In ndr_push_nbt_res_rec() in libcli/nbt/nbtname.c we go lke this: NDR_CHECK(ndr_push_set_switch_value(ndr, &r->rdata, ((((r->rr_type) == NBT_QTYPE_NETBIOS) && ((r->rdata).data.length == 2))?0:r->rr_type))); NDR_CHECK(ndr_push_nbt_rdata(ndr, NDR_SCALARS, &r->rdata)); The first line is trying to determine whether this is really a WACK packet (it has other bugs we'll ignore here) by peeking into r->rdata.data.length. The trouble is we don't set r->rdata until the next line. We don't notice it in fuzzing because the push is overwriting the same memory that we pulled from, so It was briefly an IDL macro, then moved here with dce310ef4ec2eedb496e814cf341ad7caab821af.
What we really need is to look at the opcode to see if it's WACK, but by the time we get here we've forgotten that. It seems PIDL isn't really up to the task here, and we need to turn a whole lot more of NBT stack into manually maintained code.
This bug was referenced in samba master: edad945339f6401b2566efddd33f47195e2637c3