dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter, auth3

Sometimes Windows sends 3 presentation contexts (NDR32, NDR64,
BindTimeFeatureNegotiation) in the first BIND of an association.

Binding an additional connection to the association seems to
reuse the BIND buffer and just changes the num_contexts field from
3 to 2 and leaves the BindTimeFeatureNegotiation context as padding
in places.

Note, the auth_pad_length field is send as 0 in that case,
which means we need to ignore it completely, as well as any
padding before the auth header.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 85b2dcd938)

librpc/rpc/dcerpc_util.c

@@ -362,10 +362,9 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
 	 *
 	 * See also bug #11982.
 	 */
-	if (auth_data_only && data_and_pad == 0 &&
-	    auth->auth_pad_length > 0) {
+	if (auth_data_only) {
 		/*
-		 * we need to ignore invalid auth_pad_length
+		 * We need to ignore auth_pad_length
 		 * values for BIND_*, ALTER_* and AUTH3 pdus.
 		 */
 		auth->auth_pad_length = 0;
@@ -385,34 +384,6 @@ NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt,
 		return NT_STATUS_RPC_PROTOCOL_ERROR;
 	}
 
-	if (auth_data_only && data_and_pad > auth->auth_pad_length) {
-		DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
-			    "Client sent a longer BIND packet than expected by %"PRIu16" bytes "
-			    "(pkt_trailer->length=%zu - auth_length=%"PRIu16") "
-			    "= %"PRIu16" auth_pad_length=%"PRIu8"\n",
-			    data_and_pad - auth->auth_pad_length,
-			    pkt_trailer->length,
-			    auth_length,
-			    data_and_pad,
-			    auth->auth_pad_length);
-		talloc_free(ndr);
-		ZERO_STRUCTP(auth);
-		return NT_STATUS_RPC_PROTOCOL_ERROR;
-	}
-
-	if (auth_data_only && data_and_pad != auth->auth_pad_length) {
-		DBG_WARNING(__location__ ": ERROR: auth_data_only pad length mismatch. "
-			    "Calculated %"PRIu16" (pkt_trailer->length=%zu - auth_length=%"PRIu16") "
-			    "but auth_pad_length=%"PRIu8"\n",
-			    data_and_pad,
-			    pkt_trailer->length,
-			    auth_length,
-			    auth->auth_pad_length);
-		talloc_free(ndr);
-		ZERO_STRUCTP(auth);
-		return NT_STATUS_RPC_PROTOCOL_ERROR;
-	}
-
 	DBG_DEBUG("auth_pad_length %"PRIu8"\n",
 		  auth->auth_pad_length);
 

selftest/knownfail.d/dcerpc-auth-pad

@@ -1,11 +1,5 @@
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_full_pad_ntlm_alter
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_full_pad_ntlm_auth3
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_full_pad_spnego_alter
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_full_pad_spnego_auth3
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_mid_pad_ntlm_alter
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_mid_pad_ntlm_auth3
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_mid_pad_spnego_alter
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_mid_pad_spnego_auth3
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_ntlm
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_spnego
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_alter