diff options
-rw-r--r-- | source3/rpc_client/rpc_transport_np.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c index 623a8b37cf..de734fe17d 100644 --- a/source3/rpc_client/rpc_transport_np.c +++ b/source3/rpc_client/rpc_transport_np.c @@ -206,6 +206,7 @@ static NTSTATUS rpc_np_read_recv(struct tevent_req *req, ssize_t *preceived) struct rpc_np_trans_state { uint16_t setup[2]; + uint32_t max_rdata_len; uint8_t *rdata; uint32_t rdata_len; }; @@ -228,6 +229,8 @@ static struct tevent_req *rpc_np_trans_send(TALLOC_CTX *mem_ctx, return NULL; } + state->max_rdata_len = max_rdata_len; + SSVAL(state->setup+0, 0, TRANSACT_DCERPCCMD); SSVAL(state->setup+1, 0, np_transport->fnum); @@ -257,10 +260,24 @@ static void rpc_np_trans_done(struct tevent_req *subreq) status = cli_trans_recv(subreq, state, NULL, 0, NULL, NULL, 0, NULL, &state->rdata, 0, &state->rdata_len); TALLOC_FREE(subreq); + if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) { + status = NT_STATUS_OK; + } if (!NT_STATUS_IS_OK(status)) { tevent_req_nterror(req, status); return; } + + if (state->rdata_len > state->max_rdata_len) { + tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + + if (state->rdata_len == 0) { + tevent_req_nterror(req, NT_STATUS_PIPE_BROKEN); + return; + } + tevent_req_done(req); } |