2 files changed, 24 insertions, 11 deletions

diff --git a/ChangeLog b/ChangeLog
index 4e5392760..79658c520 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+20070228
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2007/02/28 00:55:30
+     [ssh-agent.c]
+     Remove expired keys periodically so they don't remain in memory when
+     the agent is entirely idle, as noted by David R. Piegdon.  This is the
+     simple fix, a more efficient one will be done later.  With markus,
+     deraadt, with & ok djm.
+
 20070225
  - (dtucker) OpenBSD CVS Sync
    - djm@cvs.openbsd.org 2007/02/20 10:25:14
@@ -2764,4 +2773,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4623 2007/02/25 09:38:55 dtucker Exp $
+$Id: ChangeLog,v 1.4624 2007/02/28 10:19:58 dtucker Exp $
diff --git a/ssh-agent.c b/ssh-agent.c
index ef95eb878..a3a867c33 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.153 2006/10/06 02:29:19 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.154 2007/02/28 00:55:30 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -434,6 +434,7 @@ reaper(void)
                 for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
                         nxt = TAILQ_NEXT(id, next);
                         if (id->death != 0 && now >= id->death) {
+                                debug("expiring key '%s'", id->comment);
                                 TAILQ_REMOVE(&tab->idlist, id, next);
                                 free_identity(id);
                                 tab->nentries--;
@@ -698,9 +699,6 @@ process_message(SocketEntry *e)
         u_int msg_len, type;
         u_char *cp;
 
-        /* kill dead keys */
-        reaper();
-
         if (buffer_len(&e->input) < 5)
                 return;         /* Incomplete message. */
         cp = buffer_ptr(&e->input);
@@ -1016,7 +1014,7 @@ int
 main(int ac, char **av)
 {
         int c_flag = 0, d_flag = 0, k_flag = 0, s_flag = 0;
-        int sock, fd, ch;
+        int sock, fd, ch, result, saved_errno;
         u_int nalloc;
         char *shell, *format, *pidstr, *agentsocket = NULL;
         fd_set *readsetp = NULL, *writesetp = NULL;
@@ -1029,6 +1027,7 @@ main(int ac, char **av)
         extern char *optarg;
         pid_t pid;
         char pidstrbuf[1 + 3 * sizeof pid];
+        struct timeval tv;
 
         /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
         sanitise_stdfd();
@@ -1242,13 +1241,18 @@ skip:
         nalloc = 0;
 
         while (1) {
+                tv.tv_sec = 10;
+                tv.tv_usec = 0;
                 prepare_select(&readsetp, &writesetp, &max_fd, &nalloc);
-                if (select(max_fd + 1, readsetp, writesetp, NULL, NULL) < 0) {
-                        if (errno == EINTR)
+                result = select(max_fd + 1, readsetp, writesetp, NULL, &tv);
+                saved_errno = errno;
+                reaper();       /* remove expired keys */
+                if (result < 0) {
+                        if (saved_errno == EINTR)
                                 continue;
-                        fatal("select: %s", strerror(errno));
-                }
-                after_select(readsetp, writesetp);
+                        fatal("select: %s", strerror(saved_errno));
+                } else if (result > 0)
+                        after_select(readsetp, writesetp);
         }
         /* NOTREACHED */
 }