From 274f575b2419800ef1a69f303088711eebb73b1a Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 14 Jan 2009 12:58:13 +0100
Subject: Check the fragment size the server has sent us
---
 source3/rpc_client/cli_pipe.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'source3/rpc_client/cli_pipe.c')
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index bc0d163aa0..0a208bae36 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -343,6 +343,13 @@ static NTSTATUS cli_pipe_get_current_pdu(struct rpc_pipe_client *cli, RPC_HDR *p
 return NT_STATUS_BUFFER_TOO_SMALL;
 }
+ if (prhdr->frag_len > cli->max_recv_frag) {
+ DEBUG(0, ("cli_pipe_get_current_pdu: Server sent fraglen %d,"
+ " we only allow %d\n", (int)prhdr->frag_len,
+ (int)cli->max_recv_frag));
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
 /* Ensure we have frag_len bytes of data. */
 if (current_pdu_len < prhdr->frag_len) {
 if (!rpc_grow_buffer(current_pdu, prhdr->frag_len)) {
@@ -2938,6 +2945,9 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
 result->srv_name_slash = talloc_asprintf_strupper_m(
 result, "\\\\%s", result->desthost);
+ result->max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
+ result->max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
+
 if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
 TALLOC_FREE(result);
 return NT_STATUS_NO_MEMORY;
-- 
cgit
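Review bot: The new bound in cli_pipe_get_current_pdu returns NT_STATUS_BUFFER_TOO_SMALL, the same status as the check directly above it, so a caller cannot tell a server sending an over-long fragment from a short local buffer; a distinct status such as `NT_STATUS_INVALID_NETWORK_RESPONSE` would keep the two separable in logs and error handling. The rejection is logged at `DEBUG(0, ...)` on a value the server controls, so a misbehaving server can write to the client's level-0 log on every PDU; a higher debug level may be more appropriate. Only the upper bound is enforced here: whether a frag_len smaller than the RPC header is rejected is not visible, since the function starts and continues outside the hunk. A short comment above the check, e.g. `/* frag_len is server-supplied; cap it before rpc_grow_buffer() */`, would record why it has to precede the grow.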
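Review bot: The two limits are initialised only in rpc_pipe_open_np, yet the check added to cli_pipe_get_current_pdu relies on max_recv_frag being non-zero for every rpc_pipe_client. If the struct is zero-allocated and any other path creates a pipe client (none is visible in this diff), max_recv_frag stays 0 there and every received fragment is rejected; it is worth confirming that all constructors set both fields, or factoring the two assignments into one shared init helper. Both values are fixed at RPC_MAX_PDU_FRAG_LEN, and nothing in this diff lowers them if the bind negotiates a smaller fragment size, so presumably that needs a follow-up. The assignments sit between the allocation and its NULL check; moving them after `if ((result->desthost == NULL) || ...)` would keep the allocate-then-check pairing together. The function body starts and ends outside the hunk.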