From b1daa1b9db90baacab8a5d04ba07d2405e25f6a8 Mon Sep 17 00:00:00 2001
From: Brian Somers
Date: Wed, 20 Sep 2000 03:05:37 +0000
Subject: Only realloc() environ if we're sure that we know where it came from.

The recent problems with sshd were due to sshd reassigning `environ' when setenv() thinks it owns it. setenv() subsequently realloc()s the new version of environ and *boom*
---
 lib/libc/stdlib/setenv.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
(limited to 'lib/libc/stdlib/setenv.c')
diff --git a/lib/libc/stdlib/setenv.c b/lib/libc/stdlib/setenv.c
index 96f22a3e6ce5..cd82c0d87074 100644
--- a/lib/libc/stdlib/setenv.c
+++ b/lib/libc/stdlib/setenv.c
@@ -56,7 +56,7 @@ setenv(name, value, rewrite)
 int rewrite;
 {
 extern char **environ;
- static int alloced; /* if allocated space before */
+ static char **alloced; /* if allocated space before */
 register char *c;
 int l_value, offset;
@@ -75,21 +75,20 @@ setenv(name, value, rewrite)
 register char **p;
 for (p = environ, cnt = 0; *p; ++p, ++cnt);
- if (alloced) { /* just increase size */
+ if (alloced == environ) { /* just increase size */
 p = (char **)realloc((char *)environ, (size_t)(sizeof(char *) * (cnt + 2)));
 if (!p) return (-1);
- environ = p;
+ alloced = environ = p;
 } else { /* get new space */ /* copy old entries into it */
 p = malloc((size_t)(sizeof(char *) * (cnt + 2)));
 if (!p) return (-1);
- alloced = 1;
 bcopy(environ, p, cnt * sizeof(char *));
- environ = p;
+ alloced = environ = p;
 }
 environ[cnt + 1] = NULL;
 offset = cnt;
--
cgit v1.2.3
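Review bot: The comment on `alloced` in the first hunk (`/* if allocated space before */`) still describes the old boolean flag, but the variable now holds the address of the array setenv() last allocated and is compared with `environ` to decide whether realloc() may be used. I would change the line to `static char **alloced; /* environ array we last allocated, NULL if none */` so the ownership rule is visible at the declaration. This matters because handing realloc() a block this function did not allocate corrupts the heap, which is the failure the commit message describes. The declaration sits inside setenv(), whose body extends beyond this hunk.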
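Review bot: In the `else` branch of the second hunk, `alloced = environ = p;` overwrites the previous `alloced` pointer without releasing it, so each time a caller installs its own `environ` and then calls setenv() the array allocated earlier is leaked. Freeing it is only safe if no caller still holds the old pointer, which the hunk cannot show, so at minimum I would record the decision with a comment such as `/* old alloced block is not freed: the caller may still reference it */`. The ownership test `alloced == environ` is pointer equality only, so it presumably relies on callers never freeing that block and later presenting a different array at the same address; that assumption is worth stating beside the check. The body of setenv() starts and ends outside this hunk.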