From e1a402f1d65f4f107a40237bc19384e43b334546 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 16 Oct 2018 12:49:34 -0600
Subject: [PATCH] sudo_ldap_parse_option() never returns '=' as the operator. When parsing command_timeout, role, type, privs and limitprivs, check that val is non-NULL instead. Found by PVS Studio.
---
 plugins/sudoers/ldap_util.c | 37 ++++++++++++++-----------------------
 1 file changed, 14 insertions(+), 23 deletions(-)
diff --git a/plugins/sudoers/ldap_util.c b/plugins/sudoers/ldap_util.c
index d9be95a61..fecb7a6c5 100644
--- a/plugins/sudoers/ldap_util.c
+++ b/plugins/sudoers/ldap_util.c
@@ -405,32 +405,23 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
 int op;
 
 op = sudo_ldap_parse_option(opt, &var, &val);
- if (strcmp(var, "command_timeout") == 0) {
- if (op == '=')
- cmndspec->timeout = parse_timeout(val);
+ if (strcmp(var, "command_timeout") == 0 && val != NULL) {
+ cmndspec->timeout = parse_timeout(val);
 #ifdef HAVE_SELINUX
- } else if (strcmp(var, "role") == 0) {
- if (op == '=') {
- if ((cmndspec->role = strdup(val)) == NULL)
- goto oom;
- }
- } else if (strcmp(var, "type") == 0) {
- if (op == '=') {
- if ((cmndspec->type = strdup(val)) == NULL)
- goto oom;
- }
+ } else if (strcmp(var, "role") == 0 && val != NULL) {
+ if ((cmndspec->role = strdup(val)) == NULL)
+ goto oom;
+ } else if (strcmp(var, "type") == 0 && val != NULL) {
+ if ((cmndspec->type = strdup(val)) == NULL)
+ goto oom;
 #endif /* HAVE_SELINUX */
 #ifdef HAVE_PRIV_SET
- } else if (strcmp(var, "privs") == 0) {
- if (op == '=') {
- if ((cmndspec->privs = strdup(val)) == NULL)
- goto oom;
- }
- } else if (strcmp(var, "limitprivs") == 0) {
- if (op == '=') {
- if ((cmndspec->limitprivs = strdup(val)) == NULL)
- goto oom;
- }
+ } else if (strcmp(var, "privs") == 0 && val != NULL) {
+ if ((cmndspec->privs = strdup(val)) == NULL)
+ goto oom;
+ } else if (strcmp(var, "limitprivs") == 0 && val != NULL) {
+ if ((cmndspec->limitprivs = strdup(val)) == NULL)
+ goto oom;
 #endif /* HAVE_PRIV_SET */
 } else if (store_options) {
 if (!sudo_ldap_add_default(var, val, op, source,
-- 
2.21.0
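Review bot: The `command_timeout` branch now stores the result of `parse_timeout(val)` in `cmndspec->timeout` unchecked, so a malformed value in the LDAP entry is recorded as whatever parse_timeout() returns on failure (presumably a negative sentinel; its body is not in the hunk). I would validate before storing, for example `int t = parse_timeout(val);` followed by `if (t != -1) cmndspec->timeout = t;` if -1 is the failure value, and warn about the rejected string. Separately, because `val != NULL` is now part of each `else if` condition, a valueless `role`, `type`, `privs` or `limitprivs` falls through to the `store_options` branch and reaches `sudo_ldap_add_default()` with a NULL `val`, which the old nesting never allowed; worth confirming that is intended. The same test also accepts any operator that carries a value, not only plain assignment, so a short comment such as `/* any operator with a value is treated as assignment here */` would document that. The enclosing block of sudo_ldap_role_to_priv() starts and ends outside the hunk.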