Only realloc() environ if we're sure that we know where it came from.

The recent problems with sshd were due to sshd reassigning
`environ' when setenv() thinks it owns it.  setenv() subsequently
realloc()s the new version of environ and *boom*

2 files changed, 5 insertions, 5 deletions

diff --git a/lib/libc/stdlib/malloc.c b/lib/libc/stdlib/malloc.c
index 3b631e8..1bcc5e1 100644
--- a/lib/libc/stdlib/malloc.c
+++ b/lib/libc/stdlib/malloc.c
@@ -20,6 +20,7 @@
 #ifndef MALLOC_EXTRA_SANITY
 #undef MALLOC_EXTRA_SANITY
 #endif
+#define MALLOC_EXTRA_SANITY
 
 /*
  * What to use for Junk.  This is the byte value we use to fill with
diff --git a/lib/libc/stdlib/setenv.c b/lib/libc/stdlib/setenv.c
index 96f22a3..cd82c0d 100644
--- a/lib/libc/stdlib/setenv.c
+++ b/lib/libc/stdlib/setenv.c
@@ -56,7 +56,7 @@ setenv(name, value, rewrite)
 	int rewrite;
 {
 	extern char **environ;
-	static int alloced;			/* if allocated space before */
+	static char **alloced;			/* if allocated space before */
 	register char *c;
 	int l_value, offset;
 
@@ -75,21 +75,20 @@ setenv(name, value, rewrite)
 		register char **p;
 
 		for (p = environ, cnt = 0; *p; ++p, ++cnt);
-		if (alloced) {			/* just increase size */
+		if (alloced == environ) {			/* just increase size */
 			p = (char **)realloc((char *)environ,
 			    (size_t)(sizeof(char *) * (cnt + 2)));
 			if (!p)
 				return (-1);
-			environ = p;
+			alloced = environ = p;
 		}
 		else {				/* get new space */
 						/* copy old entries into it */
 			p = malloc((size_t)(sizeof(char *) * (cnt + 2)));
 			if (!p)
 				return (-1);
-			alloced = 1;
 			bcopy(environ, p, cnt * sizeof(char *));
-			environ = p;
+			alloced = environ = p;
 		}
 		environ[cnt + 1] = NULL;
 		offset = cnt;