Mercurial > dropbear
comparison buffer.c @ 1359:665dd8957a67 fuzz
make buf_getstring fail prior to malloc if the buffer is short
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Sat, 20 May 2017 23:39:01 +0800 |
| parents | 3fdd8c5a0195 |
| children | 5916af64acd4 |
comparison
equal
deleted
inserted
replaced
| 1358:6b89eb92f872 | 1359:665dd8957a67 |
|---|---|
| 207 * may be longer than what is returned by strlen */ | 207 * may be longer than what is returned by strlen */ |
| 208 char* buf_getstring(buffer* buf, unsigned int *retlen) { | 208 char* buf_getstring(buffer* buf, unsigned int *retlen) { |
| 209 | 209 |
| 210 unsigned int len; | 210 unsigned int len; |
| 211 char* ret; | 211 char* ret; |
| 212 void* src = NULL; | |
| 212 len = buf_getint(buf); | 213 len = buf_getint(buf); |
| 213 if (len > MAX_STRING_LEN) { | 214 if (len > MAX_STRING_LEN) { |
| 214 dropbear_exit("String too long"); | 215 dropbear_exit("String too long"); |
| 215 } | 216 } |
| 216 | 217 |
| 217 if (retlen != NULL) { | 218 if (retlen != NULL) { |
| 218 *retlen = len; | 219 *retlen = len; |
| 219 } | 220 } |
| 221 src = buf_getptr(buf, len); | |
| 220 ret = m_malloc(len+1); | 222 ret = m_malloc(len+1); |
| 221 memcpy(ret, buf_getptr(buf, len), len); | 223 memcpy(ret, src, len); |
| 222 buf_incrpos(buf, len); | 224 buf_incrpos(buf, len); |
| 223 ret[len] = '\0'; | 225 ret[len] = '\0'; |
| 224 | 226 |
| 225 return ret; | 227 return ret; |
| 226 } | 228 } |