From: Darren Tucker Date: Thu, 30 Mar 2023 02:53:29 +0000 (+1100) Subject: child_set_eng: verify both env pointer and count. X-Git-Tag: V_9_4_P1~110 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05b8e88ebe23db690abbfb1a91111abea09cde08;p=thirdparty%2Fopenssh-portable.git child_set_eng: verify both env pointer and count. If child_set env was called with a NULL env pointer and a non-zero count it would end up in a null deref, although we don't currently do this. Prompted by Coverity CID 291850, tweak & ok djm@ --- diff --git a/misc.c b/misc.c index 6135b1556..63c3d4d29 100644 --- a/misc.c +++ b/misc.c @@ -2273,6 +2273,8 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, * If we're passed an uninitialized list, allocate a single null * entry before continuing. */ + if ((*envp == NULL) != (*envsizep == 0)) + fatal_f("environment size mismatch"); if (*envp == NULL && *envsizep == 0) { *envp = xmalloc(sizeof(char *)); *envp[0] = NULL;
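Review bot: The new check in child_set_env in misc.c is placed under the existing comment about allocating a single null entry for an uninitialized list, and nothing there documents the invariant it enforces. The condition `(*envp == NULL) != (*envsizep == 0)` is also broader than the commit message describes: it rejects a non-NULL list with a zero count as well as the NULL pointer with a non-zero count. A one-line comment stating that *envp and *envsizep must be either both unset or both set would make that intent explicit. With the check in place, the `&& *envsizep == 0` in the condition that follows is redundant, because a NULL *envp now implies a zero count; it is harmless to keep, but the test could be reduced to `if (*envp == NULL)`. The fatal_f message could also include the value of *envsizep so a mismatch is easier to diagnose from the log.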