Correctly scrub telnetd's environment.

Approved by: so (cperciva) Security: FreeBSD-SA-09:05.telnetd
author: cperciva <cperciva@FreeBSD.org> 2009-02-16 21:56:17 +0000
committer: cperciva <cperciva@FreeBSD.org> 2009-02-16 21:56:17 +0000
commit: 84a38d39499bdf1855d0d40fd1d1d47d397a8ee3 (patch)
tree: b9751cdf7057bf5fa358e8e5cb109ef63dab6a20 /contrib/telnet
parent: 0f3b39bd241171842dd98ff9b55dc787a0c83469 (diff)
download: FreeBSD-src-84a38d39499bdf1855d0d40fd1d1d47d397a8ee3.zip
FreeBSD-src-84a38d39499bdf1855d0d40fd1d1d47d397a8ee3.tar.gz
1 files changed, 19 insertions, 4 deletions
diff --git a/contrib/telnet/telnetd/sys_term.c b/contrib/telnet/telnetd/sys_term.c
index 781e0d1..7b2dbdb 100644
--- a/contrib/telnet/telnetd/sys_term.c
+++ b/contrib/telnet/telnetd/sys_term.c
@@ -1271,8 +1271,18 @@ scrub_env(void)
 
 	char **cpp, **cpp2;
 	const char **p;
- 
- 	for (cpp2 = cpp = environ; *cpp; cpp++) {
+	char ** new_environ;
+	size_t count;
+
+	/* Allocate space for scrubbed environment. */
+	for (count = 1, cpp = environ; *cpp; count++, cpp++)
+		continue;
+	if ((new_environ = malloc(count * sizeof(char *))) == NULL) {
+		environ = NULL;
+		return;
+	}
+
+ 	for (cpp2 = new_environ, cpp = environ; *cpp; cpp++) {
 		int reject_it = 0;
 
 		for(p = rej; *p; p++)
@@ -1286,10 +1296,15 @@ scrub_env(void)
 		for(p = acc; *p; p++)
 			if(strncmp(*cpp, *p, strlen(*p)) == 0)
 				break;
-		if(*p != NULL)
- 			*cpp2++ = *cpp;
+		if(*p != NULL) {
+			if ((*cpp2++ = strdup(*cpp)) == NULL) {
+				environ = new_environ;
+				return;
+			}
+		}
  	}
 	*cpp2 = NULL;
+	environ = new_environ;
 }
 
 /*
author	cperciva <cperciva@FreeBSD.org>	2009-02-16 21:56:17 +0000
committer	cperciva <cperciva@FreeBSD.org>	2009-02-16 21:56:17 +0000
commit	84a38d39499bdf1855d0d40fd1d1d47d397a8ee3 (patch)
tree	b9751cdf7057bf5fa358e8e5cb109ef63dab6a20 /contrib/telnet
parent	0f3b39bd241171842dd98ff9b55dc787a0c83469 (diff)
download	FreeBSD-src-84a38d39499bdf1855d0d40fd1d1d47d397a8ee3.zip FreeBSD-src-84a38d39499bdf1855d0d40fd1d1d47d397a8ee3.tar.gz