NDR64 dcerpc_bind_ack unmarshalling failures

Stefan (metze) Metzmacher metze at samba.org
Tue Apr 3 10:21:57 MDT 2012


Hi David,

> NDR64 DCERPC binds currently fail against Windows Server "8" Beta due
> to errors when unmarshalling bind_ack PDUs.
> 
> dcerpc bind ack is currently defined as follows:
> typedef struct {
> 	uint16 max_xmit_frag;
> 	uint16 max_recv_frag;
> 	uint32 assoc_group_id;
> 	[value(strlen(secondary_address)+1)] uint16 secondary_address_size;
> 	[charset(DOS)] uint8 secondary_address[secondary_address_size];
> 	[flag(NDR_ALIGN4)]    DATA_BLOB _pad1;
> 	uint8 num_results;
> 	dcerpc_ack_ctx ctx_list[num_results];
> 	[flag(NDR_REMAINING)] DATA_BLOB auth_info;
> } dcerpc_bind_ack;
> 
> This is compiled by pidl into:
> static enum ndr_err_code ndr_pull_dcerpc_bind_ack(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_bind_ack *r)
> {
> ...
>         if (ndr_flags & NDR_SCALARS) {
> ...
>                 { 
>                         uint32_t _flags_save_DATA_BLOB = ndr->flags;
>                         ndr_set_flags(&ndr->flags, LIBNDR_FLAG_REMAINING);
>                         NDR_CHECK(ndr_pull_DATA_BLOB(ndr, NDR_SCALARS, &r->auth_info));
>                         ndr->flags = _flags_save_DATA_BLOB;
>                 } 
>                 NDR_CHECK(ndr_pull_trailer_align(ndr, 4));
> 
> With the NDR_REMAINING flag set, ndr_pull_DATA_BLOB pulls all trailing
> packet bytes into r->auth_info, leaving ndr->offset == ndr->data_size.
> My Windows Server "8" Beta bind_ack response is 323 bytes which causes
> the subsequent ndr_pull_trailer_align() call to fail with
> NDR_ERR_BUFSIZE.
> 
> Removing ndr_pull_trailer_align() from ParseStructPullPrimitives()
> results in successful NDR64 bind_ack unmarshalling and allows the
> bind to complete, however appears to be contrary to MS-RPCE
> 2.2.5.3.4.1 requirements.
> 
> Any IDL experts able to point me in the right direction here?

What has that to do with NDR64? As far as I know NDR64 is only used for
the payload, not for the DCERPC PDUs.

Can you post a capture?

metze
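As an added illustration (not code from this thread and not Samba's own ndr_pull implementation), a constructed, simplified model of the offset arithmetic David describes: a `[flag(NDR_REMAINING)]` blob leaves the offset at the end of the PDU, and a 4-byte trailer align then fails with NDR_ERR_BUFSIZE whenever the PDU length is not a multiple of 4, as with the 323-byte bind_ack. The struct and function names are hypothetical stand-ins for the generated code quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for Samba's ndr_err_code / struct ndr_pull. */
enum ndr_err { NDR_ERR_SUCCESS = 0, NDR_ERR_BUFSIZE = 1 };

struct pull_ctx {
	size_t data_size; /* total PDU length in bytes */
	size_t offset;    /* current parse position */
};

/* Model of a [flag(NDR_REMAINING)] DATA_BLOB pull: consume every byte
 * left in the PDU, so afterwards offset == data_size. */
static enum ndr_err pull_remaining_blob(struct pull_ctx *ndr, size_t *blob_len)
{
	*blob_len = ndr->data_size - ndr->offset;
	ndr->offset = ndr->data_size;
	return NDR_ERR_SUCCESS;
}

/* Model of ndr_pull_trailer_align(ndr, size): round the offset up to a
 * multiple of `size`; if that padding would run past the end of the
 * buffer, report NDR_ERR_BUFSIZE instead of silently clamping. */
static enum ndr_err pull_trailer_align(struct pull_ctx *ndr, size_t size)
{
	size_t aligned = (ndr->offset + (size - 1)) & ~(size - 1);
	if (aligned > ndr->data_size)
		return NDR_ERR_BUFSIZE;
	ndr->offset = aligned;
	return NDR_ERR_SUCCESS;
}

/* Tail of the bind_ack parse as in the quoted generated code: auth_info
 * (NDR_REMAINING) followed by a 4-byte trailer align. Only the PDU length
 * and the offset where auth_info starts matter for the outcome. */
enum ndr_err parse_bind_ack_tail(size_t pdu_len, size_t auth_info_offset)
{
	struct pull_ctx ndr = { pdu_len, auth_info_offset };
	size_t blob_len;
	enum ndr_err err = pull_remaining_blob(&ndr, &blob_len);
	if (err != NDR_ERR_SUCCESS)
		return err;
	return pull_trailer_align(&ndr, 4);
}

int main(void)
{
	/* 323-byte PDU fails the trailer align; a 324-byte PDU passes. */
	printf("323 bytes: %d\n", parse_bind_ack_tail(323, 300)); /* prints 1 (NDR_ERR_BUFSIZE) */
	printf("324 bytes: %d\n", parse_bind_ack_tail(324, 300)); /* prints 0 (NDR_ERR_SUCCESS) */
	return 0;
}
```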
