Created attachment 11965: Wireshark trace showing non-null 'reserved' field. (In the attachment capture from a Windows 10 server). Packet 21 is a FindFirst response. In the list of files returned, look into the "Downloaded Program Files" entry. The short name length is 16 (0x10), followed by a 0x1f in the 'Reserved' field.
From MS-CIFS 2.2.8.1.7 SMB_FIND_FILE_BOTH_DIRECTORY_INFO:

    SMB_FIND_FILE_BOTH_DIRECTORY_INFO[SearchCount]
    {
        ULONG NextEntryOffset;
        ULONG FileIndex;
        FILETIME CreationTime;
        FILETIME LastAccessTime;
        FILETIME LastWriteTime;
        FILETIME LastChangeTime;
        LARGE_INTEGER EndOfFile;
        LARGE_INTEGER AllocationSize;
        SMB_EXT_FILE_ATTR ExtFileAttributes;
        ULONG FileNameLength;
        ULONG EaSize;
        UCHAR ShortNameLength;
        UCHAR Reserved;
        WCHAR ShortName[12];
        SMB_STRING FileName;
    }

clilist.c is reading ShortNameLength as an SVAL read instead of a CVAL read. Patch to follow.
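Added example (not part of the original bug report or the Samba source): a small C program showing why a 16-bit read at the ShortNameLength offset picks up the Reserved byte, using the 0x10 / 0x1f values described in the first comment. The helper names and the sample buffer are constructed for illustration; the offsets are derived from the field sizes in the MS-CIFS layout quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets within the fixed part of one entry, summed from the field sizes
 * in the MS-CIFS 2.2.8.1.7 layout quoted above. */
#define OFF_SHORT_NAME_LENGTH 68  /* UCHAR, counts bytes of ShortName */
#define OFF_RESERVED          69  /* UCHAR */
#define OFF_FILE_NAME         94  /* follows WCHAR ShortName[12] at 70 */
#define SHORT_NAME_MAX_BYTES  24  /* 12 WCHARs */

/* Hypothetical helpers standing in for 8-bit and 16-bit little-endian reads. */
static unsigned read_u8(const uint8_t *p, size_t off) { return p[off]; }
static unsigned read_u16le(const uint8_t *p, size_t off) { return p[off] | (p[off + 1] << 8); }

/* The misread: a 16-bit read at ShortNameLength also consumes Reserved. */
static unsigned short_name_len_wide(const uint8_t *entry)
{
    return read_u16le(entry, OFF_SHORT_NAME_LENGTH);
}

/* 8-bit read plus bounds checks; returns -1 if the entry is malformed. */
static int short_name_len_checked(const uint8_t *entry, size_t entry_len)
{
    unsigned slen;
    if (entry_len < OFF_FILE_NAME) return -1;   /* fixed part truncated */
    slen = read_u8(entry, OFF_SHORT_NAME_LENGTH);
    if (slen > SHORT_NAME_MAX_BYTES) return -1; /* cannot fit in ShortName[12] */
    return (int)slen;
}

/* Constructed entry: all zero except the two bytes described in the report. */
static void make_sample(uint8_t *entry, uint8_t slen, uint8_t reserved)
{
    memset(entry, 0, OFF_FILE_NAME);
    entry[OFF_SHORT_NAME_LENGTH] = slen;
    entry[OFF_RESERVED] = reserved;
}

int main(void)
{
    uint8_t entry[OFF_FILE_NAME];
    make_sample(entry, 0x10, 0x1f);
    printf("16-bit read: %u\n", short_name_len_wide(entry));
    printf("8-bit read:  %d\n", short_name_len_checked(entry, sizeof(entry)));
    return 0;
}
```

With a zero Reserved byte both reads agree, which is why the misread only shows up against servers that populate that field.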
Created attachment 11971: git-am fix for 4.4.next, 4.3.next. Cherry-pick from master.
Reassigning to Karolin for inclusion in 4.3 and 4.4.
*** Bug 11831 has been marked as a duplicate of this bug. ***
Pushed to autobuild-v4-[4|3]-test.
(In reply to Karolin Seeger from comment #5) Pushed to both branches. Closing out bug report. Thanks!
This was fixed in Samba 4.3.9 and 4.4.3. A downstream ticket reports this in Debian's 4.2.10+dfsg-0, but this might be the result of backporting: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820794