From 730ebabdbab8437e95ffa89714e32078b3b42ad1 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Fri, 19 Nov 2021 12:29:21 -0700
Subject: [PATCH] init_parse_tree() now takes ownership of lhost and shost, if any. This means that lhost and shost in struct sudoers_parse_tree are no longer const and that free_parse_tree() will free lhost/shost. The only consumer that passed in lho.st/shost was the SSSD back-end which has been updated to avoid a double-free.
---
 plugins/sudoers/gram.c | 8 ++++++--
 plugins/sudoers/gram.y | 8 ++++++--
 plugins/sudoers/parse.h | 4 ++--
 plugins/sudoers/regress/fuzz/fuzz_sudoers.c | 2 +-
 plugins/sudoers/sssd.c | 3 ---
 5 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/plugins/sudoers/gram.c b/plugins/sudoers/gram.c
index 530de2d12..ca5b9d79e 100644
--- a/plugins/sudoers/gram.c
+++ b/plugins/sudoers/gram.c
@@ -3830,10 +3830,10 @@ free_userspec(struct userspec *us)
 /*
 * Initialized a sudoers parse tree.
+ * Takes ownership of lhost and shost.
 */
 void
-init_parse_tree(struct sudoers_parse_tree *parse_tree, const char *lhost,
- const char *shost)
+init_parse_tree(struct sudoers_parse_tree *parse_tree, char *lhost, char *shost)
 {
 TAILQ_INIT(&parse_tree->userspecs);
 TAILQ_INIT(&parse_tree->defaults);
@@ -3864,6 +3864,10 @@ free_parse_tree(struct sudoers_parse_tree *parse_tree)
 free_defaults(&parse_tree->defaults);
 free_aliases(parse_tree->aliases);
 parse_tree->aliases = NULL;
+ free(parse_tree->lhost);
+ if (parse_tree->shost != parse_tree->lhost)
+ free(parse_tree->shost);
+ parse_tree->lhost = parse_tree->shost = NULL;
 }
 /*
diff --git a/plugins/sudoers/gram.y b/plugins/sudoers/gram.y
index 82c352077..1dad0608c 100644
--- a/plugins/sudoers/gram.y
+++ b/plugins/sudoers/gram.y
@@ -1674,10 +1674,10 @@ free_userspec(struct userspec *us)
 /*
 * Initialized a sudoers parse tree.
+ * Takes ownership of lhost and shost.
 */
 void
-init_parse_tree(struct sudoers_parse_tree *parse_tree, const char *lhost,
- const char *shost)
+init_parse_tree(struct sudoers_parse_tree *parse_tree, char *lhost, char *shost)
 {
 TAILQ_INIT(&parse_tree->userspecs);
 TAILQ_INIT(&parse_tree->defaults);
@@ -1708,6 +1708,10 @@ free_parse_tree(struct sudoers_parse_tree *parse_tree)
 free_defaults(&parse_tree->defaults);
 free_aliases(parse_tree->aliases);
 parse_tree->aliases = NULL;
+ free(parse_tree->lhost);
+ if (parse_tree->shost != parse_tree->lhost)
+ free(parse_tree->shost);
+ parse_tree->lhost = parse_tree->shost = NULL;
 }
 /*
diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h
index 2984c5833..549b6d04d 100644
--- a/plugins/sudoers/parse.h
+++ b/plugins/sudoers/parse.h
@@ -294,7 +294,7 @@ struct sudoers_parse_tree {
 struct userspec_list userspecs;
 struct defaults_list defaults;
 struct rbtree *aliases;
- const char *shost, *lhost;
+ char *shost, *lhost;
 };
 /*
@@ -366,7 +366,7 @@ void free_userspec(struct userspec *us);
 void free_userspecs(struct userspec_list *usl);
 void free_default(struct defaults *def, struct member_list **binding);
 void free_defaults(struct defaults_list *defs);
-void init_parse_tree(struct sudoers_parse_tree *parse_tree, const char *lhost, const char *shost);
+void init_parse_tree(struct sudoers_parse_tree *parse_tree, char *lhost, char *shost);
 void free_parse_tree(struct sudoers_parse_tree *parse_tree);
 void reparent_parse_tree(struct sudoers_parse_tree *new_tree);
 bool parser_leak_add(enum parser_leak_types type, void *v);
diff --git a/plugins/sudoers/regress/fuzz/fuzz_sudoers.c b/plugins/sudoers/regress/fuzz/fuzz_sudoers.c
index ef74462f7..b591f3339 100644
--- a/plugins/sudoers/regress/fuzz/fuzz_sudoers.c
+++ b/plugins/sudoers/regress/fuzz/fuzz_sudoers.c
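Review bot: The comment line added above init_parse_tree() in gram.y (`* Takes ownership of lhost and shost.`) does not say what a caller is allowed to pass, and the `char *` signature cannot distinguish an owned heap string from a borrowed one. Because free_parse_tree() in the next hunk hands both fields to free(), I would spell the contract out, for example `* Takes ownership of lhost and shost, which must be NULL or malloc()ed;` followed by `* they may point to the same string and are released by free_parse_tree().` The function body continues past the end of the hunk, so the assignments themselves are not visible here. The same wording applies to the copy in gram.c, which looks like the generated counterpart of this file.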
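Review bot: In gram.y's free_parse_tree() the alias test `parse_tree->shost != parse_tree->lhost` runs after `free(parse_tree->lhost)`, so it reads a pointer whose object has already been released; C makes such a value indeterminate even when it is only compared. Doing the comparison first avoids that and keeps the double-free guard intact: `if (parse_tree->shost != parse_tree->lhost) free(parse_tree->shost);` and then `free(parse_tree->lhost);`. The matching hunk in gram.c carries the same lines and would need the same order. Only the tail of the function is inside the hunk.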
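Review bot: In parse.h the member `char *shost, *lhost;` of struct sudoers_parse_tree now holds owning pointers, but nothing at the declaration says so, and this header is where back-end authors are likely to look first. A short comment on the member would help, e.g. `/* owned by the tree, may alias; freed by free_parse_tree() */`. Dropping const makes the compiler reject const-qualified arguments to init_parse_tree(), but a non-const pointer to storage owned elsewhere still compiles cleanly, so the documented contract is the only guard for that case.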
@@ -273,7 +273,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 }
 /* Only one sudoers source, the sudoers file itself. */
- init_parse_tree(&parse_tree, user_host, user_shost);
+ init_parse_tree(&parse_tree, NULL, NULL);
 memset(&sudo_nss_fuzz, 0, sizeof(sudo_nss_fuzz));
 sudo_nss_fuzz.parse_tree = &parse_tree;
 sudo_nss_fuzz.query = sudo_fuzz_query;
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index e396d8466..8f15e576b 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -532,9 +532,6 @@ sudo_sss_close(struct sudo_nss *nss)
 sudo_dso_unload(handle->ssslib);
 if (handle->pw != NULL)
 sudo_pw_delref(handle->pw);
- free(handle->ipa_host);
- if (handle->ipa_host != handle->ipa_shost)
- free(handle->ipa_shost);
 free_parse_tree(&handle->parse_tree);
 free(handle);
 nss->handle = NULL;
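Review bot: The call `init_parse_tree(&parse_tree, NULL, NULL)` in LLVMFuzzerTestOneInput() has no comment explaining why the host names are no longer passed, so a later edit could restore `user_host, user_shost`, which free_parse_tree() would then free. I would add `/* Pass NULL: the parse tree would take ownership of (and free) the host strings. */` above the call. The harness now only exercises the paths where parse_tree.lhost and parse_tree.shost are NULL; presumably readers of those fields already tolerate NULL, but that is not visible in this hunk and is worth confirming. If the non-NULL paths matter for coverage, passing strdup()ed copies would keep them reachable. The function starts and ends outside the hunk.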