We should be checking for integer overflow, rather than checking if size is 0.
Additionally, we should set errno to ENOMEM when this overflow happens.
Finally, the most efficient implementation of the round-up-to-2 algorithm involves the clz intrinsic.
It was already unsigned in sudoers but not in the front-end or the
python plugin. Making this consistent resolves a lot of -Wconversion
warnings. Also clean up some other -Wconversion warnings in sudo_debug.c.
Variable length arrays are supported by C99, but having it denoted as "1" confused the compiler and is not defined.
Note that because we don't get the inferred NULL terminator, we have to increase the malloc size by one.
Configuration paths in sudo are now a colon-separated list of files
with the adminconfdir instance first (if enabled), followed by a
sysconfdir instance.
This means that _PATH_SUDO_CONF, _PATH_SUDOERS, _PATH_SUDO_LOGSRVD_CONF,
and _PATH_CVTSUDOERS_CONF can now specify multiple files. The first
file that exists is used.
The log message contains user-controlled strings that could include
things like terminal control characters. Space characters in the
command path are now also escaped.
Command line arguments that contain spaces are surrounded with
single quotes and any literal single quote or backslash characters
are escaped with a backslash. This makes it possible to distinguish
multiple command line arguments from a single argument that contains
spaces.
Issue found by Matthieu Barjole and Victor Cutillas of Synacktiv
(https://synacktiv.com).
Previously we were using 504 and 1016 which still produces the
correct result since padding is done in 8-bit bytes. However, using
size-1 for the bitwise AND makes the intent clearer and likely would
have prevented the previous bug in SHA512Pad.
From Matthieu Barjole and Victor Cutillas of Synacktiv (https://synacktiv.com)
The numeric fields in struct sudo_lbuf are now unsigned so that
wraparound is defined, this make the overflow checks simpler.
Problem deteced by oss-fuzz using the fuzz_sudoers fuzzer.
Checking for ep < pathend should be a bit clearer than ep != '\0'
and has the advantage of working when pathend doesn't point to a
NUL byte. No intended change in behavior.
