diff --git a/common-kex.c b/common-kex.c
index f355560219aee2318b2cf81673281438664ab75c..0e477da8cb2dac2293bfb39c5e2b5f428977de56 100644
--- a/common-kex.c
+++ b/common-kex.c
@@ -534,8 +534,10 @@ void recv_msg_kexinit() {
 	    buf_putstring(ses.kexhashbuf,
 			ses.transkexinit->data, ses.transkexinit->len);
 		/* I_S, the payload of the server's SSH_MSG_KEXINIT */
-	    buf_setpos(ses.payload, 0);
-	    buf_putstring(ses.kexhashbuf, ses.payload->data, ses.payload->len);
+	    buf_setpos(ses.payload, ses.payload_beginning);
+	    buf_putstring(ses.kexhashbuf, 
+	    	buf_getptr(ses.payload, ses.payload->len-ses.payload->pos),
+	    	ses.payload->len-ses.payload->pos);
 		ses.requirenext = SSH_MSG_KEXDH_REPLY;
 	} else {
 		/* SERVER */
@@ -549,8 +551,10 @@ void recv_msg_kexinit() {
 				(unsigned char*)LOCAL_IDENT, local_ident_len);
 
 		/* I_C, the payload of the client's SSH_MSG_KEXINIT */
-	    buf_setpos(ses.payload, 0);
-	    buf_putstring(ses.kexhashbuf, ses.payload->data, ses.payload->len);
+	    buf_setpos(ses.payload, ses.payload_beginning);
+	    buf_putstring(ses.kexhashbuf, 
+	    	buf_getptr(ses.payload, ses.payload->len-ses.payload->pos),
+	    	ses.payload->len-ses.payload->pos);
 
 		/* I_S, the payload of the server's SSH_MSG_KEXINIT */
 	    buf_putstring(ses.kexhashbuf,
diff --git a/packet.c b/packet.c
index b477a07ea712b5a4861711541ce57b622732e01c..d38d8f4099f26a906c3c5ff90e5b11cc9df7677c 100644
--- a/packet.c
+++ b/packet.c
@@ -314,18 +314,21 @@ void decrypt_packet() {
 	if (is_compress_recv()) {
 		/* decompress */
 		ses.payload = buf_decompress(ses.readbuf, len);
+		buf_setpos(ses.payload, 0);
+		ses.payload_beginning = 0;
+		buf_free(ses.readbuf);
 	} else 
 #endif
 	{
+		ses.payload = ses.readbuf;
+		ses.payload_beginning = ses.payload->pos;
+		buf_setlen(ses.payload, ses.payload->pos + len);
 		/* copy payload */
-		ses.payload = buf_new(len);
-		memcpy(ses.payload->data, buf_getptr(ses.readbuf, len), len);
-		buf_incrlen(ses.payload, len);
+		//ses.payload = buf_new(len);
+		//memcpy(ses.payload->data, buf_getptr(ses.readbuf, len), len);
+		//buf_incrlen(ses.payload, len);
 	}
-
-	buf_free(ses.readbuf);
 	ses.readbuf = NULL;
-	buf_setpos(ses.payload, 0);
 
 	ses.recvseq++;
 
diff --git a/session.h b/session.h
index 85dba3be469228dd66f076264be6f22435e7d9f3..0780d51d4b320012ba5aba90f3c9fae1fc283c9d 100644
--- a/session.h
+++ b/session.h
@@ -127,6 +127,7 @@ struct sshsession {
 	struct Queue writequeue; /* A queue of encrypted packets to send */
 	buffer *readbuf; /* From the wire, decrypted in-place */
 	buffer *payload; /* Post-decompression, the actual SSH packet */
+	unsigned int payload_beginning;
 	unsigned int transseq, recvseq; /* Sequence IDs */
 
 	/* Packet-handling flags */