Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/ntdomain.h | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe_hnd.c | 18 |
2 files changed, 19 insertions, 1 deletions
diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h index 2d6a358391..7ac4dcefd1 100644 --- a/source3/include/ntdomain.h +++ b/source3/include/ntdomain.h @@ -89,7 +89,7 @@ typedef struct _input_data { * pdu is seen, then the data is copied into the in_data * structure. The maximum size of this is 0x1630 (RPC_MAX_PDU_FRAG_LEN). */ - unsigned char current_in_pdu[RPC_MAX_PDU_FRAG_LEN]; + uint8_t *current_in_pdu; /* * The amount of data needed to complete the in_pdu. diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c index 4cbe8d67a3..56c4a317e5 100644 --- a/source3/rpc_server/srv_pipe_hnd.c +++ b/source3/rpc_server/srv_pipe_hnd.c @@ -192,6 +192,15 @@ static ssize_t fill_rpc_header(pipes_struct *p, char *data, size_t data_to_copy) (unsigned int)data_to_copy, (unsigned int)len_needed_to_complete_hdr, (unsigned int)p->in_data.pdu_received_len )); + if (p->in_data.current_in_pdu == NULL) { + p->in_data.current_in_pdu = talloc_array(p, uint8_t, + RPC_HEADER_LEN); + } + if (p->in_data.current_in_pdu == NULL) { + DEBUG(0, ("talloc failed\n")); + return -1; + } + memcpy((char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, len_needed_to_complete_hdr); p->in_data.pdu_received_len += len_needed_to_complete_hdr; @@ -312,6 +321,14 @@ static ssize_t unmarshall_rpc_header(pipes_struct *p) prs_mem_free(&rpc_in); + p->in_data.current_in_pdu = TALLOC_REALLOC_ARRAY( + p, p->in_data.current_in_pdu, uint8_t, p->hdr.frag_len); + if (p->in_data.current_in_pdu == NULL) { + DEBUG(0, ("talloc failed\n")); + set_incoming_fault(p); + return -1; + } + return 0; /* No extra data processed. */ } @@ -635,6 +652,7 @@ static void process_complete_pdu(pipes_struct *p) /* * Reset the lengths. We're ready for a new pdu. */ + TALLOC_FREE(p->in_data.current_in_pdu); p->in_data.pdu_needed_len = 0; p->in_data.pdu_received_len = 0; } |
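Review bot: The comment kept above `current_in_pdu` in ntdomain.h still says the maximum size is 0x1630 (RPC_MAX_PDU_FRAG_LEN), but after this change the field is a heap pointer and the type no longer bounds it. I would replace that sentence with something like `/* talloc'ed on the pipes_struct: RPC_HEADER_LEN bytes while the header is read, then resized to hdr.frag_len; NULL between PDUs. */`. With the fixed array gone, every writer that indexes by pdu_received_len depends on the current allocation size, so the size and lifetime contract is worth stating where the field is declared. The struct starts and ends outside the hunk.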
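Review bot: The new allocation-failure path in fill_rpc_header returns -1 without calling `set_incoming_fault(p)`, while the equivalent path added to unmarshall_rpc_header does call it. Unless the caller already faults the pipe on -1 (not visible here), the two should match, i.e. add `set_incoming_fault(p);` before `return -1;`. The lazy allocation also treats any non-NULL buffer as at least RPC_HEADER_LEN bytes, and the memcpy that follows writes at offset pdu_received_len, so that holds only if every path that resets the lengths also frees the buffer or leaves one of at least header size. The two NULL tests could be nested so the failure check sits directly under the talloc_array call. The function body starts and ends outside the hunk.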
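Review bot: The buffer is resized to `p->hdr.frag_len`, a length taken from the PDU header sent by the peer, and the hunk shows no range check before the TALLOC_REALLOC_ARRAY call. The fixed array used to be the backstop; now a frag_len below RPC_HEADER_LEN would shrink the buffer under the header bytes already stored, and one above RPC_MAX_PDU_FRAG_LEN would let the client choose the allocation size. If unmarshall_rpc_header does not already reject such values earlier (its body starts above the hunk), add `if (p->hdr.frag_len < RPC_HEADER_LEN || p->hdr.frag_len > RPC_MAX_PDU_FRAG_LEN)` with the same fault-and-return handling before the resize. Assigning the result straight back to `current_in_pdu` also overwrites the only reference to the old block on failure; it presumably stays parented to `p`, so a temporary is a tidiness point rather than a leak fix.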