authorJacques Vidrine <nectar@FreeBSD.org>2003-09-17 14:58:56 +0000
committerJacques Vidrine <nectar@FreeBSD.org>2003-09-17 14:58:56 +0000
commitfae992ffd52613b12724a74f84ec4886316abe42 (patch)
tree12f2c1e32658b9cebc4737587d82a54a31440aae
parent2a7db4f2b114022bac421ea8ad9e6388d2c1cb2e (diff)
MFC buffer.c 1.2, channels.c 1.16, deattack.c 1.1.1.6,
misc.c 1.1.1.5 (->scp.c), session.c 1.41, ssh-agent.c 1.19: Correct more cases of allocation size bookkeeping errors.
Notes
Notes: svn path=/releng/4.4/; revision=120168
-rw-r--r--UPDATING3
-rw-r--r--crypto/openssh/buffer.c13
-rw-r--r--crypto/openssh/channels.c6
-rw-r--r--crypto/openssh/deattack.c4
-rw-r--r--crypto/openssh/scp.c11
-rw-r--r--crypto/openssh/session.c9
-rw-r--r--crypto/openssh/ssh-agent.c15
-rw-r--r--crypto/openssh/version.h2
-rw-r--r--sys/conf/newvers.sh2
9 files changed, 42 insertions, 23 deletions
diff --git a/UPDATING b/UPDATING
index 64a5dbf3c4f6..ab9253edbcc5 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,9 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20030916: p41 FreeBSD-SA-03:12.openssh
+ Follow-up fixes for OpenSSH oversized packet buffer handling.
+
20030916: p40 FreeBSD-SA-03:12.openssh
OpenSSH oversized packet buffer handling corrected.
diff --git a/crypto/openssh/buffer.c b/crypto/openssh/buffer.c
index f7dc45eb9ef0..f844df36b404 100644
--- a/crypto/openssh/buffer.c
+++ b/crypto/openssh/buffer.c
@@ -23,8 +23,11 @@ RCSID("$OpenBSD: buffer.c,v 1.8 2000/09/07 20:27:50 deraadt Exp $");
void
buffer_init(Buffer *buffer)
{
- buffer->alloc = 4096;
- buffer->buf = xmalloc(buffer->alloc);
+ const u_int len = 4096;
+
+ buffer->alloc = 0;
+ buffer->buf = xmalloc(len);
+ buffer->alloc = len;
buffer->offset = 0;
buffer->end = 0;
}
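Review bot: The reason `buffer->alloc` is zeroed before the `xmalloc` call in `buffer_init` is not recorded anywhere, and without it the three-step sequence looks redundant. Judging by the `alloc > 0` guard this commit adds to `buffer_free`, the intent appears to be that a buffer whose allocation never completed is not later wiped and freed using a stale size. I would add a comment above the first assignment such as `/* keep alloc at 0 until xmalloc() has returned, so buffer_free() skips a buffer that was never allocated */`.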
@@ -34,8 +37,10 @@ buffer_init(Buffer *buffer)
void
buffer_free(Buffer *buffer)
{
- memset(buffer->buf, 0, buffer->alloc);
- xfree(buffer->buf);
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
+ xfree(buffer->buf);
+ }
}
/*
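Review bot: The new `alloc > 0` guard in `buffer_free` only protects against a repeated call if `alloc` is cleared once the memory is released, and this hunk leaves it unchanged. As written, a second `buffer_free` on the same Buffer would still `memset` and `xfree` an already freed pointer. Adding `buffer->alloc = 0;` before `xfree(buffer->buf);` inside the block closes that gap and keeps the field consistent with what `buffer_init` now establishes.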
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c
index 176398c40f1e..e5125e856cfb 100644
--- a/crypto/openssh/channels.c
+++ b/crypto/openssh/channels.c
@@ -251,9 +251,13 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
if (found == -1) {
/* There are no free slots. Take last+1 slot and expand the array. */
found = channels_alloc;
+ if (channels_alloc > 10000)
+ fatal("channel_new: internal error: channels_alloc %d "
+ "too big.", channels_alloc);
+ channels = xrealloc(channels,
+ (channels_alloc + 10) * sizeof(Channel));
channels_alloc += 10;
debug2("channel: expanding %d", channels_alloc);
- channels = xrealloc(channels, channels_alloc * sizeof(Channel));
for (i = found; i < channels_alloc; i++)
channels[i].type = SSH_CHANNEL_FREE;
}
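Review bot: The limit `10000` in the new `channels_alloc` check is an unexplained literal, and nothing states that it exists to keep `(channels_alloc + 10) * sizeof(Channel)` within range. A named constant with a short comment, for example `#define CHANNELS_MAX_ALLOC 10000 /* caps the xrealloc size computation */` (name constructed for this note), would make the bound reviewable. `found = channels_alloc;` is assigned before the check, which is harmless if `fatal` does not return, but placing the check first would read more clearly. channel_new starts and ends outside the hunk.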
diff --git a/crypto/openssh/deattack.c b/crypto/openssh/deattack.c
index df1d2240993f..99b8709057e3 100644
--- a/crypto/openssh/deattack.c
+++ b/crypto/openssh/deattack.c
@@ -100,12 +100,12 @@ detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
if (h == NULL) {
debug("Installing crc compensation attack detector.");
+ h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
n = l;
- h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
} else {
if (l > n) {
+ h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
n = l;
- h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
}
}
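Review bot: Both size computations, `l * HASH_ENTRYSIZE` in the `xmalloc` and `xrealloc` calls, are unchecked within this hunk, so their safety depends on how `l` is derived from `len` earlier in `detect_attack`, which is outside the hunk. If that derivation does not already cap `l`, a guard is needed before the allocation. The reordering itself deserves a comment such as `/* n must not change until the allocation has succeeded */`, since the old and new orders look equivalent at a glance. The `(u_int16_t *)` casts on the allocator results are unnecessary in C.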
diff --git a/crypto/openssh/scp.c b/crypto/openssh/scp.c
index a412b8d92f23..a556e0bc5c75 100644
--- a/crypto/openssh/scp.c
+++ b/crypto/openssh/scp.c
@@ -1217,18 +1217,21 @@ addargs(char *fmt, ...)
{
va_list ap;
char buf[1024];
+ int nalloc;
va_start(ap, fmt);
vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
if (args.list == NULL) {
- args.nalloc = 32;
+ nalloc = 32;
args.num = 0;
- args.list = xmalloc(args.nalloc * sizeof(char *));
+ args.list = xmalloc(nalloc * sizeof(char *));
+ args.nalloc = nalloc;
} else if (args.num+2 >= args.nalloc) {
- args.nalloc *= 2;
- args.list = xrealloc(args.list, args.nalloc * sizeof(char *));
+ nalloc = args.nalloc * 2;
+ args.list = xrealloc(args.list, nalloc * sizeof(char *));
+ args.nalloc = nalloc;
}
args.list[args.num++] = xstrdup(buf);
args.list[args.num] = NULL;
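Review bot: `nalloc` is a signed `int` and `nalloc = args.nalloc * 2` in `addargs` has no upper bound, so the doubling and the following `nalloc * sizeof(char *)` remain unchecked. The same gap is left in the session.c hunk (`envsize += 50`) and the ssh-agent.c hunk (`new_alloc = sockets_alloc + 10`), whereas channels.c does get a cap in this commit. I would refuse growth past a fixed limit before computing the size, along the lines of `if (args.nalloc > INT_MAX / 2) fatal("addargs: too many arguments");`, assuming `fatal` is usable in scp.c as it is in channels.c. The signature of addargs is above the hunk and its body continues past it.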
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index f429d8deccf1..56a4151e8dc9 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -848,6 +848,7 @@ void
child_set_env(char ***envp, unsigned int *envsizep, const char *name,
const char *value)
{
+ u_int envsize;
unsigned int i, namelen;
char **env;
@@ -866,9 +867,11 @@ child_set_env(char ***envp, unsigned int *envsizep, const char *name,
xfree(env[i]);
} else {
/* New variable. Expand if necessary. */
- if (i >= (*envsizep) - 1) {
- (*envsizep) += 50;
- env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
+ envsize = *envsizep;
+ if (i >= envsize - 1) {
+ envsize += 50;
+ env = (*envp) = xrealloc(env, envsize * sizeof(char *));
+ *envsizep = envsize;
}
/* Need to set the NULL pointer at end of array beyond the new slot. */
env[i + 1] = NULL;
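Review bot: The test `if (i >= envsize - 1)` in `child_set_env` wraps when `envsize` is 0, because `envsize` is unsigned; the array would then not be grown and `env[i + 1] = NULL` would be written past its end. Whether any caller can pass `*envsizep == 0` is not visible here, so this may be unreachable, but `if (i + 1 >= envsize)` avoids the subtraction at no cost. The declaration added in the first session.c hunk also mixes `u_int` with the neighbouring `unsigned int`. The function body starts and ends outside the hunk.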
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index bbd6a782874a..9f76a3c27095 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -515,7 +515,7 @@ process_message(SocketEntry *e)
void
new_socket(int type, int fd)
{
- unsigned int i, old_alloc;
+ unsigned int i, old_alloc, new_alloc;
if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
error("fcntl O_NONBLOCK: %s", strerror(errno));
@@ -525,23 +525,24 @@ new_socket(int type, int fd)
for (i = 0; i < sockets_alloc; i++)
if (sockets[i].type == AUTH_UNUSED) {
sockets[i].fd = fd;
- sockets[i].type = type;
buffer_init(&sockets[i].input);
buffer_init(&sockets[i].output);
+ sockets[i].type = type;
return;
}
old_alloc = sockets_alloc;
- sockets_alloc += 10;
+ new_alloc = sockets_alloc + 10;
if (sockets)
- sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
+ sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
else
- sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
- for (i = old_alloc; i < sockets_alloc; i++)
+ sockets = xmalloc(new_alloc * sizeof(sockets[0]));
+ for (i = old_alloc; i < new_alloc; i++)
sockets[i].type = AUTH_UNUSED;
- sockets[old_alloc].type = type;
+ sockets_alloc = new_alloc;
sockets[old_alloc].fd = fd;
buffer_init(&sockets[old_alloc].input);
buffer_init(&sockets[old_alloc].output);
+ sockets[old_alloc].type = type;
}
void
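Review bot: The move of `sockets[i].type = type;` and `sockets[old_alloc].type = type;` to after the two `buffer_init` calls in `new_socket` carries no comment, and the ordering is easy to undo in a later cleanup. It appears intended to keep a slot marked `AUTH_UNUSED` until its buffers exist, so that a slot is never seen as in use with uninitialised buffers. A comment at both places such as `/* mark the slot in use only after its buffers are initialised */` would preserve that. The same reasoning applies to assigning `sockets_alloc = new_alloc;` only after the allocation has returned.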
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index 72d95abc25c5..32727994917b 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -1,4 +1,4 @@
/* $FreeBSD$ */
/* $OpenBSD: version.h,v 1.13 2000/10/16 09:38:45 djm Exp $ */
-#define SSH_VERSION "OpenSSH_2.3.0 FreeBSD localisations 20030916"
+#define SSH_VERSION "OpenSSH_2.3.0 FreeBSD localisations 20030917"
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 289751f7883b..882774277586 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.4"
-BRANCH="RELEASE-p40"
+BRANCH="RELEASE-p41"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"