From 1d2eb11519de23d51b60203d569caec27f834e5c Mon Sep 17 00:00:00 2001
From: cperciva <cperciva@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Mon, 16 Feb 2009 21:56:17 +0000
Subject: [PATCH] Correctly scrub telnetd's environment.

Approved by:	so (cperciva)
Security:	FreeBSD-SA-09:05.telnetd


git-svn-id: http://svn0.us-east.freebsd.org/base/head/contrib/telnet@188699 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 telnetd/sys_term.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/telnetd/sys_term.c b/telnetd/sys_term.c
index 781e0d1..7b2dbdb 100644
--- a/telnetd/sys_term.c
+++ b/telnetd/sys_term.c
@@ -1271,8 +1271,18 @@ scrub_env(void)
 
 	char **cpp, **cpp2;
 	const char **p;
- 
- 	for (cpp2 = cpp = environ; *cpp; cpp++) {
+	char ** new_environ;
+	size_t count;
+
+	/* Allocate space for scrubbed environment. */
+	for (count = 1, cpp = environ; *cpp; count++, cpp++)
+		continue;
+	if ((new_environ = malloc(count * sizeof(char *))) == NULL) {
+		environ = NULL;
+		return;
+	}
+
+ 	for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) {
 		int reject_it = 0;
 
 		for(p = rej; *p; p++)
@@ -1286,10 +1296,15 @@ scrub_env(void)
 		for(p = acc; *p; p++)
 			if(strncmp(*cpp, *p, strlen(*p)) == 0)
 				break;
-		if(*p != NULL)
- 			*cpp2++ = *cpp;
+		if(*p != NULL) {
+			if ((*cpp2++ = strdup(*cpp)) == NULL) {
+				environ = new_environ;
+				return;
+			}
+		}
  	}
 	*cpp2 = NULL;
+	environ = new_environ;
 }
 
 /*