changeset 1359:665dd8957a67 fuzz

make buf_getstring fail prior to malloc if the buffer is short
author Matt Johnston <matt@ucc.asn.au>
date Sat, 20 May 2017 23:39:01 +0800
parents 6b89eb92f872
children 16f45f2df38f
files buffer.c
diffstat 1 files changed, 3 insertions(+), 1 deletions(-) [+]
--- a/buffer.c	Sat May 20 22:47:19 2017 +0800
+++ b/buffer.c	Sat May 20 23:39:01 2017 +0800
@@ -209,6 +209,7 @@
 
 	unsigned int len;
 	char* ret;
+	void* src = NULL;
 	len = buf_getint(buf);
 	if (len > MAX_STRING_LEN) {
 		dropbear_exit("String too long");
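Review bot: The new `src` declaration gives no hint why the source pointer is now fetched separately from the copy, and a reader of this hunk alone cannot tell that the ordering is the point of the change; a short comment on the declaration would carry the intent, e.g. `void* src = NULL; /* fetched before m_malloc so a short buffer fails in buf_getptr without allocating */`. The `= NULL` initializer looks redundant given that `src` is assigned in the following hunk before its only use, though keeping it is harmless. Whether buf_getptr actually performs the bounds check and exits on a short buffer is inferred from the commit message, not visible here. The enclosing buf_getstring signature starts outside the hunk.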
@@ -217,8 +218,9 @@
 	if (retlen != NULL) {
 		*retlen = len;
 	}
+	src = buf_getptr(buf, len);
 	ret = m_malloc(len+1);
-	memcpy(ret, buf_getptr(buf, len), len);
+	memcpy(ret, src, len);
 	buf_incrpos(buf, len);
 	ret[len] = '\0';