From 03c04a2b5d0852123d64e2e4df893e03c9e75e2f Mon Sep 17 00:00:00 2001
From: Doug Nazar <nazard@nazar.ca>
Date: Mon, 1 May 2023 15:47:16 -0400
Subject: [PATCH] Fix minor leak in clean_environ()

my_strpos() modifies the string pointer causing us to free
an incorrect pointer.
---
 src/utils.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/utils.c b/src/utils.c
index 9a0795d..99681a6 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -266,7 +266,7 @@ int clean_environ(const char *keep_env_vars, const char *nrpe_user)
 #endif
 	struct passwd *pw = NULL;
 	size_t len, var_sz = 0;
-	char **kept = NULL, *value, *var, *keep = NULL;
+	char **kept = NULL, *value, *var, *keep = NULL, *tmp;
 	int i, j, keepcnt = 0;
 
 	if (keep_env_vars && *keep_env_vars)
@@ -289,7 +289,8 @@ int clean_environ(const char *keep_env_vars, const char *nrpe_user)
 		logit(LOG_ERR, "Could not sanitize the environment. Aborting!");
 		return ERROR;
 	}
-	for (i = 0, var = my_strsep(&keep, ","); var != NULL; var = my_strsep(&keep, ","))
+	tmp = keep;		/* use temp variable as strsep will update it */
+	for (i = 0, var = my_strsep(&tmp, ","); var != NULL; var = my_strsep(&tmp, ","))
 		kept[i++] = strip(var);
 
 	var = NULL;