From 9f1c8b2f8fe1722815af1cfb152c3f48aa9848ce Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Sat, 20 May 2017 23:39:01 +0800
Subject: [PATCH] make buf_getstring fail prior to malloc if the buffer is
 short

--HG--
branch : fuzz
---
 buffer.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/buffer.c b/buffer.c
index 0ca50b4a..a462374e 100644
--- a/buffer.c
+++ b/buffer.c
@@ -209,6 +209,7 @@ char* buf_getstring(buffer* buf, unsigned int *retlen) {
 
 	unsigned int len;
 	char* ret;
+	void* src = NULL;
 	len = buf_getint(buf);
 	if (len > MAX_STRING_LEN) {
 		dropbear_exit("String too long");
@@ -217,8 +218,9 @@ char* buf_getstring(buffer* buf, unsigned int *retlen) {
 	if (retlen != NULL) {
 		*retlen = len;
 	}
+	src = buf_getptr(buf, len);
 	ret = m_malloc(len+1);
-	memcpy(ret, buf_getptr(buf, len), len);
+	memcpy(ret, src, len);
 	buf_incrpos(buf, len);
 	ret[len] = '\0';
 
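Review bot: The placement of `src = buf_getptr(buf, len);` ahead of `m_malloc(len+1)` is now load-bearing, but nothing in the code says so, so a later cleanup could fold the call back into the `memcpy` and restore allocate-before-validate. Going by the commit subject, buf_getptr is what rejects a short buffer (its body is not visible here), and `len` comes from buf_getint, so without this ordering a peer-supplied length up to MAX_STRING_LEN could presumably drive an allocation for data that was never sent. I would add a comment above the call, e.g. `/* validate len against the remaining buffer before allocating; must stay ahead of m_malloc */`. As a smaller style point, `src` is only read from and could be declared `const void *`, assuming buf_getptr's return type converts cleanly. buf_getstring begins before and continues past this hunk, so the free/return paths were not reviewed.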
-- 
GitLab