Bug 534

Summary: Off-by-one in disable_execute
Product: Sudo
Reporter: Jüri Aedla <asd>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.8.3
Hardware: PC
OS: Linux

Description Jüri Aedla 2012-01-30 12:27:31 MST
Hi,

I think I see a possibility of writing outside of array bounds in sudo.c:disable_execute.

The code looks like:

    for (ev = details->envp; *ev != NULL; ev++) {
        if (env_len + 2 > env_size) {
            env_size += 128;
            nenvp = erealloc3(nenvp, env_size, sizeof(char *));
        }

        /* some code removed */

        nenvp[env_len++] = *ev;
    }

    /* some code removed */

    nenvp[env_len++] = cp;
    nenvp[env_len] = NULL;

There is a possibility that env_len + 2 == env_size, so the array is not increased and three elements get added.
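The capacity arithmetic from the report, modelled as an added example (this is not code from the bug report or from sudo): it tracks how many pointer slots get allocated versus how many the loop plus the two trailing stores actually use, so it can show which environment sizes hit the off-by-one without writing to memory. The reserve of 3 in the "fixed" variant is an assumed correction, not necessarily sudo's actual 1.8.4 patch; the model also assumes nenvp starts empty (the report does not show its initialisation), so sizes are scanned from 1.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define GROW 128  /* the report's code grows nenvp by 128 pointers at a time */

/*
 * Model of disable_execute's capacity accounting. Nothing is stored;
 * env_size mirrors the allocated slot count and env_len the used count.
 * n_entries: number of entries in details->envp
 * reserve:   slots the in-loop check demands (2 in the reported code)
 * Returns true when the trailing NULL store would land past env_size.
 */
static bool would_overflow(size_t n_entries, size_t reserve)
{
    size_t env_size = 0, env_len = 0;

    for (size_t i = 0; i < n_entries; i++) {
        if (env_len + reserve > env_size)
            env_size += GROW;   /* erealloc3(nenvp, env_size, sizeof(char *)) */
        env_len++;              /* nenvp[env_len++] = *ev; */
    }
    /* nenvp[env_len++] = cp;  nenvp[env_len] = NULL;  -> highest index env_len+1 */
    size_t last_index = env_len + 1;
    return last_index >= env_size;
}

/* The check as reported: "env_len + 2 > env_size" reserves 2 slots per entry. */
static bool buggy_overflows(size_t n_entries) { return would_overflow(n_entries, 2); }

/* Assumed fix: reserve the entry being appended plus both trailing stores. */
static bool fixed_overflows(size_t n_entries) { return would_overflow(n_entries, 3); }

/* Smallest environment size in [1, limit] that overflows under the reported
 * check, or 0 if none does. */
static size_t first_overflow(size_t limit)
{
    for (size_t n = 1; n <= limit; n++)
        if (buggy_overflows(n))
            return n;
    return 0;
}

int main(void)
{
    size_t n = first_overflow(4096);
    printf("first overflowing envp size: %zu (buggy=%d, fixed=%d)\n",
           n, buggy_overflows(n), fixed_overflows(n));
    return 0;
}
```

With the reported check, exactly 127 entries (and every 127 + 128k after it) leaves env_len + 2 == env_size on the last iteration, so the final NULL is written one slot past the allocation.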
Comment 1 Todd C. Miller 2012-01-30 13:50:51 MST
Yes, you are correct.  I've fixed this in the sudo source repo and the fix will be in sudo 1.8.4.
Comment 2 Todd C. Miller 2012-02-21 06:05:59 MST
Fixed in sudo 1.8.4.