isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix potential double free for rules that include a CHROOT= option.

Browse Source 
If a rule with a CHROOT= option matches the user, host and runas,
the user_cmnd variable could be freed twice.
This commit is contained in:
Todd C. Miller
2023-02-21 20:01:13 -07:00
parent 6c52056d36
commit 87ce692468
7 changed files with 71 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
plugins/sudoers/match_command.c
View File

@@ -825,12 +825,16 @@ command_matches(const char *sudoers_cmnd, const char *sudoers_args,
/* Rule-specific runchroot, set user_cmnd and user_stat after pivot. */
int status;
/* Save old user_cmnd first, set_cmnd_path() will free it. */
saved_user_cmnd = user_cmnd;
user_cmnd = NULL;
if (user_stat != NULL)
saved_user_stat = *user_stat;
status = set_cmnd_path(NULL);
if (status != FOUND)
if (status != FOUND) {
user_cmnd = saved_user_cmnd;
saved_user_cmnd = NULL;
}
if (info != NULL)
info->status = status;
}