27 files changed, 127 insertions, 124 deletions
diff --git a/ChangeLog b/ChangeLog
index 04275b22c..20d034a6e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -104,6 +104,20 @@
   - deraadt@cvs.openbsd.org 2006/03/20 21:11:53
     [ttymodes.c]
     spacing
+   - djm@cvs.openbsd.org 2006/03/25 00:05:41
+     [auth-bsdauth.c auth-skey.c auth.c auth2-chall.c channels.c]
+     [clientloop.c deattack.c gss-genr.c kex.c key.c misc.c moduli.c]
+     [monitor.c monitor_wrap.c packet.c scard.c sftp-server.c ssh-agent.c]
+     [ssh-keyscan.c ssh.c sshconnect.c sshconnect2.c sshd.c uuencode.c]
+     [xmalloc.c xmalloc.h]
+     introduce xcalloc() and xasprintf() failure-checked allocations 
+     functions and use them throughout openssh
+     xcalloc is particularly important because malloc(nmemb * size) is a
+     dangerous idiom (subject to integer overflow) and it is time for it 
+     to die
+     feedback and ok deraadt@
 20060325
 - OpenBSD CVS Sync
@@ -4361,4 +4375,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4272 2006/03/26 03:10:34 djm Exp $
+$Id: ChangeLog,v 1.4273 2006/03/26 03:19:21 djm Exp $
diff --git a/auth-bsdauth.c b/auth-bsdauth.c
index f48b43174..2ccbc9d43 100644
--- a/auth-bsdauth.c
+++ b/auth-bsdauth.c
@@ -68,9 +68,8 @@ bsdauth_query(void *ctx, char **name, char **infotxt,
        *name = xstrdup("");
        *infotxt = xstrdup("");
        *numprompts = 1;
-        *prompts = xmalloc(*numprompts * sizeof(char *));
+        *prompts = xcalloc(*numprompts, sizeof(char *));
-        *echo_on = xmalloc(*numprompts * sizeof(u_int));
+        *echo_on = xcalloc(*numprompts, sizeof(u_int));
-        (*echo_on)[0] = 0;
        (*prompts)[0] = xstrdup(challenge);
        return 0;
diff --git a/auth-skey.c b/auth-skey.c
index ce8c1a809..3e6a06db7 100644
--- a/auth-skey.c
+++ b/auth-skey.c
@@ -53,15 +53,10 @@ skey_query(void *ctx, char **name, char **infotxt,
        *name  = xstrdup("");
        *infotxt  = xstrdup("");
        *numprompts = 1;
-        *prompts = xmalloc(*numprompts * sizeof(char *));
+        *prompts = xcalloc(*numprompts, sizeof(char *));
-        *echo_on = xmalloc(*numprompts * sizeof(u_int));
+        *echo_on = xcalloc(*numprompts, sizeof(u_int));
-        (*echo_on)[0] = 0;
-        len = strlen(challenge) + strlen(SKEY_PROMPT) + 1;
+        xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
-        p = xmalloc(len);
-        strlcpy(p, challenge, len);
-        strlcat(p, SKEY_PROMPT, len);
-        (*prompts)[0] = p;
        return 0;
 }
diff --git a/auth.c b/auth.c
index 85c6f8d1d..aa6d66075 100644
--- a/auth.c
+++ b/auth.c
@@ -340,7 +340,8 @@ auth_root_allowed(char *method)
 static char *
 expand_authorized_keys(const char *filename, struct passwd *pw)
 {
-        char *file, *ret;
+        char *file, ret[MAXPATHLEN];
+        int i;
        file = percent_expand(filename, "h", pw->pw_dir,
            "u", pw->pw_name, (char *)NULL);
@@ -352,14 +353,11 @@ expand_authorized_keys(const char *filename, struct passwd *pw)
        if (*file == '/')
                return (file);
-        ret = xmalloc(MAXPATHLEN);
+        i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
-        if (strlcpy(ret, pw->pw_dir, MAXPATHLEN) >= MAXPATHLEN ||
+        if (i < 0 || (size_t)i >= sizeof(ret))
-            strlcat(ret, "/", MAXPATHLEN) >= MAXPATHLEN ||
-            strlcat(ret, file, MAXPATHLEN) >= MAXPATHLEN)
                fatal("expand_authorized_keys: path too long");
        xfree(file);
-        return (ret);
+        return (xstrdup(ret));
 }
 char *
diff --git a/auth2-chall.c b/auth2-chall.c
index 8860a94c5..d54ee2856 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -290,7 +290,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
        if (nresp > 100)
                fatal("input_userauth_info_response: too many replies");
        if (nresp > 0) {
-                response = xmalloc(nresp * sizeof(char *));
+                response = xcalloc(nresp, sizeof(char *));
                for (i = 0; i < nresp; i++)
                        response[i] = packet_get_string(NULL);
        }
diff --git a/channels.c b/channels.c
index 1ff7152a8..0e7d5cf58 100644
--- a/channels.c
+++ b/channels.c
@@ -249,7 +249,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
        /* Do initial allocation if this is the first call. */
        if (channels_alloc == 0) {
                channels_alloc = 10;
-                channels = xmalloc(channels_alloc * sizeof(Channel *));
+                channels = xcalloc(channels_alloc, sizeof(Channel *));
                for (i = 0; i < channels_alloc; i++)
                        channels[i] = NULL;
        }
@@ -274,8 +274,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
                        channels[i] = NULL;
        }
        /* Initialize and return new channel. */
-        c = channels[found] = xmalloc(sizeof(Channel));
+        c = channels[found] = xcalloc(1, sizeof(Channel));
-        memset(c, 0, sizeof(Channel));
        buffer_init(&c->input);
        buffer_init(&c->output);
        buffer_init(&c->extended);
@@ -2842,7 +2841,7 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
        }
        /* Allocate a channel for each socket. */
-        *chanids = xmalloc(sizeof(**chanids) * (num_socks + 1));
+        *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
        for (n = 0; n < num_socks; n++) {
                sock = socks[n];
                nc = channel_new("x11 listener",
diff --git a/clientloop.c b/clientloop.c
index 36a4a64ae..aa4ebb3aa 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -820,8 +820,7 @@ client_process_control(fd_set * readset)
                return;
        }
-        cctx = xmalloc(sizeof(*cctx));
+        cctx = xcalloc(1, sizeof(*cctx));
-        memset(cctx, 0, sizeof(*cctx));
        cctx->want_tty = (flags & SSHMUX_FLAG_TTY) != 0;
        cctx->want_subsys = (flags & SSHMUX_FLAG_SUBSYS) != 0;
        cctx->want_x_fwd = (flags & SSHMUX_FLAG_X11_FWD) != 0;
@@ -836,7 +835,7 @@ client_process_control(fd_set * readset)
        env_len = MIN(env_len, 4096);
        debug3("%s: receiving %d env vars", __func__, env_len);
        if (env_len != 0) {
-                cctx->env = xmalloc(sizeof(*cctx->env) * (env_len + 1));
+                cctx->env = xcalloc(env_len + 1, sizeof(*cctx->env));
                for (i = 0; i < env_len; i++)
                        cctx->env[i] = buffer_get_string(&m, &len);
                cctx->env[i] = NULL;
diff --git a/deattack.c b/deattack.c
index bf4451b88..746ff5d43 100644
--- a/deattack.c
+++ b/deattack.c
@@ -93,7 +93,7 @@ detect_attack(u_char *buf, u_int32_t len)
        if (h == NULL) {
                debug("Installing crc compensation attack detector.");
-                h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
+                h = (u_int16_t *) xcalloc(l, HASH_ENTRYSIZE);
                n = l;
        } else {
                if (l > n) {
diff --git a/gss-genr.c b/gss-genr.c
index 8d75ee5c7..9cedfcdc3 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: gss-genr.c,v 1.7 2006/03/20 04:07:49 djm Exp $        */
+/*      $OpenBSD: gss-genr.c,v 1.8 2006/03/25 00:05:41 djm Exp $        */
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -135,9 +135,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
 void
 ssh_gssapi_build_ctx(Gssctxt **ctx)
 {
-        *ctx = xmalloc(sizeof (Gssctxt));
+        *ctx = xcalloc(1, sizeof (Gssctxt));
-        (*ctx)->major = 0;
-        (*ctx)->minor = 0;
        (*ctx)->context = GSS_C_NO_CONTEXT;
        (*ctx)->name = GSS_C_NO_NAME;
        (*ctx)->oid = GSS_C_NO_OID;
diff --git a/kex.c b/kex.c
index 91081b18e..030df6be0 100644
--- a/kex.c
+++ b/kex.c
@@ -82,7 +82,7 @@ kex_buf2prop(Buffer *raw, int *first_kex_follows)
        int i;
        char **proposal;
-        proposal = xmalloc(PROPOSAL_MAX * sizeof(char *));
+        proposal = xcalloc(PROPOSAL_MAX, sizeof(char *));
        buffer_init(&b);
        buffer_append(&b, buffer_ptr(raw), buffer_len(raw));
@@ -217,8 +217,7 @@ kex_setup(char *proposal[PROPOSAL_MAX])
 {
        Kex *kex;
-        kex = xmalloc(sizeof(*kex));
+        kex = xcalloc(1, sizeof(*kex));
-        memset(kex, 0, sizeof(*kex));
        buffer_init(&kex->peer);
        buffer_init(&kex->my);
        kex_prop2buf(&kex->my, proposal);
@@ -379,8 +378,7 @@ kex_choose_conf(Kex *kex)
        /* Algorithm Negotiation */
        for (mode = 0; mode < MODE_MAX; mode++) {
-                newkeys = xmalloc(sizeof(*newkeys));
+                newkeys = xcalloc(1, sizeof(*newkeys));
-                memset(newkeys, 0, sizeof(*newkeys));
                kex->newkeys[mode] = newkeys;
                ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
                nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
diff --git a/key.c b/key.c
index d6dd3abea..0d29593b0 100644
--- a/key.c
+++ b/key.c
@@ -49,9 +49,8 @@ key_new(int type)
        Key *k;
        RSA *rsa;
        DSA *dsa;
-        k = xmalloc(sizeof(*k));
+        k = xcalloc(1, sizeof(*k));
        k->type = type;
-        k->flags = 0;
        k->dsa = NULL;
        k->rsa = NULL;
        switch (k->type) {
@@ -231,8 +230,7 @@ key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
        char *retval;
        u_int i;
-        retval = xmalloc(dgst_raw_len * 3 + 1);
+        retval = xcalloc(1, dgst_raw_len * 3 + 1);
-        retval[0] = '\0';
        for (i = 0; i < dgst_raw_len; i++) {
                char hex[4];
                snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
@@ -254,7 +252,7 @@ key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
        char *retval;
        rounds = (dgst_raw_len / 2) + 1;
-        retval = xmalloc(sizeof(char) * (rounds*6));
+        retval = xcalloc((rounds * 6), sizeof(char));
        retval[j++] = 'x';
        for (i = 0; i < rounds; i++) {
                u_int idx0, idx1, idx2, idx3, idx4;
@@ -824,7 +822,7 @@ key_demote(const Key *k)
 {
        Key *pk;
-        pk = xmalloc(sizeof(*pk));
+        pk = xcalloc(1, sizeof(*pk));
        pk->type = k->type;
        pk->flags = k->flags;
        pk->dsa = NULL;
diff --git a/misc.c b/misc.c
index 1949dd4b3..bf7b1ed66 100644
--- a/misc.c
+++ b/misc.c
@@ -172,9 +172,8 @@ strdelim(char **s)
 struct passwd *
 pwcopy(struct passwd *pw)
 {
-        struct passwd *copy = xmalloc(sizeof(*copy));
+        struct passwd *copy = xcalloc(1, sizeof(*copy));
-        memset(copy, 0, sizeof(*copy));
        copy->pw_name = xstrdup(pw->pw_name);
        copy->pw_passwd = xstrdup(pw->pw_passwd);
        copy->pw_gecos = xstrdup(pw->pw_gecos);
@@ -697,8 +696,7 @@ tohex(const u_char *d, u_int l)
        u_int i, hl;
        hl = l * 2 + 1;
-        r = xmalloc(hl);
+        r = xcalloc(1, hl);
-        *r = '\0';
        for (i = 0; i < l; i++) {
                snprintf(b, sizeof(b), "%02x", d[i]);
                strlcat(r, b, hl);
diff --git a/moduli.c b/moduli.c
index d53806ea6..f6f15a2a4 100644
--- a/moduli.c
+++ b/moduli.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: moduli.c,v 1.12 2005/07/17 07:17:55 djm Exp $ */
+/* $OpenBSD: moduli.c,v 1.13 2006/03/25 00:05:41 djm Exp $ */
 /*
 * Copyright 1994 Phil Karn <karn@qualcomm.com>
 * Copyright 1996-1998, 2003 William Allen Simpson <wsimpson@greendragon.com>
@@ -301,21 +301,10 @@ gen_candidates(FILE *out, u_int32_t memory, u_int32_t power, BIGNUM *start)
                largewords = (largememory << SHIFT_MEGAWORD);
        }
-        TinySieve = calloc(tinywords, sizeof(u_int32_t));
+        TinySieve = xcalloc(tinywords, sizeof(u_int32_t));
-        if (TinySieve == NULL) {
-                error("Insufficient memory for tiny sieve: need %u bytes",
-                    tinywords << SHIFT_BYTE);
-                exit(1);
-        }
        tinybits = tinywords << SHIFT_WORD;
-        SmallSieve = calloc(smallwords, sizeof(u_int32_t));
+        SmallSieve = xcalloc(smallwords, sizeof(u_int32_t));
-        if (SmallSieve == NULL) {
-                error("Insufficient memory for small sieve: need %u bytes",
-                    smallwords << SHIFT_BYTE);
-                xfree(TinySieve);
-                exit(1);
-        }
        smallbits = smallwords << SHIFT_WORD;
        /*
diff --git a/monitor.c b/monitor.c
index 97b420fc3..7409be32b 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1625,8 +1625,7 @@ mm_get_kex(Buffer *m)
        void *blob;
        u_int bloblen;
-        kex = xmalloc(sizeof(*kex));
+        kex = xcalloc(1, sizeof(*kex));
-        memset(kex, 0, sizeof(*kex));
        kex->session_id = buffer_get_string(m, &kex->session_id_len);
        if ((session_id2 == NULL) ||
            (kex->session_id_len != session_id2_len) ||
@@ -1796,9 +1795,8 @@ monitor_init(void)
        struct monitor *mon;
        int pair[2];
-        mon = xmalloc(sizeof(*mon));
+        mon = xcalloc(1, sizeof(*mon));
-        mon->m_pid = 0;
        monitor_socketpair(pair);
        mon->m_recvfd = pair[0];
diff --git a/monitor_wrap.c b/monitor_wrap.c
index e5a65491d..cd340360a 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -859,8 +859,8 @@ mm_chall_setup(char **name, char **infotxt, u_int *numprompts,
        *name = xstrdup("");
        *infotxt = xstrdup("");
        *numprompts = 1;
-        *prompts = xmalloc(*numprompts * sizeof(char *));
+        *prompts = xcalloc(*numprompts, sizeof(char *));
-        *echo_on = xmalloc(*numprompts * sizeof(u_int));
+        *echo_on = xcalloc(*numprompts, sizeof(u_int));
        (*echo_on)[0] = 0;
 }
@@ -953,11 +953,7 @@ mm_skey_query(void *ctx, char **name, char **infotxt,
        mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);
-        len = strlen(challenge) + strlen(SKEY_PROMPT) + 1;
+        xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
-        p = xmalloc(len);
-        strlcpy(p, challenge, len);
-        strlcat(p, SKEY_PROMPT, len);
-        (*prompts)[0] = p;
        xfree(challenge);
        return (0);
diff --git a/packet.c b/packet.c
index 0121f8aee..40c6b1d2b 100644
--- a/packet.c
+++ b/packet.c
@@ -877,7 +877,7 @@ packet_read_seqnr(u_int32_t *seqnr_p)
        char buf[8192];
        DBG(debug("packet_read()"));
-        setp = (fd_set *)xmalloc(howmany(connection_in+1, NFDBITS) *
+        setp = (fd_set *)xcalloc(howmany(connection_in+1, NFDBITS),
            sizeof(fd_mask));
        /* Since we are blocking, ensure that all written packets have been sent. */
@@ -1419,7 +1419,7 @@ packet_write_wait(void)
 {
        fd_set *setp;
-        setp = (fd_set *)xmalloc(howmany(connection_out + 1, NFDBITS) *
+        setp = (fd_set *)xcalloc(howmany(connection_out + 1, NFDBITS),
            sizeof(fd_mask));
        packet_write_poll();
        while (packet_have_data_to_write()) {
diff --git a/scard.c b/scard.c
index 7cffc2d4e..c0c22aa73 100644
--- a/scard.c
+++ b/scard.c
@@ -382,7 +382,7 @@ sc_get_keys(const char *id, const char *pin)
                key_free(k);
                return NULL;
        }
-        keys = xmalloc((nkeys+1) * sizeof(Key *));
+        keys = xcalloc((nkeys+1), sizeof(Key *));
        n = key_new(KEY_RSA1);
        BN_copy(n->rsa->n, k->rsa->n);
diff --git a/sftp-server.c b/sftp-server.c
index cf3458120..a6add52aa 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -712,7 +712,7 @@ process_readdir(void)
                Stat *stats;
                int nstats = 10, count = 0, i;
-                stats = xmalloc(nstats * sizeof(Stat));
+                stats = xcalloc(nstats, sizeof(Stat));
                while ((dp = readdir(dirp)) != NULL) {
                        if (count >= nstats) {
                                nstats *= 2;
diff --git a/ssh-agent.c b/ssh-agent.c
index 7feb898dd..67bde5560 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -109,8 +109,8 @@ int max_fd = 0;
 pid_t parent_pid = -1;
 /* pathname and directory for AUTH_SOCKET */
-char socket_name[1024];
+char socket_name[MAXPATHLEN];
-char socket_dir[1024];
+char socket_dir[MAXPATHLEN];
 /* locking */
 int locked = 0;
@@ -803,10 +803,7 @@ new_socket(sock_type type, int fd)
                }
        old_alloc = sockets_alloc;
        new_alloc = sockets_alloc + 10;
-        if (sockets)
+        sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
-                sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
-        else
-                sockets = xmalloc(new_alloc * sizeof(sockets[0]));
        for (i = old_alloc; i < new_alloc; i++)
                sockets[i].type = AUTH_UNUSED;
        sockets_alloc = new_alloc;
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index c7296938b..07b679442 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -54,7 +54,7 @@ int maxfd;
 extern char *__progname;
 fd_set *read_wait;
-size_t read_wait_size;
+size_t read_wait_nfdset;
 int ncon;
 int nonfatal_fatal = 0;
 jmp_buf kexjmp;
@@ -634,10 +634,10 @@ conloop(void)
        } else
                seltime.tv_sec = seltime.tv_usec = 0;
-        r = xmalloc(read_wait_size);
+        r = xcalloc(read_wait_nfdset, sizeof(fd_mask));
-        memcpy(r, read_wait, read_wait_size);
+        e = xcalloc(read_wait_nfdset, sizeof(fd_mask));
-        e = xmalloc(read_wait_size);
+        memcpy(r, read_wait, read_wait_nfdset * sizeof(fd_mask));
-        memcpy(e, read_wait, read_wait_size);
+        memcpy(e, read_wait, read_wait_nfdset * sizeof(fd_mask));
        while (select(maxfd, r, NULL, e, &seltime) == -1 &&
            (errno == EAGAIN || errno == EINTR))
@@ -804,12 +804,10 @@ main(int argc, char **argv)
                fatal("%s: not enough file descriptors", __progname);
        if (maxfd > fdlim_get(0))
                fdlim_set(maxfd);
-        fdcon = xmalloc(maxfd * sizeof(con));
+        fdcon = xcalloc(maxfd, sizeof(con));
-        memset(fdcon, 0, maxfd * sizeof(con));
-        read_wait_size = howmany(maxfd, NFDBITS) * sizeof(fd_mask);
+        read_wait_nfdset = howmany(maxfd, NFDBITS);
-        read_wait = xmalloc(read_wait_size);
+        read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask));
-        memset(read_wait, 0, read_wait_size);
        if (fopt_count) {
                Linebuf *lb;
diff --git a/ssh.c b/ssh.c
index 0c950745b..f34be679c 100644
--- a/ssh.c
+++ b/ssh.c
@@ -687,7 +687,7 @@ main(int ac, char **av)
        if (options.rhosts_rsa_authentication ||
            options.hostbased_authentication) {
                sensitive_data.nkeys = 3;
-                sensitive_data.keys = xmalloc(sensitive_data.nkeys *
+                sensitive_data.keys = xcalloc(sensitive_data.nkeys, 
                    sizeof(Key));
                PRIV_START;
@@ -1250,7 +1250,8 @@ env_permitted(char *env)
        int i;
        char name[1024], *cp;
-        strlcpy(name, env, sizeof(name));
+        if (strlcpy(name, env, sizeof(name)) >= sizeof(name))
+                fatal("env_permitted: name too long");
        if ((cp = strchr(name, '=')) == NULL)
                return (0);
diff --git a/sshconnect.c b/sshconnect.c
index 33961e4dc..8d4928a82 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -68,7 +68,6 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
        int pin[2], pout[2];
        pid_t pid;
        char strport[NI_MAXSERV];
-        size_t len;
        /* Convert the port number into a string. */
        snprintf(strport, sizeof strport, "%hu", port);
@@ -80,10 +79,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
         * Use "exec" to avoid "sh -c" processes on some platforms
         * (e.g. Solaris)
         */
-        len = strlen(proxy_command) + 6;
+        xasprintf(&tmp, "exec %s", proxy_command);
-        tmp = xmalloc(len);
-        strlcpy(tmp, "exec ", len);
-        strlcat(tmp, proxy_command, len);
        command_string = percent_expand(tmp, "h", host,
            "p", strport, (char *)NULL);
        xfree(tmp);
@@ -211,7 +207,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
        fd_set *fdset;
        struct timeval tv;
        socklen_t optlen;
-        int fdsetsz, optval, rc, result = -1;
+        int optval, rc, result = -1;
        if (timeout <= 0)
                return (connect(sockfd, serv_addr, addrlen));
@@ -225,10 +221,8 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr,
        if (errno != EINPROGRESS)
                return (-1);
-        fdsetsz = howmany(sockfd + 1, NFDBITS) * sizeof(fd_mask);
+        fdset = (fd_set *)xcalloc(howmany(sockfd + 1, NFDBITS),
-        fdset = (fd_set *)xmalloc(fdsetsz);
+            sizeof(fd_mask));
-        memset(fdset, 0, fdsetsz);
        FD_SET(sockfd, fdset);
        tv.tv_sec = timeout;
        tv.tv_usec = 0;
@@ -957,8 +951,7 @@ ssh_put_password(char *password)
                return;
        }
        size = roundup(strlen(password) + 1, 32);
-        padded = xmalloc(size);
+        padded = xcalloc(1, size);
-        memset(padded, 0, size);
        strlcpy(padded, password, size);
        packet_put_string(padded, size);
        memset(padded, 0, size);
diff --git a/sshconnect2.c b/sshconnect2.c
index f8d21489e..c3501c2a5 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1029,8 +1029,7 @@ pubkey_prepare(Authctxt *authctxt)
                if (key && key->type == KEY_RSA1)
                        continue;
                options.identity_keys[i] = NULL;
-                id = xmalloc(sizeof(*id));
+                id = xcalloc(1, sizeof(*id));
-                memset(id, 0, sizeof(*id));
                id->key = key;
                id->filename = xstrdup(options.identity_files[i]);
                TAILQ_INSERT_TAIL(&files, id, next);
@@ -1054,8 +1053,7 @@ pubkey_prepare(Authctxt *authctxt)
                                }
                        }
                        if (!found && !options.identities_only) {
-                                id = xmalloc(sizeof(*id));
+                                id = xcalloc(1, sizeof(*id));
-                                memset(id, 0, sizeof(*id));
                                id->key = key;
                                id->filename = comment;
                                id->ac = ac;
@@ -1336,9 +1334,7 @@ userauth_hostbased(Authctxt *authctxt)
                return 0;
        }
        len = strlen(p) + 2;
-        chost = xmalloc(len);
+        xasprintf(&chost, "%s.", p);
-        strlcpy(chost, p, len);
-        strlcat(chost, ".", len);
        debug2("userauth_hostbased: chost %s", chost);
        xfree(p);
diff --git a/sshd.c b/sshd.c
index bb830161e..28e8c1aa3 100644
--- a/sshd.c
+++ b/sshd.c
@@ -891,7 +891,7 @@ main(int ac, char **av)
 {
        extern char *optarg;
        extern int optind;
-        int opt, j, i, fdsetsz, on = 1;
+        int opt, j, i, on = 1;
        int sock_in = -1, sock_out = -1, newsock = -1;
        pid_t pid;
        socklen_t fromlen;
@@ -1110,7 +1110,7 @@ main(int ac, char **av)
        debug("sshd version %.100s", SSH_RELEASE);
        /* load private host keys */
-        sensitive_data.host_keys = xmalloc(options.num_host_key_files *
+        sensitive_data.host_keys = xcalloc(options.num_host_key_files,
            sizeof(Key *));
        for (i = 0; i < options.num_host_key_files; i++)
                sensitive_data.host_keys[i] = NULL;
@@ -1212,7 +1212,7 @@ main(int ac, char **av)
                debug("setgroups() failed: %.200s", strerror(errno));
        if (rexec_flag) {
-                rexec_argv = xmalloc(sizeof(char *) * (rexec_argc + 2));
+                rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *));
                for (i = 0; i < rexec_argc; i++) {
                        debug("rexec_argv[%d]='%s'", i, saved_argv[i]);
                        rexec_argv[i] = saved_argv[i];
@@ -1391,7 +1391,7 @@ main(int ac, char **av)
                        if (listen_socks[i] > maxfd)
                                maxfd = listen_socks[i];
                /* pipes connected to unauthenticated childs */
-                startup_pipes = xmalloc(options.max_startups * sizeof(int));
+                startup_pipes = xcalloc(options.max_startups, sizeof(int));
                for (i = 0; i < options.max_startups; i++)
                        startup_pipes[i] = -1;
@@ -1404,9 +1404,8 @@ main(int ac, char **av)
                                sighup_restart();
                        if (fdset != NULL)
                                xfree(fdset);
-                        fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask);
+                        fdset = (fd_set *)xcalloc(howmany(maxfd + 1, NFDBITS),
-                        fdset = (fd_set *)xmalloc(fdsetsz);
+                            sizeof(fd_mask));
-                        memset(fdset, 0, fdsetsz);
                        for (i = 0; i < num_listen_socks; i++)
                                FD_SET(listen_socks[i], fdset);
@@ -1713,8 +1712,7 @@ main(int ac, char **av)
        packet_set_nonblocking();
        /* allocate authentication context */
-        authctxt = xmalloc(sizeof(*authctxt));
+        authctxt = xcalloc(1, sizeof(*authctxt));
-        memset(authctxt, 0, sizeof(*authctxt));
        authctxt->loginmsg = &loginmsg;
diff --git a/uuencode.c b/uuencode.c
index 314eb92f3..feda6a016 100644
--- a/uuencode.c
+++ b/uuencode.c
@@ -57,9 +57,14 @@ uudecode(const char *src, u_char *target, size_t targsize)
 void
 dump_base64(FILE *fp, u_char *data, u_int len)
 {
-        char *buf = xmalloc(2*len);
+        char *buf;;
        int i, n;
+        if (len > 65536) {
+                fprintf(fp, "dump_base64: len > 65536\n");
+                return;
+        }
+        buf = xmalloc(2*len);
        n = uuencode(data, len, buf, 2*len);
        for (i = 0; i < n; i++) {
                fprintf(fp, "%c", buf[i]);
diff --git a/xmalloc.c b/xmalloc.c
index 64e439853..6d56781d9 100644
--- a/xmalloc.c
+++ b/xmalloc.c
@@ -31,6 +31,22 @@ xmalloc(size_t size)
 }
 void *
+xcalloc(size_t nmemb, size_t size)
+{
+        void *ptr;
+        if (nmemb && size && SIZE_T_MAX / nmemb < size)
+                fatal("xcalloc: nmemb * size > SIZE_T_MAX");
+        if (size == 0 || nmemb == 0)
+                fatal("xcalloc: zero size");
+        ptr = calloc(nmemb, size);
+        if (ptr == NULL)
+                fatal("xcalloc: out of memory (allocating %lu bytes)",
+                    (u_long)(size * nmemb));
+        return ptr;
+}
+void *
 xrealloc(void *ptr, size_t new_size)
 {
        void *new_ptr;
@@ -65,3 +81,19 @@ xstrdup(const char *str)
        strlcpy(cp, str, len);
        return cp;
 }
+int
+xasprintf(char **ret, const char *fmt, ...)
+{
+        va_list ap;
+        int i;
+        va_start(ap, fmt);
+        i = vasprintf(ret, fmt, ap);
+        va_end(ap);
+        if (i < 0 || *ret == NULL)
+                fatal("xasprintf: could not allocate memory");
+        return (i);
+}
diff --git a/xmalloc.h b/xmalloc.h
index 7ac4b13d6..b6d521a66 100644
--- a/xmalloc.h
+++ b/xmalloc.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: xmalloc.h,v 1.9 2002/06/19 00:27:55 deraadt Exp $     */
+/*      $OpenBSD: xmalloc.h,v 1.10 2006/03/25 00:05:41 djm Exp $        */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -20,8 +20,12 @@
 #define XMALLOC_H
 void    *xmalloc(size_t);
+void    *xcalloc(size_t, size_t);
 void    *xrealloc(void *, size_t);
 void     xfree(void *);
 char    *xstrdup(const char *);
+int      xasprintf(char **, const char *, ...)
+                __attribute__((__format__ (printf, 2, 3)))
+                __attribute__((__nonnull__ (2)));
 #endif                          /* XMALLOC_H */