mirror of
https://github.com/clearml/dropbear
synced 2025-03-03 10:41:39 +00:00
make buf_getstring fail prior to malloc if the buffer is short
--HG-- branch : fuzz
This commit is contained in:
Matt Johnston
parent
c169423051
commit
9f1c8b2f8f
4
buffer.c
4
buffer.c
@ -209,6 +209,7 @@ char* buf_getstring(buffer* buf, unsigned int *retlen) {
|
|||||||
|
|
||||||
unsigned int len;
|
unsigned int len;
|
||||||
char* ret;
|
char* ret;
|
||||||
|
void* src = NULL;
|
||||||
len = buf_getint(buf);
|
len = buf_getint(buf);
|
||||||
if (len > MAX_STRING_LEN) {
|
if (len > MAX_STRING_LEN) {
|
||||||
dropbear_exit("String too long");
|
dropbear_exit("String too long");
|
||||||
@ -217,8 +218,9 @@ char* buf_getstring(buffer* buf, unsigned int *retlen) {
|
|||||||
if (retlen != NULL) {
|
if (retlen != NULL) {
|
||||||
*retlen = len;
|
*retlen = len;
|
||||||
}
|
}
|
||||||
|
src = buf_getptr(buf, len);
|
||||||
ret = m_malloc(len+1);
|
ret = m_malloc(len+1);
|
||||||
memcpy(ret, buf_getptr(buf, len), len);
|
memcpy(ret, src, len);
|
||||||
buf_incrpos(buf, len);
|
buf_incrpos(buf, len);
|
||||||
ret[len] = '\0';
|
ret[len] = '\0';
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user