Correct more cases of allocation size bookkeeping being updated before

calling functions which can potentially fail and cause cleanups to be
invoked.

Submitted by:	Solar Designer <solar@openwall.com>

3 files changed, 18 insertions, 15 deletions

diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index 06ddb4c..f2d73a4 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -863,8 +863,9 @@ static void
 child_set_env(char ***envp, u_int *envsizep, const char *name,
 	const char *value)
 {
-	u_int i, namelen;
 	char **env;
+	u_int envsize;
+	u_int i, namelen;
 
 	/*
 	 * Find the slot where the value should be stored.  If the variable
@@ -881,12 +882,13 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
 		xfree(env[i]);
 	} else {
 		/* New variable.  Expand if necessary. */
-		if (i >= (*envsizep) - 1) {
-			if (*envsizep >= 1000)
-				fatal("child_set_env: too many env vars,"
-				    " skipping: %.100s", name);
-			(*envsizep) += 50;
-			env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
+		envsize = *envsizep;
+		if (i >= envsize - 1) {
+			if (envsize >= 1000)
+				fatal("child_set_env: too many env vars");
+			envsize += 50;
+			env = (*envp) = xrealloc(env, envsize * sizeof(char *));
+			*envsizep = envsize;
 		}
 		/* Need to set the NULL pointer at end of array beyond the new slot. */
 		env[i + 1] = NULL;
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index 041105c..097fad9 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -768,7 +768,7 @@ process_message(SocketEntry *e)
 static void
 new_socket(sock_type type, int fd)
 {
-	u_int i, old_alloc;
+	u_int i, old_alloc, new_alloc;
 
 	if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
 		error("fcntl O_NONBLOCK: %s", strerror(errno));
@@ -779,25 +779,26 @@ new_socket(sock_type type, int fd)
 	for (i = 0; i < sockets_alloc; i++)
 		if (sockets[i].type == AUTH_UNUSED) {
 			sockets[i].fd = fd;
-			sockets[i].type = type;
 			buffer_init(&sockets[i].input);
 			buffer_init(&sockets[i].output);
 			buffer_init(&sockets[i].request);
+			sockets[i].type = type;
 			return;
 		}
 	old_alloc = sockets_alloc;
-	sockets_alloc += 10;
+	new_alloc = sockets_alloc + 10;
 	if (sockets)
-		sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
+		sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
 	else
-		sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
-	for (i = old_alloc; i < sockets_alloc; i++)
+		sockets = xmalloc(new_alloc * sizeof(sockets[0]));
+	for (i = old_alloc; i < new_alloc; i++)
 		sockets[i].type = AUTH_UNUSED;
-	sockets[old_alloc].type = type;
+	sockets_alloc = new_alloc;
 	sockets[old_alloc].fd = fd;
 	buffer_init(&sockets[old_alloc].input);
 	buffer_init(&sockets[old_alloc].output);
 	buffer_init(&sockets[old_alloc].request);
+	sockets[old_alloc].type = type;
 }
 
 static int
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index f4b3f9f..d07a692 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -5,7 +5,7 @@
 
 #define SSH_VERSION             (ssh_version_get())
 #define SSH_VERSION_BASE        "OpenSSH_3.6.1p1"
-#define SSH_VERSION_ADDENDUM    "FreeBSD-20030916"
+#define SSH_VERSION_ADDENDUM    "FreeBSD-20030917"
 
 const char *ssh_version_get(void);
 void ssh_version_set_addendum(const char *add);