]> git.pld-linux.org Git - packages/openssh.git/blob - openssh-buffer_c_overflow.patch
- updated
1 --- openssh-3.2.3p1/buffer.c    26 Jun 2002 08:54:18 -0000      1.16
2 +++ openssh-3.2.3p1/buffer.c    16 Sep 2003 21:02:39 -0000      1.18
3 @@ -23,8 +23,11 @@
4  void
5  buffer_init(Buffer *buffer)
6  {
7 -       buffer->alloc = 4096;
8 -       buffer->buf = xmalloc(buffer->alloc);
9 +       const u_int len = 4096;
10 +
11 +       buffer->alloc = 0;
12 +       buffer->buf = xmalloc(len);
13 +       buffer->alloc = len;
14         buffer->offset = 0;
15         buffer->end = 0;
16  }
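Review bot: The reordering in buffer_init (alloc set to 0, then xmalloc, then alloc set to len) carries no comment, so the invariant it presumably protects is easy to undo in a later cleanup. The visible effect is that `buffer->alloc` is never non-zero while `buffer->buf` is unallocated, which matters if xmalloc() terminates through a path that later reaches buffer_free() on this buffer; that path is not shown here, so confirm it. I would add above the assignment something like `/* alloc must stay 0 until buf is valid: buffer_free() keys on alloc and may run from a fatal cleanup */`. The same allocate-first, record-size-second ordering appears in the buffer_append_space hunk and in the channels.c hunk and deserves the same one-line comment there.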
17 @@ -34,8 +37,10 @@
18  void
19  buffer_free(Buffer *buffer)
20  {
21 -       memset(buffer->buf, 0, buffer->alloc);
22 -       xfree(buffer->buf);
23 +       if (buffer->alloc > 0) {
24 +               memset(buffer->buf, 0, buffer->alloc);
25 +               xfree(buffer->buf);
26 +       }
27  }
28  
29  /*
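Review bot: The new `if (buffer->alloc > 0)` guard in buffer_free only protects a buffer that was never allocated; after a successful free, `alloc` still holds the old size and `buf` still points at freed memory. A second buffer_free() on the same Buffer (for example from a cleanup pass after a normal free) would memset freed memory and call xfree() twice. Clearing the size inside the guarded block closes that: `buffer->alloc = 0;` placed just before `xfree(buffer->buf);`. Separately, a plain memset() directly before a free is something compilers may elide, so the scrub of buffer contents is not guaranteed by this code alone.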
30 @@ -69,6 +74,7 @@
31  void *
32  buffer_append_space(Buffer *buffer, u_int len)
33  {
34 +       u_int newlen;
35         void *p;
36  
37         if (len > 0x100000)
38 @@ -95,8 +101,13 @@
39                 goto restart;
40         }
41         /* Increase the size of the buffer and retry. */
42 -       buffer->alloc += len + 32768;
43 -       buffer->buf = xrealloc(buffer->buf, buffer->alloc);
44 +
45 +       newlen = buffer->alloc + len + 32768;
46 +       if (newlen > 0xa00000)
47 +               fatal("buffer_append_space: alloc %u not supported",
48 +                   newlen);
49 +       buffer->buf = xrealloc(buffer->buf, newlen);
50 +       buffer->alloc = newlen;
51         goto restart;
52         /* NOTREACHED */
53  }
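Review bot: The ceiling `0xa00000` in `if (newlen > 0xa00000)` is an unnamed magic number, and the check is only sound because of a bound that sits elsewhere in the function. `newlen` is `u_int`, so `buffer->alloc + len + 32768` could wrap in principle; it does not here only because `len` is tested against `0x100000` near the top (the body of that test is outside the visible hunks) and `alloc` can no longer exceed the ceiling once every growth goes through this check. I would give both limits names and state the dependency in a comment, e.g. `/* len <= 0x100000 and alloc <= 0xa00000, so this sum cannot wrap */` above the `newlen` assignment. buffer_append_space starts outside this hunk.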
54 --- openssh-3.2.3p1/channels.c  29 Aug 2003 10:04:36 -0000      1.194
55 +++ openssh-3.2.3p1/channels.c  16 Sep 2003 21:02:40 -0000      1.195
56 @@ -233,9 +233,13 @@
57         if (found == -1) {
58                 /* There are no free slots.  Take last+1 slot and expand the array.  */
59                 found = channels_alloc;
60 +               if (channels_alloc > 10000)
61 +                       fatal("channel_new: internal error: channels_alloc %d "
62 +                           "too big.", channels_alloc);
63 +               channels = xrealloc(channels,
64 +                   (channels_alloc + 10) * sizeof(Channel *));
65                 channels_alloc += 10;
66                 debug2("channel: expanding %d", channels_alloc);
67 -               channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
68                 for (i = found; i < channels_alloc; i++)
69                         channels[i] = NULL;
70         }
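Review bot: The limit test `if (channels_alloc > 10000)` runs on the pre-growth value, so the array can still grow to 10010 slots before the check fires. If 10000 is intended as a hard cap on channel slots, compare the post-growth size instead, `if (channels_alloc + 10 > 10000)`; if the slack is intentional, a short comment saying so would help. The growth step `10` is now written twice (in the xrealloc size and in `channels_alloc += 10`), and the two must stay in sync for the NULL-fill loop below to cover exactly the new slots, so a single named constant would be safer. The enclosing function begins and ends outside the hunk.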