From 12452f442728e26dc660095de2d9d43129408c6e Mon Sep 17 00:00:00 2001
From: nicm
Date: Fri, 22 Aug 2025 07:26:25 +0000
Subject: [PATCH] Do not double free argv from MSG_COMMAND if it is too long, reported by sai02 at student dot ubc dot ca via deraadt. ok deraadt
---
 server-client.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/server-client.c b/server-client.c
index 04d4eb5e..89486b7c 100644
--- a/server-client.c
+++ b/server-client.c
@@ -3446,7 +3446,7 @@ server_client_dispatch_command(struct client *c, struct imsg *imsg)
 struct msg_command data;
 char *buf;
 size_t len;
- int argc;
+ int argc = 0;
 char **argv, *cause;
 struct cmd_parse_result *pr;
 struct args_value *values;
@@ -3465,12 +3465,12 @@ server_client_dispatch_command(struct client *c, struct imsg *imsg)
 if (len > 0 && buf[len - 1] != '\0')
 fatalx("bad MSG_COMMAND string");
- argc = data.argc;
- if (cmd_unpack_argv(buf, len, argc, &argv) != 0) {
+ if (cmd_unpack_argv(buf, len, data.argc, &argv) != 0) {
 cause = xstrdup("command too long");
 goto error;
 }
+ argc = data.argc;
 if (argc == 0) {
 cmdlist = cmd_list_copy(options_get_command(global_options, "default-client-command"), 0, NULL);
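Review bot: The placement of `argc = data.argc;` after the `cmd_unpack_argv()` check in the second hunk is what keeps the error path from releasing `argv` a second time, but nothing in the code records that the ordering matters. A comment above the assignment would stop a later tidy-up from moving it back, for example `/* Only set argc on success; on failure argv is presumably already freed by cmd_unpack_argv(). */`. The first hunk still leaves `argv` uninitialised in `char **argv, *cause;`, so the fix depends on the cleanup under `error:` (outside both hunks) never touching `argv` when `argc` is zero; `char **argv = NULL, *cause;` would remove that dependency. It is also worth confirming that a negative `data.argc`, which comes straight from the client message, is rejected before or inside `cmd_unpack_argv()`, since no range check is visible here.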