libcli/auth: don't allow any unexpected upgrades of negotiate_flags
authorStefan Metzmacher <metze@samba.org>
Wed, 2 Oct 2024 13:03:21 +0000 (15:03 +0200)
committerJule Anger <janger@samba.org>
Wed, 13 Nov 2024 10:39:11 +0000 (10:39 +0000)
Only remove the unsupported flags from state->current_flags for
the next try...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a9040c8ce76cb9911c4c0c5d623cc479e49f460d)

libcli/auth/netlogon_creds_cli.c

index 154906342b7bf18b060f80f2e72c056ed2be56eb..1a19662075111c28f763b1d5a9f4189fd38bff65 100644 (file)
@@ -1478,14 +1478,16 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
        }
 
        if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
-               uint32_t tmp_flags = state->context->client.proposed_flags;
-               if ((state->current_flags == tmp_flags) &&
-                   (state->creds->negotiate_flags != tmp_flags))
-               {
+               uint32_t prop_f = state->context->client.proposed_flags;
+               uint32_t cli_f = state->current_flags;
+               uint32_t srv_f = state->creds->negotiate_flags;
+               uint32_t nego_f = cli_f & srv_f;
+
+               if (cli_f == prop_f && nego_f != prop_f) {
                        /*
                         * lets retry with the negotiated flags
                         */
-                       state->current_flags = state->creds->negotiate_flags;
+                       state->current_flags = nego_f;
                        netlogon_creds_cli_auth_challenge_start(req);
                        return;
                }
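Review bot: The retry branch at `if (cli_f == prop_f && nego_f != prop_f)` drops every bit the server did not return, but nothing visible in the hunk checks that `nego_f` still contains the client's mandatory flags before `netlogon_creds_cli_auth_challenge_start(req)` runs again. `srv_f` is read from a reply that came back with NT_STATUS_ACCESS_DENIED, so it has presumably not been authenticated yet and a peer can shrink the flag set at will. If the required-flags (downgrade) check happens later in this function, whose body starts and ends outside the hunk, the comment should say so, for example `/* retry once with (proposed & server) flags; required flags are enforced after the retry */`. The existing comment `lets retry with the negotiated flags` is also no longer precise, because `nego_f` is the intersection of the proposed and returned flags and can never add a bit that was not proposed.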