From 1fdd8fa2fded1985fbfc6aa67394eebcdbb6a2fc Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Apr 06 2020 10:05:40 +0000
Subject: Use ndr_pull_steal_switch_value for modern samba versions


commit bc56b10aea999284458dcc293b54cf65288e325d attempted to
fix the build error resulting from removal of 'ndr_pull_get_switch'

This change uses the new replacement method
'ndr_pull_steal_switch_value' however depending on the samba version
the ndr_pull_steal_switch_value abi is different.

Note: ndr_pull_steal_switch_value is used since samba 4.10 for
      the affected methods

Note: the following methods have been refreshed from samba-4.12 generated
      code;

    o ndr_pull_security_ace_object_type
    o ndr_pull_security_ace_object_inherited_type
    o ndr_pull_security_ace_object_ctr

Signed-off-by: Noel Power <noel.power@suse.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

---

diff --git a/src/external/samba.m4 b/src/external/samba.m4
index 7faebd6..9778ab9 100644
--- a/src/external/samba.m4
+++ b/src/external/samba.m4
@@ -130,10 +130,17 @@ int main(void)
         AC_DEFINE_UNQUOTED(SMB_IDMAP_DOMAIN_HAS_DOM_SID, 1,
                            [Samba's struct idmap_domain has dom_sid member])
         AC_MSG_NOTICE([Samba's struct idmap_domain has dom_sid member])
+        if test $samba_minor_version -ge 12 ; then
+            AC_DEFINE_UNQUOTED(SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH, 1,
+                               [Samba's new push/pull switch functions])
+            AC_MSG_NOTICE([Samba has support for new ndr_push_steal_switch_value and ndr_pull_steal_switch_value functions])
+        else
+            AC_MSG_NOTICE([Samba supports old ndr_pull_steal_switch_value and ndr_pull_steal_switch_value functions])
+        fi
     else
         AC_MSG_NOTICE([Samba's struct idmap_domain does not have dom_sid member])
+        AC_MSG_NOTICE([Samba supports old ndr_pull_steal_switch_value and ndr_pull_steal_switch_value functions])
     fi
-
 fi
 
 SAVE_CFLAGS=$CFLAGS
diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
index 8f405aa..069d552 100644
--- a/src/providers/ad/ad_gpo_ndr.c
+++ b/src/providers/ad/ad_gpo_ndr.c
@@ -105,9 +105,14 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
                                   union security_ace_object_type *r)
 {
     uint32_t level;
-    level = ndr_token_peek(&ndr->switch_list, r);
     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
     if (ndr_flags & NDR_SCALARS) {
+        /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */
+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
+        NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
+#else
+        level = ndr_pull_steal_switch_value(ndr, r);
+#endif
         NDR_CHECK(ndr_pull_union_align(ndr, 4));
         switch (level) {
         case SEC_ACE_OBJECT_TYPE_PRESENT: {
@@ -117,14 +122,6 @@ ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
             break; }
         }
     }
-    if (ndr_flags & NDR_BUFFERS) {
-        switch (level) {
-        case SEC_ACE_OBJECT_TYPE_PRESENT:
-            break;
-        default:
-            break;
-        }
-    }
     return NDR_ERR_SUCCESS;
 }
 
@@ -135,9 +132,14 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
                                             union security_ace_object_inherited_type *r)
 {
     uint32_t level;
-    level = ndr_token_peek(&ndr->switch_list, r);
     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
     if (ndr_flags & NDR_SCALARS) {
+        /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */
+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
+        NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
+#else
+        level = ndr_pull_steal_switch_value(ndr, r);
+#endif
         NDR_CHECK(ndr_pull_union_align(ndr, 4));
         switch (level) {
         case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT: {
@@ -149,14 +151,6 @@ ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
             break; }
         }
     }
-    if (ndr_flags & NDR_BUFFERS) {
-        switch (level) {
-        case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT:
-            break;
-        default:
-            break;
-        }
-    }
     return NDR_ERR_SUCCESS;
 }
 
@@ -198,9 +192,14 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
                                  union security_ace_object_ctr *r)
 {
     uint32_t level;
-    level = ndr_token_peek(&ndr->switch_list, r);
     NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
     if (ndr_flags & NDR_SCALARS) {
+        /* This token is not used again (except perhaps below in the NDR_BUFFERS case) */
+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
+        NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
+#else
+        level = ndr_pull_steal_switch_value(ndr, r);
+#endif
         NDR_CHECK(ndr_pull_union_align(ndr, 4));
         switch (level) {
         case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: {
@@ -224,6 +223,14 @@ ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
         }
     }
     if (ndr_flags & NDR_BUFFERS) {
+        if (!(ndr_flags & NDR_SCALARS)) {
+            /* We didn't get it above, and the token is not needed after this. */
+#ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
+            NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
+#else
+            level = ndr_pull_steal_switch_value(ndr, r);
+#endif
+        }
         switch (level) {
         case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
             NDR_CHECK(ndr_pull_security_ace_object