diff options
| -rw-r--r-- | buffer.c | 1 | ||||
| -rw-r--r-- | deattack.c | 6 | ||||
| -rw-r--r-- | debian/changelog | 7 | ||||
| -rw-r--r-- | misc.c | 11 | ||||
| -rw-r--r-- | session.c | 16 | ||||
| -rw-r--r-- | ssh-agent.c | 15 |
6 files changed, 35 insertions, 21 deletions
| @@ -39,6 +39,7 @@ buffer_free(Buffer *buffer) | |||
| 39 | { | 39 | { |
| 40 | if (buffer->alloc > 0) { | 40 | if (buffer->alloc > 0) { |
| 41 | memset(buffer->buf, 0, buffer->alloc); | 41 | memset(buffer->buf, 0, buffer->alloc); |
| 42 | buffer->alloc = 0; | ||
| 42 | xfree(buffer->buf); | 43 | xfree(buffer->buf); |
| 43 | } | 44 | } |
| 44 | } | 45 | } |
diff --git a/deattack.c b/deattack.c index 0442501e7..8b55d6686 100644 --- a/deattack.c +++ b/deattack.c | |||
| @@ -18,7 +18,7 @@ | |||
| 18 | */ | 18 | */ |
| 19 | 19 | ||
| 20 | #include "includes.h" | 20 | #include "includes.h" |
| 21 | RCSID("$OpenBSD: deattack.c,v 1.18 2002/03/04 17:27:39 stevesk Exp $"); | 21 | RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $"); |
| 22 | 22 | ||
| 23 | #include "deattack.h" | 23 | #include "deattack.h" |
| 24 | #include "log.h" | 24 | #include "log.h" |
| @@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV) | |||
| 100 | 100 | ||
| 101 | if (h == NULL) { | 101 | if (h == NULL) { |
| 102 | debug("Installing crc compensation attack detector."); | 102 | debug("Installing crc compensation attack detector."); |
| 103 | h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE); | ||
| 103 | n = l; | 104 | n = l; |
| 104 | h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); | ||
| 105 | } else { | 105 | } else { |
| 106 | if (l > n) { | 106 | if (l > n) { |
| 107 | h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE); | ||
| 107 | n = l; | 108 | n = l; |
| 108 | h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); | ||
| 109 | } | 109 | } |
| 110 | } | 110 | } |
| 111 | 111 | ||
diff --git a/debian/changelog b/debian/changelog index 9a61869a6..60844b097 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,3 +1,10 @@ | |||
| 1 | openssh (1:3.6.1p2-9) unstable; urgency=high | ||
| 2 | |||
| 3 | * Merge even more buffer allocation fixes from upstream (CAN-2003-0682; | ||
| 4 | closes: #211434). | ||
| 5 | |||
| 6 | -- Colin Watson <cjwatson@debian.org> Fri, 19 Sep 2003 10:25:25 +0100 | ||
| 7 | |||
| 1 | openssh (1:3.6.1p2-8) unstable; urgency=high | 8 | openssh (1:3.6.1p2-8) unstable; urgency=high |
| 2 | 9 | ||
| 3 | * Merge more buffer allocation fixes from new upstream version 3.7.1p1 | 10 | * Merge more buffer allocation fixes from new upstream version 3.7.1p1 |
| @@ -308,18 +308,21 @@ addargs(arglist *args, char *fmt, ...) | |||
| 308 | { | 308 | { |
| 309 | va_list ap; | 309 | va_list ap; |
| 310 | char buf[1024]; | 310 | char buf[1024]; |
| 311 | int nalloc; | ||
| 311 | 312 | ||
| 312 | va_start(ap, fmt); | 313 | va_start(ap, fmt); |
| 313 | vsnprintf(buf, sizeof(buf), fmt, ap); | 314 | vsnprintf(buf, sizeof(buf), fmt, ap); |
| 314 | va_end(ap); | 315 | va_end(ap); |
| 315 | 316 | ||
| 317 | nalloc = args->nalloc; | ||
| 316 | if (args->list == NULL) { | 318 | if (args->list == NULL) { |
| 317 | args->nalloc = 32; | 319 | nalloc = 32; |
| 318 | args->num = 0; | 320 | args->num = 0; |
| 319 | } else if (args->num+2 >= args->nalloc) | 321 | } else if (args->num+2 >= nalloc) |
| 320 | args->nalloc *= 2; | 322 | nalloc *= 2; |
| 321 | 323 | ||
| 322 | args->list = xrealloc(args->list, args->nalloc * sizeof(char *)); | 324 | args->list = xrealloc(args->list, nalloc * sizeof(char *)); |
| 325 | args->nalloc = nalloc; | ||
| 323 | args->list[args->num++] = xstrdup(buf); | 326 | args->list[args->num++] = xstrdup(buf); |
| 324 | args->list[args->num] = NULL; | 327 | args->list[args->num] = NULL; |
| 325 | } | 328 | } |
| @@ -844,8 +844,9 @@ static void | |||
| 844 | child_set_env(char ***envp, u_int *envsizep, const char *name, | 844 | child_set_env(char ***envp, u_int *envsizep, const char *name, |
| 845 | const char *value) | 845 | const char *value) |
| 846 | { | 846 | { |
| 847 | u_int i, namelen; | ||
| 848 | char **env; | 847 | char **env; |
| 848 | u_int envsize; | ||
| 849 | u_int i, namelen; | ||
| 849 | 850 | ||
| 850 | /* | 851 | /* |
| 851 | * Find the slot where the value should be stored. If the variable | 852 | * Find the slot where the value should be stored. If the variable |
| @@ -862,12 +863,13 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, | |||
| 862 | xfree(env[i]); | 863 | xfree(env[i]); |
| 863 | } else { | 864 | } else { |
| 864 | /* New variable. Expand if necessary. */ | 865 | /* New variable. Expand if necessary. */ |
| 865 | if (i >= (*envsizep) - 1) { | 866 | envsize = *envsizep; |
| 866 | if (*envsizep >= 1000) | 867 | if (i >= envsize - 1) { |
| 867 | fatal("child_set_env: too many env vars," | 868 | if (envsize >= 1000) |
| 868 | " skipping: %.100s", name); | 869 | fatal("child_set_env: too many env vars"); |
| 869 | (*envsizep) += 50; | 870 | envsize += 50; |
| 870 | env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *)); | 871 | env = (*envp) = xrealloc(env, envsize * sizeof(char *)); |
| 872 | *envsizep = envsize; | ||
| 871 | } | 873 | } |
| 872 | /* Need to set the NULL pointer at end of array beyond the new slot. */ | 874 | /* Need to set the NULL pointer at end of array beyond the new slot. */ |
| 873 | env[i + 1] = NULL; | 875 | env[i + 1] = NULL; |
diff --git a/ssh-agent.c b/ssh-agent.c index eb593de73..a936134fe 100644 --- a/ssh-agent.c +++ b/ssh-agent.c | |||
| @@ -767,7 +767,7 @@ process_message(SocketEntry *e) | |||
| 767 | static void | 767 | static void |
| 768 | new_socket(sock_type type, int fd) | 768 | new_socket(sock_type type, int fd) |
| 769 | { | 769 | { |
| 770 | u_int i, old_alloc; | 770 | u_int i, old_alloc, new_alloc; |
| 771 | 771 | ||
| 772 | if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) | 772 | if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) |
| 773 | error("fcntl O_NONBLOCK: %s", strerror(errno)); | 773 | error("fcntl O_NONBLOCK: %s", strerror(errno)); |
| @@ -778,25 +778,26 @@ new_socket(sock_type type, int fd) | |||
| 778 | for (i = 0; i < sockets_alloc; i++) | 778 | for (i = 0; i < sockets_alloc; i++) |
| 779 | if (sockets[i].type == AUTH_UNUSED) { | 779 | if (sockets[i].type == AUTH_UNUSED) { |
| 780 | sockets[i].fd = fd; | 780 | sockets[i].fd = fd; |
| 781 | sockets[i].type = type; | ||
| 782 | buffer_init(&sockets[i].input); | 781 | buffer_init(&sockets[i].input); |
| 783 | buffer_init(&sockets[i].output); | 782 | buffer_init(&sockets[i].output); |
| 784 | buffer_init(&sockets[i].request); | 783 | buffer_init(&sockets[i].request); |
| 784 | sockets[i].type = type; | ||
| 785 | return; | 785 | return; |
| 786 | } | 786 | } |
| 787 | old_alloc = sockets_alloc; | 787 | old_alloc = sockets_alloc; |
| 788 | sockets_alloc += 10; | 788 | new_alloc = sockets_alloc + 10; |
| 789 | if (sockets) | 789 | if (sockets) |
| 790 | sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0])); | 790 | sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0])); |
| 791 | else | 791 | else |
| 792 | sockets = xmalloc(sockets_alloc * sizeof(sockets[0])); | 792 | sockets = xmalloc(new_alloc * sizeof(sockets[0])); |
| 793 | for (i = old_alloc; i < sockets_alloc; i++) | 793 | for (i = old_alloc; i < new_alloc; i++) |
| 794 | sockets[i].type = AUTH_UNUSED; | 794 | sockets[i].type = AUTH_UNUSED; |
| 795 | sockets[old_alloc].type = type; | 795 | sockets_alloc = new_alloc; |
| 796 | sockets[old_alloc].fd = fd; | 796 | sockets[old_alloc].fd = fd; |
| 797 | buffer_init(&sockets[old_alloc].input); | 797 | buffer_init(&sockets[old_alloc].input); |
| 798 | buffer_init(&sockets[old_alloc].output); | 798 | buffer_init(&sockets[old_alloc].output); |
| 799 | buffer_init(&sockets[old_alloc].request); | 799 | buffer_init(&sockets[old_alloc].request); |
| 800 | sockets[old_alloc].type = type; | ||
| 800 | } | 801 | } |
| 801 | 802 | ||
| 802 | static int | 803 | static int |