From bef660cfee205ddc3e22674054f8c1a35b78bcb1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 13 Nov 2020 10:55:43 +0100
Subject: [PATCH] dcesrv_core: fix the auth3 for large ntlmssp messages
I know finding any real logic in reading the patch, doesn't really show what's going on. I tried hard to simplify it, but this is the only way I found that fixed the test_auth_pad_ntlm_2889_auth3 test without breaking other tests...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
(cherry picked from commit 8b8e4ff1b19ba06821d774d0e1a8b1cad7f06120)
---
 librpc/rpc/dcesrv_auth.c | 18 +++++++++---------
 librpc/rpc/dcesrv_core.c | 6 ++++++
 selftest/knownfail.d/dcerpc-auth-pad | 1 -
 3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
index 5c3190a82eb..c5dbec973d1 100644
--- a/librpc/rpc/dcesrv_auth.c
+++ b/librpc/rpc/dcesrv_auth.c
@@ -130,6 +130,12 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
 auth->auth_level = call->in_auth_info.auth_level;
 auth->auth_context_id = call->in_auth_info.auth_context_id;
 
+ if (auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT &&
+ !call->conn->got_explicit_auth_level_connect)
+ {
+ call->conn->default_auth_level_connect = auth;
+ }
+
 cb->auth.become_root();
 status = cb->auth.gensec_prepare(
 auth,
@@ -379,12 +385,6 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
 }
 auth->auth_finished = true;
 
- if (auth->auth_level == DCERPC_AUTH_LEVEL_CONNECT &&
- !call->conn->got_explicit_auth_level_connect)
- {
- call->conn->default_auth_level_connect = auth;
- }
-
 if (call->pkt.ptype != DCERPC_PKT_AUTH3) {
 return NT_STATUS_OK;
 }
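Review bot: After this move `conn->default_auth_level_connect` can point at an auth context whose gensec exchange has not completed, or not even been prepared, because the assignment now happens before `cb->auth.gensec_prepare()` instead of after `auth_finished` is set; that is only safe if every reader of `default_auth_level_connect` checks `auth_finished` and `auth_invalid` before trusting the context, which is not visible from here. The hunk also does not show what happens to the pointer when `gensec_prepare()` fails — if that path tears down `auth` without resetting `call->conn->default_auth_level_connect`, the connection keeps a dangling pointer; the remainder of dcesrv_auth_prepare_gensec lies outside the hunk, so this may already be handled there. I would at least record the new contract next to the assignment: `/* NOTE: set before gensec completes; readers must check auth_finished and auth_invalid before trusting this context */`.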
@@ -620,12 +620,12 @@ bool dcesrv_auth_pkt_pull(struct dcesrv_call_state *call,
 return false;
 }
 
- if (!auth->auth_finished) {
- call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
+ if (auth->auth_invalid) {
 return false;
 }
 
- if (auth->auth_invalid) {
+ if (!auth->auth_finished) {
+ call->fault_code = DCERPC_NCA_S_PROTO_ERROR;
 return false;
 }
 
diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
index 0c8c7ebb17c..ebe6e662202 100644
--- a/librpc/rpc/dcesrv_core.c
+++ b/librpc/rpc/dcesrv_core.c
@@ -2338,7 +2338,13 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
 dcesrv_default_auth_state_prepare_request(call);
 
 if (call->auth_state->auth_started &&
+ !call->auth_state->auth_invalid &&
 !call->auth_state->auth_finished)
 {
+ /*
+ * We have this check here instead of
+ * relying on the check in dcesrv_auth_pkt_pull()
+ * because the fault should have context_id=0
+ */
 return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
 }
diff --git a/selftest/knownfail.d/dcerpc-auth-pad b/selftest/knownfail.d/dcerpc-auth-pad
index cbfd1442c86..4c77d622737 100644
--- a/selftest/knownfail.d/dcerpc-auth-pad
+++ b/selftest/knownfail.d/dcerpc-auth-pad
@@ -1,4 +1,3 @@
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_ntlm
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_auth3_align2_spnego
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_pad_ntlm_2889_auth3
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_auth3
--
2.47.2
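Review bot: Swapping the two checks changes the outcome for a context that is both invalid and unfinished: it now returns false without setting `call->fault_code`, where it previously reported DCERPC_NCA_S_PROTO_ERROR, so how the caller treats a plain false return now decides whether the connection is dropped or only this request is rejected. The callers of dcesrv_auth_pkt_pull are outside the hunk; it is worth confirming that a context whose authentication failed still cannot carry further requests on the connection. The reason for the order is also not recorded, and a later cleanup could easily swap it back; a comment above the first check such as `/* check auth_invalid before auth_finished: an invalid context presumably never finishes, and must not be reported as a protocol error */` would capture it. The function's head and tail lie outside the hunk.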
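Review bot: Adding `!call->auth_state->auth_invalid` to the condition means a request arriving on a context that failed authentication is no longer faulted at connection level here and must be caught by a later check; the new comment explains why the unfinished case is faulted at this point but says nothing about why the invalid case is deliberately let through, which is the part a maintainer is most likely to undo. I would extend the comment with a line like `* auth_invalid is deliberately not faulted here; it is rejected per call in dcesrv_auth_pkt_pull().` — provided that is really where every packet type reaching this point ends up; I cannot tell from the hunk whether a packet without an auth trailer still passes through dcesrv_auth_pkt_pull(), and if some path skips it the invalid context would proceed unchallenged. The enclosing dcesrv_process_ncacn_packet continues outside the hunk.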