authorJacques Vidrine <nectar@FreeBSD.org>2003-09-17 14:52:43 +0000
committerJacques Vidrine <nectar@FreeBSD.org>2003-09-17 14:52:43 +0000
commit4bdd28ca02a581baa4de4b0f914a926685f0d896 (patch)
tree2291f79101b5f301ecec62060c1dccadfea995a7
parentfebb761cf65a19978f3b68df1c9d6b5fe551a73d (diff)
MFC buffer.c 1.2, channels.c 1.16, deattack.c 1.1.1.6, misc.c 1.1.1.5,
session.c 1.41, ssh-agent.c 1.19: Correct more cases of allocation size bookkeeping errors.
Notes
Notes: svn path=/releng/4.6/; revision=120167
-rw-r--r--UPDATING3
-rw-r--r--crypto/openssh/buffer.c13
-rw-r--r--crypto/openssh/channels.c5
-rw-r--r--crypto/openssh/deattack.c4
-rw-r--r--crypto/openssh/misc.c11
-rw-r--r--crypto/openssh/session.c16
-rw-r--r--crypto/openssh/ssh-agent.c15
-rw-r--r--crypto/openssh/version.h2
-rw-r--r--sys/conf/newvers.sh2
9 files changed, 43 insertions, 28 deletions
diff --git a/UPDATING b/UPDATING
index 8314114e4adf..73894e44be1c 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,9 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20030916: p19 FreeBSD-SA-03:12.openssh
+ Follow-up fixes for OpenSSH oversized packet buffer handling.
+
20030916: p18 FreeBSD-SA-03:12.openssh
OpenSSH oversized packet buffer handling corrected.
diff --git a/crypto/openssh/buffer.c b/crypto/openssh/buffer.c
index 9370998c97ce..d50756bdbfbc 100644
--- a/crypto/openssh/buffer.c
+++ b/crypto/openssh/buffer.c
@@ -23,8 +23,11 @@ RCSID("$OpenBSD: buffer.c,v 1.16 2002/06/26 08:54:18 markus Exp $");
void
buffer_init(Buffer *buffer)
{
- buffer->alloc = 4096;
- buffer->buf = xmalloc(buffer->alloc);
+ const u_int len = 4096;
+
+ buffer->alloc = 0;
+ buffer->buf = xmalloc(len);
+ buffer->alloc = len;
buffer->offset = 0;
buffer->end = 0;
}
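Review bot: Nothing in `buffer_init` says why `buffer->alloc` is zeroed before `xmalloc(len)` and set to `len` only afterwards, so a later tidy-up could easily fold the three lines back into two. Presumably xmalloc() can leave through fatal() and its cleanup may reach buffer_free() on this Buffer, so alloc must not claim memory that was never obtained. A comment above the first assignment would record that, for example `/* keep alloc at 0 until xmalloc() returns: cleanup run from fatal() may call buffer_free() on this buffer */`. The same allocate-first, update-the-count-afterwards ordering is introduced without comment in the channels.c, deattack.c, misc.c, session.c and ssh-agent.c hunks.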
@@ -34,8 +37,10 @@ buffer_init(Buffer *buffer)
void
buffer_free(Buffer *buffer)
{
- memset(buffer->buf, 0, buffer->alloc);
- xfree(buffer->buf);
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
+ xfree(buffer->buf);
+ }
}
/*
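Review bot: After `xfree(buffer->buf)` the new `if (buffer->alloc > 0)` guard still sees the old non-zero `buffer->alloc`, so a second buffer_free() on the same Buffer would memset and free memory that was already released. Clearing the bookkeeping inside the new block, `buffer->alloc = 0;` right after the xfree() (optionally with `buffer->buf = NULL;`), makes the guard hold for repeated calls as well as for the never-allocated case.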
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c
index 25d23e3ce999..89a78755012d 100644
--- a/crypto/openssh/channels.c
+++ b/crypto/openssh/channels.c
@@ -229,12 +229,13 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
if (found == -1) {
/* There are no free slots. Take last+1 slot and expand the array. */
found = channels_alloc;
- channels_alloc += 10;
if (channels_alloc > 10000)
fatal("channel_new: internal error: channels_alloc %d "
"too big.", channels_alloc);
+ channels = xrealloc(channels,
+ (channels_alloc + 10) * sizeof(Channel *));
+ channels_alloc += 10;
debug2("channel: expanding %d", channels_alloc);
- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
for (i = found; i < channels_alloc; i++)
channels[i] = NULL;
}
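Review bot: With the increment moved below it, `if (channels_alloc > 10000)` now tests the size before growth, so the array can end up ten slots larger than where the old order stopped, and the fatal() message reports the pre-growth value. That looks harmless, but if 10000 is meant as a hard cap the test could read `if (channels_alloc + 10 > 10000)`. Otherwise a short comment that the limit applies to the current size would avoid confusion. channel_new starts and ends outside this hunk.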
diff --git a/crypto/openssh/deattack.c b/crypto/openssh/deattack.c
index 0442501e7a17..7bf2749fceb3 100644
--- a/crypto/openssh/deattack.c
+++ b/crypto/openssh/deattack.c
@@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV)
if (h == NULL) {
debug("Installing crc compensation attack detector.");
+ h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
n = l;
- h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
} else {
if (l > n) {
+ h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
n = l;
- h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
}
}
diff --git a/crypto/openssh/misc.c b/crypto/openssh/misc.c
index e9fcef6ca301..1b62804b7814 100644
--- a/crypto/openssh/misc.c
+++ b/crypto/openssh/misc.c
@@ -308,18 +308,21 @@ addargs(arglist *args, char *fmt, ...)
{
va_list ap;
char buf[1024];
+ int nalloc;
va_start(ap, fmt);
vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
+ nalloc = args->nalloc;
if (args->list == NULL) {
- args->nalloc = 32;
+ nalloc = 32;
args->num = 0;
- } else if (args->num+2 >= args->nalloc)
- args->nalloc *= 2;
+ } else if (args->num+2 >= nalloc)
+ nalloc *= 2;
- args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
+ args->list = xrealloc(args->list, nalloc * sizeof(char *));
+ args->nalloc = nalloc;
args->list[args->num++] = xstrdup(buf);
args->list[args->num] = NULL;
}
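Review bot: `nalloc = args->nalloc;` now runs before the `args->list == NULL` test, so for an arglist whose caller only cleared `list` it reads a field that has never been written. The value is replaced by 32 in that branch, so the result is still correct, but the load itself is of an indeterminate value. Moving it into the non-NULL path avoids that: `} else { nalloc = args->nalloc; if (args->num+2 >= nalloc) nalloc *= 2; }`. Whether any caller actually leaves `nalloc` unset is not visible in this hunk.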
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index 82f46042f0da..60fe74fe3aef 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -831,8 +831,9 @@ static void
child_set_env(char ***envp, u_int *envsizep, const char *name,
const char *value)
{
- u_int i, namelen;
char **env;
+ u_int envsize;
+ u_int i, namelen;
/*
* Find the slot where the value should be stored. If the variable
@@ -849,12 +850,13 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
xfree(env[i]);
} else {
/* New variable. Expand if necessary. */
- if (i >= (*envsizep) - 1) {
- if (*envsizep >= 1000)
- fatal("child_set_env: too many env vars,"
- " skipping: %.100s", name);
- (*envsizep) += 50;
- env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
+ envsize = *envsizep;
+ if (i >= envsize - 1) {
+ if (envsize >= 1000)
+ fatal("child_set_env: too many env vars");
+ envsize += 50;
+ env = (*envp) = xrealloc(env, envsize * sizeof(char *));
+ *envsizep = envsize;
}
/* Need to set the NULL pointer at end of array beyond the new slot. */
env[i + 1] = NULL;
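Review bot: `i >= envsize - 1` is evaluated in u_int, so if `*envsizep` were ever 0 the subtraction wraps, the expansion is skipped, and `env[i + 1] = NULL` below writes past the array. The commit carries this form over from the old `(*envsizep) - 1` test; writing it as `if (i + 1 >= envsize)` removes the wrap without changing behaviour for non-zero sizes. Callers are outside the hunk, so whether a zero size can reach this point is not visible. child_set_env begins in the previous hunk and continues past this one.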
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index 4ff5b5418180..bce57431bea8 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -715,7 +715,7 @@ process_message(SocketEntry *e)
static void
new_socket(sock_type type, int fd)
{
- u_int i, old_alloc;
+ u_int i, old_alloc, new_alloc;
if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
error("fcntl O_NONBLOCK: %s", strerror(errno));
@@ -726,25 +726,26 @@ new_socket(sock_type type, int fd)
for (i = 0; i < sockets_alloc; i++)
if (sockets[i].type == AUTH_UNUSED) {
sockets[i].fd = fd;
- sockets[i].type = type;
buffer_init(&sockets[i].input);
buffer_init(&sockets[i].output);
buffer_init(&sockets[i].request);
+ sockets[i].type = type;
return;
}
old_alloc = sockets_alloc;
- sockets_alloc += 10;
+ new_alloc = sockets_alloc + 10;
if (sockets)
- sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
+ sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
else
- sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
- for (i = old_alloc; i < sockets_alloc; i++)
+ sockets = xmalloc(new_alloc * sizeof(sockets[0]));
+ for (i = old_alloc; i < new_alloc; i++)
sockets[i].type = AUTH_UNUSED;
- sockets[old_alloc].type = type;
+ sockets_alloc = new_alloc;
sockets[old_alloc].fd = fd;
buffer_init(&sockets[old_alloc].input);
buffer_init(&sockets[old_alloc].output);
buffer_init(&sockets[old_alloc].request);
+ sockets[old_alloc].type = type;
}
static int
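Review bot: The `if (sockets)` / `else` split between xrealloc() and xmalloc() in the growth path could be a single `sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));`. The misc.c hunk in this same commit already calls xrealloc() on a NULL `args->list`, so xrealloc() appears to accept NULL. Separately, a comment ahead of the moved `sockets[i].type = type;` and `sockets[old_alloc].type = type;` lines, e.g. `/* mark the slot in use only after its buffers are initialised */`, would keep the ordering from being undone later.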
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index fb662d25ec93..a55bbb8ea203 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -5,7 +5,7 @@
#define SSH_VERSION (ssh_version_get())
#define SSH_VERSION_BASE "OpenSSH_3.4p1"
-#define SSH_VERSION_ADDENDUM "FreeBSD-20030916"
+#define SSH_VERSION_ADDENDUM "FreeBSD-20030917"
const char *ssh_version_get(void);
void ssh_version_set_addendum(const char *add);
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index b60416fd474e..d8205439483a 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.6.2"
-BRANCH="RELEASE-p18"
+BRANCH="RELEASE-p19"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"