
Bug#211434: [PATCH] the extra code in question



There are more malloc/memory handling fixes that you can pull down
from the OpenSSH CVSweb that have been committed within the past day
or so.

They might be worth including in all the ssh updates that debian
maintainers are working on.

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/


On Thu, Sep 18, 2003 at 11:17:35AM -0400, lunz@reflexsecurity.com wrote:
 > Tags: patch
 > 
 > 
 > Here are the additional fixes in question. I extracted this patch from
 > the file openssh.patch in this rpm:
 > ftp://ftp.openpkg.org/release/1.3/UPD/openssh-3.6.1p2-1.3.2.src.rpm
 > 
 > Jason
 > 
 > 
 > These patches adjust (re)allocation procedures so they do not
 > alter context structures unless the (re)allocation was successful.
 > Otherwise the fatal cleanup functions (triggered from within the
 > failing (re)allocation functions) will be confused and especially
 > (for some instances) incorrectly clear (smaller than recorded) memory
 > buffers with NUL bytes. This patch is based on work by Solar Designer
 > <solar@openwall.com>.
 > 
 > Index: deattack.c
 > --- deattack.c.orig	2002-03-05 02:53:05.000000000 +0100
 > +++ deattack.c	2003-09-17 09:30:09.000000000 +0200
 > @@ -100,12 +100,12 @@
 >  
 >  	if (h == NULL) {
 >  		debug("Installing crc compensation attack detector.");
 > +		h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
 >  		n = l;
 > -		h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
 >  	} else {
 >  		if (l > n) {
 > +			h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
 >  			n = l;
 > -			h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
 >  		}
 >  	}
 >  
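Review bot: The moved lines `h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);` and `h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);` are correct, but nothing in the hunk records why `n = l` now has to come after the allocation, so the next maintainer can reorder them back without noticing. I would add above the `if (h == NULL)` block: `/* Assign n only after the (re)allocation succeeded: a fatal() raised inside xmalloc/xrealloc runs cleanup against h and n, and n must never claim more entries than h actually holds. */`. The enclosing function starts before the hunk. The product `l * HASH_ENTRYSIZE` is passed unchecked; whether `l` is bounded by the caller is not visible here, so that is worth confirming rather than assuming.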
 > Index: misc.c
 > --- misc.c.orig	2003-08-25 03:16:21.000000000 +0200
 > +++ misc.c	2003-09-17 09:30:09.000000000 +0200
 > @@ -308,18 +308,21 @@
 >  {
 >  	va_list ap;
 >  	char buf[1024];
 > +	int nalloc;
 >  
 >  	va_start(ap, fmt);
 >  	vsnprintf(buf, sizeof(buf), fmt, ap);
 >  	va_end(ap);
 >  
 > +	nalloc = args->nalloc;
 >  	if (args->list == NULL) {
 > -		args->nalloc = 32;
 > +		nalloc = 32;
 >  		args->num = 0;
 > -	} else if (args->num+2 >= args->nalloc)
 > -		args->nalloc *= 2;
 > +	} else if (args->num+2 >= nalloc)
 > +		nalloc *= 2;
 >  
 > -	args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
 > +	args->list = xrealloc(args->list, nalloc * sizeof(char *));
 > +	args->nalloc = nalloc;
 >  	args->list[args->num++] = xstrdup(buf);
 >  	args->list[args->num] = NULL;
 >  }
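Review bot: `int nalloc;` at the top of the hunk is copied from and written back into `args->nalloc`, whose type the hunk does not show; if that field is unsigned, the round-trip converts silently and `nalloc * sizeof(char *)` mixes signed and unsigned, so the local should be declared with the same type as the field. The staging pattern itself deserves a comment at the declaration: `/* Stage the new capacity locally and commit it to args->nalloc only after xrealloc returns, so a fatal() cleanup never sees a count larger than the list really is. */`. The function's signature lies above the hunk, so only `args` and `fmt` are visible as parameters. Note that `xrealloc(args->list, nalloc * sizeof(char *))` is still reached with `args->list == NULL` on the first call, which relies on xrealloc accepting a NULL pointer; that contract is not shown in the hunk.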
 > Index: session.c
 > --- session.c.orig	2003-09-16 03:52:19.000000000 +0200
 > +++ session.c	2003-09-17 09:34:20.000000000 +0200
 > @@ -800,6 +800,7 @@
 >  {
 >  	u_int i, namelen;
 >  	char **env;
 > +	u_int envsize;
 >  
 >  	/*
 >  	 * If we're passed an uninitialized list, allocate a single null
 > @@ -826,12 +827,14 @@
 >  		xfree(env[i]);
 >  	} else {
 >  		/* New variable.  Expand if necessary. */
 > -		if (i >= (*envsizep) - 1) {
 > -			if (*envsizep >= 1000)
 > +		envsize = *envsizep;
 > +		if (i >= envsize - 1) {
 > +			if (envsize >= 1000)
 >  				fatal("child_set_env: too many env vars,"
 >  				    " skipping: %.100s", name);
 > -			(*envsizep) += 50;
 > -			env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
 > +			envsize += 50;
 > +			env = (*envp) = xrealloc(env, envsize * sizeof(char *));
 > +			*envsizep = envsize;
 >  		}
 >  		/* Need to set the NULL pointer at end of array beyond the new slot. */
 >  		env[i + 1] = NULL;
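Review bot: The write-back `*envsizep = envsize;` after the xrealloc is the whole point of this hunk, yet the lines give no hint that the order is deliberate; I would put a comment above `envsize = *envsizep;`: `/* Work on a local copy and publish the new size only after xrealloc succeeded, so a fatal() cleanup never sees *envsizep larger than env. */`. The first hunk of this file only adds the `u_int envsize;` declaration and needs nothing. The function begins before the first hunk and continues past this one. Unrelated to the change but visible in context: the `fatal("child_set_env: too many env vars," " skipping: %.100s", name)` message says "skipping" while fatal() terminates, which is misleading wording inherited from the old code.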
 > Index: ssh-agent.c
 > --- ssh-agent.c.orig	2003-08-22 01:34:41.000000000 +0200
 > +++ ssh-agent.c	2003-09-17 09:30:09.000000000 +0200
 > @@ -784,7 +784,7 @@
 >  static void
 >  new_socket(sock_type type, int fd)
 >  {
 > -	u_int i, old_alloc;
 > +	u_int i, old_alloc, new_alloc;
 >  
 >  	if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
 >  		error("fcntl O_NONBLOCK: %s", strerror(errno));
 > @@ -795,25 +795,26 @@
 >  	for (i = 0; i < sockets_alloc; i++)
 >  		if (sockets[i].type == AUTH_UNUSED) {
 >  			sockets[i].fd = fd;
 > -			sockets[i].type = type;
 >  			buffer_init(&sockets[i].input);
 >  			buffer_init(&sockets[i].output);
 >  			buffer_init(&sockets[i].request);
 > +			sockets[i].type = type;
 >  			return;
 >  		}
 >  	old_alloc = sockets_alloc;
 > -	sockets_alloc += 10;
 > +	new_alloc = sockets_alloc + 10;
 >  	if (sockets)
 > -		sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
 > +		sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
 >  	else
 > -		sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
 > -	for (i = old_alloc; i < sockets_alloc; i++)
 > +		sockets = xmalloc(new_alloc * sizeof(sockets[0]));
 > +	for (i = old_alloc; i < new_alloc; i++)
 >  		sockets[i].type = AUTH_UNUSED;
 > -	sockets[old_alloc].type = type;
 > +	sockets_alloc = new_alloc;
 >  	sockets[old_alloc].fd = fd;
 >  	buffer_init(&sockets[old_alloc].input);
 >  	buffer_init(&sockets[old_alloc].output);
 >  	buffer_init(&sockets[old_alloc].request);
 > +	sockets[old_alloc].type = type;
 >  }
 >  
 >  static int
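Review bot: Moving `sockets[i].type = type;` (and the matching `sockets[old_alloc].type = type;`) to after the three buffer_init calls is the subtle part of this hunk and is undocumented; a reader will see it as a gratuitous reorder. I would add before the first of them: `/* Mark the slot in use last: a fatal() raised by buffer_init must not leave a half-initialized entry visible to the cleanup path as a live socket. */`, and likewise above `sockets_alloc = new_alloc;`: `/* Publish the new size only after the tail is marked AUTH_UNUSED. */`. The first hunk of this file only widens the declaration to `u_int i, old_alloc, new_alloc;` and needs no note; together the two hunks cover all of new_socket. `new_alloc * sizeof(sockets[0])` is passed to xrealloc/xmalloc without an overflow check, but with growth of 10 entries per call that is not a practical concern.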
 > 
 > 
 > 



