authorjp161948 <none@none>2006-09-19 04:24:41 -0700
committerjp161948 <none@none>2006-09-19 04:24:41 -0700
commit26ba198477055398633f319757f934b7ce73784e (patch)
treeaf1fc5a615d40fd013ee35e3b321d1933d5483d4 /usr/src
parent27fbcf8a5036d0cea1c401094c8bb0731ddc87ec (diff)
6448031 ssh-keygen does not overwrite old key information when told yes
6451031 broken key in authorized_keys causes sshd to exit
6455367 ssh-agent can accept connections from other users depending on permissions of socket directory
6457202 server side of scp creates a directory even when not in recursive mode
6457241 server side of scp allows dir creation outside of the target subdirectory
6457952 scp performs local copying even when expected target directory is not a directory
6457959 scp doesn't print stderr messages in certain situations
6466048 scp should not call write() for the last chunk of data twice
6468175 sshd may set MAIL variable with two slashes in a row
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/ssh/include/bufaux.h18
-rw-r--r--usr/src/cmd/ssh/include/buffer.h7
-rw-r--r--usr/src/cmd/ssh/include/config.h6
-rw-r--r--usr/src/cmd/ssh/include/includes.h9
-rw-r--r--usr/src/cmd/ssh/libopenbsd-compat/common/bsd-getpeereid.c22
-rw-r--r--usr/src/cmd/ssh/libssh/common/bufaux.c241
-rw-r--r--usr/src/cmd/ssh/libssh/common/buffer.c57
-rw-r--r--usr/src/cmd/ssh/libssh/common/key.c34
-rw-r--r--usr/src/cmd/ssh/scp/scp.c28
-rw-r--r--usr/src/cmd/ssh/ssh-keygen/Makefile9
-rw-r--r--usr/src/cmd/ssh/ssh-keygen/ssh-keygen.c5
-rw-r--r--usr/src/cmd/ssh/sshd/session.c11
12 files changed, 344 insertions, 103 deletions
diff --git a/usr/src/cmd/ssh/include/bufaux.h b/usr/src/cmd/ssh/include/bufaux.h
index 1cc767c88f..a4bfe3bcee 100644
--- a/usr/src/cmd/ssh/include/bufaux.h
+++ b/usr/src/cmd/ssh/include/bufaux.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/* $OpenBSD: bufaux.h,v 1.18 2002/04/20 09:14:58 markus Exp $ */
@@ -29,8 +29,8 @@ extern "C" {
#include "buffer.h"
#include <openssl/bn.h>
-void buffer_put_bignum(Buffer *, BIGNUM *);
-void buffer_put_bignum2(Buffer *, BIGNUM *);
+void buffer_put_bignum(Buffer *, const BIGNUM *);
+void buffer_put_bignum2(Buffer *, const BIGNUM *);
void buffer_get_bignum(Buffer *, BIGNUM *);
void buffer_get_bignum2(Buffer *, BIGNUM *);
@@ -65,6 +65,18 @@ void buffer_put_ascii_string(Buffer *, const char *, u_int);
#define buffer_skip_string(b) \
do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while(0)
+int buffer_put_bignum_ret(Buffer *, const BIGNUM *);
+int buffer_get_bignum_ret(Buffer *, BIGNUM *);
+int buffer_put_bignum2_ret(Buffer *, const BIGNUM *);
+int buffer_get_bignum2_ret(Buffer *, BIGNUM *);
+int buffer_get_short_ret(u_short *, Buffer *);
+int buffer_get_int_ret(u_int *, Buffer *);
+#ifdef HAVE_U_INT64_T
+int buffer_get_int64_ret(u_int64_t *, Buffer *);
+#endif
+void *buffer_get_string_ret(Buffer *, u_int *);
+int buffer_get_char_ret(char *, Buffer *);
+
#ifdef __cplusplus
}
#endif
diff --git a/usr/src/cmd/ssh/include/buffer.h b/usr/src/cmd/ssh/include/buffer.h
index 8a24294c6b..1d09c6335f 100644
--- a/usr/src/cmd/ssh/include/buffer.h
+++ b/usr/src/cmd/ssh/include/buffer.h
@@ -30,6 +30,9 @@ typedef struct {
u_int end; /* Offset of last byte containing data. */
} Buffer;
+#define BUFFER_MAX_CHUNK 0x100000
+#define BUFFER_MAX_LEN 0xa00000
+
void buffer_init(Buffer *);
void buffer_clear(Buffer *);
void buffer_free(Buffer *);
@@ -47,6 +50,10 @@ void buffer_consume_end(Buffer *, u_int);
void buffer_dump(Buffer *);
+int buffer_get_ret(Buffer *, void *, u_int);
+int buffer_consume_ret(Buffer *, u_int);
+int buffer_consume_end_ret(Buffer *, u_int);
+
#ifdef __cplusplus
}
#endif
diff --git a/usr/src/cmd/ssh/include/config.h b/usr/src/cmd/ssh/include/config.h
index 477a8b5ab4..0441e64951 100644
--- a/usr/src/cmd/ssh/include/config.h
+++ b/usr/src/cmd/ssh/include/config.h
@@ -506,6 +506,9 @@ extern "C" {
/* Define to 1 if you have the `getpeereid' function. */
/* #undef HAVE_GETPEEREID */
+/* Define to 1 if you have the `getpeerucred' function. */
+#define HAVE_GETPEERUCRED 1
+
/* Define to 1 if you have the `getpwanam' function. */
/* #undef HAVE_GETPWANAM */
@@ -868,6 +871,9 @@ extern "C" {
/* Define to 1 if you have the <ttyent.h> header file. */
/* #undef HAVE_TTYENT_H */
+/* Define to 1 if you have the <ucred.h> header file. */
+#define HAVE_UCRED_H 1
+
/* Define to 1 if you have the <unistd.h> header file. */
#define HAVE_UNISTD_H 1
diff --git a/usr/src/cmd/ssh/include/includes.h b/usr/src/cmd/ssh/include/includes.h
index 0e7bf2a397..308b581e15 100644
--- a/usr/src/cmd/ssh/include/includes.h
+++ b/usr/src/cmd/ssh/include/includes.h
@@ -23,6 +23,11 @@ extern "C" {
* called by a name other than "ssh" or "Secure Shell".
*/
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
#define RCSID(msg) \
static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
@@ -90,6 +95,10 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
# include <login.h>
#endif
+#ifdef HAVE_UCRED_H
+# include <ucred.h>
+#endif
+
#ifdef HAVE_UTMP_H
# include <utmp.h>
#endif
diff --git a/usr/src/cmd/ssh/libopenbsd-compat/common/bsd-getpeereid.c b/usr/src/cmd/ssh/libopenbsd-compat/common/bsd-getpeereid.c
index 2dda7aa69c..4754eee5a9 100644
--- a/usr/src/cmd/ssh/libopenbsd-compat/common/bsd-getpeereid.c
+++ b/usr/src/cmd/ssh/libopenbsd-compat/common/bsd-getpeereid.c
@@ -22,6 +22,11 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
#include "includes.h"
RCSID("$Id: bsd-getpeereid.c,v 1.1 2002/09/12 00:33:02 djm Exp $");
@@ -44,6 +49,23 @@ getpeereid(int s, uid_t *euid, gid_t *gid)
return (0);
}
+#elif defined(HAVE_GETPEERUCRED)
+int
+getpeereid(int s, uid_t *euid, gid_t *gid)
+{
+ ucred_t *ucred = NULL;
+
+ if (getpeerucred(s, &ucred) == -1)
+ return (-1);
+ if ((*euid = ucred_geteuid(ucred)) == -1)
+ return (-1);
+ if ((*gid = ucred_getrgid(ucred)) == -1)
+ return (-1);
+
+ ucred_free(ucred);
+
+ return (0);
+}
#else
int
getpeereid(int s, uid_t *euid, gid_t *gid)
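Review bot: The two `return (-1)` paths that follow a successful `getpeerucred()` skip `ucred_free(ucred)`, so each failed id lookup leaks the credential; copy both ids out, free the ucred, then test the results. The comparisons against `-1` are clearer with explicit `(uid_t)-1` / `(gid_t)-1` casts. The new code fills `*gid` from `ucred_getrgid()`, the real gid, while getpeereid() is conventionally described as returning the effective gid, so it is worth confirming whether `ucred_getegid()` was intended. The `#else` variant of getpeereid() continues past the end of the hunk.

```c
getpeereid(int s, uid_t *euid, gid_t *gid)
{
	ucred_t *ucred = NULL;

	if (getpeerucred(s, &ucred) == -1)
		return (-1);
	/* Copy both ids out first so the ucred is released on every path. */
	*euid = ucred_geteuid(ucred);
	*gid = ucred_getrgid(ucred);
	ucred_free(ucred);
	if (*euid == (uid_t)-1 || *gid == (gid_t)-1)
		return (-1);
	return (0);
}
```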
diff --git a/usr/src/cmd/ssh/libssh/common/bufaux.c b/usr/src/cmd/ssh/libssh/common/bufaux.c
index 15ade28076..75ca6f9f15 100644
--- a/usr/src/cmd/ssh/libssh/common/bufaux.c
+++ b/usr/src/cmd/ssh/libssh/common/bufaux.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
@@ -57,8 +57,8 @@ RCSID("$OpenBSD: bufaux.c,v 1.27 2002/06/26 08:53:12 markus Exp $");
* Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
* by (bits+7)/8 bytes of binary data, msb first.
*/
-void
-buffer_put_bignum(Buffer *buffer, BIGNUM *value)
+int
+buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
{
int bits = BN_num_bits(value);
int bin_size = (bits + 7) / 8;
@@ -68,9 +68,12 @@ buffer_put_bignum(Buffer *buffer, BIGNUM *value)
/* Get the value of in binary */
oi = BN_bn2bin(value, buf);
- if (oi != bin_size)
- fatal("buffer_put_bignum: BN_bn2bin() failed: oi %d != bin_size %d",
+ if (oi != bin_size) {
+ error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
oi, bin_size);
+ xfree(buf);
+ return (-1);
+ }
/* Store the number of bits in the buffer in two bytes, msb first. */
PUT_16BIT(msg, bits);
@@ -80,107 +83,209 @@ buffer_put_bignum(Buffer *buffer, BIGNUM *value)
memset(buf, 0, bin_size);
xfree(buf);
+
+ return (0);
+}
+
+void
+buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
+{
+ if (buffer_put_bignum_ret(buffer, value) == -1)
+ fatal("buffer_put_bignum: buffer error");
}
/*
* Retrieves an BIGNUM from the buffer.
*/
-void
-buffer_get_bignum(Buffer *buffer, BIGNUM *value)
+int
+buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
{
- int bits, bytes;
+ u_int bits, bytes;
u_char buf[2], *bin;
/* Get the number for bits. */
- buffer_get(buffer, (char *) buf, 2);
+ if (buffer_get_ret(buffer, (char *) buf, 2) == -1) {
+ error("buffer_get_bignum_ret: invalid length");
+ return (-1);
+ }
bits = GET_16BIT(buf);
/* Compute the number of binary bytes that follow. */
bytes = (bits + 7) / 8;
- if (bytes > 8 * 1024)
- fatal("buffer_get_bignum: cannot handle BN of size %d", bytes);
- if (buffer_len(buffer) < bytes)
- fatal("buffer_get_bignum: input buffer too small");
+ if (bytes > 8 * 1024) {
+ error("buffer_get_bignum_ret: cannot handle BN of size %d", bytes);
+ return (-1);
+ }
+ if (buffer_len(buffer) < bytes) {
+ error("buffer_get_bignum_ret: input buffer too small");
+ return (-1);
+ }
bin = buffer_ptr(buffer);
BN_bin2bn(bin, bytes, value);
- buffer_consume(buffer, bytes);
+ if (buffer_consume_ret(buffer, bytes) == -1) {
+ error("buffer_get_bignum_ret: buffer_consume failed");
+ return (-1);
+ }
+ return (0);
+}
+
+void
+buffer_get_bignum(Buffer *buffer, BIGNUM *value)
+{
+ if (buffer_get_bignum_ret(buffer, value) == -1)
+ fatal("buffer_get_bignum: buffer error");
}
/*
* Stores an BIGNUM in the buffer in SSH2 format.
*/
-void
-buffer_put_bignum2(Buffer *buffer, BIGNUM *value)
+int
+buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
{
- int bytes = BN_num_bytes(value) + 1;
- u_char *buf = xmalloc(bytes);
+ u_int bytes;
+ u_char *buf;
int oi;
- int hasnohigh = 0;
+ u_int hasnohigh = 0;
- buf[0] = '\0';
+ if (BN_is_zero(value)) {
+ buffer_put_int(buffer, 0);
+ return 0;
+ }
+ if (value->neg) {
+ error("buffer_put_bignum2_ret: negative numbers not supported");
+ return (-1);
+ }
+ bytes = BN_num_bytes(value) + 1; /* extra padding byte */
+ if (bytes < 2) {
+ error("buffer_put_bignum2_ret: BN too small");
+ return (-1);
+ }
+ buf = xmalloc(bytes);
+ buf[0] = 0x00;
/* Get the value of in binary */
oi = BN_bn2bin(value, buf+1);
- if (oi != bytes-1)
- fatal("buffer_put_bignum: BN_bn2bin() failed: oi %d != bin_size %d",
- oi, bytes);
- hasnohigh = (buf[1] & 0x80) ? 0 : 1;
- if (value->neg) {
- /**XXX should be two's-complement */
- int i, carry;
- u_char *uc = buf;
- log("negativ!");
- for (i = bytes-1, carry = 1; i>=0; i--) {
- uc[i] ^= 0xff;
- if (carry)
- carry = !++uc[i];
- }
+ if (oi < 0 || (u_int)oi != bytes - 1) {
+ error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
+ "oi %d != bin_size %d", oi, bytes);
+ xfree(buf);
+ return (-1);
}
+ hasnohigh = (buf[1] & 0x80) ? 0 : 1;
buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
memset(buf, 0, bytes);
xfree(buf);
+ return (0);
}
-/* XXX does not handle negative BNs */
void
-buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
+buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
+{
+ if (buffer_put_bignum2_ret(buffer, value) == -1)
+ fatal("buffer_put_bignum2: buffer error");
+}
+
+/* XXX does not handle negative BNs */
+int
+buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
{
u_int len;
- u_char *bin = buffer_get_string(buffer, &len);
+ u_char *bin;
+
+ if ((bin = buffer_get_string_ret(buffer, &len)) == NULL) {
+ error("buffer_get_bignum2_ret: invalid bignum");
+ return (-1);
+ }
- if (len > 8 * 1024)
- fatal("buffer_get_bignum2: cannot handle BN of size %d", len);
+ if (len > 0 && (bin[0] & 0x80)) {
+ error("buffer_get_bignum2_ret: negative numbers not supported");
+ xfree(bin);
+ return (-1);
+ }
+ if (len > 8 * 1024) {
+ error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
+ xfree(bin);
+ return (-1);
+ }
BN_bin2bn(bin, len, value);
xfree(bin);
+ return (0);
+}
+
+void
+buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
+{
+ if (buffer_get_bignum2_ret(buffer, value) == -1)
+ fatal("buffer_get_bignum2: buffer error");
}
+
/*
* Returns integers from the buffer (msb first).
*/
+int
+buffer_get_short_ret(u_short *ret, Buffer *buffer)
+{
+ u_char buf[2];
+
+ if (buffer_get_ret(buffer, (char *) buf, 2) == -1)
+ return (-1);
+ *ret = GET_16BIT(buf);
+ return (0);
+}
+
u_short
buffer_get_short(Buffer *buffer)
{
- u_char buf[2];
+ u_short ret;
+
+ if (buffer_get_short_ret(&ret, buffer) == -1)
+ fatal("buffer_get_short: buffer error");
- buffer_get(buffer, (char *) buf, 2);
- return GET_16BIT(buf);
+ return (ret);
+}
+
+int
+buffer_get_int_ret(u_int *ret, Buffer *buffer)
+{
+ u_char buf[4];
+
+ if (buffer_get_ret(buffer, (char *) buf, 4) == -1)
+ return (-1);
+ *ret = GET_32BIT(buf);
+ return (0);
}
u_int
buffer_get_int(Buffer *buffer)
{
- u_char buf[4];
+ u_int ret;
+
+ if (buffer_get_int_ret(&ret, buffer) == -1)
+ fatal("buffer_get_int: buffer error");
- buffer_get(buffer, (char *) buf, 4);
- return GET_32BIT(buf);
+ return (ret);
}
#ifdef HAVE_U_INT64_T
+int
+buffer_get_int64_ret(u_int64_t *ret, Buffer *buffer)
+{
+ u_char buf[8];
+
+ if (buffer_get_ret(buffer, (char *) buf, 8) == -1)
+ return (-1);
+ *ret = GET_64BIT(buf);
+ return (0);
+}
+
u_int64_t
buffer_get_int64(Buffer *buffer)
{
- u_char buf[8];
+ u_int64_t ret;
+
+ if (buffer_get_int64_ret(&ret, buffer) == -1)
+ fatal("buffer_get_int: buffer error");
- buffer_get(buffer, (char *) buf, 8);
- return GET_64BIT(buf);
+ return (ret);
}
#endif
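Review bot: `BN_bin2bn()` is called without checking its result in both `buffer_get_bignum_ret()` and `buffer_get_bignum2_ret()`, so either can return 0 even though the conversion failed and `value` was not set from the input. Since the `_ret` variants exist to report bad input to the caller, treat a NULL return as an error: `if (BN_bin2bn(bin, bytes, value) == NULL) return (-1);` in the first, and the same test with `xfree(bin)` before the return in the second. Separately, `buffer_get_int64()` reports failure as `"buffer_get_int: buffer error"`, which should name `buffer_get_int64`. The "cannot handle BN of size %d" messages now receive a `u_int` and should use `%u`.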
@@ -225,26 +330,43 @@ buffer_put_int64(Buffer *buffer, u_int64_t value)
* to the returned string, and is not counted in length.
*/
void *
-buffer_get_string(Buffer *buffer, u_int *length_ptr)
+buffer_get_string_ret(Buffer *buffer, u_int *length_ptr)
{
u_char *value;
u_int len;
/* Get the length. */
len = buffer_get_int(buffer);
- if (len > 256 * 1024)
- fatal("buffer_get_string: bad string length %d", len);
+ if (len > 256 * 1024) {
+ error("buffer_get_string_ret: bad string length %u", len);
+ return (NULL);
+ }
/* Allocate space for the string. Add one byte for a null character. */
value = xmalloc(len + 1);
/* Get the string. */
- buffer_get(buffer, value, len);
+ if (buffer_get_ret(buffer, value, len) == -1) {
+ error("buffer_get_string_ret: buffer_get failed");
+ xfree(value);
+ return (NULL);
+ }
/* Append a null character to make processing easier. */
value[len] = 0;
/* Optionally return the length of the string. */
if (length_ptr)
*length_ptr = len;
- return value;
+ return (value);
}
+
+void *
+buffer_get_string(Buffer *buffer, u_int *length_ptr)
+{
+ void *ret;
+
+ if ((ret = buffer_get_string_ret(buffer, length_ptr)) == NULL)
+ fatal("buffer_get_string: buffer error");
+ return (ret);
+}
+
char *
buffer_get_ascii_cstring(Buffer *buffer)
{
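Review bot: `buffer_get_string_ret()` still reads the length with `buffer_get_int(buffer)`, which calls `fatal()` when fewer than four bytes remain. A truncated blob therefore terminates the process instead of producing the NULL return that `key_from_blob()` now checks for. Use the non-fatal reader added in this same commit: `if (buffer_get_int_ret(&len, buffer) == -1) { error("buffer_get_string_ret: cannot extract length"); return (NULL); }`. The comment above the function should also say that NULL is returned on malformed input and that the caller releases the result with `xfree()`. `buffer_get_ascii_cstring()` begins at the end of the hunk and is not fully visible.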
@@ -389,11 +511,22 @@ buffer_put_utf8_cstring(Buffer *buffer, const u_char *s)
* Returns a character from the buffer (0 - 255).
*/
int
+buffer_get_char_ret(char *ret, Buffer *buffer)
+{
+ if (buffer_get_ret(buffer, ret, 1) == -1) {
+ error("buffer_get_char_ret: buffer_get_ret failed");
+ return (-1);
+ }
+ return (0);
+}
+
+int
buffer_get_char(Buffer *buffer)
{
char ch;
- buffer_get(buffer, &ch, 1);
+ if (buffer_get_char_ret(&ch, buffer) == -1)
+ fatal("buffer_get_char: buffer error");
return (u_char) ch;
}
diff --git a/usr/src/cmd/ssh/libssh/common/buffer.c b/usr/src/cmd/ssh/libssh/common/buffer.c
index f0168e4ba3..9d95851d68 100644
--- a/usr/src/cmd/ssh/libssh/common/buffer.c
+++ b/usr/src/cmd/ssh/libssh/common/buffer.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: buffer.c,v 1.16 2002/06/26 08:54:18 markus Exp $");
+RCSID("$OpenBSD: buffer.c,v 1.23 2005/03/14 11:46:56 markus Exp $");
#pragma ident "%Z%%M% %I% %E% SMI"
@@ -41,6 +41,7 @@ buffer_free(Buffer *buffer)
{
if (buffer->alloc > 0) {
memset(buffer->buf, 0, buffer->alloc);
+ buffer->alloc = 0;
xfree(buffer->buf);
}
}
@@ -79,7 +80,7 @@ buffer_append_space(Buffer *buffer, u_int len)
u_int newlen;
void *p;
- if (len > 0x100000)
+ if (len > BUFFER_MAX_CHUNK)
fatal("buffer_append_space: len %u not supported", len);
/* If the buffer is empty, start using it from the beginning. */
@@ -98,7 +99,7 @@ restart:
* If the buffer is quite empty, but all data is at the end, move the
* data to the beginning and retry.
*/
- if (buffer->offset > buffer->alloc / 2) {
+ if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
memmove(buffer->buf, buffer->buf + buffer->offset,
buffer->end - buffer->offset);
buffer->end -= buffer->offset;
@@ -108,7 +109,7 @@ restart:
/* Increase the size of the buffer and retry. */
newlen = buffer->alloc + len + 32768;
- if (newlen > 0xa00000)
+ if (newlen > BUFFER_MAX_LEN)
fatal("buffer_append_space: alloc %u not supported",
newlen);
buffer->buf = xrealloc(buffer->buf, newlen);
@@ -127,34 +128,62 @@ buffer_len(Buffer *buffer)
/* Gets data from the beginning of the buffer. */
-void
-buffer_get(Buffer *buffer, void *buf, u_int len)
+int
+buffer_get_ret(Buffer *buffer, void *buf, u_int len)
{
- if (len > buffer->end - buffer->offset)
- fatal("buffer_get: trying to get more bytes %d than in buffer %d",
+ if (len > buffer->end - buffer->offset) {
+ error("buffer_get_ret: trying to get more bytes %d than in buffer %d",
len, buffer->end - buffer->offset);
+ return (-1);
+ }
memcpy(buf, buffer->buf + buffer->offset, len);
buffer->offset += len;
+ return (0);
+}
+
+void
+buffer_get(Buffer *buffer, void *buf, u_int len)
+{
+ if (buffer_get_ret(buffer, buf, len) == -1)
+ fatal("buffer_get: buffer error");
}
/* Consumes the given number of bytes from the beginning of the buffer. */
+int
+buffer_consume_ret(Buffer *buffer, u_int bytes)
+{
+ if (bytes > buffer->end - buffer->offset) {
+ error("buffer_consume_ret: trying to get more bytes than in buffer");
+ return (-1);
+ }
+ buffer->offset += bytes;
+ return (0);
+}
+
void
buffer_consume(Buffer *buffer, u_int bytes)
{
- if (bytes > buffer->end - buffer->offset)
- fatal("buffer_consume: trying to get more bytes than in buffer");
- buffer->offset += bytes;
+ if (buffer_consume_ret(buffer, bytes) == -1)
+ fatal("buffer_consume: buffer error");
}
/* Consumes the given number of bytes from the end of the buffer. */
+int
+buffer_consume_end_ret(Buffer *buffer, u_int bytes)
+{
+ if (bytes > buffer->end - buffer->offset)
+ return (-1);
+ buffer->end -= bytes;
+ return (0);
+}
+
void
buffer_consume_end(Buffer *buffer, u_int bytes)
{
- if (bytes > buffer->end - buffer->offset)
+ if (buffer_consume_end_ret(buffer, bytes) == -1)
fatal("buffer_consume_end: trying to get more bytes than in buffer");
- buffer->end -= bytes;
}
/* Returns a pointer to the first used byte in the buffer. */
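Review bot: The `error()` call in `buffer_get_ret()` formats two `u_int` values with `%d`; use `%u` for both, as `buffer_append_space()` already does in this file: `error("buffer_get_ret: trying to get more bytes %u than in buffer %u",`. `buffer_consume_end_ret()` is the only new `_ret` function here that fails without logging, so adding an `error()` call like its siblings would keep them consistent. Each `_ret` function would also benefit from a one-line contract comment, e.g. `/* Returns 0 on success, -1 if fewer than len bytes are available; the buffer is left unchanged on failure. */`.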
@@ -170,7 +199,7 @@ buffer_ptr(Buffer *buffer)
void
buffer_dump(Buffer *buffer)
{
- int i;
+ u_int i;
u_char *ucp = buffer->buf;
for (i = buffer->offset; i < buffer->end; i++) {
diff --git a/usr/src/cmd/ssh/libssh/common/key.c b/usr/src/cmd/ssh/libssh/common/key.c
index 8f2f488912..105fa6ee43 100644
--- a/usr/src/cmd/ssh/libssh/common/key.c
+++ b/usr/src/cmd/ssh/libssh/common/key.c
@@ -692,24 +692,38 @@ key_from_blob(u_char *blob, int blen)
#endif
buffer_init(&b);
buffer_append(&b, blob, blen);
- ktype = buffer_get_string(&b, NULL);
+ if ((ktype = buffer_get_string_ret(&b, NULL)) == NULL) {
+ error("key_from_blob: can't read key type");
+ goto out;
+ }
+
type = key_type_from_name(ktype);
switch (type) {
case KEY_RSA:
key = key_new(type);
- buffer_get_bignum2(&b, key->rsa->e);
- buffer_get_bignum2(&b, key->rsa->n);
+ if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
+ buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
+ error("key_from_blob: can't read rsa key");
+ key_free(key);
+ key = NULL;
+ goto out;
+ }
#ifdef DEBUG_PK
RSA_print_fp(stderr, key->rsa, 8);
#endif
break;
case KEY_DSA:
key = key_new(type);
- buffer_get_bignum2(&b, key->dsa->p);
- buffer_get_bignum2(&b, key->dsa->q);
- buffer_get_bignum2(&b, key->dsa->g);
- buffer_get_bignum2(&b, key->dsa->pub_key);
+ if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
+ buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
+ buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
+ buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
+ error("key_from_blob: can't read dsa key");
+ key_free(key);
+ key = NULL;
+ goto out;
+ }
#ifdef DEBUG_PK
DSA_print_fp(stderr, key->dsa, 8);
#endif
@@ -719,12 +733,14 @@ key_from_blob(u_char *blob, int blen)
break;
default:
error("key_from_blob: cannot handle type %s", ktype);
- break;
+ goto out;
}
rlen = buffer_len(&b);
if (key != NULL && rlen != 0)
error("key_from_blob: remaining bytes in key blob %d", rlen);
- xfree(ktype);
+ out:
+ if (ktype != NULL)
+ xfree(ktype);
buffer_free(&b);
return key;
}
diff --git a/usr/src/cmd/ssh/scp/scp.c b/usr/src/cmd/ssh/scp/scp.c
index 4290bae3d5..4ab2fe1aba 100644
--- a/usr/src/cmd/ssh/scp/scp.c
+++ b/usr/src/cmd/ssh/scp/scp.c
@@ -347,9 +347,9 @@ main(argc, argv)
if ((targ = colon(argv[argc - 1]))) /* Dest is remote host. */
toremote(targ, argc, argv);
else {
- tolocal(argc, argv); /* Dest is local host. */
if (targetshouldbedirectory)
verifydir(argv[argc - 1]);
+ tolocal(argc, argv); /* Dest is local host. */
}
/*
* Finally check the exit status of the ssh process, if one was forked
@@ -799,6 +799,10 @@ sink(argc, argv)
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited")
+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
static char *namebuf;
static int cursize;
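Review bot: The new filename check rejects names containing `/` and the name `..`, but it still accepts an empty name and `.`, which would presumably make the resulting path refer to the target directory itself rather than an entry inside it. Because the name is supplied by the remote peer, reject those as well: `if (*cp == '\0' || strchr(cp, '/') != NULL || strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {`. sink() starts and ends outside the hunk, so how `np` is built from `cp` is only partly visible here.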
@@ -820,6 +824,8 @@ sink(argc, argv)
exists = stat(np, &stb) == 0;
if (buf[0] == 'D') {
int mod_flag = pflag;
+ if (!iamrecursive)
+ SCREWUP("received directory without -r");
if (exists) {
if (!S_ISDIR(stb.st_mode)) {
errno = ENOTDIR;
@@ -900,11 +906,6 @@ bad: run_err("%s: %s", np, strerror(errno));
}
if (showprogress)
progressmeter(1);
- if (count != 0 && wrerr == NO &&
- (j = atomicio(write, ofd, bp->buf, count)) != count) {
- wrerr = YES;
- wrerrno = j >= 0 ? EIO : errno;
- }
if (ftruncate(ofd, size)) {
run_err("%s: truncate: %s", np, strerror(errno));
wrerr = DISPLAYED;
@@ -1011,8 +1012,17 @@ run_err(const char *fmt, ...)
va_list ap;
++errs;
+
+ if (!iamremote) {
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ fprintf(stderr, "\n");
+ }
+
if (fp == NULL && !(fp = fdopen(remout, "w")))
return;
+
(void) fprintf(fp, "%c", 0x01);
(void) fprintf(fp, "scp: ");
va_start(ap, fmt);
@@ -1021,12 +1031,6 @@ run_err(const char *fmt, ...)
(void) fprintf(fp, "\n");
(void) fflush(fp);
- if (!iamremote) {
- va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
- va_end(ap);
- fprintf(stderr, "\n");
- }
}
void
diff --git a/usr/src/cmd/ssh/ssh-keygen/Makefile b/usr/src/cmd/ssh/ssh-keygen/Makefile
index 9dfcfd1fb3..339fa7019d 100644
--- a/usr/src/cmd/ssh/ssh-keygen/Makefile
+++ b/usr/src/cmd/ssh/ssh-keygen/Makefile
@@ -2,9 +2,8 @@
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
@@ -19,7 +18,7 @@
#
# CDDL HEADER END
#
-# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
@@ -35,7 +34,7 @@ SRCS = $(OBJS:.o=.c)
include ../../Makefile.cmd
include ../Makefile.ssh-common
-LDLIBS += $(SSH_COMMON_LDLIBS) $(OPENSSL_LDFLAGS) -lcrypto
+LDLIBS += $(SSH_COMMON_LDLIBS) $(OPENSSL_LDFLAGS) -lcrypto -lsocket
DYNFLAGS += $(OPENSSL_DYNFLAGS)
diff --git a/usr/src/cmd/ssh/ssh-keygen/ssh-keygen.c b/usr/src/cmd/ssh/ssh-keygen/ssh-keygen.c
index 50284e08b7..57eb19d321 100644
--- a/usr/src/cmd/ssh/ssh-keygen/ssh-keygen.c
+++ b/usr/src/cmd/ssh/ssh-keygen/ssh-keygen.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
@@ -33,6 +33,7 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.101 2002/06/23 09:39:55 deraadt Exp $");
#include "pathnames.h"
#include "log.h"
#include "readpass.h"
+#include "misc.h"
#include <langinfo.h>
#ifdef SMARTCARD
@@ -946,7 +947,7 @@ main(int ac, char **av)
(void) fflush(stdout);
if (fgets(yesno, sizeof(yesno), stdin) == NULL)
exit(1);
- if (strcasecmp(yesno, nl_langinfo(YESSTR)) != 0)
+ if (strcasecmp(chop(yesno), nl_langinfo(YESSTR)) != 0)
exit(1);
}
/* Ask for a passphrase (twice). */
diff --git a/usr/src/cmd/ssh/sshd/session.c b/usr/src/cmd/ssh/sshd/session.c
index 63e613f7fb..aee49f05a2 100644
--- a/usr/src/cmd/ssh/sshd/session.c
+++ b/usr/src/cmd/ssh/sshd/session.c
@@ -32,7 +32,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -1033,8 +1033,8 @@ deflt_do_setup_env(Session *s, const char *shell, char ***env, u_int *envsize)
static char **
do_setup_env(Session *s, const char *shell)
{
- char buf[256];
- u_int i, envsize;
+ char buf[256], *path_maildir = _PATH_MAILDIR;
+ u_int i, envsize, pm_len;
char **env;
struct passwd *pw = s->pw;
@@ -1085,8 +1085,11 @@ do_setup_env(Session *s, const char *shell)
# endif /* HAVE_CYGWIN */
#endif /* HAVE_LOGIN_CAP */
+ pm_len = strlen(path_maildir);
+ if (path_maildir[pm_len - 1] == '/' && pm_len > 1)
+ path_maildir[pm_len - 1] = NULL;
snprintf(buf, sizeof buf, "%.200s/%.50s",
- _PATH_MAILDIR, pw->pw_name);
+ path_maildir, pw->pw_name);
child_set_env(&env, &envsize, "MAIL", buf);
/* Normal systems set SHELL by default. */
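Review bot: `path_maildir[pm_len - 1] = NULL;` writes through a pointer initialised from `_PATH_MAILDIR` (declared in the previous hunk), which is presumably a string literal, so the store is undefined behaviour and can fault where literals are read-only. It also assigns a pointer constant to a `char`. The condition reads `path_maildir[pm_len - 1]` before testing `pm_len > 1`, so an empty path would index out of bounds. Trim by length instead of modifying the string, and test the length first. do_setup_env() extends beyond both hunks.

```c
	pm_len = strlen(path_maildir);
	/* Drop one trailing slash without writing to the (possibly literal) string. */
	if (pm_len > 1 && path_maildir[pm_len - 1] == '/')
		pm_len--;
	if (pm_len > 200)
		pm_len = 200;
	snprintf(buf, sizeof buf, "%.*s/%.50s",
	    (int)pm_len, path_maildir, pw->pw_name);
	/* … unchanged: child_set_env(&env, &envsize, "MAIL", buf) … */
```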