diff options
Diffstat (limited to 'share/security/patches/SA-03:12/buffer46.patch')
-rw-r--r-- | share/security/patches/SA-03:12/buffer46.patch | 344 |
1 files changed, 344 insertions, 0 deletions
diff --git a/share/security/patches/SA-03:12/buffer46.patch b/share/security/patches/SA-03:12/buffer46.patch new file mode 100644 index 0000000000..8484d938d7 --- /dev/null +++ b/share/security/patches/SA-03:12/buffer46.patch @@ -0,0 +1,344 @@ +Index: crypto/openssh/buffer.c +=================================================================== +RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v +retrieving revision 1.1.1.6 +retrieving revision 1.2 +diff -c -p -c -r1.1.1.6 -r1.2 +*** crypto/openssh/buffer.c 29 Jun 2002 11:33:59 -0000 1.1.1.6 +--- crypto/openssh/buffer.c 17 Sep 2003 00:58:33 -0000 1.2 +*************** RCSID("$OpenBSD: buffer.c,v 1.16 2002/06 +*** 23,30 **** + void + buffer_init(Buffer *buffer) + { +! buffer->alloc = 4096; +! buffer->buf = xmalloc(buffer->alloc); + buffer->offset = 0; + buffer->end = 0; + } +--- 23,33 ---- + void + buffer_init(Buffer *buffer) + { +! const u_int len = 4096; +! +! buffer->alloc = 0; +! buffer->buf = xmalloc(len); +! buffer->alloc = len; + buffer->offset = 0; + buffer->end = 0; + } +*************** buffer_init(Buffer *buffer) +*** 34,41 **** + void + buffer_free(Buffer *buffer) + { +! memset(buffer->buf, 0, buffer->alloc); +! xfree(buffer->buf); + } + + /* +--- 37,46 ---- + void + buffer_free(Buffer *buffer) + { +! if (buffer->alloc > 0) { +! memset(buffer->buf, 0, buffer->alloc); +! xfree(buffer->buf); +! } + } + + /* +*************** buffer_append(Buffer *buffer, const void +*** 69,74 **** +--- 74,80 ---- + void * + buffer_append_space(Buffer *buffer, u_int len) + { ++ u_int newlen; + void *p; + + if (len > 0x100000) +*************** restart: +*** 98,108 **** + goto restart; + } + /* Increase the size of the buffer and retry. */ +! buffer->alloc += len + 32768; +! if (buffer->alloc > 0xa00000) + fatal("buffer_append_space: alloc %u not supported", +! buffer->alloc); +! buffer->buf = xrealloc(buffer->buf, buffer->alloc); + goto restart; + /* NOTREACHED */ + } +--- 104,116 ---- + goto restart; + } + /* Increase the size of the buffer and retry. */ +! +! newlen = buffer->alloc + len + 32768; +! if (newlen > 0xa00000) + fatal("buffer_append_space: alloc %u not supported", +! newlen); +! buffer->buf = xrealloc(buffer->buf, newlen); +! buffer->alloc = newlen; + goto restart; + /* NOTREACHED */ + } +Index: crypto/openssh/channels.c +=================================================================== +RCS file: /home/ncvs/src/crypto/openssh/channels.c,v +retrieving revision 1.15 +retrieving revision 1.16 +diff -c -p -c -r1.15 -r1.16 +*** crypto/openssh/channels.c 1 May 2003 15:05:42 -0000 1.15 +--- crypto/openssh/channels.c 17 Sep 2003 00:58:33 -0000 1.16 +*************** channel_new(char *ctype, int type, int r +*** 229,240 **** + if (found == -1) { + /* There are no free slots. Take last+1 slot and expand the array. */ + found = channels_alloc; +- channels_alloc += 10; + if (channels_alloc > 10000) + fatal("channel_new: internal error: channels_alloc %d " + "too big.", channels_alloc); + debug2("channel: expanding %d", channels_alloc); +- channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); + for (i = found; i < channels_alloc; i++) + channels[i] = NULL; + } +--- 229,241 ---- + if (found == -1) { + /* There are no free slots. Take last+1 slot and expand the array. */ + found = channels_alloc; + if (channels_alloc > 10000) + fatal("channel_new: internal error: channels_alloc %d " + "too big.", channels_alloc); ++ channels = xrealloc(channels, ++ (channels_alloc + 10) * sizeof(Channel *)); ++ channels_alloc += 10; + debug2("channel: expanding %d", channels_alloc); + for (i = found; i < channels_alloc; i++) + channels[i] = NULL; + } +Index: crypto/openssh/deattack.c +=================================================================== +RCS file: /home/ncvs/src/crypto/openssh/deattack.c,v +retrieving revision 1.1.1.5 +retrieving revision 1.1.1.6 +diff -c -p -c -r1.1.1.5 -r1.1.1.6 +*** crypto/openssh/deattack.c 18 Mar 2002 09:54:55 -0000 1.1.1.5 +--- crypto/openssh/deattack.c 17 Sep 2003 14:35:03 -0000 1.1.1.6 +*************** detect_attack(u_char *buf, u_int32_t len +*** 100,111 **** + + if (h == NULL) { + debug("Installing crc compensation attack detector."); + n = l; +- h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); + } else { + if (l > n) { + n = l; +- h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); + } + } + +--- 100,111 ---- + + if (h == NULL) { + debug("Installing crc compensation attack detector."); ++ h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE); + n = l; + } else { + if (l > n) { ++ h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE); + n = l; + } + } + +Index: crypto/openssh/misc.c +=================================================================== +RCS file: /home/ncvs/src/crypto/openssh/misc.c,v +retrieving revision 1.1.1.4 +retrieving revision 1.1.1.5 +diff -c -p -c -r1.1.1.4 -r1.1.1.5 +*** crypto/openssh/misc.c 23 Apr 2003 16:52:55 -0000 1.1.1.4 +--- crypto/openssh/misc.c 17 Sep 2003 14:35:03 -0000 1.1.1.5 +*************** addargs(arglist *args, char *fmt, ...) +*** 308,325 **** + { + va_list ap; + char buf[1024]; + + va_start(ap, fmt); + vsnprintf(buf, sizeof(buf), fmt, ap); + va_end(ap); + + if (args->list == NULL) { +! args->nalloc = 32; + args->num = 0; +! } else if (args->num+2 >= args->nalloc) +! args->nalloc *= 2; + +! args->list = xrealloc(args->list, args->nalloc * sizeof(char *)); + args->list[args->num++] = xstrdup(buf); + args->list[args->num] = NULL; + } +--- 308,328 ---- + { + va_list ap; + char buf[1024]; ++ int nalloc; + + va_start(ap, fmt); + vsnprintf(buf, sizeof(buf), fmt, ap); + va_end(ap); + ++ nalloc = args->nalloc; + if (args->list == NULL) { +! nalloc = 32; + args->num = 0; +! } else if (args->num+2 >= nalloc) +! nalloc *= 2; + +! args->list = xrealloc(args->list, nalloc * sizeof(char *)); +! args->nalloc = nalloc; + args->list[args->num++] = xstrdup(buf); + args->list[args->num] = NULL; + } +Index: crypto/openssh/session.c +=================================================================== +RCS file: /home/ncvs/src/crypto/openssh/session.c,v +retrieving revision 1.40 +retrieving revision 1.41 +diff -c -p -c -r1.40 -r1.41 +*** crypto/openssh/session.c 23 Apr 2003 17:10:53 -0000 1.40 +--- crypto/openssh/session.c 17 Sep 2003 14:36:14 -0000 1.41 +*************** static void +*** 863,870 **** + child_set_env(char ***envp, u_int *envsizep, const char *name, + const char *value) + { +- u_int i, namelen; + char **env; + + /* + * Find the slot where the value should be stored. If the variable +--- 863,871 ---- + child_set_env(char ***envp, u_int *envsizep, const char *name, + const char *value) + { + char **env; ++ u_int envsize; ++ u_int i, namelen; + + /* + * Find the slot where the value should be stored. If the variable +*************** child_set_env(char ***envp, u_int *envsi +*** 881,892 **** + xfree(env[i]); + } else { + /* New variable. Expand if necessary. */ +! if (i >= (*envsizep) - 1) { +! if (*envsizep >= 1000) +! fatal("child_set_env: too many env vars," +! " skipping: %.100s", name); +! (*envsizep) += 50; +! env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *)); + } + /* Need to set the NULL pointer at end of array beyond the new slot. */ + env[i + 1] = NULL; +--- 882,894 ---- + xfree(env[i]); + } else { + /* New variable. Expand if necessary. */ +! envsize = *envsizep; +! if (i >= envsize - 1) { +! if (envsize >= 1000) +! fatal("child_set_env: too many env vars"); +! envsize += 50; +! env = (*envp) = xrealloc(env, envsize * sizeof(char *)); +! *envsizep = envsize; + } + /* Need to set the NULL pointer at end of array beyond the new slot. */ + env[i + 1] = NULL; +Index: crypto/openssh/ssh-agent.c +=================================================================== +RCS file: /home/ncvs/src/crypto/openssh/ssh-agent.c,v +retrieving revision 1.18 +retrieving revision 1.19 +diff -c -p -c -r1.18 -r1.19 +*** crypto/openssh/ssh-agent.c 23 Apr 2003 17:10:53 -0000 1.18 +--- crypto/openssh/ssh-agent.c 17 Sep 2003 14:36:14 -0000 1.19 +*************** process_message(SocketEntry *e) +*** 768,774 **** + static void + new_socket(sock_type type, int fd) + { +! u_int i, old_alloc; + + if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) + error("fcntl O_NONBLOCK: %s", strerror(errno)); +--- 768,774 ---- + static void + new_socket(sock_type type, int fd) + { +! u_int i, old_alloc, new_alloc; + + if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) + error("fcntl O_NONBLOCK: %s", strerror(errno)); +*************** new_socket(sock_type type, int fd) +*** 779,803 **** + for (i = 0; i < sockets_alloc; i++) + if (sockets[i].type == AUTH_UNUSED) { + sockets[i].fd = fd; +- sockets[i].type = type; + buffer_init(&sockets[i].input); + buffer_init(&sockets[i].output); + buffer_init(&sockets[i].request); + return; + } + old_alloc = sockets_alloc; +! sockets_alloc += 10; + if (sockets) +! sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0])); + else +! sockets = xmalloc(sockets_alloc * sizeof(sockets[0])); +! for (i = old_alloc; i < sockets_alloc; i++) + sockets[i].type = AUTH_UNUSED; +! sockets[old_alloc].type = type; + sockets[old_alloc].fd = fd; + buffer_init(&sockets[old_alloc].input); + buffer_init(&sockets[old_alloc].output); + buffer_init(&sockets[old_alloc].request); + } + + static int +--- 779,804 ---- + for (i = 0; i < sockets_alloc; i++) + if (sockets[i].type == AUTH_UNUSED) { + sockets[i].fd = fd; + buffer_init(&sockets[i].input); + buffer_init(&sockets[i].output); + buffer_init(&sockets[i].request); ++ sockets[i].type = type; + return; + } + old_alloc = sockets_alloc; +! new_alloc = sockets_alloc + 10; + if (sockets) +! sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0])); + else +! sockets = xmalloc(new_alloc * sizeof(sockets[0])); +! for (i = old_alloc; i < new_alloc; i++) + sockets[i].type = AUTH_UNUSED; +! sockets_alloc = new_alloc; + sockets[old_alloc].fd = fd; + buffer_init(&sockets[old_alloc].input); + buffer_init(&sockets[old_alloc].output); + buffer_init(&sockets[old_alloc].request); ++ sockets[old_alloc].type = type; + } + + static int |