--- libaitrpc/src/srv.c 2010/07/08 12:29:38 1.1.1.1.2.20
+++ libaitrpc/src/srv.c 2011/03/15 16:48:31 1.1.1.1.2.24
@@ -3,7 +3,7 @@
 * by Michael Pounov
 *
 * $Author: misho $
-* $Id: srv.c,v 1.1.1.1.2.20 2010/07/08 12:29:38 misho Exp $
+* $Id: srv.c,v 1.1.1.1.2.24 2011/03/15 16:48:31 misho Exp $
 *
 *************************************************************************/
 #include "global.h"
@@ -58,19 +58,41 @@ rpc_srv_dispatchCall(void *arg)
 rpc_SetErr(EINVAL, "Error:: get invalid RPC session ...\n");
 ret = -5;
 goto makeReply;
- }
+ } else
+ Limit = sizeof(struct tagRPCCall);
 // RPC is OK! Go decapsulate variables ...
 if (rpc->call_argc) {
- v = (rpc_val_t*) (buf + sizeof(struct tagRPCCall));
+ v = (rpc_val_t*) (buf + Limit);
+ // check RPC packet length
+ if (rpc->call_argc * sizeof(rpc_val_t) > BUFSIZ - Limit) {
+ rpc_SetErr(EMSGSIZE, "Error:: Too big RPC packet ...\n");
+ ret = -5;
+ goto makeReply;
+ } else
+ Limit += rpc->call_argc * sizeof(rpc_val_t);
 // RPC received variables types OK!
 data = (u_char*) v + rpc->call_argc * sizeof(rpc_val_t);
 for (i = 0; i < rpc->call_argc; i++) {
 switch (v[i].val_type) {
 case buffer:
+ if (v[i].val_len > BUFSIZ - Limit) {
+ rpc_SetErr(EMSGSIZE, "Error:: Too big RPC packet ...\n");
+ ret = -5;
+ goto makeReply;
+ } else
+ Limit += v[i].val_len;
 v[i].val.buffer = data;
 data += v[i].val_len;
 break;
 case string:
+ if (v[i].val_len + 1 > BUFSIZ - Limit) {
+ rpc_SetErr(EMSGSIZE, "Error:: Too big RPC packet ...\n");
+ ret = -5;
+ goto makeReply;
+ } else
+ Limit += v[i].val_len;
 v[i].val.string = (int8_t*) data;
 data += v[i].val_len + 1;
 break;
@@ -159,7 +181,7 @@ makeReply:
 break;
 }
 if (ret != Limit) {
- rpc_SetErr(EBADMSG, "Error:: in send RPC request, should be send %d bytes, "
+ rpc_SetErr(ECANCELED, "Error:: in send RPC request, should be send %d bytes, "
 "really is %d\n", Limit, ret);
 ret = -9;
 break;
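Review bot: In the `case string:` branch the new check admits `val_len + 1` bytes but `Limit` only grows by `val_len` while `data` advances by `val_len + 1`, so after k string arguments `data` sits k bytes past what `Limit` accounts for and a later `buffer`/`string` check can pass for data that ends beyond BUFSIZ. Make the bookkeeping match the pointer arithmetic: `Limit += v[i].val_len + 1;`. All three checks also bound against BUFSIZ rather than the number of bytes actually received into `buf` (not visible in this hunk); if that count is available, comparing against it would stop a client from reading back stale buffer contents from earlier requests by sending oversized length fields. Nothing verifies that `data[v[i].val_len]` is actually a NUL before the pointer is handed out as `val.string`, and whether `val_len` is an unsigned type decides whether a negative length slips past the `>` comparisons — both worth confirming against the rpc_val_t definition. rpc_srv_dispatchCall starts before and continues after this hunk.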
@@ -274,7 +296,7 @@ makeReply:
 break;
 }
 if (ret != sizeof buf) {
- rpc_SetErr(EBADMSG, "Error:: in send BLOB reply, should be send %d bytes, "
+ rpc_SetErr(ECANCELED, "Error:: in send BLOB reply, should be send %d bytes, "
 "really is %d\n", sizeof buf, ret);
 ret = -9;
 break;
@@ -580,12 +602,12 @@ rpc_srv_initServer(u_int regProgID, u_int regProcID, i
 } else
 memset(srv->srv_clients, 0, srv->srv_numcli * sizeof(rpc_cli_t));
+ pthread_mutex_init(&srv->srv_mtx, NULL);
+
 rpc_srv_registerCall(srv, NULL, CALL_SRVSHUTDOWN, 0);
 rpc_srv_registerCall(srv, NULL, CALL_SRVCLIENTS, 0);
 rpc_srv_registerCall(srv, NULL, CALL_SRVCALLS, 0);
 rpc_srv_registerCall(srv, NULL, CALL_SRVSESSIONS, 0);
-
- pthread_mutex_init(&srv->srv_mtx, NULL);
 return srv;
 }
@@ -609,8 +631,10 @@ rpc_srv_endServer(rpc_srv_t * __restrict srv)
 rpc_srv_endBLOBServer(srv);
 for (i = 0, c = srv->srv_clients; i < srv->srv_numcli && c; i++, c++)
- if (c->cli_sa.sa_family)
+ if (c->cli_sa.sa_family) {
 shutdown(c->cli_sock, SHUT_RDWR);
+ close(c->cli_sock);
+ }
 close(srv->srv_server.cli_sock);
 if (srv->srv_clients) {
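Review bot: The rewritten `rpc_SetErr(ECANCELED, ...)` line in the BLOB-reply hunk keeps `%d` for the first argument, which on the following context line is `sizeof buf` (a `size_t`), so the conversion and the argument type do not match and `-Wformat` will flag it. Use `%zu` for that conversion, or narrow the argument explicitly, e.g. `"really is %d\n", (int)sizeof buf, ret);`. The enclosing function starts and ends outside this hunk.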
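Review bot: In rpc_srv_endServer the new `close(c->cli_sock)` leaves the descriptor number in `c->cli_sock` and `cli_sa.sa_family` still set, so anything that later walks `srv_clients` can act on a closed descriptor or, once the number is reused by the kernel, on a foreign one. Resetting the slot inside the new braces, `c->cli_sock = -1;` and `c->cli_sa.sa_family = 0;`, closes that window. If a per-client handler thread also closes its socket when `shutdown()` makes its read return, this becomes a double close of a possibly reused fd, so it is worth confirming that exactly one side owns the close; the loop also appears to walk the client table without taking `srv_mtx`, which the server sets up in rpc_srv_initServer. rpc_srv_endServer continues past the end of this hunk.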