Only realloc() environ if we're sure that we know where it came from.

The recent problems with sshd were due to sshd reassigning `environ' when setenv() thinks it owns it. setenv() subsequently realloc()s the new version of environ and *boom*
2000-09-20 03:05:37 +00:00 · 2000-09-20 03:05:37 +00:00 · b1daa1b9db
commit b1daa1b9db
parent d9e2f78b50
2 changed files with 5 additions and 5 deletions
--- a/lib/libc/stdlib/malloc.c
+++ b/lib/libc/stdlib/malloc.c
@ -20,6 +20,7 @@
 #ifndef MALLOC_EXTRA_SANITY
 #undef MALLOC_EXTRA_SANITY
 #endif
+#define MALLOC_EXTRA_SANITY

 /*
 * What to use for Junk.  This is the byte value we use to fill with
--- a/lib/libc/stdlib/setenv.c
+++ b/lib/libc/stdlib/setenv.c
@ -56,7 +56,7 @@ setenv(name, value, rewrite)
 	int rewrite;
 {
 	extern char **environ;
-	static int alloced;			/* if allocated space before */
+	static char **alloced;			/* if allocated space before */
 	register char *c;
 	int l_value, offset;

@ -75,21 +75,20 @@ setenv(name, value, rewrite)
 		register char **p;

 		for (p = environ, cnt = 0; *p; ++p, ++cnt);
-		if (alloced) {			/* just increase size */
+		if (alloced == environ) {			/* just increase size */
 			p = (char **)realloc((char *)environ,
 			    (size_t)(sizeof(char *) * (cnt + 2)));
 			if (!p)
 				return (-1);
-			environ = p;
+			alloced = environ = p;
 		}
 		else {				/* get new space */
 						/* copy old entries into it */
 			p = malloc((size_t)(sizeof(char *) * (cnt + 2)));
 			if (!p)
 				return (-1);
-			alloced = 1;
 			bcopy(environ, p, cnt * sizeof(char *));
-			environ = p;
+			alloced = environ = p;
 		}
 		environ[cnt + 1] = NULL;
 		offset = cnt;