authorAndrew Tridgell <tridge@samba.org>2004-12-12 08:35:11 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:07:20 -0500
commit1960714669d03ce6c2f1fda34e9798cda555c962 (patch)
tree26649cdfa6ee3d0a2663facb634a1be0ed502465
parentf2dbe4610704d97725a69c076af52fbb6e899640 (diff)
r4161: two more fixes for NT4 clients. Bugs found by kukks.
- nt4 doesn't set up the pfc flags correctly for rpc packet types other than normal requests, so don't check for fragmented packets unless they are of type request
- ensure we give STATUS_BUFFER_OVERFLOW when we return a partial fragment in SMBtrans requests on ncacn_np

(This used to be commit 83ebffec3215c58c5cebf1a7c9a58904854203c8)
-rw-r--r--source4/rpc_server/dcerpc_server.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 3afe5f1dc5..6e608fd30b 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -849,7 +849,8 @@ NTSTATUS dcesrv_input_process(struct dcesrv_connection *dce_conn)
dce_partial_advance(dce_conn, blob.length);
/* see if this is a continued packet */
- if (!(call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST)) {
+ if (call->pkt.ptype == DCERPC_PKT_REQUEST &&
+ !(call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST)) {
struct dcesrv_call_state *call2 = call;
uint32_t alloc_size;
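Review bot: With the added `call->pkt.ptype == DCERPC_PKT_REQUEST` guard on the FIRST-flag test, and the identical guard on the LAST-flag test in the next hunk, the client-supplied fragment flags are no longer validated for any other packet type, so a non-request PDU that really is a fragment would be dispatched as if it were complete. Whether the per-ptype handlers later in dcesrv_input_process cope with that cannot be seen here, because the function continues outside both hunks. The reason for the exemption exists only in the commit message; I would record it at the first check, e.g. `/* NT4 clients do not set pfc_flags correctly on non-request PDUs, so only requests are treated as fragmentable */`, and point the second check at it.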
@@ -895,7 +896,8 @@ NTSTATUS dcesrv_input_process(struct dcesrv_connection *dce_conn)
/* this may not be the last pdu in the chain - if its isn't then
just put it on the call_list and wait for the rest */
- if (!(call->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST)) {
+ if (call->pkt.ptype == DCERPC_PKT_REQUEST &&
+ !(call->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST)) {
DLIST_ADD_END(dce_conn->call_list, call, struct dcesrv_call_state *);
return NT_STATUS_OK;
}
@@ -998,6 +1000,8 @@ NTSTATUS dcesrv_output(struct dcesrv_connection *dce_conn,
if (rep->data.length == 0) {
/* we're done with this section of the call */
DLIST_REMOVE(call->replies, rep);
+ } else {
+ return STATUS_BUFFER_OVERFLOW;
}
if (call->replies == NULL) {
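Review bot: The new `else` branch returns `STATUS_BUFFER_OVERFLOW` whenever `rep->data.length` is non-zero, but nothing in this hunk limits that to the SMBtrans-on-ncacn_np case named in the commit message. If dcesrv_output is also reached from other transports, a short write there would now surface the same status; those callers are outside the hunk, so this is an inference to confirm. The status is a warning-class code meaning "more data pending", so any caller that treats every non-OK NTSTATUS as fatal would drop the connection on a partial fragment. I would state the contract at the return, e.g. `/* partial fragment sent: not a failure, the caller must come back for the rest */`, and check that each caller tests for this value explicitly. The early return also skips the `call->replies == NULL` handling below, which looks intentional since the reply is still queued.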