X-Git-Url: http://git.pld-linux.org/?a=blobdiff_plain;f=openssh-buffer_c_overflow.patch;fp=openssh-buffer_c_overflow.patch;h=c5249deefd172b46446ba8d7a3a4212c4c4eb435;hb=dfaefe8c63a748f062c71e117e85513f7462bc4e;hp=85de86c4a7b5dcce6e6b2bd741ea717bf78ad899;hpb=96da877e203179fb92393db6f5a7ae740a380ba9;p=packages%2Fopenssh.git
diff --git a/openssh-buffer_c_overflow.patch b/openssh-buffer_c_overflow.patch
index 85de86c..c5249de 100644
--- a/openssh-buffer_c_overflow.patch
+++ b/openssh-buffer_c_overflow.patch
@@ -1,24 +1,70 @@
---- openssh-3.2.3p1/buffer.c~ Tue Sep 16 16:18:17 2003
-+++ openssh-3.2.3p1/buffer.c Tue Sep 16 16:26:59 2003
-@@ -69,6 +69,7 @@
+--- openssh-3.2.3p1/buffer.c 26 Jun 2002 08:54:18 -0000 1.16
++++ openssh-3.2.3p1/buffer.c 16 Sep 2003 21:02:39 -0000 1.18
+@@ -23,8 +23,11 @@
+ void
+ buffer_init(Buffer *buffer)
+ {
+- buffer->alloc = 4096;
+- buffer->buf = xmalloc(buffer->alloc);
++ const u_int len = 4096;
++
++ buffer->alloc = 0;
++ buffer->buf = xmalloc(len);
++ buffer->alloc = len;
+ buffer->offset = 0;
+ buffer->end = 0;
+ }
+@@ -34,8 +37,10 @@
+ void
+ buffer_free(Buffer *buffer)
+ {
+- memset(buffer->buf, 0, buffer->alloc);
+- xfree(buffer->buf);
++ if (buffer->alloc > 0) {
++ memset(buffer->buf, 0, buffer->alloc);
++ xfree(buffer->buf);
++ }
+ }
+
+ /*
+@@ -69,6 +74,7 @@
  void *
  buffer_append_space(Buffer *buffer, u_int len)
  {
 + u_int newlen;
  void *p;
  
- /* If the buffer is empty, start using it from the beginning. */
-@@ -95,8 +96,11 @@
+ if (len > 0x100000)
+@@ -95,8 +101,13 @@
  goto restart;
  }
  /* Increase the size of the buffer and retry. */
 - buffer->alloc += len + 32768;
 - buffer->buf = xrealloc(buffer->buf, buffer->alloc);
++
 + newlen = buffer->alloc + len + 32768;
 + if (newlen > 0xa00000)
-+ fatal("buffer_append_space: alloc %u not supported", newlen);
++ fatal("buffer_append_space: alloc %u not supported",
++ newlen);
 + buffer->buf = xrealloc(buffer->buf, newlen);
 + buffer->alloc = newlen;
  goto restart;
  /* NOTREACHED */
  }
+--- openssh-3.2.3p1/channels.c 29 Aug 2003 10:04:36 -0000 1.194
++++ openssh-3.2.3p1/channels.c 16 Sep 2003 21:02:40 -0000 1.195
+@@ -233,9 +233,13 @@
+ if (found == -1) {
+ /* There are no free slots. Take last+1 slot and expand the array. */
+ found = channels_alloc;
++ if (channels_alloc > 10000)
++ fatal("channel_new: internal error: channels_alloc %d "
++ "too big.", channels_alloc);
++ channels = xrealloc(channels,
++ (channels_alloc + 10) * sizeof(Channel *));
+ channels_alloc += 10;
+ debug2("channel: expanding %d", channels_alloc);
+- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
+ for (i = found; i < channels_alloc; i++)
+ channels[i] = NULL;
+ }
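Review bot: In the `buffer_free` part of the new buffer.c patch, the added `if (buffer->alloc > 0)` guard treats a zero `alloc` as "nothing to release", but nothing resets `alloc` after `xfree(buffer->buf)`, so a second `buffer_free` on the same Buffer would still wipe and free the stale pointer. Whether cleanup code reached from `fatal()` can free an already-freed buffer is not visible here and should be confirmed; if it can, add `buffer->alloc = 0;` just before `xfree(buffer->buf);` inside the guard. The ordering rule this patch applies in `buffer_init`, `buffer_append_space` and the `channel_new` array growth (record the new size only after the allocation has succeeded) is also worth checking at the other `xrealloc` call sites in the tree, which this patch does not touch.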