diff options
author | Colin Watson <cjwatson@debian.org> | 2003-09-19 09:29:59 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2003-09-19 09:29:59 +0000 |
commit | 9dcbace70ec41ea21cd291e70bf6fd1bbd255a9e (patch) | |
tree | 4f3eaf0a295bfcf24e4c45bfce929b870d393ebf | |
parent | 9784e8f89704e17080b2d42ceeeef54ae73d51dd (diff) |
Merge even more buffer allocation fixes from upstream (CAN-2003-0682,
#211434).
-rw-r--r-- | buffer.c | 1 | ||||
-rw-r--r-- | deattack.c | 6 | ||||
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | misc.c | 11 | ||||
-rw-r--r-- | session.c | 16 | ||||
-rw-r--r-- | ssh-agent.c | 15 |
6 files changed, 35 insertions, 21 deletions
@@ -39,6 +39,7 @@ buffer_free(Buffer *buffer) | |||
39 | { | 39 | { |
40 | if (buffer->alloc > 0) { | 40 | if (buffer->alloc > 0) { |
41 | memset(buffer->buf, 0, buffer->alloc); | 41 | memset(buffer->buf, 0, buffer->alloc); |
42 | buffer->alloc = 0; | ||
42 | xfree(buffer->buf); | 43 | xfree(buffer->buf); |
43 | } | 44 | } |
44 | } | 45 | } |
diff --git a/deattack.c b/deattack.c index 0442501e7..8b55d6686 100644 --- a/deattack.c +++ b/deattack.c | |||
@@ -18,7 +18,7 @@ | |||
18 | */ | 18 | */ |
19 | 19 | ||
20 | #include "includes.h" | 20 | #include "includes.h" |
21 | RCSID("$OpenBSD: deattack.c,v 1.18 2002/03/04 17:27:39 stevesk Exp $"); | 21 | RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $"); |
22 | 22 | ||
23 | #include "deattack.h" | 23 | #include "deattack.h" |
24 | #include "log.h" | 24 | #include "log.h" |
@@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV) | |||
100 | 100 | ||
101 | if (h == NULL) { | 101 | if (h == NULL) { |
102 | debug("Installing crc compensation attack detector."); | 102 | debug("Installing crc compensation attack detector."); |
103 | h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE); | ||
103 | n = l; | 104 | n = l; |
104 | h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); | ||
105 | } else { | 105 | } else { |
106 | if (l > n) { | 106 | if (l > n) { |
107 | h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE); | ||
107 | n = l; | 108 | n = l; |
108 | h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); | ||
109 | } | 109 | } |
110 | } | 110 | } |
111 | 111 | ||
diff --git a/debian/changelog b/debian/changelog index 9a61869a6..60844b097 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,3 +1,10 @@ | |||
1 | openssh (1:3.6.1p2-9) unstable; urgency=high | ||
2 | |||
3 | * Merge even more buffer allocation fixes from upstream (CAN-2003-0682; | ||
4 | closes: #211434). | ||
5 | |||
6 | -- Colin Watson <cjwatson@debian.org> Fri, 19 Sep 2003 10:25:25 +0100 | ||
7 | |||
1 | openssh (1:3.6.1p2-8) unstable; urgency=high | 8 | openssh (1:3.6.1p2-8) unstable; urgency=high |
2 | 9 | ||
3 | * Merge more buffer allocation fixes from new upstream version 3.7.1p1 | 10 | * Merge more buffer allocation fixes from new upstream version 3.7.1p1 |
@@ -308,18 +308,21 @@ addargs(arglist *args, char *fmt, ...) | |||
308 | { | 308 | { |
309 | va_list ap; | 309 | va_list ap; |
310 | char buf[1024]; | 310 | char buf[1024]; |
311 | int nalloc; | ||
311 | 312 | ||
312 | va_start(ap, fmt); | 313 | va_start(ap, fmt); |
313 | vsnprintf(buf, sizeof(buf), fmt, ap); | 314 | vsnprintf(buf, sizeof(buf), fmt, ap); |
314 | va_end(ap); | 315 | va_end(ap); |
315 | 316 | ||
317 | nalloc = args->nalloc; | ||
316 | if (args->list == NULL) { | 318 | if (args->list == NULL) { |
317 | args->nalloc = 32; | 319 | nalloc = 32; |
318 | args->num = 0; | 320 | args->num = 0; |
319 | } else if (args->num+2 >= args->nalloc) | 321 | } else if (args->num+2 >= nalloc) |
320 | args->nalloc *= 2; | 322 | nalloc *= 2; |
321 | 323 | ||
322 | args->list = xrealloc(args->list, args->nalloc * sizeof(char *)); | 324 | args->list = xrealloc(args->list, nalloc * sizeof(char *)); |
325 | args->nalloc = nalloc; | ||
323 | args->list[args->num++] = xstrdup(buf); | 326 | args->list[args->num++] = xstrdup(buf); |
324 | args->list[args->num] = NULL; | 327 | args->list[args->num] = NULL; |
325 | } | 328 | } |
@@ -844,8 +844,9 @@ static void | |||
844 | child_set_env(char ***envp, u_int *envsizep, const char *name, | 844 | child_set_env(char ***envp, u_int *envsizep, const char *name, |
845 | const char *value) | 845 | const char *value) |
846 | { | 846 | { |
847 | u_int i, namelen; | ||
848 | char **env; | 847 | char **env; |
848 | u_int envsize; | ||
849 | u_int i, namelen; | ||
849 | 850 | ||
850 | /* | 851 | /* |
851 | * Find the slot where the value should be stored. If the variable | 852 | * Find the slot where the value should be stored. If the variable |
@@ -862,12 +863,13 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, | |||
862 | xfree(env[i]); | 863 | xfree(env[i]); |
863 | } else { | 864 | } else { |
864 | /* New variable. Expand if necessary. */ | 865 | /* New variable. Expand if necessary. */ |
865 | if (i >= (*envsizep) - 1) { | 866 | envsize = *envsizep; |
866 | if (*envsizep >= 1000) | 867 | if (i >= envsize - 1) { |
867 | fatal("child_set_env: too many env vars," | 868 | if (envsize >= 1000) |
868 | " skipping: %.100s", name); | 869 | fatal("child_set_env: too many env vars"); |
869 | (*envsizep) += 50; | 870 | envsize += 50; |
870 | env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *)); | 871 | env = (*envp) = xrealloc(env, envsize * sizeof(char *)); |
872 | *envsizep = envsize; | ||
871 | } | 873 | } |
872 | /* Need to set the NULL pointer at end of array beyond the new slot. */ | 874 | /* Need to set the NULL pointer at end of array beyond the new slot. */ |
873 | env[i + 1] = NULL; | 875 | env[i + 1] = NULL; |
diff --git a/ssh-agent.c b/ssh-agent.c index eb593de73..a936134fe 100644 --- a/ssh-agent.c +++ b/ssh-agent.c | |||
@@ -767,7 +767,7 @@ process_message(SocketEntry *e) | |||
767 | static void | 767 | static void |
768 | new_socket(sock_type type, int fd) | 768 | new_socket(sock_type type, int fd) |
769 | { | 769 | { |
770 | u_int i, old_alloc; | 770 | u_int i, old_alloc, new_alloc; |
771 | 771 | ||
772 | if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) | 772 | if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) |
773 | error("fcntl O_NONBLOCK: %s", strerror(errno)); | 773 | error("fcntl O_NONBLOCK: %s", strerror(errno)); |
@@ -778,25 +778,26 @@ new_socket(sock_type type, int fd) | |||
778 | for (i = 0; i < sockets_alloc; i++) | 778 | for (i = 0; i < sockets_alloc; i++) |
779 | if (sockets[i].type == AUTH_UNUSED) { | 779 | if (sockets[i].type == AUTH_UNUSED) { |
780 | sockets[i].fd = fd; | 780 | sockets[i].fd = fd; |
781 | sockets[i].type = type; | ||
782 | buffer_init(&sockets[i].input); | 781 | buffer_init(&sockets[i].input); |
783 | buffer_init(&sockets[i].output); | 782 | buffer_init(&sockets[i].output); |
784 | buffer_init(&sockets[i].request); | 783 | buffer_init(&sockets[i].request); |
784 | sockets[i].type = type; | ||
785 | return; | 785 | return; |
786 | } | 786 | } |
787 | old_alloc = sockets_alloc; | 787 | old_alloc = sockets_alloc; |
788 | sockets_alloc += 10; | 788 | new_alloc = sockets_alloc + 10; |
789 | if (sockets) | 789 | if (sockets) |
790 | sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0])); | 790 | sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0])); |
791 | else | 791 | else |
792 | sockets = xmalloc(sockets_alloc * sizeof(sockets[0])); | 792 | sockets = xmalloc(new_alloc * sizeof(sockets[0])); |
793 | for (i = old_alloc; i < sockets_alloc; i++) | 793 | for (i = old_alloc; i < new_alloc; i++) |
794 | sockets[i].type = AUTH_UNUSED; | 794 | sockets[i].type = AUTH_UNUSED; |
795 | sockets[old_alloc].type = type; | 795 | sockets_alloc = new_alloc; |
796 | sockets[old_alloc].fd = fd; | 796 | sockets[old_alloc].fd = fd; |
797 | buffer_init(&sockets[old_alloc].input); | 797 | buffer_init(&sockets[old_alloc].input); |
798 | buffer_init(&sockets[old_alloc].output); | 798 | buffer_init(&sockets[old_alloc].output); |
799 | buffer_init(&sockets[old_alloc].request); | 799 | buffer_init(&sockets[old_alloc].request); |
800 | sockets[old_alloc].type = type; | ||
800 | } | 801 | } |
801 | 802 | ||
802 | static int | 803 | static int |