zeek/testing/btest/scripts/base/protocols/smb/smb2-read-response-non-zero-reserved1.test at b2a2ad7e1019d9a2d889b024128c431f67b45c6e - Mirror/zeek - git.uphillsecurity.com: We code.

Mirror/zeek

mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00

Arne Welzel b2a2ad7e10 smb2/read: Parse only 1 byte for data_offset, ignore reserved1

A user provided a SMB2 pcap with the reserved1 field of a ReadResponse
set to 1 instead of 0. This confused the padding computation due to
including this byte into the offset. Properly split data_offset and
reserved1 into individual byte fields.

Closes #4730

2025-08-08 16:12:20 +02:00

9 lines

292 B

Text

Raw Blame History

 # @TEST-DOC: Regression test for #4730, ReadResponse not parsed properly.
 #
 # @TEST-EXEC: zeek -b -C -r $TRACES/smb/smb_v2_only_non_zero_reserved1.pcap %INPUT
 # @TEST-EXEC: btest-diff files.log
 # @TEST-EXEC: test ! -f analyzer.log
 # @TEST-EXEC: test ! -f weird.log
 @load base/protocols/smb