From 97b84c82201ffc0689f64622125698eabc419c54 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 6 Apr 2010 12:22:54 +0200
Subject: [PATCH] s3:rpc_transport_np: handle trans rdata like the output of a
 normal read

Inspired by bug #7159.

metze
(cherry picked from commit 911287285cc4c8485b75edfad3c1ece901a69b0b)
(cherry picked from commit e2739a2bf37e654c37cbea6e510f63a7ce4adfea)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 2ce1bcd4e4430f311decb73b659c9b615d5bb4e9)
---
 source3/rpc_client/rpc_transport_np.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
index fe3303095d7..ab3a2550e8f 100644
--- a/source3/rpc_client/rpc_transport_np.c
+++ b/source3/rpc_client/rpc_transport_np.c
@@ -214,6 +214,7 @@ static NTSTATUS rpc_np_read_recv(struct async_req *req, ssize_t *preceived)
 
 struct rpc_np_trans_state {
 	uint16_t setup[2];
+	uint32_t max_rdata_len;
 	uint8_t *rdata;
 	uint32_t rdata_len;
 };
@@ -236,6 +237,8 @@ static struct async_req *rpc_np_trans_send(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
+	state->max_rdata_len = max_rdata_len;
+
 	SSVAL(state->setup+0, 0, TRANSACT_DCERPCCMD);
 	SSVAL(state->setup+1, 0, np_transport->fnum);
 
@@ -266,10 +269,24 @@ static void rpc_np_trans_done(struct async_req *subreq)
 	status = cli_trans_recv(subreq, state, NULL, NULL, NULL, NULL,
 				&state->rdata, &state->rdata_len);
 	TALLOC_FREE(subreq);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
+		status = NT_STATUS_OK;
+	}
 	if (!NT_STATUS_IS_OK(status)) {
 		async_req_nterror(req, status);
 		return;
 	}
+
+	if (state->rdata_len > state->max_rdata_len) {
+		async_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+		return;
+	}
+
+	if (state->rdata_len == 0) {
+		async_req_nterror(req, NT_STATUS_PIPE_BROKEN);
+		return;
+	}
+
 	async_req_done(req);
 }
 
-- 
2.47.3