|
 |
e7179e |
Treat an ID of -1 as invalid since that means "no change".
|
|
|
e7179e |
Fixes CVE-2019-14287.
|
|
|
e7179e |
Found by Joe Vennix from Apple Information Security.
|
|
|
e7179e |
|
|
|
e7179e |
diff -r fcd7a6d8330e lib/util/strtoid.c
|
|
|
e7179e |
--- a/lib/util/strtoid.c Fri Jan 11 13:31:15 2019 -0700
|
|
|
e7179e |
+++ b/lib/util/strtoid.c Thu Oct 10 09:52:12 2019 -0600
|
|
|
e7179e |
@@ -1,5 +1,5 @@
|
|
|
e7179e |
/*
|
|
|
e7179e |
- * Copyright (c) 2013-2016 Todd C. Miller <Todd.Miller@sudo.ws>
|
|
|
e7179e |
+ * Copyright (c) 2013-2019 Todd C. Miller <Todd.Miller@sudo.ws>
|
|
|
e7179e |
*
|
|
|
e7179e |
* Permission to use, copy, modify, and distribute this software for any
|
|
|
e7179e |
* purpose with or without fee is hereby granted, provided that the above
|
|
|
e7179e |
@@ -47,6 +47,27 @@
|
|
|
e7179e |
#include "sudo_util.h"
|
|
|
e7179e |
|
|
|
e7179e |
/*
|
|
|
e7179e |
+ * Make sure that the ID ends with a valid separator char.
|
|
|
e7179e |
+ */
|
|
|
e7179e |
+static bool
|
|
|
e7179e |
+valid_separator(const char *p, const char *ep, const char *sep)
|
|
|
e7179e |
+{
|
|
|
e7179e |
+ bool valid = false;
|
|
|
e7179e |
+ debug_decl(valid_separator, SUDO_DEBUG_UTIL)
|
|
|
e7179e |
+
|
|
|
e7179e |
+ if (ep != p) {
|
|
|
e7179e |
+ /* check for valid separator (including '\0') */
|
|
|
e7179e |
+ if (sep == NULL)
|
|
|
e7179e |
+ sep = "";
|
|
|
e7179e |
+ do {
|
|
|
e7179e |
+ if (*ep == *sep)
|
|
|
e7179e |
+ valid = true;
|
|
|
e7179e |
+ } while (*sep++ != '\0');
|
|
|
e7179e |
+ }
|
|
|
e7179e |
+ debug_return_bool(valid);
|
|
|
e7179e |
+}
|
|
|
e7179e |
+
|
|
|
e7179e |
+/*
|
|
|
e7179e |
* Parse a uid/gid in string form.
|
|
|
e7179e |
* If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
|
|
|
e7179e |
* If endp is non-NULL it is set to the next char after the ID.
|
|
|
e7179e |
@@ -60,38 +81,35 @@ sudo_strtoid_v1(const char *p, const cha
|
|
|
e7179e |
char *ep;
|
|
|
e7179e |
id_t ret = 0;
|
|
|
e7179e |
long long llval;
|
|
|
e7179e |
- bool valid = false;
|
|
|
e7179e |
debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
|
|
|
e7179e |
|
|
|
e7179e |
/* skip leading space so we can pick up the sign, if any */
|
|
|
e7179e |
while (isspace((unsigned char)*p))
|
|
|
e7179e |
p++;
|
|
|
e7179e |
- if (sep == NULL)
|
|
|
e7179e |
- sep = "";
|
|
|
e7179e |
+
|
|
|
e7179e |
+ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
|
|
|
e7179e |
errno = 0;
|
|
|
e7179e |
llval = strtoll(p, &ep, 10);
|
|
|
e7179e |
- if (ep != p) {
|
|
|
e7179e |
- /* check for valid separator (including '\0') */
|
|
|
e7179e |
- do {
|
|
|
e7179e |
- if (*ep == *sep)
|
|
|
e7179e |
- valid = true;
|
|
|
e7179e |
- } while (*sep++ != '\0');
|
|
|
e7179e |
+ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
|
|
|
e7179e |
+ errno = ERANGE;
|
|
|
e7179e |
+ if (errstr != NULL)
|
|
|
e7179e |
+ *errstr = N_("value too large");
|
|
|
e7179e |
+ goto done;
|
|
|
e7179e |
}
|
|
|
e7179e |
- if (!valid) {
|
|
|
e7179e |
+ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
|
|
|
e7179e |
+ errno = ERANGE;
|
|
|
e7179e |
+ if (errstr != NULL)
|
|
|
e7179e |
+ *errstr = N_("value too small");
|
|
|
e7179e |
+ goto done;
|
|
|
e7179e |
+ }
|
|
|
e7179e |
+
|
|
|
e7179e |
+ /* Disallow id -1, which means "no change". */
|
|
|
e7179e |
+ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
|
|
|
e7179e |
if (errstr != NULL)
|
|
|
e7179e |
*errstr = N_("invalid value");
|
|
|
e7179e |
errno = EINVAL;
|
|
|
e7179e |
goto done;
|
|
|
e7179e |
}
|
|
|
e7179e |
- if (errno == ERANGE) {
|
|
|
e7179e |
- if (errstr != NULL) {
|
|
|
e7179e |
- if (llval == LLONG_MAX)
|
|
|
e7179e |
- *errstr = N_("value too large");
|
|
|
e7179e |
- else
|
|
|
e7179e |
- *errstr = N_("value too small");
|
|
|
e7179e |
- }
|
|
|
e7179e |
- goto done;
|
|
|
e7179e |
- }
|
|
|
e7179e |
ret = (id_t)llval;
|
|
|
e7179e |
if (errstr != NULL)
|
|
|
e7179e |
*errstr = NULL;
|
|
|
e7179e |
@@ -106,30 +124,15 @@ sudo_strtoid_v1(const char *p, const cha
|
|
|
e7179e |
{
|
|
|
e7179e |
char *ep;
|
|
|
e7179e |
id_t ret = 0;
|
|
|
e7179e |
- bool valid = false;
|
|
|
e7179e |
debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
|
|
|
e7179e |
|
|
|
e7179e |
/* skip leading space so we can pick up the sign, if any */
|
|
|
e7179e |
while (isspace((unsigned char)*p))
|
|
|
e7179e |
p++;
|
|
|
e7179e |
- if (sep == NULL)
|
|
|
e7179e |
- sep = "";
|
|
|
e7179e |
+
|
|
|
e7179e |
errno = 0;
|
|
|
e7179e |
if (*p == '-') {
|
|
|
e7179e |
long lval = strtol(p, &ep, 10);
|
|
|
e7179e |
- if (ep != p) {
|
|
|
e7179e |
- /* check for valid separator (including '\0') */
|
|
|
e7179e |
- do {
|
|
|
e7179e |
- if (*ep == *sep)
|
|
|
e7179e |
- valid = true;
|
|
|
e7179e |
- } while (*sep++ != '\0');
|
|
|
e7179e |
- }
|
|
|
e7179e |
- if (!valid) {
|
|
|
e7179e |
- if (errstr != NULL)
|
|
|
e7179e |
- *errstr = N_("invalid value");
|
|
|
e7179e |
- errno = EINVAL;
|
|
|
e7179e |
- goto done;
|
|
|
e7179e |
- }
|
|
|
e7179e |
if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
|
|
|
e7179e |
errno = ERANGE;
|
|
|
e7179e |
if (errstr != NULL)
|
|
|
e7179e |
@@ -142,28 +145,31 @@ sudo_strtoid_v1(const char *p, const cha
|
|
|
e7179e |
*errstr = N_("value too small");
|
|
|
e7179e |
goto done;
|
|
|
e7179e |
}
|
|
|
e7179e |
- ret = (id_t)lval;
|
|
|
e7179e |
- } else {
|
|
|
e7179e |
- unsigned long ulval = strtoul(p, &ep, 10);
|
|
|
e7179e |
- if (ep != p) {
|
|
|
e7179e |
- /* check for valid separator (including '\0') */
|
|
|
e7179e |
- do {
|
|
|
e7179e |
- if (*ep == *sep)
|
|
|
e7179e |
- valid = true;
|
|
|
e7179e |
- } while (*sep++ != '\0');
|
|
|
e7179e |
- }
|
|
|
e7179e |
- if (!valid) {
|
|
|
e7179e |
+
|
|
|
e7179e |
+ /* Disallow id -1, which means "no change". */
|
|
|
e7179e |
+ if (!valid_separator(p, ep, sep) || lval == -1) {
|
|
|
e7179e |
if (errstr != NULL)
|
|
|
e7179e |
*errstr = N_("invalid value");
|
|
|
e7179e |
errno = EINVAL;
|
|
|
e7179e |
goto done;
|
|
|
e7179e |
}
|
|
|
e7179e |
+ ret = (id_t)lval;
|
|
|
e7179e |
+ } else {
|
|
|
e7179e |
+ unsigned long ulval = strtoul(p, &ep, 10);
|
|
|
e7179e |
if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
|
|
|
e7179e |
errno = ERANGE;
|
|
|
e7179e |
if (errstr != NULL)
|
|
|
e7179e |
*errstr = N_("value too large");
|
|
|
e7179e |
goto done;
|
|
|
e7179e |
}
|
|
|
e7179e |
+
|
|
|
e7179e |
+ /* Disallow id -1, which means "no change". */
|
|
|
e7179e |
+ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
|
|
|
e7179e |
+ if (errstr != NULL)
|
|
|
e7179e |
+ *errstr = N_("invalid value");
|
|
|
e7179e |
+ errno = EINVAL;
|
|
|
e7179e |
+ goto done;
|
|
|
e7179e |
+ }
|
|
|
e7179e |
ret = (id_t)ulval;
|
|
|
e7179e |
}
|
|
|
e7179e |
if (errstr != NULL)
|