aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schneider <asn@cryptomilk.org>2017-04-13 16:19:23 +0200
committerAndreas Schneider <asn@cryptomilk.org>2017-04-13 16:19:23 +0200
commit0cf1c8554296d999dec20d0175eb28d87433dbca (patch)
treede8b1ba34e737e608e76a28f6780daf80b6a2721
parent57550e6211c19c634a319bed59d39b28d020dcd1 (diff)
downloadlibssh-0cf1c8554296d999dec20d0175eb28d87433dbca.tar.gz
libssh-0cf1c8554296d999dec20d0175eb28d87433dbca.tar.xz
libssh-0cf1c8554296d999dec20d0175eb28d87433dbca.zip
Revert "buffer: Validate the length before before memory allocation"
This reverts commit 57550e6211c19c634a319bed59d39b28d020dcd1.
-rw-r--r--src/buffer.c21
1 files changed, 2 insertions, 19 deletions
diff --git a/src/buffer.c b/src/buffer.c
index d1a727ae..0c776698 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -848,12 +848,10 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
char **cstring;
void **data;
} o;
- size_t len, rlen, max_len;
+ size_t len, rlen;
va_list ap_copy;
int count;
- max_len = ssh_buffer_get_len(buffer);
-
/* copy the argument list in case a rollback is needed */
va_copy(ap_copy, ap);
@@ -905,16 +903,10 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
break;
}
len = ntohl(u32len);
- if (len > max_len - 1) {
+ if (len > UINT_MAX - 1){
rc = SSH_ERROR;
break;
}
-
- rc = ssh_buffer_validate_length(buffer, len);
- if (rc != SSH_OK) {
- break;
- }
-
*o.cstring = malloc(len + 1);
if (*o.cstring == NULL){
rc = SSH_ERROR;
@@ -933,15 +925,6 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
}
case 'P':
len = va_arg(ap, size_t);
- if (len > max_len - 1) {
- rc = SSH_ERROR;
- break;
- }
-
- rc = ssh_buffer_validate_length(buffer, len);
- if (rc != SSH_OK) {
- break;
- }
o.data = va_arg(ap, void **);
count++;