NOTE: this is the second revision of this patch Apply by doing: cd /usr/src patch -p0 < 017_sshbuffer.patch cd usr.bin/ssh make obj make cleandir make depend make && make install Do not forget to restart sshd(8). If you started sshd(8) with a full path (i.e. /usr/sbin/sshd) you can simply send it a SIGHUP and it will re-exec itself. E.g. kill -HUP `cat /var/run/sshd.pid` Index: usr.bin/ssh/buffer.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/buffer.c,v retrieving revision 1.16 diff -u -r1.16 buffer.c --- usr.bin/ssh/buffer.c 26 Jun 2002 08:54:18 -0000 1.16 +++ usr.bin/ssh/buffer.c 17 Sep 2003 00:53:39 -0000 @@ -23,8 +23,11 @@ void buffer_init(Buffer *buffer) { - buffer->alloc = 4096; - buffer->buf = xmalloc(buffer->alloc); + const u_int len = 4096; + + buffer->alloc = 0; + buffer->buf = xmalloc(len); + buffer->alloc = len; buffer->offset = 0; buffer->end = 0; } @@ -34,8 +37,10 @@ void buffer_free(Buffer *buffer) { - memset(buffer->buf, 0, buffer->alloc); - xfree(buffer->buf); + if (buffer->alloc > 0) { + memset(buffer->buf, 0, buffer->alloc); + xfree(buffer->buf); + } } /* @@ -69,6 +74,7 @@ void * buffer_append_space(Buffer *buffer, u_int len) { + u_int newlen; void *p; if (len > 0x100000) @@ -98,11 +104,13 @@ goto restart; } /* Increase the size of the buffer and retry. */ - buffer->alloc += len + 32768; - if (buffer->alloc > 0xa00000) + + newlen = buffer->alloc + len + 32768; + if (newlen > 0xa00000) fatal("buffer_append_space: alloc %u not supported", - buffer->alloc); - buffer->buf = xrealloc(buffer->buf, buffer->alloc); + newlen); + buffer->buf = xrealloc(buffer->buf, newlen); + buffer->alloc = newlen; goto restart; /* NOTREACHED */ } Index: usr.bin/ssh/channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.183 diff -u -r1.183 channels.c --- usr.bin/ssh/channels.c 17 Sep 2002 07:47:02 -0000 1.183 +++ usr.bin/ssh/channels.c 17 Sep 2003 00:53:41 -0000 @@ -228,12 +228,13 @@ if (found == -1) { /* There are no free slots. Take last+1 slot and expand the array. */ found = channels_alloc; - channels_alloc += 10; if (channels_alloc > 10000) fatal("channel_new: internal error: channels_alloc %d " "too big.", channels_alloc); + channels = xrealloc(channels, + (channels_alloc + 10) * sizeof(Channel *)); + channels_alloc += 10; debug2("channel: expanding %d", channels_alloc); - channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); for (i = found; i < channels_alloc; i++) channels[i] = NULL; }