Bug 534 - Off-by-one in disable_execute
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.3
Hardware: PC Linux
Importance: low normal
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2012-01-30 12:27 MST by Jüri Aedla
Modified: 2012-02-21 06:05 MST

Description Jüri Aedla 2012-01-30 12:27:31 MST
Hi,

I think I see a possibility of writing outside of array bounds in sudo.c:disable_execute.

The code looks like:

    for (ev = details->envp; *ev != NULL; ev++) {
        if (env_len + 2 > env_size) {
            env_size += 128;
            nenvp = erealloc3(nenvp, env_size, sizeof(char *));
        }

        /* some code removed */

        nenvp[env_len++] = *ev;
    }

    /* some code removed */

    nenvp[env_len++] = cp;
    nenvp[env_len] = NULL;

There is a possibility that env_len + 2 == env_size, so the array is not increased and three elements get added.
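An added model (not part of the report or of sudo's own source) that replays the quoted growth check without touching memory, so an out-of-bounds store shows up as a returned count instead of heap corruption. The slack-3 variant is one bound that leaves room for the two trailing stores (cp and NULL), not necessarily the fix that went into sudo 1.8.4; starting from env_len = env_size = 0 is an assumption, since that setup is elided above.

```c
#include <stddef.h>
#include <stdio.h>
/* Model of the nenvp growth loop quoted above.  Nothing is written to memory;
 * capacity (env_size) and the highest index stored are tracked, so an
 * out-of-bounds store becomes a returned count.  'slack' is what the check adds
 * to env_len: 2 is the reported code, 3 leaves room for the trailing cp/NULL. */
struct model {
    size_t env_size;   /* capacity in elements after erealloc3() */
    size_t env_len;    /* next index to be stored */
    size_t max_index;  /* highest index actually stored */
};

static void model_store(struct model *m, size_t idx)
{
    if (idx > m->max_index)
        m->max_index = idx;
}

/* Elements stored past the end of nenvp for an envp of n_env entries (0 = safe). */
size_t overflow_elems(size_t n_env, size_t slack)
{
    struct model m = { 0, 0, 0 };         /* assumed initial state; setup is elided in the report */
    size_t i;
    for (i = 0; i < n_env; i++) {         /* for (ev = details->envp; *ev != NULL; ev++) */
        if (m.env_len + slack > m.env_size)
            m.env_size += 128;            /* nenvp = erealloc3(nenvp, env_size, sizeof(char *)); */
        model_store(&m, m.env_len++);     /* nenvp[env_len++] = *ev; */
    }
    model_store(&m, m.env_len++);         /* nenvp[env_len++] = cp; */
    model_store(&m, m.env_len);           /* nenvp[env_len] = NULL; */
    return m.max_index + 1 > m.env_size ? m.max_index + 1 - m.env_size : 0;
}

/* Smallest non-empty envp (1..limit-1) the check lets overflow; limit if none. */
size_t first_overflowing_env(size_t slack, size_t limit)
{
    size_t n;
    for (n = 1; n < limit; n++)
        if (overflow_elems(n, slack) > 0)
            return n;
    return limit;
}

int main(void)
{
    size_t n = first_overflowing_env(2, 1024);
    printf("slack 2: a %zu-entry envp stores %zu element(s) past the end; slack 3: first overflow below 1024 entries = %zu (1024 means none)\n",
           n, overflow_elems(n, 2), first_overflowing_env(3, 1024));
    return 0;
}
```

With the reported check the first bad case is an environment of 127 entries (and then every 128th size after it): the loop leaves env_len + 2 == env_size, and the NULL terminator lands one element past the allocation.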
Comment 1 Todd C. Miller 2012-01-30 13:50:51 MST
Yes, you are correct.  I've fixed this in the sudo source repo and the fix will be in sudo 1.8.4.
Comment 2 Todd C. Miller 2012-02-21 06:05:59 MST
Fixed in sudo 1.8.4.