[packages/openssh.git] / openssh-buffer_c_overflow.patch

--- openssh-3.2.3p1/buffer.c	26 Jun 2002 08:54:18 -0000	1.16
+++ openssh-3.2.3p1/buffer.c	16 Sep 2003 21:02:39 -0000	1.18
@@ -23,8 +23,11 @@
 void
 buffer_init(Buffer *buffer)
 {
-	buffer->alloc = 4096;
-	buffer->buf = xmalloc(buffer->alloc);
+	const u_int len = 4096;
+
+	buffer->alloc = 0;
+	buffer->buf = xmalloc(len);
+	buffer->alloc = len;
 	buffer->offset = 0;
 	buffer->end = 0;
 }
@@ -34,8 +37,10 @@
 void
 buffer_free(Buffer *buffer)
 {
-	memset(buffer->buf, 0, buffer->alloc);
-	xfree(buffer->buf);
+	if (buffer->alloc > 0) {
+		memset(buffer->buf, 0, buffer->alloc);
+		xfree(buffer->buf);
+	}
 }
 
 /*
@@ -69,6 +74,7 @@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+	u_int newlen;
 	void *p;
 
 	if (len > 0x100000)
@@ -95,8 +101,13 @@
 		goto restart;
 	}
 	/* Increase the size of the buffer and retry. */
-	buffer->alloc += len + 32768;
-	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+
+	newlen = buffer->alloc + len + 32768;
+	if (newlen > 0xa00000)
+		fatal("buffer_append_space: alloc %u not supported",
+		    newlen);
+	buffer->buf = xrealloc(buffer->buf, newlen);
+	buffer->alloc = newlen;
 	goto restart;
 	/* NOTREACHED */
 }
--- openssh-3.2.3p1/channels.c	29 Aug 2003 10:04:36 -0000	1.194
+++ openssh-3.2.3p1/channels.c	16 Sep 2003 21:02:40 -0000	1.195
@@ -233,9 +233,13 @@
 	if (found == -1) {
 		/* There are no free slots.  Take last+1 slot and expand the array.  */
 		found = channels_alloc;
+  		if (channels_alloc > 10000)
+  			fatal("channel_new: internal error: channels_alloc %d "
+  			    "too big.", channels_alloc);
+		channels = xrealloc(channels,
+		    (channels_alloc + 10) * sizeof(Channel *));
 		channels_alloc += 10;
 		debug2("channel: expanding %d", channels_alloc);
-		channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
 		for (i = found; i < channels_alloc; i++)
 			channels[i] = NULL;
 	}
Commit	Line	Data
dfaefe8c TO	1	--- openssh-3.2.3p1/buffer.c 26 Jun 2002 08:54:18 -0000 1.16
	2	+++ openssh-3.2.3p1/buffer.c 16 Sep 2003 21:02:39 -0000 1.18
	3	@@ -23,8 +23,11 @@
	4	void
	5	buffer_init(Buffer *buffer)
	6	{
	7	- buffer->alloc = 4096;
	8	- buffer->buf = xmalloc(buffer->alloc);
	9	+ const u_int len = 4096;
	10	+
	11	+ buffer->alloc = 0;
	12	+ buffer->buf = xmalloc(len);
	13	+ buffer->alloc = len;
	14	buffer->offset = 0;
	15	buffer->end = 0;
	16	}
	17	@@ -34,8 +37,10 @@
	18	void
	19	buffer_free(Buffer *buffer)
	20	{
	21	- memset(buffer->buf, 0, buffer->alloc);
	22	- xfree(buffer->buf);
	23	+ if (buffer->alloc > 0) {
	24	+ memset(buffer->buf, 0, buffer->alloc);
	25	+ xfree(buffer->buf);
	26	+ }
	27	}
	28
	29	/*
	30	@@ -69,6 +74,7 @@
091368d2 MM	31	void *
	32	buffer_append_space(Buffer *buffer, u_int len)
	33	{
	34	+ u_int newlen;
	35	void *p;
	36
dfaefe8c TO	37	if (len > 0x100000)
dfaefe8c TO	38	@@ -95,8 +101,13 @@
091368d2 MM	39	goto restart;
	40	}
	41	/* Increase the size of the buffer and retry. */
	42	- buffer->alloc += len + 32768;
	43	- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
dfaefe8c	44	+
091368d2 MM	45	+ newlen = buffer->alloc + len + 32768;
091368d2 MM	46	+ if (newlen > 0xa00000)
dfaefe8c TO	47	+ fatal("buffer_append_space: alloc %u not supported",
dfaefe8c TO	48	+ newlen);
091368d2 MM	49	+ buffer->buf = xrealloc(buffer->buf, newlen);
	50	+ buffer->alloc = newlen;
	51	goto restart;
	52	/* NOTREACHED */
	53	}
dfaefe8c TO	54	--- openssh-3.2.3p1/channels.c 29 Aug 2003 10:04:36 -0000 1.194
	55	+++ openssh-3.2.3p1/channels.c 16 Sep 2003 21:02:40 -0000 1.195
	56	@@ -233,9 +233,13 @@
	57	if (found == -1) {
	58	/* There are no free slots. Take last+1 slot and expand the array. */
	59	found = channels_alloc;
	60	+ if (channels_alloc > 10000)
	61	+ fatal("channel_new: internal error: channels_alloc %d "
	62	+ "too big.", channels_alloc);
	63	+ channels = xrealloc(channels,
	64	+ (channels_alloc + 10) * sizeof(Channel *));
	65	channels_alloc += 10;
	66	debug2("channel: expanding %d", channels_alloc);
	67	- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
	68	for (i = found; i < channels_alloc; i++)
	69	channels[i] = NULL;
	70	}