ruby_smb 3.3.17 → 3.3.19

data/lib/ruby_smb/smb1/packet/trans2/find_information_level/find_info_standard.rb

@@ -0,0 +1,39 @@
+module RubySMB
+  module SMB1
+    module Packet
+      module Trans2
+        module FindInformationLevel
+          # SMB_INFO_STANDARD find result entry, as defined in
+          # [MS-CIFS 2.2.8.1.1 SMB_INFO_STANDARD](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/b7cc0966-f87d-41a6-aa1a-48526a9cc729).
+          # Used by TRANS2_FIND_FIRST2/FIND_NEXT2 on legacy servers
+          # (e.g. Windows 95/98/ME) that don't support NT LANMAN info levels.
+          #
+          # Unlike NT info levels, these entries have no next_offset field;
+          # they are packed sequentially with a variable-length filename.
+          # The optional leading ResumeKey (4 bytes) is only present when the
+          # SMB_FIND_RETURN_RESUME_KEYS flag is set in the request; this
+          # implementation does not set that flag and so omits the field.
+          class FindInfoStandard < BinData::Record
+            CLASS_LEVEL = FindInformationLevel::SMB_INFO_STANDARD
+
+            endian :little
+
+            uint16  :creation_date,    label: 'Creation Date (SMB_DATE)'
+            uint16  :creation_time,    label: 'Creation Time (SMB_TIME)'
+            uint16  :last_access_date, label: 'Last Access Date (SMB_DATE)'
+            uint16  :last_access_time, label: 'Last Access Time (SMB_TIME)'
+            uint16  :last_write_date,  label: 'Last Write Date (SMB_DATE)'
+            uint16  :last_write_time,  label: 'Last Write Time (SMB_TIME)'
+            uint32  :data_size,        label: 'File Data Size'
+            uint32  :allocation_size,  label: 'Allocation Size'
+            uint16  :file_attributes,  label: 'File Attributes'
+            uint8   :file_name_length, label: 'File Name Length',
+                    initial_value: -> { file_name.to_s.bytesize }
+            string  :file_name,        label: 'File Name',
+                    read_length: -> { file_name_length }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/smb1/packet/trans2/find_information_level.rb

@@ -38,6 +38,7 @@ module RubySMB
 
           require 'ruby_smb/smb1/packet/trans2/find_information_level/find_file_both_directory_info'
           require 'ruby_smb/smb1/packet/trans2/find_information_level/find_file_full_directory_info'
+          require 'ruby_smb/smb1/packet/trans2/find_information_level/find_info_standard'
         end
       end
     end

data/lib/ruby_smb/smb1/packet/trans2/win9x_framing.rb

@@ -0,0 +1,68 @@
+module RubySMB
+  module SMB1
+    module Packet
+      module Trans2
+        # Shared workaround for pre-NT / LAN Manager-era servers (observed on
+        # Windows 9x / ME) that pack `trans2_parameters` directly after
+        # `byte_count` with no 4-byte-alignment pad, and `trans2_data` with
+        # whatever padding they feel like — always smaller than the NT-style
+        # alignment BinData unconditionally assumes via {DataBlock#pad1_length}
+        # and {DataBlock#pad2_length}. When that happens both sections land in
+        # the wrong place and `eos`, `sid`, `last_name_offset`, and every
+        # entry in the data buffer come back garbled.
+        #
+        # Fixing this in BinData itself (by having pad1/pad2 consult
+        # `parameter_block.parameter_offset` / `data_offset`) is the natural
+        # design, but cross-field lookups during field-read callbacks corrupt
+        # BinData's registered-class resolution cache, causing unrelated
+        # Trans2 responses to round-trip their `parameter_block` / `data_block`
+        # through the base classes instead of the concrete subclasses. So
+        # instead we surface the raw response bytes at the call site and let
+        # the response slice both sections from the offsets the server
+        # reported in its `parameter_block`.
+        #
+        # Mix into any {RubySMB::SMB1::Packet::Trans2} response whose caller
+        # holds on to the raw response bytes. The response itself must have
+        # the standard {Trans2::Response::ParameterBlock} shape
+        # (`parameter_offset` / `parameter_count` / `data_offset` /
+        # `data_count`) and a `data_block` with `trans2_parameters` and
+        # `trans2_data.buffer` fields — every concrete Trans2 response does.
+        #
+        # Same slicing pattern as {RubySMB::Rap::NetShareEnum#parse_net_share_enum_response}
+        # uses for the sibling Trans (not Trans2) response type.
+        module Win9xFraming
+          # Returns `[effective_trans2_parameters, effective_trans2_data_bytes]`
+          # when the server's layout differs from BinData's, or `[nil, nil]`
+          # when BinData already read the full buffer (standard NT-era servers).
+          #
+          # When a non-nil pair is returned, callers should prefer the override
+          # values over the BinData-parsed ones:
+          #
+          #   params_ovr, data_ovr = response.win9x_trans2_overrides(raw)
+          #   params = params_ovr || response.data_block.trans2_parameters
+          #   data   = data_ovr   || response.data_block.trans2_data.buffer.to_binary_s
+          #
+          # @param raw_response [String] the raw bytes the response was read from.
+          # @return [Array(BinData::Record, String), Array(nil, nil)]
+          def win9x_trans2_overrides(raw_response)
+            declared_data = parameter_block.data_count.to_i
+            parsed_data   = data_block.trans2_data.buffer.to_binary_s.bytesize
+            return [nil, nil] if declared_data.zero? || parsed_data == declared_data
+
+            param_offset = parameter_block.parameter_offset.to_i
+            param_count  = parameter_block.parameter_count.to_i
+            data_offset  = parameter_block.data_offset.to_i
+            return [nil, nil] if raw_response.bytesize < data_offset + declared_data
+            return [nil, nil] if raw_response.bytesize < param_offset + param_count
+
+            params_bytes = raw_response.byteslice(param_offset, param_count)
+            params_class = data_block.trans2_parameters.class
+            params       = params_class.read(params_bytes)
+            data_bytes   = raw_response.byteslice(data_offset, declared_data)
+            [params, data_bytes]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/smb1/packet/trans2.rb

@@ -8,6 +8,7 @@ module RubySMB
         require 'ruby_smb/smb1/packet/trans2/query_information_level'
         require 'ruby_smb/smb1/packet/trans2/query_fs_information_level'
         require 'ruby_smb/smb1/packet/trans2/data_block'
+        require 'ruby_smb/smb1/packet/trans2/win9x_framing'
         require 'ruby_smb/smb1/packet/trans2/subcommands'
         require 'ruby_smb/smb1/packet/trans2/request'
         require 'ruby_smb/smb1/packet/trans2/request_secondary'

data/lib/ruby_smb/smb1/packet/tree_connect_request.rb

@@ -15,7 +15,7 @@ module RubySMB
 
         # The {RubySMB::SMB1::DataBlock} specific to this packet type.
         class DataBlock < RubySMB::SMB1::DataBlock
-          stringz :password, label: 'Password Field', initial_value: '', length: -> { parent.parameter_block.password_length }
+          string :password, label: 'Password Field', initial_value: "\x00", length: -> { parent.parameter_block.password_length }
           choice  :path, selection: -> { parent.smb_header.flags2.unicode } do
             stringz   0
             stringz16 1

data/lib/ruby_smb/smb1/packet/tree_connect_response.rb

@@ -9,15 +9,24 @@ module RubySMB
         # A SMB1 Parameter Block as defined by the {SessionSetupResponse}
         class ParameterBlock < RubySMB::SMB1::ParameterBlock
           and_x_block                :andx_block
-          optional_support           :optional_support
+          optional_support           :optional_support,    onlyif: -> { word_count >= 3 }
           directory_access_mask      :access_rights,       label: 'Maximal Share Access Rights', onlyif: -> { word_count >= 5 }
           directory_access_mask      :guest_access_rights, label: 'Guest Share Access Rights',   onlyif: -> { word_count == 7 }
         end
 
         # Represents the specific layout of the DataBlock for a {SessionSetupResponse} Packet.
+        # Windows 95/98/ME may return a minimal DataBlock without the native file system.
         class DataBlock < RubySMB::SMB1::DataBlock
           stringz   :service,             label: 'Service Type'
           stringz   :native_file_system,  label: 'Native File System'
+
+          # Override to handle Win95 responses that may omit native_file_system.
+          def do_read(io)
+            byte_count.do_read(io)
+            return unless byte_count > 0
+            service.do_read(io)
+            native_file_system.do_read(io) if byte_count > service.num_bytes
+          end
         end
 
         smb_header        :smb_header

data/lib/ruby_smb/smb1/packet.rb

@@ -22,6 +22,8 @@ module RubySMB
       require 'ruby_smb/smb1/packet/trans'
       require 'ruby_smb/smb1/packet/trans2'
       require 'ruby_smb/smb1/packet/nt_trans'
+      require 'ruby_smb/smb1/packet/open_andx_request'
+      require 'ruby_smb/smb1/packet/open_andx_response'
       require 'ruby_smb/smb1/packet/nt_create_andx_request'
       require 'ruby_smb/smb1/packet/nt_create_andx_response'
       require 'ruby_smb/smb1/packet/read_andx_request'

data/lib/ruby_smb/smb1/pipe.rb

@@ -36,6 +36,8 @@ module RubySMB
           extend RubySMB::Dcerpc::Icpr
         when 'efsrpc', '\\efsrpc'
           extend RubySMB::Dcerpc::Efsrpc
+        when 'lanman', 'LANMAN', '\\PIPE\\LANMAN', '\\lanman'
+          extend RubySMB::Rap::NetShareEnum
         end
         super(tree: tree, response: response, name: name)
       end

data/lib/ruby_smb/smb1/tree.rb

@@ -3,6 +3,11 @@ module RubySMB
     # An SMB1 connected remote Tree, as returned by a
     # [RubySMB::SMB1::Packet::TreeConnectRequest]
     class Tree
+      # Exposes #net_share_enum directly on the tree for callers that need
+      # RAP against \PIPE\LANMAN without opening the pipe (Win9x servers do
+      # not permit OPEN_ANDX on it).
+      include RubySMB::Rap::NetShareEnum
+
       # The client this Tree is connected through
       # @!attribute [rw] client
       #   @return [RubySMB::Client]
@@ -102,9 +107,11 @@ module RubySMB
       # @raise [RubySMB::Error::UnexpectedStatusCode] if the response NTStatus is not STATUS_SUCCESS
       def list(directory: '\\', pattern: '*', unicode: true,
                type: RubySMB::SMB1::Packet::Trans2::FindInformationLevel::FindFileFullDirectoryInfo)
+        info_standard = (type == RubySMB::SMB1::Packet::Trans2::FindInformationLevel::FindInfoStandard)
+
         find_first_request = RubySMB::SMB1::Packet::Trans2::FindFirst2Request.new
         find_first_request = set_header_fields(find_first_request)
-        find_first_request.smb_header.flags2.unicode  = 1 if unicode
+        find_first_request.smb_header.flags2.unicode  = 1 if unicode && !info_standard
 
         search_path = directory.dup
         search_path << '\\' unless search_path.end_with?('\\')
@@ -120,7 +127,7 @@ module RubySMB
         t2_params.flags.resume_keys           = 0
         t2_params.information_level           = type::CLASS_LEVEL
         t2_params.filename                    = search_path
-        t2_params.search_count                = 10
+        t2_params.search_count                = info_standard ? 255 : 10
 
         find_first_request = set_find_params(find_first_request)
 
@@ -137,13 +144,19 @@ module RubySMB
           raise RubySMB::Error::UnexpectedStatusCode, response.status_code
         end
 
-        results = response.results(type, unicode: unicode)
+        t2p_override, t2d_override = response.win9x_trans2_overrides(raw_response)
+        results = if t2d_override
+                    response.results(type, unicode: unicode, buffer: t2d_override)
+                  else
+                    response.results(type, unicode: unicode)
+                  end
 
-        eos   = response.data_block.trans2_parameters.eos
-        sid   = response.data_block.trans2_parameters.sid
-        last  = results.last.file_name
+        effective_params = t2p_override || response.data_block.trans2_parameters
+        eos   = effective_params.eos
+        sid   = effective_params.sid
+        last  = results.last&.file_name
 
-        while eos.zero?
+        while eos.zero? && last
           find_next_request = RubySMB::SMB1::Packet::Trans2::FindNext2Request.new
           find_next_request = set_header_fields(find_next_request)
           find_next_request.smb_header.flags2.unicode   = 1 if unicode
@@ -171,8 +184,10 @@ module RubySMB
             raise RubySMB::Error::UnexpectedStatusCode, response.status_code
           end
 
-          results += response.results(type, unicode: unicode)
+          batch = response.results(type, unicode: unicode)
+          break if batch.empty?
 
+          results += batch
           eos   = response.data_block.trans2_parameters.eos
           last  = results.last.file_name
         end
@@ -195,6 +210,9 @@ module RubySMB
 
       def _open(filename:, flags: nil, options: nil, disposition: RubySMB::Dispositions::FILE_OPEN,
                 impersonation: RubySMB::ImpersonationLevels::SEC_IMPERSONATE, read: true, write: false, delete: false)
+        unless client.server_supports_nt_smbs
+          return _open_andx(filename: filename, disposition: disposition, read: read, write: write)
+        end
         nt_create_andx_request = RubySMB::SMB1::Packet::NtCreateAndxRequest.new
         nt_create_andx_request = set_header_fields(nt_create_andx_request)
 
@@ -272,6 +290,91 @@ module RubySMB
         end
       end
 
+      # Open a file or pipe using SMB_COM_OPEN_ANDX (0x2D), the LAN Manager 1.0
+      # open command used by Windows 95/98/ME and other servers that don't
+      # advertise the NT SMBs capability. Accepts the same NT-style disposition
+      # constants as {#_open} and maps them to the OpenMode encoding defined in
+      # MS-CIFS 2.2.4.41.1.
+      #
+      # @param filename [String] path to the file on the share
+      # @param disposition [Integer] a RubySMB::Dispositions constant
+      # @param read [Boolean] request read access
+      # @param write [Boolean] request write access
+      # @return [RubySMB::SMB1::File, RubySMB::SMB1::Pipe] the opened resource
+      # @raise [RubySMB::Error::InvalidPacket] if the response is not valid
+      # @raise [RubySMB::Error::UnexpectedStatusCode] if the response NTStatus is not STATUS_SUCCESS
+      def _open_andx(filename:, disposition:, read: true, write: false)
+        request = RubySMB::SMB1::Packet::OpenAndxRequest.new
+        request = set_header_fields(request)
+        request.smb_header.flags2.unicode = 0
+
+        access = 0x0040 # sharing: deny-nothing
+        if read && write
+          access |= 0x02
+        elsif write
+          access |= 0x01
+        end
+
+        request.parameter_block.access_mode       = access
+        # search_attributes / file_attributes are SMB_FILE_ATTRIBUTES BitField
+        # records, not plain uint16s — assign through #read to avoid BinData's
+        # each_pair-on-Integer NoMethodError when given a literal mask.
+        request.parameter_block.search_attributes.read([0x0016].pack('v'))
+        request.parameter_block.file_attributes.read([(write ? 0x0020 : 0x0000)].pack('v'))
+        request.parameter_block.open_mode         = nt_disposition_to_open_mode(disposition)
+
+        fname = filename.dup
+        fname.prepend('\\') unless fname.start_with?('\\')
+        request.data_block.file_name = fname
+
+        raw_response = client.send_recv(request)
+        response = RubySMB::SMB1::Packet::OpenAndxResponse.read(raw_response)
+        unless response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB1::SMB_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB1::Packet::OpenAndxResponse::COMMAND,
+            packet:         response
+          )
+        end
+        unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code
+        end
+
+        build_open_andx_handle(filename, response)
+      end
+
+      # Map an NT-style disposition (RubySMB::Dispositions) to an
+      # SMB_COM_OPEN_ANDX OpenMode word. FileExistsOpts is bits 0-1
+      # (0=fail, 1=open, 2=truncate); CreateFile is bit 4.
+      def nt_disposition_to_open_mode(disposition)
+        case disposition
+        when RubySMB::Dispositions::FILE_OPEN         then 0x0001
+        when RubySMB::Dispositions::FILE_CREATE       then 0x0010
+        when RubySMB::Dispositions::FILE_OPEN_IF      then 0x0011
+        when RubySMB::Dispositions::FILE_OVERWRITE    then 0x0002
+        when RubySMB::Dispositions::FILE_OVERWRITE_IF,
+             RubySMB::Dispositions::FILE_SUPERSEDE    then 0x0012
+        else
+          raise RubySMB::Error::RubySMBError,
+                "Unsupported disposition for SMB_COM_OPEN_ANDX: #{disposition}"
+        end
+      end
+
+      def build_open_andx_handle(filename, response)
+        unless response.parameter_block.resource_type == RubySMB::SMB1::ResourceType::DISK
+          raise RubySMB::Error::RubySMBError,
+                "SMB_COM_OPEN_ANDX resource type 0x#{response.parameter_block.resource_type.to_s(16)} not supported"
+        end
+        file = RubySMB::SMB1::File.allocate
+        file.tree         = self
+        file.name         = filename
+        file.fid          = response.parameter_block.fid
+        file.size         = response.parameter_block.file_data_size
+        file.size_on_disk = response.parameter_block.file_data_size
+        file.attributes   = response.parameter_block.file_attributes
+        file
+      end
+
       # Sets ParameterBlock options for FIND_FIRST2 and
       # FIND_NEXT2 requests. In particular we need to do this
       # to tell the server to ignore the Trans2DataBlock as we are
@@ -281,7 +384,8 @@ module RubySMB
         request.parameter_block.data_offset            = 0
         request.parameter_block.total_parameter_count  = request.parameter_block.parameter_count
         request.parameter_block.max_parameter_count    = request.parameter_block.parameter_count
-        request.parameter_block.max_data_count         = 16_384
+        max_data = [16_384, client.server_max_buffer_size].min
+        request.parameter_block.max_data_count         = max_data
         request
       end
 

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '3.3.17'.freeze
+  VERSION = '3.3.19'.freeze
 end

data/lib/ruby_smb.rb

@@ -23,6 +23,7 @@ module RubySMB
   require 'ruby_smb/dispatcher'
   require 'ruby_smb/version'
   require 'ruby_smb/smb2'
+  require 'ruby_smb/rap'
   require 'ruby_smb/smb1'
   require 'ruby_smb/client'
   require 'ruby_smb/crypto'

data/spec/lib/ruby_smb/client_spec.rb

@@ -754,7 +754,7 @@ RSpec.describe RubySMB::Client do
       it 'sets the expected fields of the SessionRequest packet' do
         name         = 'NBNAMESPEC'
         called_name  = 'NBNAMESPEC      '
-        calling_name = "               \x00"
+        calling_name = "WORKSTATION    \x00"
 
         session_packet = client.session_request_packet(name)
         expect(session_packet).to be_a(RubySMB::Nbss::SessionRequest)
@@ -2438,6 +2438,7 @@ RSpec.describe RubySMB::Client do
           end
         end
       end
+
     end
   end
 

data/spec/lib/ruby_smb/rap/net_share_enum_spec.rb

@@ -0,0 +1,185 @@
+require 'spec_helper'
+
+RSpec.describe RubySMB::Rap::NetShareEnum do
+  let(:client) { instance_double(RubySMB::Client) }
+  let(:tree) { instance_double(RubySMB::SMB1::Tree, id: 1, client: client) }
+  let(:pipe) do
+    captured_tree = tree
+    p = RubySMB::SMB1::Pipe.allocate
+    p.instance_variable_set(:@tree, captured_tree)
+    p.define_singleton_method(:tree) { captured_tree }
+    p.extend(described_class)
+    p
+  end
+
+  def build_rap_response(status:, entries: [])
+    resp = RubySMB::SMB1::Packet::Trans::Response.new
+    params = RubySMB::Rap::NetShareEnum::Response.new(
+      status: status, converter: 0, entry_count: entries.length, available: entries.length
+    )
+    data = entries.map do |e|
+      si = RubySMB::Rap::NetShareEnum::ShareInfo1.new(
+        netname: e[:name], pad1: 0, share_type: e[:type], remark_offset: 0
+      )
+      si.to_binary_s
+    end.join
+    resp.data_block.trans_parameters = params.to_binary_s
+    resp.data_block.trans_data = data
+    resp.to_binary_s
+  end
+
+  describe '.new request layout' do
+    it 'encodes the RAP NetShareEnum opcode, descriptors, level and buffer size' do
+      bytes = RubySMB::Rap::NetShareEnum::Request.new.to_binary_s
+      expect(bytes[0, 2]).to eq([0].pack('v'))         # opcode
+      expect(bytes[2, 6]).to eq("WrLeh\x00")            # param descriptor
+      expect(bytes[8, 7]).to eq("B13BWz\x00")           # data descriptor
+      expect(bytes[15, 2]).to eq([1].pack('v'))         # info level 1
+      expect(bytes[17, 2]).to eq([0x1000].pack('v'))    # receive buffer size
+    end
+  end
+
+  describe '#net_share_enum' do
+    it 'returns the parsed share list on RAP status 0' do
+      entries = [
+        { name: 'IPC$', type: 0x0003 }, # STYPE_IPC
+        { name: 'DATA', type: 0x0000 }  # STYPE_DISKTREE
+      ]
+      allow(client).to receive(:send_recv).and_return(build_rap_response(status: 0, entries: entries))
+      expect(pipe.net_share_enum).to eq([
+        { name: 'IPC$', type: 'IPC' },
+        { name: 'DATA', type: 'DISK' }
+      ])
+    end
+
+    it 'stringifies all MS-RAP 2.5.14 base share types' do
+      entries = [
+        { name: 'DSK',  type: 0x0000 },
+        { name: 'PRN',  type: 0x0001 },
+        { name: 'DEV',  type: 0x0002 },
+        { name: 'IPC$', type: 0x0003 }
+      ]
+      allow(client).to receive(:send_recv).and_return(build_rap_response(status: 0, entries: entries))
+      expect(pipe.net_share_enum.map { |s| s[:type] }).to eq(%w[DISK PRINTER DEVICE IPC])
+    end
+
+    it 'appends SPECIAL / TEMPORARY modifiers to the base type string' do
+      entries = [
+        { name: 'HIDDEN$', type: 0x0000 | RubySMB::Rap::NetShareEnum::STYPE_SPECIAL },
+        { name: 'TMP',     type: 0x0000 | RubySMB::Rap::NetShareEnum::STYPE_TEMPORARY },
+        { name: 'IPCH$',   type: 0x0003 | RubySMB::Rap::NetShareEnum::STYPE_SPECIAL |
+                                          RubySMB::Rap::NetShareEnum::STYPE_TEMPORARY }
+      ]
+      allow(client).to receive(:send_recv).and_return(build_rap_response(status: 0, entries: entries))
+      expect(pipe.net_share_enum.map { |s| s[:type] }).to eq([
+        'DISK|SPECIAL',
+        'DISK|TEMPORARY',
+        'IPC|SPECIAL|TEMPORARY'
+      ])
+    end
+
+    it 'formats an unknown base type code as UNKNOWN(0xXXXX)' do
+      entries = [{ name: 'Q', type: 0x0007 }]
+      allow(client).to receive(:send_recv).and_return(build_rap_response(status: 0, entries: entries))
+      expect(pipe.net_share_enum.first[:type]).to eq('UNKNOWN(0x0007)')
+    end
+
+    it 'sends a Trans request targeting \\PIPE\\LANMAN with the tree id' do
+      allow(client).to receive(:send_recv) do |request|
+        expect(request).to be_a(RubySMB::SMB1::Packet::Trans::Request)
+        expect(request.smb_header.tid).to eq(tree.id)
+        expect(request.smb_header.flags2.unicode).to eq(0)
+        expect(request.data_block.name.to_s).to eq("\\PIPE\\LANMAN".b)
+        expect(request.data_block.trans_parameters.to_s).to eq(RubySMB::Rap::NetShareEnum::Request.new.to_binary_s)
+        build_rap_response(status: 0)
+      end
+      pipe.net_share_enum
+    end
+
+    it 'raises RubySMBError when the RAP status is non-zero' do
+      allow(client).to receive(:send_recv).and_return(build_rap_response(status: 5))
+      expect {
+        pipe.net_share_enum
+      }.to raise_error(RubySMB::Error::RubySMBError, /RAP NetShareEnum failed with status 0x5/)
+    end
+
+    it 'raises InvalidPacket when the RAP params are truncated' do
+      resp = RubySMB::SMB1::Packet::Trans::Response.new
+      resp.data_block.trans_parameters = "\x00\x00\x00"
+      resp.data_block.trans_data = ''
+      allow(client).to receive(:send_recv).and_return(resp.to_binary_s)
+      expect {
+        pipe.net_share_enum
+      }.to raise_error(RubySMB::Error::InvalidPacket)
+    end
+
+    it 'raises UnexpectedStatusCode when the SMB status is not success' do
+      resp = RubySMB::SMB1::Packet::Trans::Response.new
+      resp.smb_header.nt_status = WindowsError::NTStatus::STATUS_ACCESS_DENIED.value
+      resp.data_block.trans_parameters = RubySMB::Rap::NetShareEnum::Response.new(
+        status: 0, converter: 0, entry_count: 0, available: 0
+      ).to_binary_s
+      resp.data_block.trans_data = ''
+      allow(client).to receive(:send_recv).and_return(resp.to_binary_s)
+      expect {
+        pipe.net_share_enum
+      }.to raise_error(RubySMB::Error::UnexpectedStatusCode)
+    end
+  end
+
+  describe 'Win9x-style response layout (no 4-byte pad before trans_parameters)' do
+    it 'slices trans_parameters using the server-reported parameter_offset' do
+      # Win9x packs parameters at offset 55 (immediately after byte_count)
+      # rather than padding to a 4-byte boundary. Build a response matching
+      # that layout by hand.
+      entry = RubySMB::Rap::NetShareEnum::ShareInfo1.new(
+        netname: 'ABCDEFGHIJKL', pad1: 0, share_type: 0, remark_offset: 0
+      ).to_binary_s
+      params = RubySMB::Rap::NetShareEnum::Response.new(
+        status: 0, converter: 0, entry_count: 1, available: 1
+      ).to_binary_s
+
+      # 32-byte SMB1 header (command=0x25 SMB_COM_TRANSACTION, status=0).
+      header = "\xffSMB\x25".b + ("\x00".b * 27)
+      parameter_offset = 32 + 1 + 20 + 2                # right after byte_count
+      data_offset      = parameter_offset + params.bytesize
+
+      parameter_block = [
+        params.bytesize,          # total_parameter_count
+        entry.bytesize,           # total_data_count
+        0,                        # reserved
+        params.bytesize,          # parameter_count
+        parameter_offset,         # parameter_offset (55 - no pad)
+        0,                        # parameter_displacement
+        entry.bytesize,           # data_count
+        data_offset,              # data_offset
+        0                         # data_displacement
+      ].pack('v9') + "\x00\x00".b # setup_count + reserved2
+
+      byte_count = [params.bytesize + entry.bytesize].pack('v')
+      raw = header + "\x0a".b + parameter_block + byte_count + params + entry
+      # BinData's default Trans::Response#pad1_length forces a 4-byte align
+      # and reads trans_parameters starting 1 byte past what the server sent.
+      # Pad the tail so BinData's (mis-aligned) read doesn't hit EOF before
+      # our parser takes over with the server-reported offsets.
+      raw << "\x00".b * 8
+
+      allow(client).to receive(:send_recv).and_return(raw)
+      shares = pipe.net_share_enum
+      expect(shares.length).to eq(1)
+      expect(shares[0][:name]).to eq('ABCDEFGHIJKL')
+      expect(shares[0][:type]).to eq('DISK')
+    end
+  end
+
+  describe 'SMB1::Pipe integration' do
+    it 'extends the pipe with NetShareEnum when opened as \\PIPE\\LANMAN' do
+      # Use a minimal response to drive Pipe#initialize through File#initialize.
+      nt_resp = RubySMB::SMB1::Packet::NtCreateAndxResponse.new
+      nt_resp.parameter_block.fid = 0x1001
+      nt_resp.parameter_block.resource_type = RubySMB::SMB1::ResourceType::BYTE_MODE_PIPE
+      p = RubySMB::SMB1::Pipe.new(tree: tree, response: nt_resp, name: '\\PIPE\\LANMAN')
+      expect(p).to respond_to(:net_share_enum)
+    end
+  end
+end