- fix for CAN-2003-0682; patch from Owl, "downdated" by RH

Changed files:
    openssh-owl-realloc.patch -> 1.1.2.1

diff --git a/openssh-owl-realloc.patch b/openssh-owl-realloc.patch
new file mode 100644 (file)
index 0000000..9225e45
--- /dev/null
+++ b/openssh-owl-realloc.patch
@@ -0,0 +1,122 @@
+Taken from RH (applies to 3.2.3p1 clearly).
+Patch from Owl, adjusted to apply to 3.1p1.
+diff -urp openssh-3.6.1p2.orig/deattack.c openssh-3.6.1p2/deattack.c
+--- openssh-3.6.1p2.orig/deattack.c    Tue Mar  5 01:53:05 2002
++++ openssh-3.6.1p2/deattack.c Wed Sep 17 00:18:30 2003
+@@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len
+ 
+       if (h == NULL) {
+               debug("Installing crc compensation attack detector.");
++              h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
+               n = l;
+-              h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
+       } else {
+               if (l > n) {
++                      h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
+                       n = l;
+-                      h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
+               }
+       }
+ 
+diff -urp openssh-3.6.1p2.orig/misc.c openssh-3.6.1p2/misc.c
+--- openssh-3.6.1p2.orig/misc.c        Mon Dec 23 02:44:36 2002
++++ openssh-3.6.1p2/misc.c     Wed Sep 17 00:50:27 2003
+@@ -308,18 +308,21 @@ addargs(arglist *args, char *fmt, ...)
+ {
+       va_list ap;
+       char buf[1024];
++      int nalloc;
+ 
+       va_start(ap, fmt);
+       vsnprintf(buf, sizeof(buf), fmt, ap);
+       va_end(ap);
+ 
++      nalloc = args->nalloc;
+       if (args->list == NULL) {
+-              args->nalloc = 32;
++              nalloc = 32;
+               args->num = 0;
+-      } else if (args->num+2 >= args->nalloc)
+-              args->nalloc *= 2;
++      } else if (args->num+2 >= nalloc)
++              nalloc *= 2;
+ 
+-      args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
++      args->list = xrealloc(args->list, nalloc * sizeof(char *));
++      args->nalloc = nalloc;
+       args->list[args->num++] = xstrdup(buf);
+       args->list[args->num] = NULL;
+ }
+diff -urp openssh-3.6.1p2.orig/session.c openssh-3.6.1p2/session.c
+--- openssh-3.6.1p2.orig/session.c     Fri Mar 21 01:18:09 2003
++++ openssh-3.6.1p2/session.c  Wed Sep 17 00:34:35 2003
+@@ -844,8 +844,9 @@ static void
+ child_set_env(char ***envp, u_int *envsizep, const char *name,
+       const char *value)
+ {
+-      u_int i, namelen;
+       char **env;
++      u_int envsize;
++      u_int i, namelen;
+ 
+       /*
+        * Find the slot where the value should be stored.  If the variable
+@@ -804,9 +805,13 @@ child_set_env(char ***envp, u_int *envsi
+               xfree(env[i]);
+       } else {
+               /* New variable.  Expand if necessary. */
+-              if (i >= (*envsizep) - 1) {
+-                      (*envsizep) += 50;
+-                      env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
++              envsize = *envsizep;
++              if (i >= envsize - 1) {
++                      if (envsize >= 1000)
++                              fatal("child_set_env: too many env vars");
++                      envsize += 50;
++                      env = (*envp) = xrealloc(env, envsize * sizeof(char *));
++                      *envsizep = envsize;
+               }
+               /* Need to set the NULL pointer at end of array beyond the new slot. */
+               env[i + 1] = NULL;
+diff -urp openssh-3.6.1p2.orig/ssh-agent.c openssh-3.6.1p2/ssh-agent.c
+--- openssh-3.6.1p2.orig/ssh-agent.c   Sat Mar 15 00:37:09 2003
++++ openssh-3.6.1p2/ssh-agent.c        Wed Sep 17 00:42:15 2003
+@@ -620,6 +620,6 @@ process_message(SocketEntry *e)
+ static void
+ new_socket(sock_type type, int fd)
+ {
+-      u_int i, old_alloc;
++      u_int i, old_alloc, new_alloc;
+       if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
+               error("fcntl O_NONBLOCK: %s", strerror(errno));
+@@ -630,23 +630,24 @@ new_socket(sock_type type, int fd)
+       for (i = 0; i < sockets_alloc; i++)
+               if (sockets[i].type == AUTH_UNUSED) {
+                       sockets[i].fd = fd;
+-                      sockets[i].type = type;
+                       buffer_init(&sockets[i].input);
+                       buffer_init(&sockets[i].output);
++                      sockets[i].type = type;
+                       return;
+               }
+       old_alloc = sockets_alloc;
+-      sockets_alloc += 10;
++      new_alloc = sockets_alloc + 10;
+       if (sockets)
+-              sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
++              sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
+       else
+-              sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
+-      for (i = old_alloc; i < sockets_alloc; i++)
++              sockets = xmalloc(new_alloc * sizeof(sockets[0]));
++      for (i = old_alloc; i < new_alloc; i++)
+               sockets[i].type = AUTH_UNUSED;
+-      sockets[old_alloc].type = type;
++      sockets_alloc = new_alloc;
+       sockets[old_alloc].fd = fd;
+       buffer_init(&sockets[old_alloc].input);
+       buffer_init(&sockets[old_alloc].output);
++      sockets[old_alloc].type = type;
+ }
+ 
+ static int