Filter out some more magic environment variables used by libraries linked

with telnetd. This should really be done with a positive filter - i.e.
only allow through a configured list of variables.

Also do some buffer-safety cleanups while I'm here - I don't think these
are exploitable.

libexec/telnetd/sys_term.c

@@ -1799,6 +1799,13 @@ scrub_env()
 		    strncmp(*cpp, "_RLD_", 5) &&
 		    strncmp(*cpp, "LIBPATH=", 8) &&
 #endif
+		    strncmp(*cpp, "LOCALDOMAIN=", 12) &&
+		    strncmp(*cpp, "RES_OPTIONS=", 12) &&
+		    strncmp(*cpp, "TERMINFO=", 9) &&
+		    strncmp(*cpp, "TERMINFO_DIRS=", 14) &&
+		    strncmp(*cpp, "TERMPATH=", 9) &&
+		    strncmp(*cpp, "TERMCAP=/", 9) &&
+		    strncmp(*cpp, "ENV=", 4) &&
 		    strncmp(*cpp, "IFS=", 4))
 			*cpp2++ = *cpp;
 	}

libexec/telnetd/telnetd.c

@@ -811,7 +811,7 @@ doit(who)
 			fatal(net, "Out of ptys");
 
 		if ((pty = open(lp, 2)) >= 0) {
-			strcpy(line,lp);
+			strlcpy(line,lp,sizeof(line));
 			line[5] = 't';
 			break;
 		}
@@ -1115,7 +1115,7 @@ telnet(f, p, host)
 		IM = Getstr("im", &cp);
 		IF = Getstr("if", &cp);
 		if (HN && *HN)
-			(void) strcpy(host_name, HN);
+			(void) strlcpy(host_name, HN, sizeof(host_name));
 		if (IF && (if_fd = open(IF, O_RDONLY, 000)) != -1)
 			IM = 0;
 		if (IM == 0)

libexec/telnetd/utility.c

@@ -330,7 +330,7 @@ fatal(f, msg)
 {
 	char buf[BUFSIZ];
 
-	(void) sprintf(buf, "telnetd: %s.\r\n", msg);
+	(void) snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg);
 	(void) write(f, buf, (int)strlen(buf));
 	sleep(1);	/*XXX*/
 	exit(1);
@@ -343,7 +343,7 @@ fatalperror(f, msg)
 {
 	char buf[BUFSIZ], *strerror();
 
-	(void) sprintf(buf, "%s: %s", msg, strerror(errno));
+	(void) snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));
 	fatal(f, buf);
 }