Correctly scrub telnetd's environment.

Approved by:	so (cperciva)
Security:	FreeBSD-SA-09:05.telnetd


git-svn-id: http://svn0.us-east.freebsd.org/base/head/contrib/telnet@188699 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f

telnetd/sys_term.c

@@ -1271,8 +1271,18 @@ scrub_env(void)
 
 	char **cpp, **cpp2;
 	const char **p;
- 
+	char ** new_environ;
- 	for (cpp2 = cpp = environ; *cpp; cpp++) {
+	size_t count;
+
+	/* Allocate space for scrubbed environment. */
+	for (count = 1, cpp = environ; *cpp; count++, cpp++)
+		continue;
+	if ((new_environ = malloc(count * sizeof(char *))) == NULL) {
+		environ = NULL;
+		return;
+	}
+
+ 	for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) {
 		int reject_it = 0;
 
 		for(p = rej; *p; p++)
@@ -1286,10 +1296,15 @@ scrub_env(void)
 		for(p = acc; *p; p++)
 			if(strncmp(*cpp, *p, strlen(*p)) == 0)
 				break;
-		if(*p != NULL)
+		if(*p != NULL) {
- 			*cpp2++ = *cpp;
+			if ((*cpp2++ = strdup(*cpp)) == NULL) {
+				environ = new_environ;
+				return;
+			}
+		}
  	}
 	*cpp2 = NULL;
+	environ = new_environ;
 }
 
 /*