===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/mux.c,v
retrieving revision 1.78
retrieving revision 1.79
diff -u -r1.78 -r1.79
--- src/usr.bin/ssh/mux.c	2019/01/19 21:31:32	1.78
+++ src/usr.bin/ssh/mux.c	2019/01/19 21:35:25	1.79
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.78 2019/01/19 21:31:32 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.79 2019/01/19 21:35:25 djm Exp $ */
 /*
  * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
  *
@@ -55,9 +55,6 @@
 #include "clientloop.h"
 #include "ssherr.h"
 
-#include "opacket.h" /* XXX */
-extern struct ssh *active_state; /* XXX */
-
 /* from ssh.c */
 extern int tty_flag;
 extern Options options;
@@ -600,6 +597,7 @@
 	struct Forward *rfwd;
 	Channel *c;
 	struct sshbuf *out;
+	u_int port;
 	int r;
 
 	if ((c = channel_by_id(ssh, fctx->cid)) == NULL) {
@@ -622,7 +620,15 @@
 	    rfwd->connect_host, rfwd->connect_port);
 	if (type == SSH2_MSG_REQUEST_SUCCESS) {
 		if (rfwd->listen_port == 0) {
-			rfwd->allocated_port = packet_get_int();
+			if ((r = sshpkt_get_u32(ssh, &port)) != 0)
+				fatal("%s: packet error: %s",
+				    __func__, ssh_err(r));
+			if (port > 65535) {
+				fatal("Invalid allocated port %u for "
+				    "mux remote forward to %s:%d", port,
+				    rfwd->connect_host, rfwd->connect_port);
+			}
+			rfwd->allocated_port = (int)port;
 			debug("Allocated port %u for mux remote forward"
 			    " to %s:%d", rfwd->allocated_port,
 			    rfwd->connect_host, rfwd->connect_port);
@@ -1396,7 +1402,8 @@
 	if (cctx->want_agent_fwd && options.forward_agent) {
 		debug("Requesting authentication agent forwarding.");
 		channel_request_start(ssh, id, "auth-agent-req@openssh.com", 0);
-		packet_send();
+		if ((r = sshpkt_send(ssh)) != 0)
+			fatal("%s: packet error: %s", __func__, ssh_err(r));
 	}
 
 	client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys,