I've decoded the blob at the end of create requests and responses.
It's a 'chained blob' format, consisting of a list of blobs with
string tag names on each blob. The two tags that I have seen are
'ExtA' and 'MxAc'. The ExtA tag is for a blob containing a set of
extended attributes to put on the file, in chained ea_list format.
At first I thought the MxAc blob was a security descriptor, but it
turns out to be a placeholder that asks the server to return the
maximum allowed access mask in the create reply. The server then adds
a MxAc blob containing 8 bytes, the 2nd 4 bytes is the maximum access
mask, the first 4 bytes are unknown (I've only seen zeros).
The chained blob format itself is like this:
uint32 chain_offset /* offset to next blob */
uint16 tag_offset /* offset to tag name */
uint32 tag_length /* length of the tag name */
uint16 data_offset /* offset to blob data */
uint32 data_length /* length of blob data */
TAG /* ascii string tag, not terminated */
uint32 pad?
DATA /* the blob data */
padding to 8 byte alignment
I've only seen 4 char tag names, but given the tag name length
is included the format seems to support other lengths.
On the last blob in the chain the chain_offset is zero.
Cheers, Tridge
