MFC buffer.c 1.2, channels.c 1.16, deattack.c 1.1.1.6, misc.c 1.1.1.5,

    session.c 1.41, ssh-agent.c 1.19:
Correct more cases of allocation size bookkeeping errors.

8 files changed, 35 insertions, 19 deletions

diff --git a/UPDATING b/UPDATING
index 46c89c6b8311..6c844c226451 100644
--- a/UPDATING
+++ b/UPDATING
@@ -18,6 +18,9 @@ minimal number of processes, if possible, for that patch.  For those
 updates that don't have an advisory, or to be safe, you can do a full
 build and install as described in the COMMON ITEMS section.
 
+20030916:	p31	FreeBSD-SA-03:12.openssh
+	Follow-up fixes for OpenSSH oversized packet buffer handling.
+
 20030916:	p30	FreeBSD-SA-03:12.openssh
 	OpenSSH oversized packet buffer handling corrected.
 
diff --git a/crypto/openssh/buffer.c b/crypto/openssh/buffer.c
index bad0a260c1a2..0c29bb8f0fdd 100644
--- a/crypto/openssh/buffer.c
+++ b/crypto/openssh/buffer.c
@@ -23,8 +23,11 @@ RCSID("$OpenBSD: buffer.c,v 1.13 2001/04/12 19:15:24 markus Exp $");
 void
 buffer_init(Buffer *buffer)
 {
-	buffer->alloc = 4096;
-	buffer->buf = xmalloc(buffer->alloc);
+	const u_int len = 4096;
+
+	buffer->alloc = 0;
+	buffer->buf = xmalloc(len);
+	buffer->alloc = len;
 	buffer->offset = 0;
 	buffer->end = 0;
 }
@@ -34,8 +37,10 @@ buffer_init(Buffer *buffer)
 void
 buffer_free(Buffer *buffer)
 {
-	memset(buffer->buf, 0, buffer->alloc);
-	xfree(buffer->buf);
+	if (buffer->alloc > 0) {
+		memset(buffer->buf, 0, buffer->alloc);
+		xfree(buffer->buf);
+	}
 }
 
 /*
diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c
index 8ea7a57cc830..4a9b7d42e455 100644
--- a/crypto/openssh/channels.c
+++ b/crypto/openssh/channels.c
@@ -243,9 +243,13 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
 	if (found == -1) {
 		/* There are no free slots.  Take last+1 slot and expand the array.  */
 		found = channels_alloc;
+		if (channels_alloc > 10000)
+			fatal("channel_new: internal error: channels_alloc %d "
+			    "too big.", channels_alloc);
+		channels = xrealloc(channels,
+		    (channels_alloc + 10) * sizeof(Channel));
 		channels_alloc += 10;
 		debug2("channel: expanding %d", channels_alloc);
-		channels = xrealloc(channels, channels_alloc * sizeof(Channel));
 		for (i = found; i < channels_alloc; i++)
 			channels[i].type = SSH_CHANNEL_FREE;
 	}
diff --git a/crypto/openssh/deattack.c b/crypto/openssh/deattack.c
index 36023e0d3371..ea4879f40a51 100644
--- a/crypto/openssh/deattack.c
+++ b/crypto/openssh/deattack.c
@@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV)
 
 	if (h == NULL) {
 		debug("Installing crc compensation attack detector.");
+		h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
 		n = l;
-		h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
 	} else {
 		if (l > n) {
+			h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
 			n = l;
-			h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
 		}
 	}
 
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index f5e0811f55a2..4a477b070e65 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -886,6 +886,7 @@ void
 child_set_env(char ***envp, u_int *envsizep, const char *name,
 	      const char *value)
 {
+	u_int envsize;
 	u_int i, namelen;
 	char **env;
 
@@ -904,9 +905,11 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
 		xfree(env[i]);
 	} else {
 		/* New variable.  Expand if necessary. */
-		if (i >= (*envsizep) - 1) {
-			(*envsizep) += 50;
-			env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
+		envsize = *envsizep;
+		if (i >= envsize - 1) {
+			envsize += 50;
+			env = (*envp) = xrealloc(env, envsize * sizeof(char *));
+			*envsizep = envsize;
 		}
 		/* Need to set the NULL pointer at end of array beyond the new slot. */
 		env[i + 1] = NULL;
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index ae0f04436e5e..7d1a446b0234 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -508,7 +508,7 @@ process_message(SocketEntry *e)
 void
 new_socket(int type, int fd)
 {
-	u_int i, old_alloc;
+	u_int i, old_alloc, new_alloc;
 	if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
 		error("fcntl O_NONBLOCK: %s", strerror(errno));
 
@@ -518,23 +518,24 @@ new_socket(int type, int fd)
 	for (i = 0; i < sockets_alloc; i++)
 		if (sockets[i].type == AUTH_UNUSED) {
 			sockets[i].fd = fd;
-			sockets[i].type = type;
 			buffer_init(&sockets[i].input);
 			buffer_init(&sockets[i].output);
+			sockets[i].type = type;
 			return;
 		}
 	old_alloc = sockets_alloc;
-	sockets_alloc += 10;
+	new_alloc = sockets_alloc + 10;
 	if (sockets)
-		sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
+		sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
 	else
-		sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
-	for (i = old_alloc; i < sockets_alloc; i++)
+		sockets = xmalloc(new_alloc * sizeof(sockets[0]));
+	for (i = old_alloc; i < new_alloc; i++)
 		sockets[i].type = AUTH_UNUSED;
-	sockets[old_alloc].type = type;
+	sockets_alloc = new_alloc;
 	sockets[old_alloc].fd = fd;
 	buffer_init(&sockets[old_alloc].input);
 	buffer_init(&sockets[old_alloc].output);
+	sockets[old_alloc].type = type;
 }
 
 int
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index 6185e400b9f0..a13e8eeec7e7 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -5,7 +5,7 @@
 
 #define SSH_VERSION		(ssh_version_get())
 #define SSH_VERSION_BASE	"OpenSSH_2.9"
-#define	SSH_VERSION_ADDENDUM	"FreeBSD localisations 20030916"
+#define	SSH_VERSION_ADDENDUM	"FreeBSD localisations 20030917"
 
 const char *ssh_version_get(void);
 void ssh_version_set_addendum(const char *add);
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index a0f63fc33187..7dbe0cb3defe 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
 
 TYPE="FreeBSD"
 REVISION="4.5"
-BRANCH="RELEASE-p30"
+BRANCH="RELEASE-p31"
 RELEASE="${REVISION}-${BRANCH}"
 VERSION="${TYPE} ${RELEASE}"