From 0cf1c8554296d999dec20d0175eb28d87433dbca Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Thu, 13 Apr 2017 16:19:23 +0200
Subject: Revert "buffer: Validate the length before before memory allocation"

This reverts commit 57550e6211c19c634a319bed59d39b28d020dcd1.
---
 src/buffer.c | 21 ++-------------------
 1 file changed, 2 insertions(+), 19 deletions(-)

(limited to 'src')

diff --git a/src/buffer.c b/src/buffer.c
index d1a727ae..0c776698 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -848,12 +848,10 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
         char **cstring;
         void **data;
     } o;
-    size_t len, rlen, max_len;
+    size_t len, rlen;
     va_list ap_copy;
     int count;
 
-    max_len = ssh_buffer_get_len(buffer);
-
     /* copy the argument list in case a rollback is needed */
     va_copy(ap_copy, ap);
 
@@ -905,16 +903,10 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
                 break;
             }
             len = ntohl(u32len);
-            if (len > max_len - 1) {
+            if (len > UINT_MAX - 1){
                 rc = SSH_ERROR;
                 break;
             }
-
-            rc = ssh_buffer_validate_length(buffer, len);
-            if (rc != SSH_OK) {
-                break;
-            }
-
             *o.cstring = malloc(len + 1);
             if (*o.cstring == NULL){
                 rc = SSH_ERROR;
@@ -933,15 +925,6 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
         }
         case 'P':
             len = va_arg(ap, size_t);
-            if (len > max_len - 1) {
-                rc = SSH_ERROR;
-                break;
-            }
-
-            rc = ssh_buffer_validate_length(buffer, len);
-            if (rc != SSH_OK) {
-                break;
-            }
 
             o.data = va_arg(ap, void **);
             count++;
-- 
cgit v1.2.3