Index: crypto/openssh/buffer.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v retrieving revision 1.1.1.1.2.2 retrieving revision 1.1.1.1.2.2.4.2 diff -c -p -c -r1.1.1.1.2.2 -r1.1.1.1.2.2.4.2 *** crypto/openssh/buffer.c 28 Oct 2000 23:00:47 -0000 1.1.1.1.2.2 --- crypto/openssh/buffer.c 17 Sep 2003 14:57:32 -0000 1.1.1.1.2.2.4.2 *************** RCSID("$OpenBSD: buffer.c,v 1.8 2000/09/ *** 23,30 **** void buffer_init(Buffer *buffer) { ! buffer->alloc = 4096; ! buffer->buf = xmalloc(buffer->alloc); buffer->offset = 0; buffer->end = 0; } --- 23,33 ---- void buffer_init(Buffer *buffer) { ! const u_int len = 4096; ! ! buffer->alloc = 0; ! buffer->buf = xmalloc(len); ! buffer->alloc = len; buffer->offset = 0; buffer->end = 0; } *************** buffer_init(Buffer *buffer) *** 34,41 **** void buffer_free(Buffer *buffer) { ! memset(buffer->buf, 0, buffer->alloc); ! xfree(buffer->buf); } /* --- 37,46 ---- void buffer_free(Buffer *buffer) { ! if (buffer->alloc > 0) { ! memset(buffer->buf, 0, buffer->alloc); ! xfree(buffer->buf); ! } } /* *************** buffer_append(Buffer *buffer, const char *** 69,74 **** --- 74,81 ---- void buffer_append_space(Buffer *buffer, char **datap, unsigned int len) { + u_int newlen; + /* If the buffer is empty, start using it from the beginning. */ if (buffer->offset == buffer->end) { buffer->offset = 0; *************** restart: *** 93,100 **** goto restart; } /* Increase the size of the buffer and retry. */ ! buffer->alloc += len + 32768; ! buffer->buf = xrealloc(buffer->buf, buffer->alloc); goto restart; } --- 100,111 ---- goto restart; } /* Increase the size of the buffer and retry. */ ! newlen = buffer->alloc + len + 32768; ! if (newlen > 0xa00000) ! fatal("buffer_append_space: alloc %u not supported", ! newlen); ! buffer->buf = xrealloc(buffer->buf, newlen); ! buffer->alloc = newlen; goto restart; } Index: crypto/openssh/channels.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/channels.c,v retrieving revision 1.1.1.1.2.4.4.1 retrieving revision 1.1.1.1.2.4.4.2 diff -c -p -c -r1.1.1.1.2.4.4.1 -r1.1.1.1.2.4.4.2 *** crypto/openssh/channels.c 7 Mar 2002 14:34:17 -0000 1.1.1.1.2.4.4.1 --- crypto/openssh/channels.c 17 Sep 2003 14:57:32 -0000 1.1.1.1.2.4.4.2 *************** channel_new(char *ctype, int type, int r *** 251,259 **** if (found == -1) { /* There are no free slots. Take last+1 slot and expand the array. */ found = channels_alloc; channels_alloc += 10; debug2("channel: expanding %d", channels_alloc); - channels = xrealloc(channels, channels_alloc * sizeof(Channel)); for (i = found; i < channels_alloc; i++) channels[i].type = SSH_CHANNEL_FREE; } --- 251,263 ---- if (found == -1) { /* There are no free slots. Take last+1 slot and expand the array. */ found = channels_alloc; + if (channels_alloc > 10000) + fatal("channel_new: internal error: channels_alloc %d " + "too big.", channels_alloc); + channels = xrealloc(channels, + (channels_alloc + 10) * sizeof(Channel)); channels_alloc += 10; debug2("channel: expanding %d", channels_alloc); for (i = found; i < channels_alloc; i++) channels[i].type = SSH_CHANNEL_FREE; } Index: crypto/openssh/deattack.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/deattack.c,v retrieving revision 1.1.1.1.2.2 retrieving revision 1.1.1.1.2.2.4.1 diff -c -p -c -r1.1.1.1.2.2 -r1.1.1.1.2.2.4.1 *** crypto/openssh/deattack.c 12 Jan 2001 04:25:56 -0000 1.1.1.1.2.2 --- crypto/openssh/deattack.c 17 Sep 2003 14:57:33 -0000 1.1.1.1.2.2.4.1 *************** detect_attack(unsigned char *buf, u_int3 *** 100,111 **** if (h == NULL) { debug("Installing crc compensation attack detector."); n = l; - h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); } else { if (l > n) { n = l; - h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); } } --- 100,111 ---- if (h == NULL) { debug("Installing crc compensation attack detector."); + h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE); n = l; } else { if (l > n) { + h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE); n = l; } } Index: crypto/openssh/scp.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/scp.c,v retrieving revision 1.1.1.1.2.3 retrieving revision 1.1.1.1.2.3.4.1 diff -c -p -c -r1.1.1.1.2.3 -r1.1.1.1.2.3.4.1 *** crypto/openssh/scp.c 12 Jan 2001 04:25:57 -0000 1.1.1.1.2.3 --- crypto/openssh/scp.c 17 Sep 2003 14:57:33 -0000 1.1.1.1.2.3.4.1 *************** addargs(char *fmt, ...) *** 1217,1234 **** { va_list ap; char buf[1024]; va_start(ap, fmt); vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); if (args.list == NULL) { ! args.nalloc = 32; args.num = 0; ! args.list = xmalloc(args.nalloc * sizeof(char *)); } else if (args.num+2 >= args.nalloc) { ! args.nalloc *= 2; ! args.list = xrealloc(args.list, args.nalloc * sizeof(char *)); } args.list[args.num++] = xstrdup(buf); args.list[args.num] = NULL; --- 1217,1237 ---- { va_list ap; char buf[1024]; + int nalloc; va_start(ap, fmt); vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); if (args.list == NULL) { ! nalloc = 32; args.num = 0; ! args.list = xmalloc(nalloc * sizeof(char *)); ! args.nalloc = nalloc; } else if (args.num+2 >= args.nalloc) { ! nalloc = args.nalloc * 2; ! args.list = xrealloc(args.list, nalloc * sizeof(char *)); ! args.nalloc = nalloc; } args.list[args.num++] = xstrdup(buf); args.list[args.num] = NULL; Index: crypto/openssh/session.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/session.c,v retrieving revision 1.4.2.8.4.1 retrieving revision 1.4.2.8.4.2 diff -c -p -c -r1.4.2.8.4.1 -r1.4.2.8.4.2 *** crypto/openssh/session.c 3 Dec 2001 00:54:18 -0000 1.4.2.8.4.1 --- crypto/openssh/session.c 17 Sep 2003 14:57:33 -0000 1.4.2.8.4.2 *************** void *** 848,853 **** --- 848,854 ---- child_set_env(char ***envp, unsigned int *envsizep, const char *name, const char *value) { + u_int envsize; unsigned int i, namelen; char **env; *************** child_set_env(char ***envp, unsigned int *** 866,874 **** xfree(env[i]); } else { /* New variable. Expand if necessary. */ ! if (i >= (*envsizep) - 1) { ! (*envsizep) += 50; ! env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *)); } /* Need to set the NULL pointer at end of array beyond the new slot. */ env[i + 1] = NULL; --- 867,877 ---- xfree(env[i]); } else { /* New variable. Expand if necessary. */ ! envsize = *envsizep; ! if (i >= envsize - 1) { ! envsize += 50; ! env = (*envp) = xrealloc(env, envsize * sizeof(char *)); ! *envsizep = envsize; } /* Need to set the NULL pointer at end of array beyond the new slot. */ env[i + 1] = NULL; Index: crypto/openssh/ssh-agent.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/ssh-agent.c,v retrieving revision 1.2.2.6 retrieving revision 1.2.2.6.4.1 diff -c -p -c -r1.2.2.6 -r1.2.2.6.4.1 *** crypto/openssh/ssh-agent.c 12 Feb 2001 06:45:42 -0000 1.2.2.6 --- crypto/openssh/ssh-agent.c 17 Sep 2003 14:57:33 -0000 1.2.2.6.4.1 *************** process_message(SocketEntry *e) *** 515,521 **** void new_socket(int type, int fd) { ! unsigned int i, old_alloc; if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) error("fcntl O_NONBLOCK: %s", strerror(errno)); --- 515,521 ---- void new_socket(int type, int fd) { ! unsigned int i, old_alloc, new_alloc; if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) error("fcntl O_NONBLOCK: %s", strerror(errno)); *************** new_socket(int type, int fd) *** 525,547 **** for (i = 0; i < sockets_alloc; i++) if (sockets[i].type == AUTH_UNUSED) { sockets[i].fd = fd; - sockets[i].type = type; buffer_init(&sockets[i].input); buffer_init(&sockets[i].output); return; } old_alloc = sockets_alloc; ! sockets_alloc += 10; if (sockets) ! sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0])); else ! sockets = xmalloc(sockets_alloc * sizeof(sockets[0])); ! for (i = old_alloc; i < sockets_alloc; i++) sockets[i].type = AUTH_UNUSED; ! sockets[old_alloc].type = type; sockets[old_alloc].fd = fd; buffer_init(&sockets[old_alloc].input); buffer_init(&sockets[old_alloc].output); } void --- 525,548 ---- for (i = 0; i < sockets_alloc; i++) if (sockets[i].type == AUTH_UNUSED) { sockets[i].fd = fd; buffer_init(&sockets[i].input); buffer_init(&sockets[i].output); + sockets[i].type = type; return; } old_alloc = sockets_alloc; ! new_alloc = sockets_alloc + 10; if (sockets) ! sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0])); else ! sockets = xmalloc(new_alloc * sizeof(sockets[0])); ! for (i = old_alloc; i < new_alloc; i++) sockets[i].type = AUTH_UNUSED; ! sockets_alloc = new_alloc; sockets[old_alloc].fd = fd; buffer_init(&sockets[old_alloc].input); buffer_init(&sockets[old_alloc].output); + sockets[old_alloc].type = type; } void