Description

Fixes a TOCTOU-induced uninitialized-pointer dereference in HandleInclude
(apps/wolfsshd/configuration.c) that can crash wolfsshd with a SIGSEGV.

HandleInclude walks an Include directory using two separate readdir
passes split by WREWINDDIR:

1. Pass 1 counts non-directory entries into fileCount.
2. fileNames is allocated with WMALLOC(fileCount * sizeof(char*)) — without
   zero-initialization.
3. Pass 2 fills the array but is bounded by
   i < fileCount && (dir = WREADDIR(...)) != NULL, so it stops early if
   readdir returns NULL.
4. The processing loop then iterated the full fileCount, calling
   WSTRLEN(fileNames[i]) / WSNPRINTF(...) on every slot.

If the directory shrinks between the two passes (a local user removing files
from a writable Include directory, e.g. a group-writable
/etc/ssh/sshd_config.d/), the second pass fills fewer slots than fileCount.
The tail slots [fileFilled .. fileCount-1] remain uninitialized, and the
processing loop dereferences those garbage pointers, crashing the daemon at
start/restart. No SSH authentication is required to trigger it.

Fix

• Bound the processing loop to the actual fill count. Capture the number of
  slots populated by the second pass (fileFilled = i;) and iterate
  for (i = 0; i < fileFilled; i++) instead of i < fileCount. This is the
  fix that closes the uninitialized read.
• Zero-initialize the array after allocation (WMEMSET(fileNames, 0, ...))
  as defense-in-depth, so any slot not reached by the second pass is NULL
  rather than garbage and the code fails safe against future changes.

The opposite direction (more files appearing in pass 2) was already safe — the
i < fileCount guard stops the second pass at the allocated size.

Testing

• ./configure --enable-sshd && make — clean build.
• apps/wolfsshd/test/test_configuration — all Include / wildcard cases pass,
  including Include sshd_config.d/*.conf, which exercises this exact two-pass
  path and confirms no regression in the normal (fileFilled == fileCount)
  case.