--- libaitrpc/src/srv.c 2010/07/08 13:05:50 1.1.1.1.2.21
+++ libaitrpc/src/srv.c 2010/07/12 08:46:41 1.1.1.1.2.22
@@ -3,7 +3,7 @@
 * by Michael Pounov
 *
 * $Author: misho $
-* $Id: srv.c,v 1.1.1.1.2.21 2010/07/08 13:05:50 misho Exp $
+* $Id: srv.c,v 1.1.1.1.2.22 2010/07/12 08:46:41 misho Exp $
 *
 *************************************************************************/
 #include "global.h"
@@ -58,19 +58,41 @@ rpc_srv_dispatchCall(void *arg)
 rpc_SetErr(EINVAL, "Error:: get invalid RPC session ...\n");
 ret = -5;
 goto makeReply;
-}
+} else
+Limit = sizeof(struct tagRPCCall);
 // RPC is OK! Go decapsulate variables ...
 if (rpc->call_argc) {
-v = (rpc_val_t*) (buf + sizeof(struct tagRPCCall));
+v = (rpc_val_t*) (buf + Limit);
+// check RPC packet length
+if (rpc->call_argc * sizeof(rpc_val_t) > BUFSIZ - Limit) {
+rpc_SetErr(EMSGSIZE, "Error:: Too big RPC packet ...\n");
+ret = -5;
+goto makeReply;
+} else
+Limit += rpc->call_argc * sizeof(rpc_val_t);
 // RPC received variables types OK!
 data = (u_char*) v + rpc->call_argc * sizeof(rpc_val_t);
 for (i = 0; i < rpc->call_argc; i++) {
 switch (v[i].val_type) {
 case buffer:
+if (v[i].val_len > BUFSIZ - Limit) {
+rpc_SetErr(EMSGSIZE, "Error:: Too big RPC packet ...\n");
+ret = -5;
+goto makeReply;
+} else
+Limit += v[i].val_len;
 v[i].val.buffer = data;
 data += v[i].val_len;
 break;
 case string:
+if (v[i].val_len + 1 > BUFSIZ - Limit) {
+rpc_SetErr(EMSGSIZE, "Error:: Too big RPC packet ...\n");
+ret = -5;
+goto makeReply;
+} else
+Limit += v[i].val_len;
 v[i].val.string = (int8_t*) data;
 data += v[i].val_len + 1;
 break;
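Review bot: In the `case string:` branch the running total is advanced by `Limit += v[i].val_len;` while the check and the data pointer both account for the terminating byte (`val_len + 1`), so every string argument leaves Limit one byte short and a packet with several strings can pass the later checks while `data` runs past BUFSIZ; the accumulator should read `Limit += v[i].val_len + 1;`. The new checks also bound each argument against BUFSIZ rather than against the number of bytes actually received into buf (the receive path is outside this hunk), so if a short packet arrives, val_len values that fit within BUFSIZ would still let the dispatcher read stale buffer contents as argument data; comparing against the received length would close that. Nothing in the string branch verifies that `data[val_len]` is in fact NUL, so if callers treat `val.string` as a C string an unterminated value read past its declared length — a one-line `if (data[v[i].val_len] != '\0') goto makeReply;`-style check (with the EMSGSIZE/EINVAL error set as the surrounding code does) would pin that. The types of Limit and val_len are not visible here; if either is signed, the comparisons with the size_t product on the `call_argc` check convert to unsigned and a negative val_len would pass, which is worth confirming. rpc_srv_dispatchCall starts before and continues after this hunk.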