Index: crypto/openssh/buffer.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v
retrieving revision 1.1.1.6
retrieving revision 1.2
diff -c -p -c -r1.1.1.6 -r1.2
*** crypto/openssh/buffer.c	29 Jun 2002 11:33:59 -0000	1.1.1.6
--- crypto/openssh/buffer.c	17 Sep 2003 00:58:33 -0000	1.2
*************** RCSID("$OpenBSD: buffer.c,v 1.16 2002/06
*** 23,30 ****
  void
  buffer_init(Buffer *buffer)
  {
! 	buffer->alloc = 4096;
! 	buffer->buf = xmalloc(buffer->alloc);
  	buffer->offset = 0;
  	buffer->end = 0;
  }
--- 23,33 ----
  void
  buffer_init(Buffer *buffer)
  {
! 	const u_int len = 4096;
! 
! 	buffer->alloc = 0;
! 	buffer->buf = xmalloc(len);
! 	buffer->alloc = len;
  	buffer->offset = 0;
  	buffer->end = 0;
  }
*************** buffer_init(Buffer *buffer)
*** 34,41 ****
  void
  buffer_free(Buffer *buffer)
  {
! 	memset(buffer->buf, 0, buffer->alloc);
! 	xfree(buffer->buf);
  }
  
  /*
--- 37,46 ----
  void
  buffer_free(Buffer *buffer)
  {
! 	if (buffer->alloc > 0) {
! 		memset(buffer->buf, 0, buffer->alloc);
! 		xfree(buffer->buf);
! 	}
  }
  
  /*
*************** buffer_append(Buffer *buffer, const void
*** 69,74 ****
--- 74,80 ----
  void *
  buffer_append_space(Buffer *buffer, u_int len)
  {
+ 	u_int newlen;
  	void *p;
  
  	if (len > 0x100000)
*************** restart:
*** 98,108 ****
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	buffer->alloc += len + 32768;
! 	if (buffer->alloc > 0xa00000)
  		fatal("buffer_append_space: alloc %u not supported",
! 		    buffer->alloc);
! 	buffer->buf = xrealloc(buffer->buf, buffer->alloc);
  	goto restart;
  	/* NOTREACHED */
  }
--- 104,116 ----
  		goto restart;
  	}
  	/* Increase the size of the buffer and retry. */
! 	
! 	newlen = buffer->alloc + len + 32768;
! 	if (newlen > 0xa00000)
  		fatal("buffer_append_space: alloc %u not supported",
! 		    newlen);
! 	buffer->buf = xrealloc(buffer->buf, newlen);
! 	buffer->alloc = newlen;
  	goto restart;
  	/* NOTREACHED */
  }
Index: crypto/openssh/channels.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/channels.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -c -p -c -r1.15 -r1.16
*** crypto/openssh/channels.c	1 May 2003 15:05:42 -0000	1.15
--- crypto/openssh/channels.c	17 Sep 2003 00:58:33 -0000	1.16
*************** channel_new(char *ctype, int type, int r
*** 229,240 ****
  	if (found == -1) {
  		/* There are no free slots.  Take last+1 slot and expand the array.  */
  		found = channels_alloc;
- 		channels_alloc += 10;
  		if (channels_alloc > 10000)
  			fatal("channel_new: internal error: channels_alloc %d "
  			    "too big.", channels_alloc);
  		debug2("channel: expanding %d", channels_alloc);
- 		channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
  		for (i = found; i < channels_alloc; i++)
  			channels[i] = NULL;
  	}
--- 229,241 ----
  	if (found == -1) {
  		/* There are no free slots.  Take last+1 slot and expand the array.  */
  		found = channels_alloc;
  		if (channels_alloc > 10000)
  			fatal("channel_new: internal error: channels_alloc %d "
  			    "too big.", channels_alloc);
+ 		channels = xrealloc(channels,
+ 		    (channels_alloc + 10) * sizeof(Channel *));
+ 		channels_alloc += 10;
  		debug2("channel: expanding %d", channels_alloc);
  		for (i = found; i < channels_alloc; i++)
  			channels[i] = NULL;
  	}
Index: crypto/openssh/deattack.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/deattack.c,v
retrieving revision 1.1.1.5
retrieving revision 1.1.1.6
diff -c -p -c -r1.1.1.5 -r1.1.1.6
*** crypto/openssh/deattack.c	18 Mar 2002 09:54:55 -0000	1.1.1.5
--- crypto/openssh/deattack.c	17 Sep 2003 14:35:03 -0000	1.1.1.6
*************** detect_attack(u_char *buf, u_int32_t len
*** 100,111 ****
  
  	if (h == NULL) {
  		debug("Installing crc compensation attack detector.");
  		n = l;
- 		h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
  	} else {
  		if (l > n) {
  			n = l;
- 			h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
  		}
  	}
  
--- 100,111 ----
  
  	if (h == NULL) {
  		debug("Installing crc compensation attack detector.");
+ 		h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
  		n = l;
  	} else {
  		if (l > n) {
+ 			h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
  			n = l;
  		}
  	}
  
Index: crypto/openssh/misc.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/misc.c,v
retrieving revision 1.1.1.4
retrieving revision 1.1.1.5
diff -c -p -c -r1.1.1.4 -r1.1.1.5
*** crypto/openssh/misc.c	23 Apr 2003 16:52:55 -0000	1.1.1.4
--- crypto/openssh/misc.c	17 Sep 2003 14:35:03 -0000	1.1.1.5
*************** addargs(arglist *args, char *fmt, ...)
*** 308,325 ****
  {
  	va_list ap;
  	char buf[1024];
  
  	va_start(ap, fmt);
  	vsnprintf(buf, sizeof(buf), fmt, ap);
  	va_end(ap);
  
  	if (args->list == NULL) {
! 		args->nalloc = 32;
  		args->num = 0;
! 	} else if (args->num+2 >= args->nalloc)
! 		args->nalloc *= 2;
  
! 	args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
  	args->list[args->num++] = xstrdup(buf);
  	args->list[args->num] = NULL;
  }
--- 308,328 ----
  {
  	va_list ap;
  	char buf[1024];
+ 	int nalloc;
  
  	va_start(ap, fmt);
  	vsnprintf(buf, sizeof(buf), fmt, ap);
  	va_end(ap);
  
+ 	nalloc = args->nalloc;
  	if (args->list == NULL) {
! 		nalloc = 32;
  		args->num = 0;
! 	} else if (args->num+2 >= nalloc)
! 		nalloc *= 2;
  
! 	args->list = xrealloc(args->list, nalloc * sizeof(char *));
! 	args->nalloc = nalloc;
  	args->list[args->num++] = xstrdup(buf);
  	args->list[args->num] = NULL;
  }
Index: crypto/openssh/session.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/session.c,v
retrieving revision 1.40
retrieving revision 1.41
diff -c -p -c -r1.40 -r1.41
*** crypto/openssh/session.c	23 Apr 2003 17:10:53 -0000	1.40
--- crypto/openssh/session.c	17 Sep 2003 14:36:14 -0000	1.41
*************** static void
*** 863,870 ****
  child_set_env(char ***envp, u_int *envsizep, const char *name,
  	const char *value)
  {
- 	u_int i, namelen;
  	char **env;
  
  	/*
  	 * Find the slot where the value should be stored.  If the variable
--- 863,871 ----
  child_set_env(char ***envp, u_int *envsizep, const char *name,
  	const char *value)
  {
  	char **env;
+ 	u_int envsize;
+ 	u_int i, namelen;
  
  	/*
  	 * Find the slot where the value should be stored.  If the variable
*************** child_set_env(char ***envp, u_int *envsi
*** 881,892 ****
  		xfree(env[i]);
  	} else {
  		/* New variable.  Expand if necessary. */
! 		if (i >= (*envsizep) - 1) {
! 			if (*envsizep >= 1000)
! 				fatal("child_set_env: too many env vars,"
! 				    " skipping: %.100s", name);
! 			(*envsizep) += 50;
! 			env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
  		}
  		/* Need to set the NULL pointer at end of array beyond the new slot. */
  		env[i + 1] = NULL;
--- 882,894 ----
  		xfree(env[i]);
  	} else {
  		/* New variable.  Expand if necessary. */
! 		envsize = *envsizep;
! 		if (i >= envsize - 1) {
! 			if (envsize >= 1000)
! 				fatal("child_set_env: too many env vars");
! 			envsize += 50;
! 			env = (*envp) = xrealloc(env, envsize * sizeof(char *));
! 			*envsizep = envsize;
  		}
  		/* Need to set the NULL pointer at end of array beyond the new slot. */
  		env[i + 1] = NULL;
Index: crypto/openssh/ssh-agent.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/ssh-agent.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -c -p -c -r1.18 -r1.19
*** crypto/openssh/ssh-agent.c	23 Apr 2003 17:10:53 -0000	1.18
--- crypto/openssh/ssh-agent.c	17 Sep 2003 14:36:14 -0000	1.19
*************** process_message(SocketEntry *e)
*** 768,774 ****
  static void
  new_socket(sock_type type, int fd)
  {
! 	u_int i, old_alloc;
  
  	if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
  		error("fcntl O_NONBLOCK: %s", strerror(errno));
--- 768,774 ----
  static void
  new_socket(sock_type type, int fd)
  {
! 	u_int i, old_alloc, new_alloc;
  
  	if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
  		error("fcntl O_NONBLOCK: %s", strerror(errno));
*************** new_socket(sock_type type, int fd)
*** 779,803 ****
  	for (i = 0; i < sockets_alloc; i++)
  		if (sockets[i].type == AUTH_UNUSED) {
  			sockets[i].fd = fd;
- 			sockets[i].type = type;
  			buffer_init(&sockets[i].input);
  			buffer_init(&sockets[i].output);
  			buffer_init(&sockets[i].request);
  			return;
  		}
  	old_alloc = sockets_alloc;
! 	sockets_alloc += 10;
  	if (sockets)
! 		sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
  	else
! 		sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
! 	for (i = old_alloc; i < sockets_alloc; i++)
  		sockets[i].type = AUTH_UNUSED;
! 	sockets[old_alloc].type = type;
  	sockets[old_alloc].fd = fd;
  	buffer_init(&sockets[old_alloc].input);
  	buffer_init(&sockets[old_alloc].output);
  	buffer_init(&sockets[old_alloc].request);
  }
  
  static int
--- 779,804 ----
  	for (i = 0; i < sockets_alloc; i++)
  		if (sockets[i].type == AUTH_UNUSED) {
  			sockets[i].fd = fd;
  			buffer_init(&sockets[i].input);
  			buffer_init(&sockets[i].output);
  			buffer_init(&sockets[i].request);
+ 			sockets[i].type = type;
  			return;
  		}
  	old_alloc = sockets_alloc;
! 	new_alloc = sockets_alloc + 10;
  	if (sockets)
! 		sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
  	else
! 		sockets = xmalloc(new_alloc * sizeof(sockets[0]));
! 	for (i = old_alloc; i < new_alloc; i++)
  		sockets[i].type = AUTH_UNUSED;
! 	sockets_alloc = new_alloc;
  	sockets[old_alloc].fd = fd;
  	buffer_init(&sockets[old_alloc].input);
  	buffer_init(&sockets[old_alloc].output);
  	buffer_init(&sockets[old_alloc].request);
+ 	sockets[old_alloc].type = type;
  }
  
  static int