Skip to content

Commit 1f86385

Browse files
millertmillert
committed
Fix potential buffer overflow when unescaping backslashes in user_args.
Also, do not try to unescaping backslashes unless in run mode *and* we are running the command via a shell. Found by Qualys, this fixes CVE-2021-3156.
1 parent c4d3840 commit 1f86385

File tree

1 file changed

+18
-5
lines changed

1 file changed

+18
-5
lines changed

plugins/sudoers/sudoers.c

+18-5
Original file line numberDiff line numberDiff line change
@@ -547,7 +547,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
547547

548548
/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
549549
/* XXX - causes confusion when root is not listed in sudoers */
550-
if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
550+
if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
551551
if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
552552
struct passwd *pw;
553553

@@ -932,8 +932,8 @@ set_cmnd(void)
932932
if (user_cmnd == NULL)
933933
user_cmnd = NewArgv[0];
934934

935-
if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
936-
if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
935+
if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
936+
if (!ISSET(sudo_mode, MODE_EDIT)) {
937937
const char *runchroot = user_runchroot;
938938
if (runchroot == NULL && def_runchroot != NULL &&
939939
strcmp(def_runchroot, "*") != 0)
@@ -961,18 +961,31 @@ set_cmnd(void)
961961
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
962962
debug_return_int(NOT_FOUND_ERROR);
963963
}
964-
if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
964+
if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
965+
ISSET(sudo_mode, MODE_RUN)) {
965966
/*
966967
* When running a command via a shell, the sudo front-end
967968
* escapes potential meta chars. We unescape non-spaces
968969
* for sudoers matching and logging purposes.
969970
*/
970971
for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
971972
while (*from) {
972-
if (from[0] == '\\' && !isspace((unsigned char)from[1]))
973+
if (from[0] == '\\' && from[1] != '\0' &&
974+
!isspace((unsigned char)from[1])) {
973975
from++;
976+
}
977+
if (size - (to - user_args) < 1) {
978+
sudo_warnx(U_("internal error, %s overflow"),
979+
__func__);
980+
debug_return_int(NOT_FOUND_ERROR);
981+
}
974982
*to++ = *from++;
975983
}
984+
if (size - (to - user_args) < 1) {
985+
sudo_warnx(U_("internal error, %s overflow"),
986+
__func__);
987+
debug_return_int(NOT_FOUND_ERROR);
988+
}
976989
*to++ = ' ';
977990
}
978991
*--to = '\0';

0 commit comments

Comments
 (0)