--- libaitrpc/src/cli.c 2011/05/02 23:12:08 1.2 +++ libaitrpc/src/cli.c 2011/07/14 02:36:57 1.2.2.2 @@ -3,7 +3,7 @@ * by Michael Pounov * * $Author: misho $ -* $Id: cli.c,v 1.2 2011/05/02 23:12:08 misho Exp $ +* $Id: cli.c,v 1.2.2.2 2011/07/14 02:36:57 misho Exp $ * ************************************************************************** The ELWIX and AITNET software is distributed under the following @@ -251,7 +251,7 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule, fd_set fds; u_char buf[BUFSIZ], str[MAXPATHLEN + UCHAR_MAX + 1], *data; struct tagRPCCall *rpc = (struct tagRPCCall*) buf; - struct tagRPCRet *rrpc; + struct tagRPCRet *rrpc = NULL; int ret = 0, Limit = 0; register int i; rpc_val_t *v; @@ -276,8 +276,12 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule, Limit = sizeof(struct tagRPCCall); if (in_argc) { v = (rpc_val_t*) (buf + sizeof(struct tagRPCCall)); + if (in_argc * sizeof(rpc_val_t) > BUFSIZ - Limit) { + rpc_SetErr(EMSGSIZE, "Error:: in prepare RPC packet values (-7) ...\n"); + return -7; + } else + Limit += in_argc * sizeof(rpc_val_t); memcpy(v, in_vals, in_argc * sizeof(rpc_val_t)); - Limit += in_argc * sizeof(rpc_val_t); data = (u_char*) v + in_argc * sizeof(rpc_val_t); for (i = 0; i < in_argc; i++) { switch (in_vals[i].val_type) { @@ -293,15 +297,15 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule, Limit += in_vals[i].val_len; break; case string: - if (Limit + in_vals[i].val_len + 1 > BUFSIZ) { + if (Limit + in_vals[i].val_len > BUFSIZ) { ret = -7; break; } memcpy(data, in_vals[i].val.string, in_vals[i].val_len); v[i].val.string = (int8_t*) ((void*) data - (void*) v); - data += in_vals[i].val_len + 1; - Limit += in_vals[i].val_len + 1; + data += in_vals[i].val_len; + Limit += in_vals[i].val_len; break; default: break; @@ -335,14 +339,14 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule, LOGERR; return -3; } - if (!ret) // receive EOF + if (!ret) /* receive EOF! */ return 0; if (ret < sizeof(struct tagRPCRet)) { rpc_SetErr(EMSGSIZE, "Error:: too short RPC packet ...\n"); return -4; - } else - rrpc = (struct tagRPCRet*) buf; - // check RPC packet session info + } + rrpc = (struct tagRPCRet*) buf; + /* check RPC packet session info */ if (memcmp(&rrpc->ret_session, cli->cli_parent, sizeof rrpc->ret_session)) { rpc_SetErr(EINVAL, "Error:: get invalid RPC session ...\n"); return -5; @@ -358,7 +362,7 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule, return -7; } else Limit += rrpc->ret_argc * sizeof(rpc_val_t); - // RPC is OK! Go decapsulate variables ... + /* RPC is OK! Go decapsulate variables ... */ if (rrpc->ret_argc) { *out_argc = rrpc->ret_argc; *out_vals = calloc(rrpc->ret_argc, sizeof(rpc_val_t)); @@ -368,7 +372,7 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule, return -1; } else memcpy(*out_vals, buf + sizeof(struct tagRPCRet), Limit - sizeof(struct tagRPCRet)); - // RPC received variables types OK! + /* RPC received variables types OK! */ data = (u_char*) buf + Limit; for (i = 0; i < rrpc->ret_argc; i++) switch ((*out_vals)[i].val_type) { @@ -394,27 +398,25 @@ rpc_cli_execCall(rpc_cli_t *cli, const char *csModule, data += (*out_vals)[i].val_len; break; case string: - if ((*out_vals)[i].val_len + 1 > BUFSIZ - Limit) { + if ((*out_vals)[i].val_len > BUFSIZ - Limit) { rpc_SetErr(EMSGSIZE, "Error:: Too big RPC packet ...\n"); free(*out_vals); *out_vals = NULL; *out_argc = 0; return -7; } else - Limit += (*out_vals)[i].val_len + 1; + Limit += (*out_vals)[i].val_len; - (*out_vals)[i].val.string = (int8_t*) strdup((char*) data); + (*out_vals)[i].val.string = malloc((*out_vals)[i].val_len); if (!(*out_vals)[i].val.string) { rpc_SetErr(errno, "Error:: in prepare RPC reply ...\n"); free(*out_vals); *out_vals = NULL; *out_argc = 0; return -1; - } else { - /* sanity check ... preserve null byte */ - (*out_vals)[i].val.string[(*out_vals)[i].val_len] = 0; - } - data += (*out_vals)[i].val_len + 1; + } else + memcpy((*out_vals)[i].val.string, data, (*out_vals)[i].val_len); + data += (*out_vals)[i].val_len; break; default: break;