xnu-4570.51.1.tar.gz
[apple/xnu.git] / bsd / nfs / krpc_subr.c
index 53355a6e47facb702e7e0bf0b6d5b1be1dcd8b5d..7ae7758e00307a0d5eebba6e28ccb5f12351aa82 100644 (file)
@@ -126,6 +126,7 @@ struct rpc_reply {
 };
 
 #define MIN_REPLY_HDR 16       /* xid, dir, astat, errno */
+#define REPLY_SIZE 24          /* xid, dir, astat, rpu_ok */
 
 /*
  * What is the longest we will wait before re-sending a request?
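Review bot: `REPLY_SIZE` is a hand-counted byte total, and nothing in this hunk ties it to the layout of `struct rpc_reply`, whose fields are not visible here. The length check added in krpc_call relies on it to bound the read of `rp_rstatus`, so a later change to the struct could silently reopen the out-of-bounds read. If 24 is meant to equal the full struct size (to be confirmed against the definition), a compile-time check beside the define would pin it: `_Static_assert(REPLY_SIZE == sizeof(struct rpc_reply), "REPLY_SIZE out of sync with struct rpc_reply");`.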
@@ -189,9 +190,12 @@ krpc_portmap(
                return error;
 
        rdata = mbuf_data(m);
-       *portp = rdata->port;
 
-       if (!rdata->port)
+       if (mbuf_len(m) >= sizeof(*rdata)) {
+               *portp = rdata->port;
+       }
+
+       if (mbuf_len(m) < sizeof(*rdata) || !rdata->port)
                error = EPROGUNAVAIL;
 
        mbuf_freem(m);
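Review bot: On a short reply the new code leaves `*portp` unwritten, whereas the old code always stored a value, and the same `mbuf_len(m)` comparison is now written twice. Whether callers read `*portp` after a non-zero return is not visible in this hunk, so giving it a defined value is the safer contract: put `*portp = 0;` before the length check and keep the guarded assignment. A one-line comment such as `/* reply may be shorter than the portmap result; never read past the mbuf */` would record why the guard exists. krpc_portmap begins and ends outside the hunk.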
@@ -489,8 +493,16 @@ krpc_call(
                                goto out;
                        }
 
+
+                       if (mbuf_len(m) < REPLY_SIZE) {
+                               error = RPC_SYSTEM_ERR;
+                       }
+                       else {
+                               error = ntohl(reply->rp_u.rpu_ok.rp_rstatus);
+                       }
+
                        /* Did the call succeed? */
-                       if ((error = ntohl(reply->rp_u.rpu_ok.rp_rstatus)) != 0) {
+                       if (error != 0) {
                                printf("rpc status=%d\n", error);
                                /* convert rpc error to errno */
                                switch (error) {
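Review bot: A truncated reply is folded into the server-status path by assigning `RPC_SYSTEM_ERR`, so the `rpc status=%d` log line cannot distinguish a short or malformed packet from a status the server actually sent. A distinct message in the short-reply branch, e.g. `printf("rpc reply too short: %lu bytes\n", (unsigned long)mbuf_len(m));`, would make such packets visible when triaging logs. Whether the switch that follows maps `RPC_SYSTEM_ERR` to an errno is outside the hunk and worth confirming. The new branch would also read better with a comment like `/* reply must be long enough to hold rp_rstatus before it is read */` and without the doubled blank line above it.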