summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2003-09-19 09:29:59 +0000
committerColin Watson <cjwatson@debian.org>2003-09-19 09:29:59 +0000
commit9dcbace70ec41ea21cd291e70bf6fd1bbd255a9e (patch)
tree4f3eaf0a295bfcf24e4c45bfce929b870d393ebf
parent9784e8f89704e17080b2d42ceeeef54ae73d51dd (diff)
Merge even more buffer allocation fixes from upstream (CAN-2003-0682,
#211434).
-rw-r--r--buffer.c1
-rw-r--r--deattack.c6
-rw-r--r--debian/changelog7
-rw-r--r--misc.c11
-rw-r--r--session.c16
-rw-r--r--ssh-agent.c15
6 files changed, 35 insertions, 21 deletions
diff --git a/buffer.c b/buffer.c
index 3099234bd..1627b1343 100644
--- a/buffer.c
+++ b/buffer.c
@@ -39,6 +39,7 @@ buffer_free(Buffer *buffer)
39{ 39{
40 if (buffer->alloc > 0) { 40 if (buffer->alloc > 0) {
41 memset(buffer->buf, 0, buffer->alloc); 41 memset(buffer->buf, 0, buffer->alloc);
42 buffer->alloc = 0;
42 xfree(buffer->buf); 43 xfree(buffer->buf);
43 } 44 }
44} 45}
diff --git a/deattack.c b/deattack.c
index 0442501e7..8b55d6686 100644
--- a/deattack.c
+++ b/deattack.c
@@ -18,7 +18,7 @@
18 */ 18 */
19 19
20#include "includes.h" 20#include "includes.h"
21RCSID("$OpenBSD: deattack.c,v 1.18 2002/03/04 17:27:39 stevesk Exp $"); 21RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $");
22 22
23#include "deattack.h" 23#include "deattack.h"
24#include "log.h" 24#include "log.h"
@@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV)
100 100
101 if (h == NULL) { 101 if (h == NULL) {
102 debug("Installing crc compensation attack detector."); 102 debug("Installing crc compensation attack detector.");
103 h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
103 n = l; 104 n = l;
104 h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
105 } else { 105 } else {
106 if (l > n) { 106 if (l > n) {
107 h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
107 n = l; 108 n = l;
108 h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
109 } 109 }
110 } 110 }
111 111
diff --git a/debian/changelog b/debian/changelog
index 9a61869a6..60844b097 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1openssh (1:3.6.1p2-9) unstable; urgency=high
2
3 * Merge even more buffer allocation fixes from upstream (CAN-2003-0682;
4 closes: #211434).
5
6 -- Colin Watson <cjwatson@debian.org> Fri, 19 Sep 2003 10:25:25 +0100
7
1openssh (1:3.6.1p2-8) unstable; urgency=high 8openssh (1:3.6.1p2-8) unstable; urgency=high
2 9
3 * Merge more buffer allocation fixes from new upstream version 3.7.1p1 10 * Merge more buffer allocation fixes from new upstream version 3.7.1p1
diff --git a/misc.c b/misc.c
index 512fb22fb..84c94f9b6 100644
--- a/misc.c
+++ b/misc.c
@@ -308,18 +308,21 @@ addargs(arglist *args, char *fmt, ...)
308{ 308{
309 va_list ap; 309 va_list ap;
310 char buf[1024]; 310 char buf[1024];
311 int nalloc;
311 312
312 va_start(ap, fmt); 313 va_start(ap, fmt);
313 vsnprintf(buf, sizeof(buf), fmt, ap); 314 vsnprintf(buf, sizeof(buf), fmt, ap);
314 va_end(ap); 315 va_end(ap);
315 316
317 nalloc = args->nalloc;
316 if (args->list == NULL) { 318 if (args->list == NULL) {
317 args->nalloc = 32; 319 nalloc = 32;
318 args->num = 0; 320 args->num = 0;
319 } else if (args->num+2 >= args->nalloc) 321 } else if (args->num+2 >= nalloc)
320 args->nalloc *= 2; 322 nalloc *= 2;
321 323
322 args->list = xrealloc(args->list, args->nalloc * sizeof(char *)); 324 args->list = xrealloc(args->list, nalloc * sizeof(char *));
325 args->nalloc = nalloc;
323 args->list[args->num++] = xstrdup(buf); 326 args->list[args->num++] = xstrdup(buf);
324 args->list[args->num] = NULL; 327 args->list[args->num] = NULL;
325} 328}
diff --git a/session.c b/session.c
index c75fea966..ec4a23ac5 100644
--- a/session.c
+++ b/session.c
@@ -844,8 +844,9 @@ static void
844child_set_env(char ***envp, u_int *envsizep, const char *name, 844child_set_env(char ***envp, u_int *envsizep, const char *name,
845 const char *value) 845 const char *value)
846{ 846{
847 u_int i, namelen;
848 char **env; 847 char **env;
848 u_int envsize;
849 u_int i, namelen;
849 850
850 /* 851 /*
851 * Find the slot where the value should be stored. If the variable 852 * Find the slot where the value should be stored. If the variable
@@ -862,12 +863,13 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
862 xfree(env[i]); 863 xfree(env[i]);
863 } else { 864 } else {
864 /* New variable. Expand if necessary. */ 865 /* New variable. Expand if necessary. */
865 if (i >= (*envsizep) - 1) { 866 envsize = *envsizep;
866 if (*envsizep >= 1000) 867 if (i >= envsize - 1) {
867 fatal("child_set_env: too many env vars," 868 if (envsize >= 1000)
868 " skipping: %.100s", name); 869 fatal("child_set_env: too many env vars");
869 (*envsizep) += 50; 870 envsize += 50;
870 env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *)); 871 env = (*envp) = xrealloc(env, envsize * sizeof(char *));
872 *envsizep = envsize;
871 } 873 }
872 /* Need to set the NULL pointer at end of array beyond the new slot. */ 874 /* Need to set the NULL pointer at end of array beyond the new slot. */
873 env[i + 1] = NULL; 875 env[i + 1] = NULL;
diff --git a/ssh-agent.c b/ssh-agent.c
index eb593de73..a936134fe 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -767,7 +767,7 @@ process_message(SocketEntry *e)
767static void 767static void
768new_socket(sock_type type, int fd) 768new_socket(sock_type type, int fd)
769{ 769{
770 u_int i, old_alloc; 770 u_int i, old_alloc, new_alloc;
771 771
772 if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) 772 if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
773 error("fcntl O_NONBLOCK: %s", strerror(errno)); 773 error("fcntl O_NONBLOCK: %s", strerror(errno));
@@ -778,25 +778,26 @@ new_socket(sock_type type, int fd)
778 for (i = 0; i < sockets_alloc; i++) 778 for (i = 0; i < sockets_alloc; i++)
779 if (sockets[i].type == AUTH_UNUSED) { 779 if (sockets[i].type == AUTH_UNUSED) {
780 sockets[i].fd = fd; 780 sockets[i].fd = fd;
781 sockets[i].type = type;
782 buffer_init(&sockets[i].input); 781 buffer_init(&sockets[i].input);
783 buffer_init(&sockets[i].output); 782 buffer_init(&sockets[i].output);
784 buffer_init(&sockets[i].request); 783 buffer_init(&sockets[i].request);
784 sockets[i].type = type;
785 return; 785 return;
786 } 786 }
787 old_alloc = sockets_alloc; 787 old_alloc = sockets_alloc;
788 sockets_alloc += 10; 788 new_alloc = sockets_alloc + 10;
789 if (sockets) 789 if (sockets)
790 sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0])); 790 sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
791 else 791 else
792 sockets = xmalloc(sockets_alloc * sizeof(sockets[0])); 792 sockets = xmalloc(new_alloc * sizeof(sockets[0]));
793 for (i = old_alloc; i < sockets_alloc; i++) 793 for (i = old_alloc; i < new_alloc; i++)
794 sockets[i].type = AUTH_UNUSED; 794 sockets[i].type = AUTH_UNUSED;
795 sockets[old_alloc].type = type; 795 sockets_alloc = new_alloc;
796 sockets[old_alloc].fd = fd; 796 sockets[old_alloc].fd = fd;
797 buffer_init(&sockets[old_alloc].input); 797 buffer_init(&sockets[old_alloc].input);
798 buffer_init(&sockets[old_alloc].output); 798 buffer_init(&sockets[old_alloc].output);
799 buffer_init(&sockets[old_alloc].request); 799 buffer_init(&sockets[old_alloc].request);
800 sockets[old_alloc].type = type;
800} 801}
801 802
802static int 803static int