--- /dev/null
+Taken from RH (applies to 3.2.3p1 clearly).
+Patch from Owl, adjusted to apply to 3.1p1.
+diff -urp openssh-3.6.1p2.orig/deattack.c openssh-3.6.1p2/deattack.c
+--- openssh-3.6.1p2.orig/deattack.c Tue Mar 5 01:53:05 2002
++++ openssh-3.6.1p2/deattack.c Wed Sep 17 00:18:30 2003
+@@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len
+
+ if (h == NULL) {
+ debug("Installing crc compensation attack detector.");
++ h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
+ n = l;
+- h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
+ } else {
+ if (l > n) {
++ h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
+ n = l;
+- h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
+ }
+ }
+
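Review bot: Nothing in this hunk records why the allocation now has to come before `n = l`, so a later tidy-up could swap the two lines back without anyone noticing. The reorder keeps the pair `h`/`n` consistent if xmalloc() or xrealloc() does not return normally; their definitions are not shown here, so that motive is inferred. A comment above each call would pin it, for example `/* allocate first: n must never describe a larger table than h points to */`. The same size-after-allocation ordering is introduced without comment in the addargs() hunk in misc.c, the child_set_env() hunk in session.c and the `sockets_alloc` update in ssh-agent.c. detect_attack() starts and ends outside this hunk.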
+diff -urp openssh-3.6.1p2.orig/misc.c openssh-3.6.1p2/misc.c
+--- openssh-3.6.1p2.orig/misc.c Mon Dec 23 02:44:36 2002
++++ openssh-3.6.1p2/misc.c Wed Sep 17 00:50:27 2003
+@@ -308,18 +308,21 @@ addargs(arglist *args, char *fmt, ...)
+ {
+ va_list ap;
+ char buf[1024];
++ int nalloc;
+
+ va_start(ap, fmt);
+ vsnprintf(buf, sizeof(buf), fmt, ap);
+ va_end(ap);
+
++ nalloc = args->nalloc;
+ if (args->list == NULL) {
+- args->nalloc = 32;
++ nalloc = 32;
+ args->num = 0;
+- } else if (args->num+2 >= args->nalloc)
+- args->nalloc *= 2;
++ } else if (args->num+2 >= nalloc)
++ nalloc *= 2;
+
+- args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
++ args->list = xrealloc(args->list, nalloc * sizeof(char *));
++ args->nalloc = nalloc;
+ args->list[args->num++] = xstrdup(buf);
+ args->list[args->num] = NULL;
+ }
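Review bot: The new local `nalloc` is a signed `int` that is doubled with `nalloc *= 2` and then multiplied by `sizeof(char *)` with no upper bound, so repeated growth can overflow the int (undefined behaviour) or wrap the byte count passed to xrealloc(). Declaring it `u_int nalloc;` and refusing to grow past a fixed cap, as the session.c hunk does for the environment array, would close that: `if (nalloc >= ADDARGS_MAX) fatal("addargs: argument list too large");`, where `ADDARGS_MAX` is a placeholder for a limit the project would choose. The type of `args->nalloc` is declared outside this hunk and should match the local. Separately, the unchanged vsnprintf() call ignores its return value, so an argument longer than the 1024-byte `buf` is stored silently truncated.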
+diff -urp openssh-3.6.1p2.orig/session.c openssh-3.6.1p2/session.c
+--- openssh-3.6.1p2.orig/session.c Fri Mar 21 01:18:09 2003
++++ openssh-3.6.1p2/session.c Wed Sep 17 00:34:35 2003
+@@ -844,8 +844,9 @@ static void
+ child_set_env(char ***envp, u_int *envsizep, const char *name,
+ const char *value)
+ {
+- u_int i, namelen;
+ char **env;
++ u_int envsize;
++ u_int i, namelen;
+
+ /*
+ * Find the slot where the value should be stored. If the variable
+@@ -804,9 +805,13 @@ child_set_env(char ***envp, u_int *envsi
+ xfree(env[i]);
+ } else {
+ /* New variable. Expand if necessary. */
+- if (i >= (*envsizep) - 1) {
+- (*envsizep) += 50;
+- env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
++ envsize = *envsizep;
++ if (i >= envsize - 1) {
++ if (envsize >= 1000)
++ fatal("child_set_env: too many env vars");
++ envsize += 50;
++ env = (*envp) = xrealloc(env, envsize * sizeof(char *));
++ *envsizep = envsize;
+ }
+ /* Need to set the NULL pointer at end of array beyond the new slot. */
+ env[i + 1] = NULL;
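Review bot: The growth test `i >= envsize - 1` is unsigned arithmetic, so if `*envsizep` were ever 0 the subtraction would wrap to UINT_MAX, the branch would be skipped, and `env[i + 1] = NULL` below would write past the array. Writing it as `if (i + 1 >= envsize) {` expresses the same test without the wrap. Whether a caller can pass a zero size is not visible from this hunk. The literals `1000` and `50` would also read better as named constants, since the cap is a security limit that a maintainer will want to find and tune. child_set_env() begins before and continues after the hunk.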
+diff -urp openssh-3.6.1p2.orig/ssh-agent.c openssh-3.6.1p2/ssh-agent.c
+--- openssh-3.6.1p2.orig/ssh-agent.c Sat Mar 15 00:37:09 2003
++++ openssh-3.6.1p2/ssh-agent.c Wed Sep 17 00:42:15 2003
+@@ -620,6 +620,6 @@ process_message(SocketEntry *e)
+ static void
+ new_socket(sock_type type, int fd)
+ {
+- u_int i, old_alloc;
++ u_int i, old_alloc, new_alloc;
+ if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
+ error("fcntl O_NONBLOCK: %s", strerror(errno));
+@@ -630,23 +630,24 @@ new_socket(sock_type type, int fd)
+ for (i = 0; i < sockets_alloc; i++)
+ if (sockets[i].type == AUTH_UNUSED) {
+ sockets[i].fd = fd;
+- sockets[i].type = type;
+ buffer_init(&sockets[i].input);
+ buffer_init(&sockets[i].output);
++ sockets[i].type = type;
+ return;
+ }
+ old_alloc = sockets_alloc;
+- sockets_alloc += 10;
++ new_alloc = sockets_alloc + 10;
+ if (sockets)
+- sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
++ sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
+ else
+- sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
+- for (i = old_alloc; i < sockets_alloc; i++)
++ sockets = xmalloc(new_alloc * sizeof(sockets[0]));
++ for (i = old_alloc; i < new_alloc; i++)
+ sockets[i].type = AUTH_UNUSED;
+- sockets[old_alloc].type = type;
++ sockets_alloc = new_alloc;
+ sockets[old_alloc].fd = fd;
+ buffer_init(&sockets[old_alloc].input);
+ buffer_init(&sockets[old_alloc].output);
++ sockets[old_alloc].type = type;
+ }
+
+ static int
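Review bot: Moving `sockets[i].type = type;` and `sockets[old_alloc].type = type;` below the buffer_init() calls makes `type` the marker that a slot is fully set up, but no comment says so, and the assignment order looks arbitrary to a reader who does not know the history. A one-line comment before each assignment would protect the invariant, for example `/* set type last: a slot must not look in use until its buffers are initialized */`. The reason is presumably that code reached on an allocation failure may walk `sockets[]` and act on any entry whose type is not AUTH_UNUSED; that code is not shown on this page. new_socket() begins before this hunk.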