--- openssh-3.2.3p1/buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ openssh-3.2.3p1/buffer.c 16 Sep 2003 21:02:39 -0000 1.18
@@ -23,8 +23,11 @@
 void
 buffer_init(Buffer *buffer)
 {
- buffer->alloc = 4096;
- buffer->buf = xmalloc(buffer->alloc);
+ const u_int len = 4096;
+
+ buffer->alloc = 0;
+ buffer->buf = xmalloc(len);
+ buffer->alloc = len;
 buffer->offset = 0;
 buffer->end = 0;
 }
@@ -34,8 +37,10 @@
 void
 buffer_free(Buffer *buffer)
 {
- memset(buffer->buf, 0, buffer->alloc);
- xfree(buffer->buf);
+ if (buffer->alloc > 0) {
+ memset(buffer->buf, 0, buffer->alloc);
+ xfree(buffer->buf);
+ }
 }
 
 /*
@@ -69,6 +74,7 @@
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
+ u_int newlen;
 void *p;
 
 if (len > 0x100000)
@@ -95,8 +101,13 @@
 goto restart;
 }
 /* Increase the size of the buffer and retry. */
- buffer->alloc += len + 32768;
- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
+ fatal("buffer_append_space: alloc %u not supported",
+ newlen);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
 goto restart;
 /* NOTREACHED */
 }
--- openssh-3.2.3p1/channels.c 29 Aug 2003 10:04:36 -0000 1.194
+++ openssh-3.2.3p1/channels.c 16 Sep 2003 21:02:40 -0000 1.195
@@ -233,9 +233,13 @@
 if (found == -1) {
 /* There are no free slots. Take last+1 slot and expand the array. */
 found = channels_alloc;
+ if (channels_alloc > 10000)
+ fatal("channel_new: internal error: channels_alloc %d "
+ "too big.", channels_alloc);
+ channels = xrealloc(channels,
+ (channels_alloc + 10) * sizeof(Channel *));
 channels_alloc += 10;
 debug2("channel: expanding %d", channels_alloc);
- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
 for (i = found; i < channels_alloc; i++)
 channels[i] = NULL;
 }
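Review bot: The `buffer->alloc = 0;` store ahead of `xmalloc(len)` in buffer_init reads as redundant, and without an explanation a later cleanup is likely to remove it. It appears to be there so that buffer_free(), which this patch turns into a no-op when alloc is 0, stays safe if xmalloc() does not return normally; that is an inference, since xmalloc's failure path is not on this page. A comment above the store would record the intent, for example `/* keep alloc at 0 until buf is valid; buffer_free() keys off alloc */`.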
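Review bot: In buffer_free the new `if (buffer->alloc > 0)` guard covers only a buffer that was never allocated; after `xfree(buffer->buf)` the alloc field still holds the old size, so a second buffer_free() on the same Buffer would memset and free memory that has already been released. Clearing the size inside the guard closes that gap: add `buffer->alloc = 0;` just before `xfree(buffer->buf);`. Whether any caller can reach buffer_free twice is not visible in this hunk, but the guard already treats alloc as the marker that buf is valid, so it should be kept accurate on the free path as well.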
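Review bot: The `newlen > 0xa00000` test in the last buffer.c hunk (buffer_append_space) is sound only if `buffer->alloc + len + 32768` cannot wrap a u_int, and nothing at that spot says why it cannot. The cap on len (`if (len > 0x100000)`, visible as context in the previous hunk with its body not shown) together with alloc staying at or below 0xa00000 presumably guarantees it. A comment such as `/* len <= 0x100000 and alloc <= 0xa00000, so the sum cannot wrap */` would make that dependency explicit, and the three literals would be easier to audit as named constants. The function body starts and ends outside this hunk.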
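Review bot: The growth step `10` now appears twice in the channels.c hunk, in `(channels_alloc + 10) * sizeof(Channel *)` and in `channels_alloc += 10;`, and the NULL-fill loop that follows stays in bounds only while the two agree. Computing the new size once keeps them in step and matches the newlen pattern used in buffer_append_space: `newsize = channels_alloc + 10;`, then `channels = xrealloc(channels, newsize * sizeof(Channel *));` and `channels_alloc = newsize;`, with a local `newsize` declared at the top of the function. The enclosing function (channel_new, going by the fatal message) starts and ends outside this hunk.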