From 2544377af4f8d7e102452372bd8ebe030996e4b7 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Tue, 27 Aug 2013 14:19:22 -0400
Subject: Sanity check the request size correctly

Use the amount of data that we could have read as the upper bound on
reasonable-looking request lengths.
---
 src/disp-nis.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/disp-nis.c b/src/disp-nis.c
index a5716fe..ce78462 100644
--- a/src/disp-nis.c
+++ b/src/disp-nis.c
@@ -81,7 +81,7 @@ struct dispatch_client {
 		client_replying_final,
 	} client_state;
 	/* The client's request while we're reading it. */
-	char client_inbuf[4096];
+	char client_inbuf[8192];
 	ssize_t client_inbuf_used;
 	char *client_query;
 	ssize_t client_query_size;
@@ -717,8 +717,9 @@ client_read(struct plugin_state *state, struct dispatch_client *client)
 		len = ntohl(nlen);
 		last = ((len & 0x80000000) != 0);
 		len &= 0x7fffffff;
-		if (len > 0x10000) {
-			/* Disconnect, because that's just ridiculous. */
+		if (len > sizeof(client->client_inbuf) - 4) {
+			/* Disconnect, because that's more data than we could
+			 * have read. */
 			slapi_log_error(SLAPI_LOG_FATAL,
 					state->plugin_desc->spd_id,
 					"client fragment claims to be %d bytes "
-- 
cgit