librpc/rpc: let dcerpc_read_ncacn_packet_next_vector() handle fragments without any...

DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED don't have any payload by
default. In order to receive them via dcerpc_read_ncacn_packet_send/recv
we need to allow fragments with frag_len == DCERPC_NCACN_PAYLOAD_OFFSET.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15446

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 5c724a3e156ae734e4d187bf9639d895bb011834)

diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index c3997eb1b19f1f6e76b9f7dcb39a91e151118cd0..e3c81b6194ae898078b9c93f6544b199e454a370 100644 (file)
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -565,9 +565,14 @@ static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
 
                ofs = state->buffer.length;
 
-               if (frag_len < ofs) {
+               if (frag_len <= ofs) {
                        /*
-                        * something is wrong, let the caller deal with it
+                        * With frag_len == ofs, we are done, this is likely
+                        * a DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
+                        * without any payload.
+                        *
+                        * Otherwise it's a broken packet and we
+                        * let the caller deal with it.
                         */
                        *_vector = NULL;
                        *_count = 0;