Mercurial > dropbear
diff buffer.c @ 1359:665dd8957a67 fuzz
make buf_getstring fail prior to malloc if the buffer is short
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sat, 20 May 2017 23:39:01 +0800 |
parents | 3fdd8c5a0195 |
children | 5916af64acd4 |
line wrap: on
line diff
--- a/buffer.c Sat May 20 22:47:19 2017 +0800 +++ b/buffer.c Sat May 20 23:39:01 2017 +0800 @@ -209,6 +209,7 @@ unsigned int len; char* ret; + void* src = NULL; len = buf_getint(buf); if (len > MAX_STRING_LEN) { dropbear_exit("String too long"); @@ -217,8 +218,9 @@ if (retlen != NULL) { *retlen = len; } + src = buf_getptr(buf, len); ret = m_malloc(len+1); - memcpy(ret, buf_getptr(buf, len), len); + memcpy(ret, src, len); buf_incrpos(buf, len); ret[len] = '\0';