2 files changed, 12 insertions, 4 deletions

diff --git a/buffer.c b/buffer.c
index ad04b267e..983f6bc2f 100644
--- a/buffer.c
+++ b/buffer.c
@@ -69,6 +69,7 @@ buffer_append(Buffer *buffer, const void *data, u_int len)
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+        u_int newlen;
         void *p;
 
         if (len > 0x100000)
@@ -98,11 +99,12 @@ restart:
                 goto restart;
         }
         /* Increase the size of the buffer and retry. */
-        buffer->alloc += len + 32768;
-        if (buffer->alloc > 0xa00000)
+        newlen = buffer->alloc + len + 32768;
+        if (newlen > 0xa00000)
                 fatal("buffer_append_space: alloc %u not supported",
-                    buffer->alloc);
-        buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+                    newlen);
+        buffer->buf = xrealloc(buffer->buf, newlen);
+        buffer->alloc = newlen;
         goto restart;
         /* NOTREACHED */
 }
diff --git a/debian/changelog b/debian/changelog
index b194b4296..f93aacd3a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,12 @@ openssh (1:3.6.1p2-7) UNRELEASED; urgency=low
 
  -- Colin Watson <cjwatson@debian.org>  Thu, 11 Sep 2003 11:45:35 +0100
 
+openssh (1:3.6.1p2-6.0) unstable; urgency=high
+
+  * SECURITY: fix for CAN-2003-0693, buffer allocation error
+
+ -- Michael Stone <mstone@debian.org>  Tue, 16 Sep 2003 08:27:07 -0400
+
 openssh (1:3.6.1p2-6) unstable; urgency=medium
 
   * Use a more CVS-friendly means of setting SSH_VERSION.