--- libaitrpc/src/cli.c 2010/06/28 17:10:39 1.1.1.1.2.4
+++ libaitrpc/src/cli.c 2011/08/18 15:08:03 1.3
@@ -3,9 +3,46 @@ * by Michael Pounov * * $Author: misho $ -* $Id: cli.c,v 1.1.1.1.2.4 2010/06/28 17:10:39 misho Exp $ +* $Id: cli.c,v 1.3 2011/08/18 15:08:03 misho Exp $ * -*************************************************************************/ +************************************************************************** +The ELWIX and AITNET software is distributed under the following +terms: + +All of the documentation and software included in the ELWIX and AITNET +Releases is copyrighted by ELWIX - Sofia/Bulgaria + +Copyright 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 + by Michael Pounov . All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. All advertising materials mentioning features or use of this software + must display the following acknowledgement: +This product includes software developed by Michael Pounov +ELWIX - Embedded LightWeight unIX and its contributors. +4. Neither the name of AITNET nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY AITNET AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. +*/ #include "global.h" @@ -214,7 +251,7 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule, fd_set fds; u_char buf[BUFSIZ], str[MAXPATHLEN + UCHAR_MAX + 1], *data; struct tagRPCCall *rpc = (struct tagRPCCall*) buf; - struct tagRPCRet *rrpc; + struct tagRPCRet *rrpc = NULL; int ret = 0, Limit = 0; register int i; rpc_val_t *v; @@ -239,8 +276,12 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule, Limit = sizeof(struct tagRPCCall); if (in_argc) { v = (rpc_val_t*) (buf + sizeof(struct tagRPCCall)); + if (in_argc * sizeof(rpc_val_t) > BUFSIZ - Limit) { + rpc_SetErr(EMSGSIZE, "Error:: in prepare RPC packet values (-7) ...\n"); + return -7; + } else + Limit += in_argc * sizeof(rpc_val_t); memcpy(v, in_vals, in_argc * sizeof(rpc_val_t)); - Limit += in_argc * sizeof(rpc_val_t); data = (u_char*) v + in_argc * sizeof(rpc_val_t); for (i = 0; i < in_argc; i++) { switch (in_vals[i].val_type) { @@ -256,7 +297,7 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule, Limit += in_vals[i].val_len; break; case string: - if (Limit + in_vals[i].val_len + 1 > BUFSIZ) { + if (Limit + in_vals[i].val_len > BUFSIZ) { ret = -7; break; } @@ -280,7 +321,7 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule, return -1; } if (ret != Limit) { - rpc_SetErr(EBADMSG, "Error:: in send RPC request, should be send %d bytes, really is %d\n", + rpc_SetErr(ECANCELED, "Error:: in send RPC request, should be send %d bytes, really is %d\n", Limit, ret); return -9; } 
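Review bot: The added guard `in_argc * sizeof(rpc_val_t) > BUFSIZ - Limit` multiplies before it compares, so where the product can exceed the range of size_t (or if `in_argc` is signed and negative; its declaration is outside this hunk) a wrapped value can pass the check while the loop below still iterates `in_argc` times. Comparing by division avoids the wrap: `if (in_argc > (BUFSIZ - Limit) / sizeof(rpc_val_t))`, with a negative count rejected first if the type is signed. The additive check in the `case string:` hunk that follows, `Limit + in_vals[i].val_len > BUFSIZ`, has the same shape and is safer written as `in_vals[i].val_len > BUFSIZ - Limit`, which is the form this commit already uses on the receive side.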
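Review bot: Dropping the `+ 1` in `case string:` means the capacity check no longer reserves a byte for a terminator, so it is only correct if the copy that follows writes exactly `val_len` bytes and `val_len` already counts the NUL. The copy and the `Limit`/`data` updates for this case are outside the hunk; if any of them still advances by `val_len + 1`, the last byte can land one past the end of `buf`. A comment above the check would pin the convention down, for example `/* val_len counts the terminating NUL; exactly val_len bytes are copied */`.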
@@ -298,23 +339,30 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule,
 LOGERR;
 return -3;
 }
- if (!ret) // receive EOF
+ if (!ret) /* receive EOF! */
 return 0;
- if (ret < sizeof(struct tagRPCCall)) {
+ if (ret < sizeof(struct tagRPCRet)) {
 rpc_SetErr(EMSGSIZE, "Error:: too short RPC packet ...\n");
 return -4;
 } else
 rrpc = (struct tagRPCRet*) buf;
- // check RPC packet session info
+ /* check RPC packet session info */
 if (memcmp(&rrpc->ret_session, cli->cli_parent, sizeof rrpc->ret_session)) {
 rpc_SetErr(EINVAL, "Error:: get invalid RPC session ...\n");
 return -5;
- }
+ } else
+ Limit = sizeof(struct tagRPCRet);
 if (rrpc->ret_retcode < 0 && rrpc->ret_errno) {
- rpc_SetErr(rrpc->ret_errno, "Error::Server side: %s\n", strerror(rrpc->ret_errno));
+ rpc_SetErr(rrpc->ret_errno, "Error::Server side: %d %s\n",
+ rrpc->ret_retcode, strerror(rrpc->ret_errno));
 return -6;
 }
- // RPC is OK! Go decapsulate variables ...
+ if (rrpc->ret_argc * sizeof(rpc_val_t) > BUFSIZ - Limit) {
+ rpc_SetErr(EMSGSIZE, "Error:: reply RPC packet is too big ...\n");
+ return -7;
+ } else
+ Limit += rrpc->ret_argc * sizeof(rpc_val_t);
+ /* RPC is OK! Go decapsulate variables ... */
 if (rrpc->ret_argc) {
 *out_argc = rrpc->ret_argc;
 *out_vals = calloc(rrpc->ret_argc, sizeof(rpc_val_t));
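Review bot: The new `ret_argc` guard bounds the reply against `BUFSIZ`, the capacity of `buf`, rather than against `ret`, the number of bytes actually received. A short reply that declares more values than it carries therefore stays inside the array but is parsed from bytes the peer never sent; `buf` is the same array the request was built in, and whether it is cleared before the receive is not visible here. Bounding by the received length keeps parsing inside the reply and also avoids the product wrapping: `if (rrpc->ret_argc > (ret - Limit) / sizeof(rpc_val_t))`. The same applies to the per-value `val_len > BUFSIZ - Limit` checks added in the two following hunks. rpc_cli_execCall starts and ends outside this hunk.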
@@ -323,13 +371,21 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule,
 *out_argc = 0;
 return -1;
 } else
- Limit = rrpc->ret_argc * sizeof(rpc_val_t);
- memcpy(*out_vals, buf + sizeof(struct tagRPCRet), Limit);
- // RPC received variables types OK!
- data = (u_char*) buf + sizeof(struct tagRPCRet) + Limit;
+ memcpy(*out_vals, buf + sizeof(struct tagRPCRet), Limit - sizeof(struct tagRPCRet));
+ /* RPC received variables types OK! */
+ data = (u_char*) buf + Limit;
 for (i = 0; i < rrpc->ret_argc; i++)
 switch ((*out_vals)[i].val_type) {
 case buffer:
+ if ((*out_vals)[i].val_len > BUFSIZ - Limit) {
+ rpc_SetErr(EMSGSIZE, "Error:: Too big RPC packet ...\n");
+ free(*out_vals);
+ *out_vals = NULL;
+ *out_argc = 0;
+ return -7;
+ } else
+ Limit += (*out_vals)[i].val_len;
+
 (*out_vals)[i].val.buffer = malloc((*out_vals)[i].val_len);
 if (!(*out_vals)[i].val.buffer) {
 rpc_SetErr(errno, "Error:: in prepare RPC reply ...\n");
@@ -342,15 +398,25 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule,
 data += (*out_vals)[i].val_len;
 break;
 case string:
- (*out_vals)[i].val.string = (int8_t*) strdup((char*) data);
+ if ((*out_vals)[i].val_len > BUFSIZ - Limit) {
+ rpc_SetErr(EMSGSIZE, "Error:: Too big RPC packet ...\n");
+ free(*out_vals);
+ *out_vals = NULL;
+ *out_argc = 0;
+ return -7;
+ } else
+ Limit += (*out_vals)[i].val_len;
+
+ (*out_vals)[i].val.string = malloc((*out_vals)[i].val_len);
 if (!(*out_vals)[i].val.string) {
 rpc_SetErr(errno, "Error:: in prepare RPC reply ...\n");
 free(*out_vals);
 *out_vals = NULL;
 *out_argc = 0;
 return -1;
- }
- data += (*out_vals)[i].val_len + 1;
+ } else
+ memcpy((*out_vals)[i].val.string, data, (*out_vals)[i].val_len);
+ data += (*out_vals)[i].val_len;
 break;
 default:
 break;
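Review bot: The new `return -7` path under `case buffer:` frees only the `*out_vals` array, so any `val.buffer` or `val.string` already allocated for earlier elements of this loop is leaked. Because the length that trips the check comes from the reply, a peer can cause that leak on every call by putting an oversized `val_len` on a later element. Release the per-element allocations for indexes below `i` before `free(*out_vals)`. The matching path added under `case string:` in the next hunk needs the same, and the malloc-failure paths shown as context appear to share it. The loop and the function continue outside the hunk.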
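Review bot: Replacing `strdup` with `malloc(val_len)` plus `memcpy` leaves `val.string` without a guaranteed terminator: the result is a C string only if the peer counted the NUL in `val_len` and actually sent one. Either reserve the byte locally, with `malloc((*out_vals)[i].val_len + 1)` and `(*out_vals)[i].val.string[(*out_vals)[i].val_len] = 0;` after the copy, or reject a value whose last byte is not zero. A `val_len` of 0 also reaches `malloc(0)`, which may return NULL and would then be reported as an allocation failure. How callers consume `val.string` is not visible in this diff, so the impact on readers of the value is inferred.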