diff options
| -rw-r--r-- | buffer.c | 25 | ||||
| -rw-r--r-- | channels.c | 5 | ||||
| -rw-r--r-- | debian/changelog | 27 |
3 files changed, 46 insertions, 11 deletions
| @@ -12,7 +12,7 @@ | |||
| 12 | */ | 12 | */ |
| 13 | 13 | ||
| 14 | #include "includes.h" | 14 | #include "includes.h" |
| 15 | RCSID("$OpenBSD: buffer.c,v 1.16 2002/06/26 08:54:18 markus Exp $"); | 15 | RCSID("$OpenBSD: buffer.c,v 1.18 2003/09/16 21:02:39 markus Exp $"); |
| 16 | 16 | ||
| 17 | #include "xmalloc.h" | 17 | #include "xmalloc.h" |
| 18 | #include "buffer.h" | 18 | #include "buffer.h" |
| @@ -23,8 +23,11 @@ RCSID("$OpenBSD: buffer.c,v 1.16 2002/06/26 08:54:18 markus Exp $"); | |||
| 23 | void | 23 | void |
| 24 | buffer_init(Buffer *buffer) | 24 | buffer_init(Buffer *buffer) |
| 25 | { | 25 | { |
| 26 | buffer->alloc = 4096; | 26 | const u_int len = 4096; |
| 27 | buffer->buf = xmalloc(buffer->alloc); | 27 | |
| 28 | buffer->alloc = 0; | ||
| 29 | buffer->buf = xmalloc(len); | ||
| 30 | buffer->alloc = len; | ||
| 28 | buffer->offset = 0; | 31 | buffer->offset = 0; |
| 29 | buffer->end = 0; | 32 | buffer->end = 0; |
| 30 | } | 33 | } |
| @@ -34,8 +37,10 @@ buffer_init(Buffer *buffer) | |||
| 34 | void | 37 | void |
| 35 | buffer_free(Buffer *buffer) | 38 | buffer_free(Buffer *buffer) |
| 36 | { | 39 | { |
| 37 | memset(buffer->buf, 0, buffer->alloc); | 40 | if (buffer->alloc > 0) { |
| 38 | xfree(buffer->buf); | 41 | memset(buffer->buf, 0, buffer->alloc); |
| 42 | xfree(buffer->buf); | ||
| 43 | } | ||
| 39 | } | 44 | } |
| 40 | 45 | ||
| 41 | /* | 46 | /* |
| @@ -69,6 +74,7 @@ buffer_append(Buffer *buffer, const void *data, u_int len) | |||
| 69 | void * | 74 | void * |
| 70 | buffer_append_space(Buffer *buffer, u_int len) | 75 | buffer_append_space(Buffer *buffer, u_int len) |
| 71 | { | 76 | { |
| 77 | u_int newlen; | ||
| 72 | void *p; | 78 | void *p; |
| 73 | 79 | ||
| 74 | if (len > 0x100000) | 80 | if (len > 0x100000) |
| @@ -98,11 +104,12 @@ restart: | |||
| 98 | goto restart; | 104 | goto restart; |
| 99 | } | 105 | } |
| 100 | /* Increase the size of the buffer and retry. */ | 106 | /* Increase the size of the buffer and retry. */ |
| 101 | buffer->alloc += len + 32768; | 107 | newlen = buffer->alloc + len + 32768; |
| 102 | if (buffer->alloc > 0xa00000) | 108 | if (newlen > 0xa00000) |
| 103 | fatal("buffer_append_space: alloc %u not supported", | 109 | fatal("buffer_append_space: alloc %u not supported", |
| 104 | buffer->alloc); | 110 | newlen); |
| 105 | buffer->buf = xrealloc(buffer->buf, buffer->alloc); | 111 | buffer->buf = xrealloc(buffer->buf, newlen); |
| 112 | buffer->alloc = newlen; | ||
| 106 | goto restart; | 113 | goto restart; |
| 107 | /* NOTREACHED */ | 114 | /* NOTREACHED */ |
| 108 | } | 115 | } |
diff --git a/channels.c b/channels.c index 1937b0244..218744d1a 100644 --- a/channels.c +++ b/channels.c | |||
| @@ -229,12 +229,13 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd, | |||
| 229 | if (found == -1) { | 229 | if (found == -1) { |
| 230 | /* There are no free slots. Take last+1 slot and expand the array. */ | 230 | /* There are no free slots. Take last+1 slot and expand the array. */ |
| 231 | found = channels_alloc; | 231 | found = channels_alloc; |
| 232 | channels_alloc += 10; | ||
| 233 | if (channels_alloc > 10000) | 232 | if (channels_alloc > 10000) |
| 234 | fatal("channel_new: internal error: channels_alloc %d " | 233 | fatal("channel_new: internal error: channels_alloc %d " |
| 235 | "too big.", channels_alloc); | 234 | "too big.", channels_alloc); |
| 235 | channels = xrealloc(channels, | ||
| 236 | (channels_alloc + 10) * sizeof(Channel *)); | ||
| 237 | channels_alloc += 10; | ||
| 236 | debug2("channel: expanding %d", channels_alloc); | 238 | debug2("channel: expanding %d", channels_alloc); |
| 237 | channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); | ||
| 238 | for (i = found; i < channels_alloc; i++) | 239 | for (i = found; i < channels_alloc; i++) |
| 239 | channels[i] = NULL; | 240 | channels[i] = NULL; |
| 240 | } | 241 | } |
diff --git a/debian/changelog b/debian/changelog index 2799cfdd9..9a61869a6 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,3 +1,30 @@ | |||
| 1 | openssh (1:3.6.1p2-8) unstable; urgency=high | ||
| 2 | |||
| 3 | * Merge more buffer allocation fixes from new upstream version 3.7.1p1 | ||
| 4 | (closes: #211324). | ||
| 5 | |||
| 6 | -- Colin Watson <cjwatson@debian.org> Wed, 17 Sep 2003 03:07:19 +0100 | ||
| 7 | |||
| 8 | openssh (1:3.6.1p2-7) unstable; urgency=high | ||
| 9 | |||
| 10 | * Update debconf template translations: | ||
| 11 | - French (thanks, Christian Perrier; closes: #208801). | ||
| 12 | - Japanese (thanks, Kenshi Muto; closes: #210380). | ||
| 13 | * Some small improvements to the English templates courtesy of Christian | ||
| 14 | Perrier. I've manually unfuzzied a few translations where it was | ||
| 15 | obvious, on Christian's advice, but the others will have to be updated. | ||
| 16 | * Document how to generate an RSA1 host key (closes: #141703). | ||
| 17 | * Incorporate NMU fix for early buffer expansion vulnerability, | ||
| 18 | CAN-2003-0693 (closes: #211205). Thanks to Michael Stone. | ||
| 19 | |||
| 20 | -- Colin Watson <cjwatson@debian.org> Tue, 16 Sep 2003 14:32:28 +0100 | ||
| 21 | |||
| 22 | openssh (1:3.6.1p2-6.0) unstable; urgency=high | ||
| 23 | |||
| 24 | * SECURITY: fix for CAN-2003-0693, buffer allocation error | ||
| 25 | |||
| 26 | -- Michael Stone <mstone@debian.org> Tue, 16 Sep 2003 08:27:07 -0400 | ||
| 27 | |||
| 1 | openssh (1:3.6.1p2-6) unstable; urgency=medium | 28 | openssh (1:3.6.1p2-6) unstable; urgency=medium |
| 2 | 29 | ||
| 3 | * Use a more CVS-friendly means of setting SSH_VERSION. | 30 | * Use a more CVS-friendly means of setting SSH_VERSION. |