From 30de92f3f7436161daf05637797724173d0a52b9 Mon Sep 17 00:00:00 2001
From: Joshua Rogers <MegaManSec@users.noreply.github.com>
Date: Mon, 8 Sep 2025 22:18:21 +0000
Subject: [PATCH] negotiate_kerberos_auth: Properly align NDR data (#2186)

Resolves sporadic Negotiate/Kerberos auth failures that manifested
as proxy 407 loops or helper errors when decoding PAC data, depending
on ticket layout.

Previously, the parser advanced bpos by the remainder:
(bpos += bpos %n)
instead of padding to the next multiple of n.

For example, n = 4:
    bpos=5 (r=1): current: 6 (wrong), correct: 8
    bpos=6 (r=2): current: 8 (accidentally right)
    bpos=7 (r=3): current: 10 (wrong), correct: 8
---
 src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc b/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
index 1d6c0a0199..0403fcfd7d 100644
--- a/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
+++ b/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
@@ -55,11 +55,8 @@ check_k5_err(krb5_context context, const char *function, krb5_error_code code);
 void
 align(int n)
 {
-    if ( bpos % n != 0 ) {
-        int al;
-        al = (bpos/n);
-        bpos = bpos+(bpos-n*al);
-    }
+    if (const auto r = bpos % n)
+        bpos += (n - r);
 }
 
 void
-- 
2.47.3