From 16e834a98abda521a51b8954d216c0025f934e4c Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Mon, 2 Dec 2013 19:26:36 +0000
Subject: [PATCH] Fix breakage of SSH-2 packet decompression by r10070.

The line that resets st->pktin->length to cover only the semantic payload of the SSH message was overwriting the modification to st->pktin->length performed by the optional decompression step. I didn't notice because I don't habitually enable compression.

[originally from svn r10103]
[r10070 == 9f5d51a4ac3c10efbefa9b10facb5386e02a6aca]
---
 ssh.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ssh.c b/ssh.c
index 0f318075..8bcb1e85 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1711,6 +1711,9 @@ static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)

 st->pktin->sequence = st->incoming_sequence++;

+ st->pktin->length = st->packetlen - st->pad;
+ assert(st->pktin->length >= 0);
+
 /*
 * Decompress packet payload.
 */
@@ -1739,7 +1742,7 @@ static struct Packet *ssh2_rdpkt(Ssh ssh, unsigned char **data, int *datalen)
 */
 st->pktin->type = st->pktin->data[5];
 st->pktin->body = st->pktin->data + 6;
- st->pktin->length = st->packetlen - 6 - st->pad;
+ st->pktin->length -= 6;
 assert(st->pktin->length >= 0); /* one last double-check */

 if (ssh->logctx)
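Review bot: The added `assert(st->pktin->length >= 0)` is the only visible check on a value computed from `st->packetlen` and `st->pad`, which presumably come from the packet header sent by the peer. An assert aborts the process on failure and disappears under NDEBUG, so it does not reject a malformed packet. Unless an earlier check in ssh2_rdpkt (outside the hunk) already bounds both fields, an explicit test that fails the connection through the function's normal error path would be safer. The bound is also looser than the later code needs: the second hunk uses `data[5]` and `data + 6`, so the first five bytes appear to be header and the test here should be `st->pktin->length >= 5` rather than `>= 0`. A short comment such as `/* length now covers the 5-byte header plus the (possibly compressed) payload */` would make the intermediate meaning of the field clear.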
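Review bot: `st->pktin->type = st->pktin->data[5]` is read before anything establishes that the length is at least 6. With `st->pktin->length -= 6`, the length at this point is whatever the decompression step left behind, and the only guard is the trailing `assert`. A packet whose payload is empty, or decompresses to nothing, would therefore abort the client, or under NDEBUG leave a negative `length` for later consumers of the packet. Placing a check such as `if (st->pktin->length < 6)` ahead of the type read and treating it as a protocol error would close that gap. The decompression code and the error path of ssh2_rdpkt are outside the hunk, so confirm that neither already covers this case.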