NDR64 dcerpc_bind_ack unmarshalling failures

David Disseldorp ddiss at suse.de
Tue Apr 3 09:18:43 MDT 2012


Hi,

NDR64 DCERPC binds currently fail against Windows Server "8" Beta due
to errors when unmarshalling bind_ack PDUs.

dcerpc bind ack is currently defined as follows:
typedef struct {
	uint16 max_xmit_frag;
	uint16 max_recv_frag;
	uint32 assoc_group_id;
	[value(strlen(secondary_address)+1)] uint16 secondary_address_size;
	[charset(DOS)] uint8 secondary_address[secondary_address_size];
	[flag(NDR_ALIGN4)]    DATA_BLOB _pad1;
	uint8 num_results;
	dcerpc_ack_ctx ctx_list[num_results];
	[flag(NDR_REMAINING)] DATA_BLOB auth_info;
} dcerpc_bind_ack;

This is compiled by pidl into:
static enum ndr_err_code ndr_pull_dcerpc_bind_ack(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind_ack *r)
{
...
        if (ndr_flags & NDR_SCALARS) {
...
                {
                        uint32_t _flags_save_DATA_BLOB = ndr->flags;
                        ndr_set_flags(&ndr->flags, LIBNDR_FLAG_REMAINING);
                        NDR_CHECK(ndr_pull_DATA_BLOB(ndr, NDR_SCALARS, &r->auth_info));
                        ndr->flags = _flags_save_DATA_BLOB;
                }
                NDR_CHECK(ndr_pull_trailer_align(ndr, 4));

With the NDR_REMAINING flag set, ndr_pull_DATA_BLOB pulls all trailing
packet bytes into r->auth_info, leaving ndr->offset == ndr->data_size.
My Windows Server "8" Beta bind_ack response is 323 bytes which causes
the subsequent ndr_pull_trailer_align() call to fail with
NDR_ERR_BUFSIZE.

Removing ndr_pull_trailer_align() from ParseStructPullPrimitives()
results in successful NDR64 bind_ack unmarshalling and allows the
bind to complete; however, it appears to be contrary to the MS-RPCE
2.2.5.3.4.1 requirements.

Any IDL experts able to point me in the right direction here?

Cheers, David
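The failure described in the mail, as an added illustration that is neither code from the post nor Samba's own librpc code: a deliberately simplified model of an NDR pull context (the names pull_ctx, pull_remaining_blob, pull_trailer_align and unmarshal_bind_ack_tail are hypothetical) in which a [flag(NDR_REMAINING)] blob consumes every byte after the current offset, and the NDR64 trailer alignment then rounds the offset up past data_size on a 323-byte PDU. The same run shows why the 32-bit NDR path, where the trailer align is a no-op, does not hit the error, and why a PDU whose length is already a multiple of 4 passes.

```c
/* Added example, not Samba code: a minimal model of an NDR pull context
 * showing why pulling a [flag(NDR_REMAINING)] blob followed by a trailer
 * alignment fails with a BUFSIZE error on a 323-byte NDR64 bind_ack.
 * All type and function names here are hypothetical; only the behaviour
 * mirrors what the mail describes. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum pull_err { PULL_OK = 0, PULL_ERR_BUFSIZE = 1, PULL_ERR_RANGE = 2 };

#define FLAG_NDR64 0x1u

struct pull_ctx {
    const uint8_t *data;
    size_t data_size;   /* total PDU length */
    size_t offset;      /* current pull position */
    uint32_t flags;
};

struct blob { const uint8_t *data; size_t length; };

/* Outcome of one simulated unmarshal: error code plus the final offset. */
struct pull_result { enum pull_err err; size_t offset; };

/* Model of ndr_pull_DATA_BLOB under LIBNDR_FLAG_REMAINING: the blob takes
 * every byte after the current offset, so offset == data_size afterwards. */
static enum pull_err pull_remaining_blob(struct pull_ctx *p, struct blob *out)
{
    out->data = p->data + p->offset;
    out->length = p->data_size - p->offset;
    p->offset = p->data_size;
    return PULL_OK;
}

/* Model of ndr_pull_trailer_align(): under NDR64 the offset is rounded up
 * to the next multiple of `align`, and the pull fails if that overshoots
 * the buffer. Under 32-bit NDR the trailer alignment is skipped. */
static enum pull_err pull_trailer_align(struct pull_ctx *p, size_t align)
{
    if (!(p->flags & FLAG_NDR64))
        return PULL_OK;
    p->offset = (p->offset + (align - 1)) & ~(align - 1);
    if (p->offset > p->data_size)
        return PULL_ERR_BUFSIZE;
    return PULL_OK;
}

/* Simulate the tail of ndr_pull_dcerpc_bind_ack for a PDU of `pdu_len`
 * bytes whose auth_info starts at `auth_off`: pull the remaining bytes into
 * auth_info, then apply the 4-byte trailer alignment the generated code uses. */
struct pull_result unmarshal_bind_ack_tail(size_t pdu_len, size_t auth_off,
                                           uint32_t flags)
{
    static uint8_t buf[512];        /* constructed buffer; contents are irrelevant */
    struct pull_ctx p = { buf, pdu_len, auth_off, flags };
    struct pull_result res = { PULL_OK, auth_off };
    struct blob auth_info;

    if (pdu_len > sizeof(buf) || auth_off > pdu_len) {
        res.err = PULL_ERR_RANGE;   /* guard the model's own inputs */
        return res;
    }
    memset(buf, 0, sizeof(buf));
    res.err = pull_remaining_blob(&p, &auth_info);
    if (res.err == PULL_OK)
        res.err = pull_trailer_align(&p, 4);
    res.offset = p.offset;
    return res;
}

int main(void)
{
    struct pull_result r;

    /* The case from the mail: 323-byte NDR64 bind_ack, all bytes consumed,
     * then aligning to 4 pushes the offset to 324, past the end. */
    r = unmarshal_bind_ack_tail(323, 300, FLAG_NDR64);
    printf("NDR64, 323 bytes: err=%d offset=%zu\n", r.err, r.offset);  /* err=1 offset=324 */

    /* Same PDU under 32-bit NDR: the trailer alignment is a no-op. */
    r = unmarshal_bind_ack_tail(323, 300, 0);
    printf("NDR,   323 bytes: err=%d offset=%zu\n", r.err, r.offset);  /* err=0 offset=323 */

    /* NDR64 with a PDU whose length is already 4-aligned. */
    r = unmarshal_bind_ack_tail(324, 300, FLAG_NDR64);
    printf("NDR64, 324 bytes: err=%d offset=%zu\n", r.err, r.offset);  /* err=0 offset=324 */
    return 0;
}
```

The only comparison that matters is the one in pull_trailer_align: once the remaining-bytes pull has left offset equal to data_size, any rounding up on a length that is not already a multiple of the alignment must land beyond the buffer, so the BUFSIZE error is a direct consequence of ordering a trailer alignment after an NDR_REMAINING blob rather than of anything in the PDU contents.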

