s3:rpc_transport_np: handle trans rdata like the output of a normal read

Inspired by bug #7159.

metze
(cherry picked from commit 911287285cc4c8485b75edfad3c1ece901a69b0b)
(cherry picked from commit e2739a2bf37e654c37cbea6e510f63a7ce4adfea)

diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
index 1b9c7fc2120eb1353abad017c75ea6968b9abd6a..df7a96f2a1f2cb061c7e121579b57352c5c8ffac 100644 (file)
--- a/source3/rpc_client/rpc_transport_np.c
+++ b/source3/rpc_client/rpc_transport_np.c
@@ -206,6 +206,7 @@ static NTSTATUS rpc_np_read_recv(struct tevent_req *req, ssize_t *preceived)
 
 struct rpc_np_trans_state {
        uint16_t setup[2];
+       uint32_t max_rdata_len;
        uint8_t *rdata;
        uint32_t rdata_len;
 };
@@ -228,6 +229,8 @@ static struct tevent_req *rpc_np_trans_send(TALLOC_CTX *mem_ctx,
                return NULL;
        }
 
+       state->max_rdata_len = max_rdata_len;
+
        SSVAL(state->setup+0, 0, TRANSACT_DCERPCCMD);
        SSVAL(state->setup+1, 0, np_transport->fnum);
 
@@ -257,10 +260,24 @@ static void rpc_np_trans_done(struct tevent_req *subreq)
        status = cli_trans_recv(subreq, state, NULL, NULL, NULL, NULL,
                                &state->rdata, &state->rdata_len);
        TALLOC_FREE(subreq);
+       if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
+               status = NT_STATUS_OK;
+       }
        if (!NT_STATUS_IS_OK(status)) {
                tevent_req_nterror(req, status);
                return;
        }
+
+       if (state->rdata_len > state->max_rdata_len) {
+               tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+               return;
+       }
+
+       if (state->rdata_len == 0) {
+               tevent_req_nterror(req, NT_STATUS_PIPE_BROKEN);
+               return;
+       }
+
        tevent_req_done(req);
 }