Bug 807 - [PATCH] Segfault when hostname is empty.
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.21
Hardware: PC FreeBSD
Importance: low high
Assigned To: Todd C. Miller
Reported: 2017-10-19 22:02 MDT by pprocacci
Modified: 2018-01-16 14:00 MST

Attachments
Fix empty user_host (364 bytes, text/plain)
2017-10-19 22:02 MDT, pprocacci

Description pprocacci 2017-10-19 22:02:59 MDT
Created attachment 501
Fix empty user_host

sudo-1.8.21p2/plugins/sudoers/policy.c:374

user_host can be used uninitialized here.
Passing an uninitialized pointer to strdup is undefined behavior.
My attached patch forces user_host to 'localhost'; however, you gents may have a better place for doing this.
Comment 1 pprocacci 2017-10-19 22:17:10 MDT
I should add, it actually appears to be initialized .... but in this case NULL.
Passing NULL to strdup is an application bug.  *words*
Comment 2 Guangyuan Yang 2017-10-20 00:59:11 MDT
FYI the original bug report in FreeBSD Bug Tracker is here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222510
Comment 3 Todd C. Miller 2017-10-20 07:58:08 MDT
Thanks for the detailed report.  This is fixed by the following two commits:

https://www.sudo.ws/repos/sudo/rev/fafb3a3083cb
https://www.sudo.ws/repos/sudo/rev/03e281d93fff

The first commit treats an empty host name the same as a gethostname() failure which will result in "localhost" being used.  The second commit just adds some sanity checking and will error out if the sudo front end didn't at least set the user name, uid, gid and host name.
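
The two-part fix described in comment 3, sketched as an added example (this is not sudo's code and is not taken from the linked commits): the front end treats an empty host name like a failed lookup, and the plugin refuses to continue unless user, uid, gid and host were all supplied. The names `effective_host`, `parse_user_info`, `struct user_ctx` and the simplified `key=value` input are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for what a policy plugin keeps from the front end. */
struct user_ctx { char *user, *host; long uid, gid; };

/* Front-end side: an empty name is handled like a failed lookup. */
const char *effective_host(int lookup_rc, const char *name)
{
    return (lookup_rc != 0 || name == NULL || name[0] == '\0') ? "localhost" : name;
}

/* Return the value if entry is "key=<non-empty>", else NULL. */
static const char *value_of(const char *entry, const char *key)
{
    size_t n = strlen(key);
    if (strncmp(entry, key, n) != 0 || entry[n] != '=' || entry[n + 1] == '\0')
        return NULL;
    return entry + n + 1;
}

/* Heap copy of a non-NULL string; callers never pass NULL here. */
static char *copy_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Plugin side: returns 0 only if user, uid, gid and host were all supplied;
 * otherwise frees what it copied and returns -1 instead of using NULL later. */
int parse_user_info(const char *const info[], struct user_ctx *ctx)
{
    const char *v;
    ctx->user = ctx->host = NULL;
    ctx->uid = ctx->gid = -1;
    for (size_t i = 0; info[i] != NULL; i++) {
        if ((v = value_of(info[i], "user")) != NULL) { free(ctx->user); ctx->user = copy_str(v); }
        else if ((v = value_of(info[i], "host")) != NULL) { free(ctx->host); ctx->host = copy_str(v); }
        else if ((v = value_of(info[i], "uid")) != NULL) ctx->uid = strtol(v, NULL, 10);
        else if ((v = value_of(info[i], "gid")) != NULL) ctx->gid = strtol(v, NULL, 10);
    }
    if (ctx->user && ctx->host && ctx->uid >= 0 && ctx->gid >= 0)
        return 0;
    free(ctx->user); free(ctx->host);
    ctx->user = ctx->host = NULL;
    return -1;
}
```
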
Comment 4 Todd C. Miller 2018-01-16 14:00:18 MST
Fixed in sudo 1.8.22, out now.