diff options
author | Jacques Vidrine <nectar@FreeBSD.org> | 2003-09-17 14:52:43 +0000 |
---|---|---|
committer | Jacques Vidrine <nectar@FreeBSD.org> | 2003-09-17 14:52:43 +0000 |
commit | 2523c97fab956f036f8f9d56ac8f3a4db30d2ffb (patch) | |
tree | 1d49cd91f98498aa74853343b6b107df60438627 | |
parent | bba06640fb79ad3d1a7dc87f43490c1343a8be7d (diff) | |
download | src-2523c97fab956f036f8f9d56ac8f3a4db30d2ffb.tar.gz src-2523c97fab956f036f8f9d56ac8f3a4db30d2ffb.zip |
MFC buffer.c 1.2, channels.c 1.16, deattack.c 1.1.1.6, misc.c 1.1.1.5,
session.c 1.41, ssh-agent.c 1.19:
Correct more cases of allocation size bookkeeping errors.
Notes
Notes:
svn path=/releng/4.5/; revision=120167
-rw-r--r-- | UPDATING | 3 | ||||
-rw-r--r-- | crypto/openssh/buffer.c | 13 | ||||
-rw-r--r-- | crypto/openssh/channels.c | 6 | ||||
-rw-r--r-- | crypto/openssh/deattack.c | 4 | ||||
-rw-r--r-- | crypto/openssh/session.c | 9 | ||||
-rw-r--r-- | crypto/openssh/ssh-agent.c | 15 | ||||
-rw-r--r-- | crypto/openssh/version.h | 2 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 |
8 files changed, 35 insertions, 19 deletions
@@ -18,6 +18,9 @@ minimal number of processes, if possible, for that patch. For those updates that don't have an advisory, or to be safe, you can do a full build and install as described in the COMMON ITEMS section. +20030916: p31 FreeBSD-SA-03:12.openssh + Follow-up fixes for OpenSSH oversized packet buffer handling. + 20030916: p30 FreeBSD-SA-03:12.openssh OpenSSH oversized packet buffer handling corrected. diff --git a/crypto/openssh/buffer.c b/crypto/openssh/buffer.c index bad0a260c1a2..0c29bb8f0fdd 100644 --- a/crypto/openssh/buffer.c +++ b/crypto/openssh/buffer.c @@ -23,8 +23,11 @@ RCSID("$OpenBSD: buffer.c,v 1.13 2001/04/12 19:15:24 markus Exp $"); void buffer_init(Buffer *buffer) { - buffer->alloc = 4096; - buffer->buf = xmalloc(buffer->alloc); + const u_int len = 4096; + + buffer->alloc = 0; + buffer->buf = xmalloc(len); + buffer->alloc = len; buffer->offset = 0; buffer->end = 0; } @@ -34,8 +37,10 @@ buffer_init(Buffer *buffer) void buffer_free(Buffer *buffer) { - memset(buffer->buf, 0, buffer->alloc); - xfree(buffer->buf); + if (buffer->alloc > 0) { + memset(buffer->buf, 0, buffer->alloc); + xfree(buffer->buf); + } } /* diff --git a/crypto/openssh/channels.c b/crypto/openssh/channels.c index 8ea7a57cc830..4a9b7d42e455 100644 --- a/crypto/openssh/channels.c +++ b/crypto/openssh/channels.c @@ -243,9 +243,13 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd, if (found == -1) { /* There are no free slots. Take last+1 slot and expand the array. */ found = channels_alloc; + if (channels_alloc > 10000) + fatal("channel_new: internal error: channels_alloc %d " + "too big.", channels_alloc); + channels = xrealloc(channels, + (channels_alloc + 10) * sizeof(Channel)); channels_alloc += 10; debug2("channel: expanding %d", channels_alloc); - channels = xrealloc(channels, channels_alloc * sizeof(Channel)); for (i = found; i < channels_alloc; i++) channels[i].type = SSH_CHANNEL_FREE; } diff --git a/crypto/openssh/deattack.c b/crypto/openssh/deattack.c index 36023e0d3371..ea4879f40a51 100644 --- a/crypto/openssh/deattack.c +++ b/crypto/openssh/deattack.c @@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV) if (h == NULL) { debug("Installing crc compensation attack detector."); + h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE); n = l; - h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); } else { if (l > n) { + h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE); n = l; - h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); } } diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c index f5e0811f55a2..4a477b070e65 100644 --- a/crypto/openssh/session.c +++ b/crypto/openssh/session.c @@ -886,6 +886,7 @@ void child_set_env(char ***envp, u_int *envsizep, const char *name, const char *value) { + u_int envsize; u_int i, namelen; char **env; @@ -904,9 +905,11 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, xfree(env[i]); } else { /* New variable. Expand if necessary. */ - if (i >= (*envsizep) - 1) { - (*envsizep) += 50; - env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *)); + envsize = *envsizep; + if (i >= envsize - 1) { + envsize += 50; + env = (*envp) = xrealloc(env, envsize * sizeof(char *)); + *envsizep = envsize; } /* Need to set the NULL pointer at end of array beyond the new slot. */ env[i + 1] = NULL; diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c index ae0f04436e5e..7d1a446b0234 100644 --- a/crypto/openssh/ssh-agent.c +++ b/crypto/openssh/ssh-agent.c @@ -508,7 +508,7 @@ process_message(SocketEntry *e) void new_socket(int type, int fd) { - u_int i, old_alloc; + u_int i, old_alloc, new_alloc; if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) error("fcntl O_NONBLOCK: %s", strerror(errno)); @@ -518,23 +518,24 @@ new_socket(int type, int fd) for (i = 0; i < sockets_alloc; i++) if (sockets[i].type == AUTH_UNUSED) { sockets[i].fd = fd; - sockets[i].type = type; buffer_init(&sockets[i].input); buffer_init(&sockets[i].output); + sockets[i].type = type; return; } old_alloc = sockets_alloc; - sockets_alloc += 10; + new_alloc = sockets_alloc + 10; if (sockets) - sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0])); + sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0])); else - sockets = xmalloc(sockets_alloc * sizeof(sockets[0])); - for (i = old_alloc; i < sockets_alloc; i++) + sockets = xmalloc(new_alloc * sizeof(sockets[0])); + for (i = old_alloc; i < new_alloc; i++) sockets[i].type = AUTH_UNUSED; - sockets[old_alloc].type = type; + sockets_alloc = new_alloc; sockets[old_alloc].fd = fd; buffer_init(&sockets[old_alloc].input); buffer_init(&sockets[old_alloc].output); + sockets[old_alloc].type = type; } int diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h index 6185e400b9f0..a13e8eeec7e7 100644 --- a/crypto/openssh/version.h +++ b/crypto/openssh/version.h @@ -5,7 +5,7 @@ #define SSH_VERSION (ssh_version_get()) #define SSH_VERSION_BASE "OpenSSH_2.9" -#define SSH_VERSION_ADDENDUM "FreeBSD localisations 20030916" +#define SSH_VERSION_ADDENDUM "FreeBSD localisations 20030917" const char *ssh_version_get(void); void ssh_version_set_addendum(const char *add); diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index a0f63fc33187..7dbe0cb3defe 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -36,7 +36,7 @@ TYPE="FreeBSD" REVISION="4.5" -BRANCH="RELEASE-p30" +BRANCH="RELEASE-p31" RELEASE="${REVISION}-${BRANCH}" VERSION="${TYPE} ${RELEASE}" |