blob: c04b8e72a6a2ec2f6114fadcd12b9f0281e6a4d6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
CVE: CVE-2021-3156
# HG changeset patch
# User Todd C. Miller <Todd.Miller@sudo.ws>
# Date 1611416640 25200
# Node ID c125fbe6878395d10f01d891d3c09b1229ada404
# Parent 09f98816fc8978f1d8623a857073d2d5746f0379
Don't assume that argv is allocated as a single flat buffer.
While this is how the kernel behaves it is not a portable assumption.
The assumption may also be violated if getopt_long(3) permutes arguments.
Found by Qualys.
diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c
--- a/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700
+++ b/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700
@@ -614,16 +614,16 @@
if (argc != 0) {
/* shell -c "command" */
char *src, *dst;
- size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
- strlen(argv[argc - 1]) + 1;
+ size_t size = 0;
- cmnd = dst = reallocarray(NULL, cmnd_size, 2);
- if (cmnd == NULL)
+ for (av = argv; *av != NULL; av++)
+ size += strlen(*av) + 1;
+ if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL)
sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
if (!gc_add(GC_PTR, cmnd))
exit(EXIT_FAILURE);
- for (av = argv; *av != NULL; av++) {
+ for (dst = cmnd, av = argv; *av != NULL; av++) {
for (src = *av; *src != '\0'; src++) {
/* quote potential meta characters */
if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$')
|
