	reserved          : uint32;
+	reserved2         : uint32;
 	pad               : padding to data_offset - header.head_length;
 	data              : bytestring &length=data_len;
 } &let {
diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-response-non-zero-reserved1/files.log b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-response-non-zero-reserved1/files.log
new file mode 100644
index 0000000000..fe939ef5e9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2-read-response-non-zero-reserved1/files.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	files
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid
+#types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string
+XXXXXXXXXX.XXXXXX	FmcSEk2dq4v0hewpM4	CHhAvVGS1DHFjwGM9	172.31.112.17	57829	172.31.112.16	445	SMB	0	(empty)	text/plain	Test.txt	0.000000	T	F	189	189	0	0	F	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README
index ec244576a9..a01d06902b 100644
--- a/testing/btest/Traces/README
+++ b/testing/btest/Traces/README
@@ -53,3 +53,6 @@ Trace Index/Sources:
 - ldap/adduser1.pcap ldap/adduser1-ntlm.pcap
   Provided by Mohan-Dhawan on #4275
   https://github.com/zeek/zeek/issues/4275
+- smb_v2_only_non_zero_reserved1.pcap
+  Provided by @predator89090 on #4730
+  https://github.com/zeek/zeek/issues/4730
diff --git a/testing/btest/Traces/smb/smb_v2_only_non_zero_reserved1.pcap b/testing/btest/Traces/smb/smb_v2_only_non_zero_reserved1.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..a30eecffe3fc85ffcfdde0f4ffebfb8a89cc35ce
GIT binary patch
literal 40934
zcmeHQ2Y6IP*Ph+%hL8YhOO>*erAZ(SNB|*)5(0!I^cqU&kc3bKrG$V+{6G{%X#y%1
zL_rY&Q8d^9jRpA-grHPGKmiLNqWtHbyOX^;d-v`_z8~~?oPB2R-CNF_^PV&3oS9qp
zzaMOR#>h;}QB2H0KVDuxZq&deBTJxlRDWZIhT-q~8xIVA%IL>B7+JKfTpY{uW$cw&
zIl)wej-4{>h_bXe0ZMuAU%MDnz?jiw-fZyk@iQ1qMo>JNs-_593SEU_+Lxf1^BAas
zs$s{mQ^f_fl8EZby!0D4&j0F4v0R#wwV)PJB_0`TXe+PD<4L00IW@>?iMd~qG?A#x
zCJLw$6(gHytDr-r3Q_rxPGhXYjUL?+a<NvW$8Ib{xpCvhUwpj|Gp6*kcI{>jZyFKF
zjC8m)vT1mD$!fcH?Ktp#dm33AIs;XKyaXl^Ds3-^X_W+1=O|0dFbGwCy=WMaPa#^7
zq)}9fmeEiz?JLmAUad)sL|a#j)4KW>@fs({l7YZPZl=W388?iK{gpZRp^Vr|o#ubC
zY2Uu9kH1%j6Un1*rB1jp^*_scA1)!E$ENWkhD`PKz1!DdHXGNB4<EaxO?WF`fBJ1Q
z<hL{$Yx<UL{9sc4l@No`$X6d!R{d$Kvg)Hc+W)!6;SJZ+zpGwW_T-Gr5hKTBjmXRx
zla-O)F)=!#WlUVo_z^=VjmQ`?Dl0p81Q2|l5IjR%pt=~xAzPr9akLC8F0gh;tzr$0
z4dViAa7K`C<6lBlyNNh<NNe?&nWGL9{kYDxfI9DA2wt>eeb{~BTW99bHUgI!jX_4{
zWAq93VRUSLPQk#ew4QZ+>i+1<|Jk(gSdR+{3oE>B{cb=}*BV_5%eFbR`$pNwbevCp
z88ql);8u94myu-=d#Em!GbC*vx13?lmSgQeR`?y{{;M^p8KRx#c36(La>H_heT*)a
z(+uS8R)eLM<y@sB?v&*?<DXwUvCk_{p3R7ObL!+zep*?v)s<ca(Qgi2->}7%=e{vM
znF-uYTp|Ol!RjXUGqPgZg6d**pWA|fzU+Kkepg&jdnTbD5?h-SdsabT!P>xTvmm}1
zttrKm)m0@G3QhH8$@a4d)ufXC*fzY)nhN3N)IIFk#-@fTJ-c@6(Ib_#$JkT(e#c8r
zwXgWI;T>o-5VCIVZ)6kbKvWk?%Sih#WX+Z=t@g|)OUwhXv{k==q#;VkT8Xhj*jcc>
zC0SM*wl@({*$<*cS*l6w9D8QYneaKM*7*1v49_@=HRlV{oFX9@$okSJhL#oc=O5qp
z=+>x-OO8KIKY4kCJ;K`3nh>-H>rEeYGiA-dDzQGSGfQD%_AOy7l_jzWGK3H|iA|+X
zQ#PJuv*BzgEqz#Hb}t*lvgmkaZy3v=eGzn&>(ORS8fBQDQ%3>#*9REcE)oV+HZ<c~
zwqPwoi+P~9pw4CjKe%-{2y0v@z{fAOp^+!zMHrep@SP2<xzHJVCf^tlo^K4}>UcKa
z7-Y&fmJ=!f@hbG$K+6_}7KV>$S(83}X<3avQ|-SWrDYI(u9MO$=09{?sATx|7i`_j
zRJZ+hA+hqx`z!1b>gY^Ljij_EhQLiB<#eS_GK*)KYywxn7y^7U%O$l;CiUc&s8Rbo
zYFx9dXPehN)9UE11E1{ZJ8$}ze~FGJJlV*uXNGM5?d7*{^54g7e91ha9X}RMA620r
zPkwE=d~w#)d){reaLTJK7Qb51G54XTY6V6IZ~48}mIbXY`j_}0$9ZL0Ju>1kY$RdY
zjPPzr$TwwC+^i$$8^0oWdZ(PzC}_r|nOSdtKK;@QkKb52HQ>1rQxN*H`Ng7huY6s!
z0!P8DJB>85)wGT(`xN$A+J2aIPBZ7|RcCXQrFA7T>!5EofesrXn>Cp!FYe6xwFWCY
zKRspmXTHBLdbi5qRWlWzQiDBnS9n#JFca)vcrxemx6>Oh05!0?b`-gNtW%YHAzNt+
z(dvb*D-{>itpRppE`ScpQM2nq{jdt(%t&QQk$d4Ecjce`=))hcwS9Ex^Kp?aG8J|k
zvVrt*uZn@>wcx4hanAdWHnN9_JgN)OGt$21Kqoo_UAG1S{V+J+eTZ|GDswJ?R&x$D
z3;(h3@b?2gK45y{+~hQ$rAK~_2_mBu=6J(U%K%Il6KBvPstcxTZK0Z&K1`TS<d|OJ
zoJ~`67NEk^%y%;eOx2uC8Mmcgtq&4kOlUi0PyaC!n#a;{*9{g%qX4He&3-->j&(<Z
z1PLr-jO<(5kLn`9mo|%*1Z{kU1hI8No2`{45I89bpQ{A?EY%kzc*5YTDM1taaU~K2
zDQIA`$%7S5Vx!50=CToVETj$Bm$ss&v>UvYRvBvieWYzp(jFqiL6!TBp(yPDq|N$S
z>NgXkENy(rIs;EqmP1Idk##HjjXUdnyi%v>+y3J_^@LBuqR&UXyf%WUXjx|t$Wy^G
z9Oi8=OKDkwYRRUP0W>^ftg?OoUwO*Pxa4~Ge|6uet@h2gWue6vcmsyFg#nF5VAs=0
z)A_UyRn|0{oOTeJ&gtx|X<J3o^aj#&g%RyJ*(9Oql?GM_KLpL8c-xEN+fl&LgTzq_
zT1S=q3T90zY4x;wdKVYihN@>xP7xKIX^L;STu(}J4UMwg(;HL_W5EpyI07vlj1F;H
zoiu6DG{x{_PRK1r-u8VpM)6~f>=h!5Dq&<~t8A6sV)QC$%@T8obCfHzhF|K4?8kR2
z-UzEAt~Jk?JbY`|hEW*}-ijO6wBZOPA~*IJksZDiXqFkL8<P)nG}}sOzDk-Y0`LD-
z#xQPUvYL1J8NvJ5OB<*CIez5sH|kwFU180SeS#cbf>BK7dd?xv9Fq#pbBcx`wkn#a
z78MuNHxOr`v2Oq?F{z;VAWVydV>1<@Kg47;XUbm3H$^neM!A$Z_5>C70_s+(h-`UO
zH&YcQhE{?Ya+50jnD$ALX=0yxxl5X;siHa$$90<)KO9SWds@danb?jZ+KHz1^od<3
zVOyg|noi0{zEtOdv7cw%Gwg>{Vc*#2uD~t^jW@FUNHA2{6B)**6$Ab3Zq9a5-w<VK
zXCm}NE;j^iL!8>CfxhrW-lE@+-B8e7@Ecn~lYO0Pe0u#UjioG!aN=>aqYF5(FPGBt
zC8}1c0xj66K$ljz{iUk*>!B%<dz`0L(5@(=Ju7VxTKo6}D5S8x{vilSE(My{LYkOG
zgivMgV#u*o)#?ZBOvMEaFsT?4`vHg=+RK^{{lMSe=B@UF`80cgBKiT0aT?86JW5OS
zgG|cVCb4mR_?trmG|Wnjq3z!Gi{1ZE{bJtOg^w=3&s?i%{szBRYtKIb{?SWCk^2p{
zLmOcebfeD^Xd|b+bH8XnQ=M^LNgKf*P3H7Vq7T_tp}Jpqs}0eAz|r6=Bcn*qtBZX+
zVymWQA8}pDJ|5%taSR+8hB?~@dIw|ZEdkg~#S8o3gMH;_$G4uJtl~I~uZbRlAEHO9
z`9c>#ZyZgv990xgeAQNBj?0K-2<O&7Gi6F~ZpVkWgFWT#`%Bdh8CGL%Jx#JHlc#Wk
zDtlF9QQEiA)r51B^*k13iQh!J3W}=*W{ggmJYrWc)ooP0)m1+_mJEhjZ_%s9)4A}f
zXd6q|iIpmf(4m%Bb;g*n=5+iTV#HfrmZeG8zI1#JZ|T<f*NWwKawQAlm7ChPl%_qk
zPbq1@%}P`9kLn^vyZ0^cwnr2c%N_QE3++oQEzxg1mFmY4b^KXR?wco5tCPuRPi8_t
zG)~B?KshM%gW_!;P<y2}$<iGc6Q%5}p6xCzuN1$jxS(-!vh={%dwIk5i;1LiDzG-;
zl|-=g)GH}_^U5oM{xqt2RBzTR1yT#}N+^NK!lPHR;yCIePSZT}Ls%#L`p_I*1gmQy
zm_TzJ-XSRL<nM+cd>M)-zN|P%1Hp>eP6Y^lKnUuLI==&gIgdJf+s4hKEQv2;)Ok5x
zp`_6Ik!UTZ4XARIW%Fz`w6u}<vd~7%0Zyy0=wbNf%N(N-C5Q4XwXjXFruM*)cKAdi
z+d|t><=DbrN;}G>E$=FAd(0A9w({7*X2=|hjNMxff%mNzNO5?Ik^M{rP+g=rnRX0P
zWPd41@n)1ok)oy&0=KE95D^kwdFwYy8zB>@E$9ax@n#~V7YH2Z2z=p;z}+<4ryx+N
zJ2gq^fI9@d?f0ccAd#4W<cJ-&f<Qi<hw5SjlhaOcOP1y&nuG}iiWkypbbVGJ;6vd9
zKDs5}?C{aFnHL+r-CX3wE};`0j!trp?s3*hlj(w^uhCs~I1)Y&mWtvHM~11o^Kv!8
zk$lm=J<azw`AE#mZKmFKUvCquNkE{=Ud<3>tEEGQd`9eW&hANpG=8b)SVH-3&t8q9
zbV=m1pTZY<V~0%Df$)kV@5E*?cEGyWjtG6Lb0V-5pf$L!i6zhvRM{>K(P^iER`v|Z
z3O*t$_=!AhXs^ZK$KWTUB|NORXq9$Oq&;zg9to=xJu`>atyBeCTG>18F4?b#CUQ%?
z0yI&8Xl8$tUR1Se+TTyb1z~%EsHdoEQ5y1?ONgi{BLfa22blDt>i6I<r;M}C!}dm5
zIwTW^A+N=A7TiWvZ#gVYRD~4t7MNIX0v^?+pC{RBYvJ4>xwxQd8l;Hjm&y&*Wy=k>
z<12D5PdS^relE`;S&8m6s(DmbQWYhJR)mFGY2Dpi>K9(l8G){#r)SZg=1gJHK-vEh
zUH@<zC}-d2Y%5LEqAVT963W3{7Jwi3{=r+6OY0vx5Et+ZXzxz@hna-vv&09gY`5$Q
zTOBRC?Krl$pxGcG8grUXqv;~G-3C!cBJ8#j-|aa*HDbmxRuHluFBURVuz^3FIF{~P
zej@D*IL@i+Yy-^(kqvwej<YUt+AbW67~w6)m?^OmsT&86aDsot|Ho+w|Bit%IIg!y
z*9X_t#Q1B%cn`-|b7T`xf^lWuu4jye57xr;Q{qr(Wb*^Z)FffLC(6<(k~j=ntz;>Z
z4-P1~7U3<2rS-uLmzmg9auukuEgMGL>S^KJDYCdAyfdVTeH%a;+Nf>WOmjHGmIZ#L
z^}%MeLN$|F$p;6qhiH8>Re7$+TVK4_OJ5BBg)gSnk}D)w7u(f7+V9}fLZ6Dy_s*Lg
zZ4Ia!65-AKJ*<7mauZul0;0O)a0}ATLJQfooNXzbZkSKXB`pM+zX3mnA+i=k|MXT1
z!bf|W;VVRQRK!f5mH%R_BQ4>ZtJ;@KX}O!Km8w7seO#Rh<GO09YJX|aB=C5#(zm)j
z5s|I$k#n&ZvENF+#dR++1L^L%7c>>}w27^!b5P~}!k)I-wE9a@ZgD{buBr#dT%^+&
zo2b^5AC1RFe*tnRp887!OEn1ealDK?wmB8BewbMAL>QsE7+GxEIc{VVosBGlE~+P;
z2J4mX0zpH0nRQ`g-m)GnvEF{@<e{}|*Dmk>Ph0`4SDvB#il9Mtv506}eaRxu7<Me%
z5_T`Z)OyMY6hog=Q<S20blQ1P%$cH6)R}#WecKV$X?V(L2z4>_b4#EYNfcX9i>MNh
zxL>A$CXdsIYMgppet4~#FX!2FdY-DGMCAv=j`?Q|6ZItB^t_s)i=;ntNhhl${oz=5
z<8`8%3rSA|xk|d5DC$VsNR!80qWY&=()^dye7Q*4SfX;)u;ZN-b>7jFbl5sIMHfkb
z;*w5MNqROTbJ=@Dbq6H9ueGbBQ;4FDq<3rbxPzz`swKVrnn~{t%_b5R#d;OXz+6jR
z$n1QFCR078!S~V^{Fz><N6{VLdp1@1;h@p94Sw78p`eG4SMIl?`LUF>eXlNgu11US
z#R>biPyBxLX917ST-Rp9o*6jLL}!xQqBZn`s;}!x8zxDs=vBe&j!PSC8tr=`{`E_#
z11j$slo{2e^Dn(C6>d0ObJjCQ($|g4spKkcjJ~u@C25uZs`Q0BF7259V}7f;sm_Rn
zpGVhST>be8D}4@}$*r@e=f%yl=N658n^Fr|xA(kZQr(&5+`|k*(k?*S?2f7)2Co^n
zY)exsg*VIPx!g|dk9&zs!toFeHzWG;WXaw>?)Cdy^B$8Q6ue6G{~nKf)%q}f(!smV
zEhxID-A4i4D(+ldXI0s9xhtQ#vAqAR1H&K8bw$6eKKd6q`W;m0!@m{2v!d<@p#N~M
zf6?a%Fe~}0oL9^Ko_=)Gy@S6Cc=5m&GZwvj<+pnetTy{q|Ly%c6SMkVc13@wKKhq9
z`s(|C5J&%<f7VzH=pP>VFZvGj`}F(ibAz?P;5FrsK6`$9y=Dy-d_1<WT7{N|di%ec
zab?cuuITT4)1>#PV>8Lm@~BdGL`LTFtAu{2yGI?xs7?4H;dyLem97kZS8meDjav>K
z3jOG6_k)MKE~-jTI*Mcee;##21ih{=Yq%sU&lj3n_a*k5_Ro{`k1Zy>$2xy@=~Wa_
z`c0#V@-bx17|CtQ<*`mNP!hV5_1d%R^0w<Y1kC((x@p+_u!L5)T3d?8IuDJCY_j7_
z&tJd{%HQ>|PIW+pp;g(c3;r)0eDz~l6i}95eP>0z0D%A9i;&gznOaZaw`)DWb>I5$
z?*IPu?yI$$Klp7a!H@p6PLs_MOV5KDlz$5NbGMoFo~ez{?ByTtOYFaqzz=cvOs()}
zVircW{N?rMY+Lp8sxz-9w0LU%w1xLMd$im1Ol{@X_pa}kpOQTL((}plevfT(d!MO2
zR^!RJ8@A0pbgkMan*xu9S%pUzy<^6!OMD-GqS`|+raS*kt>EfTKU14AseRF(8#lFh
zd-9Ugryfc16A!6w+O=)&vWrRY0WJ8H1^Q+kDVa47)b#=~GFLV$jahf;c>RMi@8v|_
z(`w4cPgkE~y(4D5x7E<5tFFY4e*5WPyJR;hQ~mau_1$GozEiaJ23v6Vy$ds1cP*05
zdQMS?RZ~Zf!gR*JW(^Q{Isa3+lt(PV`!~*+l0NI{THA$L?+7}xqkh<t*KrWcI&`~k
z{uw2iH6Q02s~ziZ!d<QZu>3Rf9TUr?)CpCZ$ut@=ZPAjf{GCoor;7_B-z8Zsv0H(e
zAx1rkO_PXx{vGp7)v%iiA``ATiCmj+RDCsKhB7S9_1ddE4==Zas~c#C&!yASi*_pA
zd^;6O?)<GzZJ>B=$A_ugvGTKAuPeaX_P?*2nEeV3WGARb`ZU%wHK(y=A*}7_!ytY0
ziP>AB@5N4j?Lz<LYi&P1^7iVorA*9bJwIk#Rcnpib~*nsiP@h7{%T?xRlbHpZ-w{`
z;O7LYz^5Te|BcJGMD!u>gLj2<dELGh!d+sv=40Qpf6n+lDPU&S=FI#HMGE*DZ-ux%
zefNe7zl;b&Gq4q~+n;(Ws?4sTYuaUQD?L=~()-dP-;J^)*F|p~WCb0ARqjO*v^ABg
zx4jkj9Vqj_bP^SrUUS-(L)F_}33~NGh)M;j;!0d0Hc)9rpL(o4y>O)`Rk^*2B~LJT
z+dI*oh3F87Jn=&t>H?(ee4uL>SGZxQ@3W@i(#mG<tf;>dhB5Xir+3qaaim<r*UfjZ
zWqy7!10$mD-{{sbns02=c=WPX{IVC=4gXMgfYBW6s%{ijLRR6i?&k5t?kx{6Dn`xs
zY0-Dq+!HUhJotQ@IhF26CU$J&gk>+Z9o+xHB~SbjadpD*+nb4%pL_1LUmI3>%zPyN
z(}?fKej;aLg_CN0x_)$v7}&$V0}S3P=xbC!`A-H{no;Ynz3oQ#+5MZ3$i!aU8GmwD
z?{PbE9L)OaE)xr-Zi?!XotSMcB(vt(Npjudf~ezU)}gU|d3)c;{s~?i{;3Av?M*Z{
z8Wd9Y6YL8)I}v-G+w(8U9%_2uo*DjFE-vi>qBnM%*fly5RSpU4eA-n&l>NGMNQgQf
zW$D5I(Y}kkkwRyd8NY362<`F~BDmBLIzGQwpTN+~|22qPK1gr8IMeqpaoOHNB3$+j
z-(B>uIDaOH9;og~H){0Y^npay9^G3>T1v*kr&1&O>`NR_1uk3rRuad<JCxAz;wkl`
zTS-a+7*23ennK3$4c0e(qI)aJ?_7z)RZ65ZWIz>4L-2lvpby7@ntUsX<2ih9S*Ke`
zoLK)S-a%5rGhp3Iu<B%Y*8ppdzY11Lt<B@-pEcu#=-_q8i*(-k<u1Fsxax&p0z%7I
ze7lNm+@&|WHFg`sPhU3oXjk)dD_Q}&HHvia(TtG{m<Mrl8nL{e8}I?pVQ!y3^VSNg
za5Aoj3l2j+)4fOY4{oRGcN788{RAlP)(ZNp6(=p-qj~do+Q!b|tt=qL%t~f=X2B@w
zzwTldcQ&_skl1x|pBXd6rv1r5AF8tAf1N{Z4>!QU3SJ^u6Uc;6rQCvEKwxVn^)^0v
zS$`#E`AhSHC|nef$2FM!k@aJn7ZhV9ib?<~+Lt)65m5{h6ye#i4HU06Ftc}wKU9fF
zBYVx(+C4?|w^*gi&r=6q^^;p-42O`0K<#dJCYJUIXGg0gWwikz-|<!utWPU>&Y#g6
zL2~Jpn|K%LaK*nhGPAGf7*v;3<-@eUxFPRzHspbgmTigbnYz>(^u`v@XG>*i6ff;~
zuZJgT`VkS4mT-#hzJi>0<k^3Aq9yLiMQVhlDA3nblJHsDfa;>JCv0sbeW`4Ud+^ho
zmh@bJb_$}WFPcp=!;52POkHHo!SOG|@p3u{)kP-@(r$obrw|EWxb&SB4g8>!rhjt!
zPIpS<El)xx>X@U)G15C8cO=Yl4k|dE(b&wA=?AKet)Y$W9tm3|I=*_WyKgUG8@mXc
z8iLf;Q<i9lV>1<R`$7bb9M<qNlrI@m)h@njW&u7BY7JHNp>09ixQq%i2DZC<WS5*u
z`wSt|`geLS>)1osZW{E^!{@5+30{51kKG-VGz912em<>Zqs$X0ZhyCB=ebqiJbYng
zQ464j7j|nM+obx|@gYm&ItZ-@WLw^C)_G%RI^#B=ewu}%x^J)fXMJ}PvVpykkJAK_
zjI6K$Z;=fqB5Od&UZC?F;tY3&qsls`yTjW`I_KlRF08m9`UT=FL_4K7mFT>dy(Lc`
z11WupfzUagbk5DyzloWVU**-MV_i%)fc5OPDrZMib<r=-xNHis9=Z-*im?yXp!yLH
z0#t8VM@m1LlTyCStQ<E-Y!l`<;5j_NJutO%YKMW7a;Hw3IvlU2!+sp0U9`;3ho9wo
zJQO*I(9n5NNIOZ9JTyl3q%imqOib%VA$aAX=)7ioqn;FrKvuah*hPWUXnUTW2G)5Y
zyF~{<A^IG(JX!}PaI6M;BtrS+c;NtT;02SIDDGdGtL&#KIj16iJ6_(W@Bjqko2n6%
zZpW;bZshiqt+FS|0tbGyY)e!s5S-tTH*{5PPwJOOdW#_JPYb~uyBt`m=Tyzi$dSV~
zAcy@xRUj)6bS!BnFN*C6M8sC{Ta6I*Ip`@z%D;i&Glbw`+KuYsOy=3*Bpc+xxq%;r
zyX%Btu&2k6y>)Xu%n=8&69I>9o0)YUflK${IzFq?F@o`R3dWhlVbI7WTz0p^D{nb0
z?eMC4ly0DomvH8R+IJ^~ly#6oD^SBa(c6|%Ra+|7ZB(^h?BFhG&Eu3DNvoCN5je*C
zzt9axqKJo@ur405a_&KnmjVgPgb(t>S0O#3B)=30JcuIJ<7k7hWY|Y+G^Llc0acDE
zh9}ZZKsM`7m3<&kubY3i3?>LHi#`Q?gHw75P7!#wQN=onCkaFXeXB1POQJTAIM=o>
zm(tQo6-6NKN9zJ{Y{z45GV-|0gyJpo@LfP&ZeQ)Y;y}<|`mW9Yq<AO&tIFcthv%;O
zX++~oGqxrMM0MFPt7=%vr;mRj?-%EZB{Vi08lw%UE<Wc8TY}UVlmuo<aY6Ge?sHCa
zT22}RLg9R~12s<?qeq+l;^>^w_VdI-MgknyXl`cj(*dZmjj_$?W^kNctg<o6TbgH4
z-g1mM4jH$R(|$;;D{w6G7AxQF*~XxyI679w+<v;(3rO@3Nu=ZV6D1w++#@P=U*aI7
zw-r43eQ&L=ik)XI%%fZA`h8!H`DqpA6x#>wq}cunI81<W%>7H9yydX8em@{zJ-nA5
z^7_!$Ucy<4ubCN{PtPDJf?_LkDO`s4!q&a@PTu={$LlAAZa4?@CA<)R3oisqnlaa`
z^V+KPGF(qDtMo+i`RN(&tZ0a9ErGL7ar)cTeM9|PP;VtHt^e&zY{388>`QO`FAxZs
zr`wl0NIK@Rz0Ce&-Tf*80Z)CY3<t=wcM$rLB>{(~2Xy-q`9bnur&Kzk80lAW{#m~W
z;?VM8E@#1Q4&^O}rR_`oA2sVejM!1aS@Bt~>`NRRuYMSDraqNU5)~!-93y{zji?0U
z&+vfgTB3rvH&iJi(0i8C%W_1&S0Vbh^iEqziUg7XRf@!z?oE=gP$8O!KL#wI%!#IZ
z;dg;Da7lW>toKUZ&Jsm6x|onUMvO4`ujEB`gyJc-yYqK?uhkO$M`=OZ->JP6#<S5>
zkw4V2pX7<JTYDw1<6?Q;|3y1A<Y~-p_`4U)I<MqS_lK?~yr;5ZWHr~KEZsVhR|tNM
zPq(;#C9k)-Dy`>ECQRVD8`+oMdTv>l$eh<0yw@eNv43C5d%IrA>$p3@+dhCR%qZ|m
z$uH?f=w!(&sr($`-~T#7%N7d`jqBXT6C=fw0C1RnT-6sTo(zs(wj~;u94v84LU_j`
z^!CqmBXm~@XPyc9MNqD>gkoz25nDY_=^|0#Idemnk+~{{s00ZrzGZ#&B6K;9=m||k
zN#}8|apSq;h}I=3bRu*&2@7ty(SBqbJDnr+;CO6<rCpBk)ytw%B#Jyjck5JK5VJ~T
zQCo;g{rk(&->ooSUGkrl^zw}51-}*{&}H-K)9Tu%3ypLN`B)TdVwZT`g2@mA+IoT7
z+C^uex@0MD*}9`G$9<f<t><GaFEq|WGrTqL+QQ*%gioK&DPf&sA`@aFQhIdln#@eB
zPxtgLozlDaO11LB<}v9QtI3`OauQyAL97R7m81W<q&E{%HL$_-7gLIG^gqw^Fy@J;
zXlwAnV}S4|?JEkmoMX|SUWmbn$PS?~qNPtnM5Hk)!Y86-WSKEpVM8-Bb4^2YbB5y8
z@*KQpXP09O=@e8K@Mhamox!u5D+*`hVvfX^^Uw-!$5Shw_EW<(S#Y2P83P38=aggX
zXg{ip6|G386f4iL@fTr5K0eJ4(Sd-+&Uo<-+82!d3gfk(x($qPC&p_u@Mp7#6;ugT
zBg?U+#gV&qn56Qr-}X*~fbs#vVD^6|;p<Qr{f(n@v8&nbbS`Cb4BX6b=&$p?Q0al-
zCMQI|sQhDi%qmLc79o*)`D@;4l1PZG^xs*5w5g??8LXpt;-;)}80V-<BY(Z=rF01&
zwF{?d4^IKt+sPY|(!+rwMFfXf0<*e}{oREJ1l%BSn0-Wr8BJTPilJ$XfrMG$;9*4O
z4o@#ZiWww@jve-pa8{i8B68+ud1B+G9m3_H*zl$CzGz{GSBaZ^Is{ef&PFylJ($}e
z{<U89&-F29$qo+?H$iI?LEiE9YS|9S$MfQe8?_xSxm(u`drJ7I6A~|`IsNP$c^dW!
zJA{C+KZ=eeb~vSpt{sMOJ3Oqy3{x{pXliC5VHWy6MF}cy(-dzxEX~vm?69!Azg|+&
zOTt;{?*pkvZKI?j5Gfm|?ANE#TcV;^^MT@m*cL=3R8R?BsLM+qiHf50g~z&=ttb+l
z_lTEi+sf+otiBQzH7}$WXAiG<P7`_1Ag(S(PwprMmV>=|Jqz5h?P_kEFLbk<^iXgk
zd-&KEQI?ci=vil{^VaO~#=(u~Q8&xYtL1bN?x%%KN-fgUETN~bNTv(#n|X{uoRMNE
zjpl9rB`Qj4TLx(?*V7C-4P@Tjqn^WZf`%q&(k&dC?y3%ikrQ1fi1tH<{46<g%wf^*
zGT3&ID4J9K^%xr<F{T*vfD&T{V<1yTpUgmsjADliO6*XOX_@A)8UeV-SCPw?qLL4R
zY8wI-$rt$Ovx<E5djPh9u>txND{+eIKe!{8Qx>zq3yEUrih~M8`n>?#4iUvfx~F^-
ziH$0$(#Y1@21%mw&SEzRbe1c08eMo02?&0u|3sK~4%#NWS)Zgw#y1Ojz5e3y(@#9`
z<s&a))=%qiTBm`ay*SqG*)45{1a<bBbpB{Iy)q=o+N466=E7oUQ3qRr4wkwZ<lX<#
ztUC$bC>u9p+NqRL?Urx<ZP?&$V<U))mIOH<PX)_=|7ey&aZ6v&^uD`v=O_ki+Uknp
zg4T7&?eO{k6GX+olMnlactBO|T2Sns58h6_c8bxMG<CDxUTV>ugb%a58BYWo7y4iu
z{d$`*YsaJx$sM{UrgUuIu~WxRw2bf2zI{Ssy!g-&%AS%fVvn*+NMSd6bW0G{r3DGO
z_}V4g&-jSd+BE9KKds^xqewQeTYTrPJ-T-9IWQr;d!HU1Xh+_4e?G|V(Ytq8Y9j2C
zdN%WUl>S7-(CcM(fgqTfRY7n3x|BLZ@WG=H_b6HQuU}yNy8mDR#d_W_E%?AyXZ(7R
zS~<SNtk=pi-pY5SZDsL!-B^?%8HH9X0<#r=)s00}KqjY)-711<Af_9OE)&Ji=jg_w
zArfO+vB(QDLnSg=u?S>-&ex4aRk?i0D*1F{5hzxht4pyOr>OqhXWdwIl_=g-MOT%>
zBvF-Ew7jH$BkY3A*s8j!yo)oIq!N_^LhCvR2oxlP*8EI%NofWBUXE=QUZIywUDai5
zxWt&2je*SazjPU^&KXnx3AC<_S%~7P&AK+0DKVyHV<7W`KA8~`87&**WZu-Zh#Fiz
z^(!`YZ44A^Y|*7ylT%c`Hd5EdDiOs8#_Fnaq$H}Aje*RV@w%$4#Tiq-QBl{%nh?eJ
zD*L+s-?v8TR!&i!EW$Vn`DFx3h9_Mn<L3pmekEE7^b1u=>Tq#*lq95LuYO3bkytw}
z4i7HGHc$-f?W>nqkJhB<obiLqkUnb0Tr%R?TuAlHL3DdSBvG6>$X^e(I-FuxRcD9I
zZRL|e$gyAIn9&z#Jx8>3U>hR|sTv9+Ul*`}KJs`_T)AAAySkh^byR`<TKE(J<?EM^
zsJSa7S~}c~mAF$4j@3#9eT)gf-St9U?=eoIsO3FC#%HH4neh@CE$;y`+lY)qJ{Q}l
z$FXWBY0~Xz2^8Par)c98)qlyR>ph~0Vj<llfk7{-OUG(tn;?m*<vl>=Te^I&BWiul
znDozV?jux7qFD3E0KHs`9*3fg?puI&lrp-rbCJ=F{QUu#KT=65#)xp;D-to(%JCgW
zy;fH6R`|^8(OYb#4YhK;jUPP<kALp~bAySJDnajfVx_Yzdt*qJ$d#Y{@hd-^zUb+O
z$mWrTa6`CHWMs7KwH356bzKF$HlB8t<mTJxOl^Ec&TbxYgX$v3)Dx?C8?OkR>~2VM
z411tk*m{0AebN3XNI{<n`%?Mk`5V%YG>r5alheX+O$j_b_CYy4o>p_7*55v!l8L9!
zmg&ZpEU8mzWmh0GWQ}fYX}~*G8<qdijV-A}vE7fljxAeaOv^udK_*8cqvan#Cif>@
z|JaDj*GeUyZgvHVQ}rn}<P=-0DC+vhbfVaIuvsq}H|7-Ow5T?pi=ou}&?s*8^aWb?
z5iN(4bh`f*Nz6nEHpSQS(LTkyk_Vb8wXcoz9u%MXPS<<qYEpC_Ux3W=qiV)n0@dAI
z$QTuDy18F3qPXaEIlXIclO)De`5H}OxxL9H$d0C;eJM}E39!YoihU)Hmblh|z<?z<
ztoc(py=!hwz+v`ImCT}ZW#T56!Eogo*E(p5gBNc(Y-2zERu+(=du(~VYaNp{an9VA
zn1S0+`BjP`MCHgm>KT0}!^9QjDH0V`nn>CT^mKipj9oZS+A`5`;O1BdH8)PyNZh1{
zam`#+X-2q(wcuu}KX1<M^@W?|rh7*<H!j#rm9SAIsoau3aODP1{|ZYM*9U<O3ZFi6
zb5#@Aoam(H#swSx4;R^2RM-dyhX;&8>%^fAajjoTlfaFz+MDHOa_6#o)_1Rjjnc~%
z>$5P1Yh;jVy*`y`5*5Yz)@Ed`W~nMFd-SPHm#8Ruq8s1K4pLKTpR6m<eG(OwixyOd
zkwm?^=w_8`cusN<S~^O(;E(5#yIPigM!5=iQMB-M9}8N!K&=d<V^O6m+>E89H)FW%
zspQp&_S>FzEyN8A_6*s(TanOKhptAw+nz|1d1OQ+5x)VZ<hCbYWQs~_-nE6pZ_{m0
t5bHS-3pXR7x{Q8i+h#b6WjXibdEAin+3Gw9#X<C>C{O#TVXYgI{ts90BS`=N

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test b/testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test
new file mode 100644
index 0000000000..6d2858a8c8
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test
@@ -0,0 +1,9 @@
+# @TEST-DOC: Regression test for #4730, ReadResponse not parsed properly.
+#
+# @TEST-EXEC: zeek -b -C -r $TRACES/smb/smb_v2_only_non_zero_reserved1.pcap %INPUT
+# @TEST-EXEC: btest-diff files.log
+# @TEST-EXEC: test ! -f analyzer.log
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/smb
+