This was found by running SMBTorture test SMB2-GETINFO. In this test the client creates a SMB2_CREATE message with NameOffset set to 0. The client should set NameOffset to a correct value when opening a root share.
The following is taken from [MS-SMB2]
(In section 2.2.13 SMB2_CREATE Request)
NameOffset (2 bytes): The offset, in bytes, from the beginning of the SMB2 header to the 8-byte aligned file name. If SMB2_FLAGS_DFS_OPERATIONS is set in the Flags field of the SMB2 header, the file name can be prefixed with DFS link information that will be removed during DFS name normalization as specified in section 18.104.22.168. Otherwise, the file name is relative to the share that is identified by the TreeId in the SMB2 header. The NameOffset field SHOULD be set to the offset of the Buffer field from the beginning of the SMB2 header. The file name (after DFS normalization if needed) MUST conform to the specification of a relative pathname in [MS-FSCC] section 2.1.5. A zero length file name indicates a request to open the root of the share.
*** This bug has been marked as a duplicate of bug 7963 ***