Diffstat (limited to 'source3')
-rw-r--r--source3/include/ntdomain.h2
-rw-r--r--source3/rpc_server/srv_pipe_hnd.c18
2 files changed, 19 insertions, 1 deletions
diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
index 2d6a358391..7ac4dcefd1 100644
--- a/source3/include/ntdomain.h
+++ b/source3/include/ntdomain.h
@@ -89,7 +89,7 @@ typedef struct _input_data {
* pdu is seen, then the data is copied into the in_data
* structure. The maximum size of this is 0x1630 (RPC_MAX_PDU_FRAG_LEN).
*/
- unsigned char current_in_pdu[RPC_MAX_PDU_FRAG_LEN];
+ uint8_t *current_in_pdu;
/*
* The amount of data needed to complete the in_pdu.
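Review bot: The comment kept above `current_in_pdu` still says the maximum size is 0x1630 (RPC_MAX_PDU_FRAG_LEN), but once the field is `uint8_t *current_in_pdu;` nothing in the type enforces that bound. I would reword it to say that the buffer is talloc-allocated per PDU, starts at RPC_HEADER_LEN bytes, is resized to the header's frag_len, and is NULL between PDUs. Any `sizeof(p->in_data.current_in_pdu)` left in code outside this diff would now yield the pointer size rather than the buffer size, so those uses are worth grepping for. The struct definition starts and ends outside the hunk.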
diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
index 4cbe8d67a3..56c4a317e5 100644
--- a/source3/rpc_server/srv_pipe_hnd.c
+++ b/source3/rpc_server/srv_pipe_hnd.c
@@ -192,6 +192,15 @@ static ssize_t fill_rpc_header(pipes_struct *p, char *data, size_t data_to_copy)
(unsigned int)data_to_copy, (unsigned int)len_needed_to_complete_hdr,
(unsigned int)p->in_data.pdu_received_len ));
+ if (p->in_data.current_in_pdu == NULL) {
+ p->in_data.current_in_pdu = talloc_array(p, uint8_t,
+ RPC_HEADER_LEN);
+ }
+ if (p->in_data.current_in_pdu == NULL) {
+ DEBUG(0, ("talloc failed\n"));
+ return -1;
+ }
+
memcpy((char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, len_needed_to_complete_hdr);
p->in_data.pdu_received_len += len_needed_to_complete_hdr;
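Review bot: The talloc failure path added to fill_rpc_header returns -1 without calling `set_incoming_fault(p)`, whereas the matching failure path in unmarshall_rpc_header does call it. Unless the caller already marks the pipe as faulted on -1 (not visible here), add `set_incoming_fault(p);` before `return -1;` so both paths leave the pipe in the same state. The two consecutive NULL tests would also read better with the failure check nested inside the allocation branch. When the pointer is already non-NULL on entry, the memcpy relies on the existing buffer holding at least RPC_HEADER_LEN bytes, so a one-line comment stating that invariant would help. The function body starts and ends outside the hunk.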
@@ -312,6 +321,14 @@ static ssize_t unmarshall_rpc_header(pipes_struct *p)
prs_mem_free(&rpc_in);
+ p->in_data.current_in_pdu = TALLOC_REALLOC_ARRAY(
+ p, p->in_data.current_in_pdu, uint8_t, p->hdr.frag_len);
+ if (p->in_data.current_in_pdu == NULL) {
+ DEBUG(0, ("talloc failed\n"));
+ set_incoming_fault(p);
+ return -1;
+ }
+
return 0; /* No extra data processed. */
}
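Review bot: `p->hdr.frag_len` comes from the header just unmarshalled off the wire and is used directly as the new allocation size, but no range check on it is visible in this hunk. Confirm that the code above rejects values outside RPC_HEADER_LEN..RPC_MAX_PDU_FRAG_LEN before this point. A smaller value would shrink the buffer below the header bytes already copied into it, and a larger one drops the cap that the old fixed array enforced. A comment such as `/* frag_len already checked: RPC_HEADER_LEN <= frag_len <= RPC_MAX_PDU_FRAG_LEN */` would record that dependency. Assigning the realloc result straight back to `p->in_data.current_in_pdu` also discards the only pointer to the old block on failure, so a temporary that is assigned only on success would be cleaner. The start of the function is outside the hunk.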
@@ -635,6 +652,7 @@ static void process_complete_pdu(pipes_struct *p)
/*
* Reset the lengths. We're ready for a new pdu.
*/
+ TALLOC_FREE(p->in_data.current_in_pdu);
p->in_data.pdu_needed_len = 0;
p->in_data.pdu_received_len = 0;
}
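Review bot: The buffer is released only here, on the completed-PDU path. Paths that abandon a PDU early (for example after set_incoming_fault) are outside this hunk, and if they reset pdu_received_len without freeing, fill_rpc_header will reuse a buffer sized for the previous fragment. That is safe only while that size is at least RPC_HEADER_LEN, so it is worth confirming those paths also call `TALLOC_FREE(p->in_data.current_in_pdu);`. The comment above the added line should mention the free as well, e.g. `Free the PDU buffer and reset the lengths. We're ready for a new pdu.`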