- markus@cvs.openbsd.org 2003/09/18 08:49:45

     [deattack.c misc.c session.c ssh-agent.c]
     more buffer allocation fixes; from Solar Designer; CAN-2003-0682;
     ok millert@

diff --git a/ChangeLog b/ChangeLog
index 4a6bff01017a3dbbe0907bcb3bcffce83ac6c87b..a1851c94742c25e05cac3ec8fbb0b5b067c9b730 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,10 @@
    - markus@cvs.openbsd.org 2003/09/18 07:56:05
      [authfile.c]
      missing  buffer_free(&encrypted); #662; zardoz at users.sf.net
+   - markus@cvs.openbsd.org 2003/09/18 08:49:45
+     [deattack.c misc.c session.c ssh-agent.c]
+     more buffer allocation fixes; from Solar Designer; CAN-2003-0682;
+     ok millert@
 
 20030919
  - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL;

diff --git a/deattack.c b/deattack.c
index 0442501e7a17b6ddf4c6f7ae15770c8aa29129fc..8b55d668681a1e78c0c2973cedcace140a8b25d9 100644 (file)
--- a/deattack.c
+++ b/deattack.c
@@ -18,7 +18,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: deattack.c,v 1.18 2002/03/04 17:27:39 stevesk Exp $");
+RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $");
 
 #include "deattack.h"
 #include "log.h"
@@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV)
 
        if (h == NULL) {
                debug("Installing crc compensation attack detector.");
+               h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
                n = l;
-               h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
        } else {
                if (l > n) {
+                       h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
                        n = l;
-                       h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
                }
        }
 

diff --git a/misc.c b/misc.c
index c457a952c5b3ffcd5c3335f55dba7869966b805c..ac616de0234e1ff2afd6177108088ee3061c0281 100644 (file)
--- a/misc.c
+++ b/misc.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: misc.c,v 1.21 2003/04/12 10:15:36 markus Exp $");
+RCSID("$OpenBSD: misc.c,v 1.22 2003/09/18 08:49:45 markus Exp $");
 
 #include "misc.h"
 #include "log.h"
@@ -308,18 +308,21 @@ addargs(arglist *args, char *fmt, ...)
 {
        va_list ap;
        char buf[1024];
+       int nalloc;
 
        va_start(ap, fmt);
        vsnprintf(buf, sizeof(buf), fmt, ap);
        va_end(ap);
 
+       nalloc = args->nalloc;
        if (args->list == NULL) {
-               args->nalloc = 32;
+               nalloc = 32;
                args->num = 0;
-       } else if (args->num+2 >= args->nalloc)
-               args->nalloc *= 2;
+       } else if (args->num+2 >= nalloc)
+               nalloc *= 2;
 
-       args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
+       args->list = xrealloc(args->list, nalloc * sizeof(char *));
+       args->nalloc = nalloc;
        args->list[args->num++] = xstrdup(buf);
        args->list[args->num] = NULL;
 }

diff --git a/session.c b/session.c
index 616fee971ba06ab0efe0e1619ee287527d53fb63..2898ac5185f0b84cf64dc5e8709815aa1550e715 100644 (file)
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.163 2003/08/31 13:29:05 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.164 2003/09/18 08:49:45 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -798,8 +798,9 @@ void
 child_set_env(char ***envp, u_int *envsizep, const char *name,
        const char *value)
 {
-       u_int i, namelen;
        char **env;
+       u_int envsize;
+       u_int i, namelen;
 
        /*
         * If we're passed an uninitialized list, allocate a single null
@@ -826,12 +827,13 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
                xfree(env[i]);
        } else {
                /* New variable.  Expand if necessary. */
-               if (i >= (*envsizep) - 1) {
-                       if (*envsizep >= 1000)
-                               fatal("child_set_env: too many env vars,"
-                                   " skipping: %.100s", name);
-                       (*envsizep) += 50;
-                       env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
+               envsize = *envsizep;
+               if (i >= envsize - 1) {
+                       if (envsize >= 1000)
+                               fatal("child_set_env: too many env vars");
+                       envsize += 50;
+                       env = (*envp) = xrealloc(env, envsize * sizeof(char *));
+                       *envsizep = envsize;
                }
                /* Need to set the NULL pointer at end of array beyond the new slot. */
                env[i + 1] = NULL;

diff --git a/ssh-agent.c b/ssh-agent.c
index c05c61468c93e22ce0d62413b72acf12aadbb414..e1e6cae9b29f268fc7eef5082db78ee0ec5a4c5e 100644 (file)
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -35,7 +35,7 @@
 
 #include "includes.h"
 #include "openbsd-compat/sys-queue.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.111 2003/06/12 19:12:03 markus Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.112 2003/09/18 08:49:45 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -784,7 +784,7 @@ process_message(SocketEntry *e)
 static void
 new_socket(sock_type type, int fd)
 {
-       u_int i, old_alloc;
+       u_int i, old_alloc, new_alloc;
 
        if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
                error("fcntl O_NONBLOCK: %s", strerror(errno));
@@ -795,25 +795,26 @@ new_socket(sock_type type, int fd)
        for (i = 0; i < sockets_alloc; i++)
                if (sockets[i].type == AUTH_UNUSED) {
                        sockets[i].fd = fd;
-                       sockets[i].type = type;
                        buffer_init(&sockets[i].input);
                        buffer_init(&sockets[i].output);
                        buffer_init(&sockets[i].request);
+                       sockets[i].type = type;
                        return;
                }
        old_alloc = sockets_alloc;
-       sockets_alloc += 10;
+       new_alloc = sockets_alloc + 10;
        if (sockets)
-               sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
+               sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
        else
-               sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
-       for (i = old_alloc; i < sockets_alloc; i++)
+               sockets = xmalloc(new_alloc * sizeof(sockets[0]));
+       for (i = old_alloc; i < new_alloc; i++)
                sockets[i].type = AUTH_UNUSED;
-       sockets[old_alloc].type = type;
+       sockets_alloc = new_alloc;
        sockets[old_alloc].fd = fd;
        buffer_init(&sockets[old_alloc].input);
        buffer_init(&sockets[old_alloc].output);
        buffer_init(&sockets[old_alloc].request);
+       sockets[old_alloc].type = type;
 }
 
 static int