--- libaitrpc/src/cli.c 2010/07/08 07:16:36 1.1.1.1.2.5
+++ libaitrpc/src/cli.c 2010/07/12 08:46:41 1.1.1.1.2.6
@@ -3,7 +3,7 @@
 * by Michael Pounov
 *
 * $Author: misho $
-* $Id: cli.c,v 1.1.1.1.2.5 2010/07/08 07:16:36 misho Exp $
+* $Id: cli.c,v 1.1.1.1.2.6 2010/07/12 08:46:41 misho Exp $
 *
 *************************************************************************/
 #include "global.h"
@@ -263,8 +263,8 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule,
 memcpy(data, in_vals[i].val.string, in_vals[i].val_len);
 v[i].val.string = (int8_t*) ((void*) data - (void*) v);
- data += in_vals[i].val_len;
- Limit += in_vals[i].val_len;
+ data += in_vals[i].val_len + 1;
+ Limit += in_vals[i].val_len + 1;
 break;
 default:
 break;
@@ -300,7 +300,7 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule,
 }
 if (!ret) // receive EOF
 return 0;
- if (ret < sizeof(struct tagRPCCall)) {
+ if (ret < sizeof(struct tagRPCRet)) {
 rpc_SetErr(EMSGSIZE, "Error:: too short RPC packet ...\n");
 return -4;
 } else
@@ -309,12 +309,18 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule,
 if (memcmp(&rrpc->ret_session, cli->cli_parent, sizeof rrpc->ret_session)) {
 rpc_SetErr(EINVAL, "Error:: get invalid RPC session ...\n");
 return -5;
- }
+ } else Limit = sizeof(struct tagRPCRet);
 if (rrpc->ret_retcode < 0 && rrpc->ret_errno) {
 rpc_SetErr(rrpc->ret_errno, "Error::Server side: %d %s\n", rrpc->ret_retcode, strerror(rrpc->ret_errno));
 return -6;
 }
+ if (rrpc->ret_argc * sizeof(rpc_val_t) > BUFSIZ - Limit) { rpc_SetErr(EMSGSIZE, "Error:: reply RPC packet is too big ...\n"); return -7; } else Limit += rrpc->ret_argc * sizeof(rpc_val_t);
 // RPC is OK! Go decapsulate variables ...
 if (rrpc->ret_argc) {
 *out_argc = rrpc->ret_argc;
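Review bot: The string case now advances `data` and `Limit` by `val_len + 1` to leave room for the terminating NUL, but the `memcpy` on the first line of the hunk still copies only `val_len` bytes, so the byte at `data[in_vals[i].val_len]` is skipped without ever being written; a decoder that reads this wire format with `strdup` (the client-side decoder later in this file does exactly that, and the server presumably mirrors it) would then consume whatever the send buffer held there, unless the buffer is zeroed before the loop, which this hunk does not show. Writing the terminator explicitly closes that gap: `data[in_vals[i].val_len] = '\0';` right after the `memcpy`. Whether `Limit` is checked against the send buffer size before the copy is also outside the hunk; if it is only validated afterwards, the extra byte has to be counted there as well. rpc_cli_execCall begins and ends outside this hunk.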
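Review bot: The corrected minimum-size check compares `ret` with the `size_t` result of `sizeof`, so if `ret` is a signed receive count and a negative value gets past the error handling that precedes `if (!ret)` (outside the hunk), it is converted to unsigned here and passes the check. The defensive form costs one line: `if (ret < 0 || (size_t)ret < sizeof(struct tagRPCRet)) {`. rpc_cli_execCall begins and ends outside this hunk.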
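Review bot: The new size check on `rrpc->ret_argc` bounds the value table against `BUFSIZ`, the capacity of the receive buffer, rather than against `ret`, the number of bytes actually received (assuming `ret` is the receive count tested in the preceding hunk), so a reply whose header announces more values than arrived is accepted and the following `memcpy` and decode loop read stale buffer contents beyond the received data. The earlier check already guarantees `ret >= sizeof(struct tagRPCRet)`, so the received length can be used directly: `if (rrpc->ret_argc * sizeof(rpc_val_t) > (size_t)ret - Limit) {`. The per-value checks added in the @@ -324 and @@ -343 hunks compare `val_len` against `BUFSIZ - Limit` in the same way and would take the same change. If `ret_argc` is wider than 16 bits the multiplication can wrap before the comparison; its declared type is not visible here and is worth confirming. rpc_cli_execCall begins and ends outside this hunk.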
@@ -324,13 +330,21 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule,
 *out_argc = 0;
 return -1;
 } else
- Limit = rrpc->ret_argc * sizeof(rpc_val_t);
- memcpy(*out_vals, buf + sizeof(struct tagRPCRet), Limit);
+ memcpy(*out_vals, buf + sizeof(struct tagRPCRet), Limit - sizeof(struct tagRPCRet));
 // RPC received variables types OK!
- data = (u_char*) buf + sizeof(struct tagRPCRet) + Limit;
+ data = (u_char*) buf + Limit;
 for (i = 0; i < rrpc->ret_argc; i++)
 switch ((*out_vals)[i].val_type) {
 case buffer:
+ if ((*out_vals)[i].val_len > BUFSIZ - Limit) { rpc_SetErr(EMSGSIZE, "Error:: Too big RPC packet ...\n"); free(*out_vals); *out_vals = NULL; *out_argc = 0; return -7; } else Limit += (*out_vals)[i].val_len;
 (*out_vals)[i].val.buffer = malloc((*out_vals)[i].val_len);
 if (!(*out_vals)[i].val.buffer) {
 rpc_SetErr(errno, "Error:: in prepare RPC reply ...\n");
@@ -343,6 +357,15 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule,
 data += (*out_vals)[i].val_len;
 break;
 case string:
+ if ((*out_vals)[i].val_len + 1 > BUFSIZ - Limit) { rpc_SetErr(EMSGSIZE, "Error:: Too big RPC packet ...\n"); free(*out_vals); *out_vals = NULL; *out_argc = 0; return -7; } else Limit += (*out_vals)[i].val_len + 1;
 (*out_vals)[i].val.string = (int8_t*) strdup((char*) data);
 if (!(*out_vals)[i].val.string) {
 rpc_SetErr(errno, "Error:: in prepare RPC reply ...\n");
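Review bot: The new error path in the buffer case frees `*out_vals` but not the `val.buffer` and `val.string` allocations that earlier iterations of the loop stored in entries `0..i-1`, so a reply with one oversized value after several valid ones leaks every value decoded before it; the string case in the @@ -343 hunk has the same gap. A small static helper that walks the entries decoded so far and frees them per `val_type`, called before `free(*out_vals)`, fixes both paths and would presumably serve the existing malloc/strdup failure paths (cut off at the hunk edges) as well. A side effect of dropping the `Limit = ...` assignment is that the `} else` on the fourth line of the hunk now governs the `memcpy`; since the if-branch returns, removing that `else` would make the control flow easier to read. rpc_cli_execCall begins and ends outside this hunk.
```c
/* Release the values decoded so far, so an abandoned reply leaks nothing.
 * n follows the type of the loop index i (not visible in the hunk). */
static void
rpc_cli_freeVals(rpc_val_t *vals, int n)
{
	int j;

	for (j = 0; j < n; j++)
		switch (vals[j].val_type) {
			case buffer:
				free(vals[j].val.buffer);
				break;
			case string:
				free(vals[j].val.string);
				break;
			default:
				break;
		}
}

/* … unchanged: reply header checks, memcpy of the value table, loop head … */
					rpc_SetErr(EMSGSIZE, "Error:: Too big RPC packet ...\n");
					rpc_cli_freeVals(*out_vals, i);
					free(*out_vals);
/* … unchanged: rest of the error path, malloc of the value buffer … */
```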
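Review bot: The new length check establishes that `val_len + 1` bytes fit in the buffer, but `strdup((char*) data)` on the line after it still trusts the peer to have put a NUL at `data[val_len]`; a reply that omits it makes `strdup` scan to the next NUL, past the announced value and, since nothing guarantees the last byte of `buf` is zero, potentially past the end of the buffer. Checking the terminator before copying keeps the decode inside the validated bytes, `if (data[(*out_vals)[i].val_len] != '\0')` taking the same EMSGSIZE error path as the size check, or, where it is available, `strndup((char*) data, (*out_vals)[i].val_len)` bounds the copy without relying on the terminator. rpc_cli_execCall begins and ends outside this hunk.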