make buf_getstring fail prior to malloc if the buffer is short

--HG-- branch : fuzz
author: Matt Johnston <matt@ucc.asn.au> 2017-05-20 23:39:01 +0800
committer: Matt Johnston <matt@ucc.asn.au> 2017-05-20 23:39:01 +0800
commit: 9f1c8b2f8fe1722815af1cfb152c3f48aa9848ce (patch)
tree: 9567c6546fdc310522bd829e9f10d065dceccd9d /buffer.c
parent: c1694230516fe1c3d78e4fd23aebd5fbc00ce21c (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/buffer.c b/buffer.c
index 0ca50b4..a462374 100644
--- a/buffer.c
+++ b/buffer.c
@@ -209,6 +209,7 @@ char* buf_getstring(buffer* buf, unsigned int *retlen) {
 
 	unsigned int len;
 	char* ret;
+	void* src = NULL;
 	len = buf_getint(buf);
 	if (len > MAX_STRING_LEN) {
 		dropbear_exit("String too long");
@@ -217,8 +218,9 @@ char* buf_getstring(buffer* buf, unsigned int *retlen) {
 	if (retlen != NULL) {
 		*retlen = len;
 	}
+	src = buf_getptr(buf, len);
 	ret = m_malloc(len+1);
-	memcpy(ret, buf_getptr(buf, len), len);
+	memcpy(ret, src, len);
 	buf_incrpos(buf, len);
 	ret[len] = '\0';
author	Matt Johnston <matt@ucc.asn.au>	2017-05-20 23:39:01 +0800
committer	Matt Johnston <matt@ucc.asn.au>	2017-05-20 23:39:01 +0800
commit	9f1c8b2f8fe1722815af1cfb152c3f48aa9848ce (patch)
tree	9567c6546fdc310522bd829e9f10d065dceccd9d /buffer.c
parent	c1694230516fe1c3d78e4fd23aebd5fbc00ce21c (diff)