From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 7 Aug 2023 14:16:27 +0000 (+0200)
Subject: librpc/rpc: let dcerpc_read_ncacn_packet_next_vector() handle fragments without any... 
X-Git-Tag: samba-4.17.11~58
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4233de9bd485f45dc44b19fc6fd7221c6bb9e2e0;p=thirdparty%2Fsamba.git

librpc/rpc: let dcerpc_read_ncacn_packet_next_vector() handle fragments without any payload

DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED don't have any payload by
default. In order to receive them via dcerpc_read_ncacn_packet_send/recv
we need to allow fragments with frag_len == DCERPC_NCACN_PAYLOAD_OFFSET.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15446

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 5c724a3e156ae734e4d187bf9639d895bb011834)
---

diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index c3997eb1b19..e3c81b6194a 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -565,9 +565,14 @@ static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
 
 		ofs = state->buffer.length;
 
-		if (frag_len < ofs) {
+		if (frag_len <= ofs) {
 			/*
-			 * something is wrong, let the caller deal with it
+			 * With frag_len == ofs, we are done, this is likely
+			 * a DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
+			 * without any payload.
+			 *
+			 * Otherwise it's a broken packet and we
+			 * let the caller deal with it.
 			 */
 			*_vector = NULL;
 			*_count = 0;