Check for invalid bas64 attributes.

diff --git a/MANIFEST b/MANIFEST
index bde1f83ce973a9372b59958d382bebcb5e9aea18..b7919ee05389fd6e26f6d7bf90a1afaf125bbd2f 100644 (file)
--- a/MANIFEST
+++ b/MANIFEST
@@ -433,6 +433,8 @@ plugins/sudoers/regress/cvtsudoers/test25.out.ok
 plugins/sudoers/regress/cvtsudoers/test25.sh
 plugins/sudoers/regress/cvtsudoers/test26.out.ok
 plugins/sudoers/regress/cvtsudoers/test26.sh
+plugins/sudoers/regress/cvtsudoers/test27.out.ok
+plugins/sudoers/regress/cvtsudoers/test27.sh
 plugins/sudoers/regress/cvtsudoers/test3.out.ok
 plugins/sudoers/regress/cvtsudoers/test3.sh
 plugins/sudoers/regress/cvtsudoers/test4.out.ok

diff --git a/plugins/sudoers/cvtsudoers_ldif.c b/plugins/sudoers/cvtsudoers_ldif.c
index ce8301a695f76dc4ab9576c07d0cd2c1591d0837..1fbda1f5597ee8f4027bfc1abd7321f3eb8682a6 100644 (file)
--- a/plugins/sudoers/cvtsudoers_ldif.c
+++ b/plugins/sudoers/cvtsudoers_ldif.c
@@ -743,9 +743,23 @@ ldif_parse_attribute(char *str)
 
     attr = str;
     if (encoded) {
-       /* decode base64 inline and NUL-terminate */
-       len = base64_decode(str, (unsigned char *)attr, strlen(str));
+       /*
+        * Decode base64 inline and add NUL-terminator.
+        * The copy allows us to provide a useful message on error.
+        */
+       char *copy = strdup(str);
+       if (copy == NULL) {
+           sudo_fatalx(U_("%s: %s"), __func__,
+               U_("unable to allocate memory"));
+       }
+       len = base64_decode(copy, (unsigned char *)attr, strlen(attr));
+       if (len == (size_t)-1) {
+           sudo_warnx(U_("ignoring invalid attribute value: %s"), copy);
+           free(copy);
+           debug_return_str(NULL);
+       }
        attr[len] = '\0';
+       free(copy);
     }
 
     debug_return_str(attr);
@@ -1254,6 +1268,11 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
            /* Compare dn to base, if specified. */
            if (conf->sudoers_base != NULL) {
                attr = ldif_parse_attribute(line + 3);
+               if (attr == NULL) {
+                   /* invalid attribute */
+                   mismatch = true;
+                   continue;
+               }
                /* Skip over cn if present. */
                if (strncasecmp(attr, "cn=", 3) == 0) {
                    for (attr += 3; *attr != '\0'; attr++) {
@@ -1274,7 +1293,7 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
            }
        } else if (strncmp(line, "objectClass:", 12) == 0) {
            attr = ldif_parse_attribute(line + 12);
-           if (strcmp(attr, "sudoRole") == 0)
+           if (attr != NULL && strcmp(attr, "sudoRole") == 0)
                in_role = true;
        }
 
@@ -1285,54 +1304,69 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
        /* Part of a sudoRole, parse it. */
        if (strncmp(line, "cn:", 3) == 0) {
            attr = ldif_parse_attribute(line + 3);
-           free(role->cn);
-           role->cn = unquote_cn(attr);
-           if (role->cn == NULL) {
-               sudo_fatalx(U_("%s: %s"), __func__,
-                   U_("unable to allocate memory"));
+           if (attr != NULL) {
+               free(role->cn);
+               role->cn = unquote_cn(attr);
+               if (role->cn == NULL) {
+                   sudo_fatalx(U_("%s: %s"), __func__,
+                       U_("unable to allocate memory"));
+               }
            }
        } else if (strncmp(line, "sudoUser:", 9) == 0) {
            attr = ldif_parse_attribute(line + 9);
-           ldif_store_string(attr, role->users, true);
+           if (attr != NULL)
+               ldif_store_string(attr, role->users, true);
        } else if (strncmp(line, "sudoHost:", 9) == 0) {
            attr = ldif_parse_attribute(line + 9);
-           ldif_store_string(attr, role->hosts, true);
+           if (attr != NULL)
+               ldif_store_string(attr, role->hosts, true);
        } else if (strncmp(line, "sudoRunAs:", 10) == 0) {
            attr = ldif_parse_attribute(line + 10);
-           ldif_store_string(attr, role->runasusers, true);
+           if (attr != NULL)
+               ldif_store_string(attr, role->runasusers, true);
        } else if (strncmp(line, "sudoRunAsUser:", 14) == 0) {
            attr = ldif_parse_attribute(line + 14);
-           ldif_store_string(attr, role->runasusers, true);
+           if (attr != NULL)
+               ldif_store_string(attr, role->runasusers, true);
        } else if (strncmp(line, "sudoRunAsGroup:", 15) == 0) {
            attr = ldif_parse_attribute(line + 15);
-           ldif_store_string(attr, role->runasgroups, true);
+           if (attr != NULL)
+               ldif_store_string(attr, role->runasgroups, true);
        } else if (strncmp(line, "sudoCommand:", 12) == 0) {
            attr = ldif_parse_attribute(line + 12);
-           ldif_store_string(attr, role->cmnds, false);
+           if (attr != NULL)
+               ldif_store_string(attr, role->cmnds, false);
        } else if (strncmp(line, "sudoOption:", 11) == 0) {
            attr = ldif_parse_attribute(line + 11);
-           ldif_store_string(attr, role->options, false);
+           if (attr != NULL)
+               ldif_store_string(attr, role->options, false);
        } else if (strncmp(line, "sudoOrder:", 10) == 0) {
            char *ep;
            attr = ldif_parse_attribute(line + 10);
-           role->order = strtod(attr, &ep);
-           if (ep == attr || *ep != '\0')
-               sudo_warnx(U_("invalid sudoOrder attribute: %s"), attr);
+           if (attr != NULL) {
+               role->order = strtod(attr, &ep);
+               if (ep == attr || *ep != '\0')
+                   sudo_warnx(U_("invalid sudoOrder attribute: %s"), attr);
+           }
        } else if (strncmp(line, "sudoNotBefore:", 14) == 0) {
            attr = ldif_parse_attribute(line + 14);
-           free(role->notbefore);
-           role->notbefore = strdup(attr);
-           if (role->notbefore == NULL) {
-               sudo_fatalx(U_("%s: %s"), __func__,
-                   U_("unable to allocate memory"));
+           if (attr != NULL) {
+               free(role->notbefore);
+               role->notbefore = strdup(attr);
+               if (role->notbefore == NULL) {
+                   sudo_fatalx(U_("%s: %s"), __func__,
+                       U_("unable to allocate memory"));
+               }
            }
        } else if (strncmp(line, "sudoNotAfter:", 13) == 0) {
            attr = ldif_parse_attribute(line + 13);
-           free(role->notafter);
-           role->notafter = strdup(attr);
-           if (role->notafter == NULL) {
-               sudo_fatalx(U_("%s: %s"), __func__,
-                   U_("unable to allocate memory"));
+           if (attr != NULL) {
+               free(role->notafter);
+               role->notafter = strdup(attr);
+               if (role->notafter == NULL) {
+                   sudo_fatalx(U_("%s: %s"), __func__,
+                       U_("unable to allocate memory"));
+               }
            }
        }
     }

diff --git a/plugins/sudoers/regress/cvtsudoers/test25.sh b/plugins/sudoers/regress/cvtsudoers/test25.sh
index 7d26bb9fa21abdecde019bf259b0cbdafc29061e..4cb8b457282b28478cfb3e0dcb596742830c0fe1 100755 (executable)
--- a/plugins/sudoers/regress/cvtsudoers/test25.sh
+++ b/plugins/sudoers/regress/cvtsudoers/test25.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Test LDAP base filtering.
+# Test LDIF base64 attribute parsing
 #
 
 exec 2>&1

diff --git a/plugins/sudoers/regress/cvtsudoers/test26.out.ok b/plugins/sudoers/regress/cvtsudoers/test26.out.ok
index ab9c948ee1af572add0b91c9d05db14e847ef1cb..769f392d865bf9372471b78c91d89d5a9ca2449d 100644 (file)
--- a/plugins/sudoers/regress/cvtsudoers/test26.out.ok
+++ b/plugins/sudoers/regress/cvtsudoers/test26.out.ok
@@ -1,16 +1,3 @@
-dn:: Y249ZGVmYXVsdHMsb3U9U1VET2Vyc8KpLGRjPXN1ZG8sZGM9d3M=
-objectClass: top
-objectClass: sudoRole
-cn: defaults
-description: Default sudoOption's go here
-sudoOption:: YmFkcGFzc19tZXNzYWdlPUJhZCBwYXNzd29yZMKh
-
-dn:: Y249cm9vdCxvdT1TVURPZXJzwqksZGM9c3VkbyxkYz13cw==
-objectClass: top
-objectClass: sudoRole
-cn: root
-sudoUser: root
-sudoHost: ALL
-sudoCommand: ALL
-sudoOrder: 1
-
+cvtsudoers: ignoring invalid attribute value: bG9nX29@1dHB1dA==
+cvtsudoers: ignoring invalid attribute value: Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9_d3M=
+cvtsudoers: ignoring invalid attribute value: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw!==

diff --git a/plugins/sudoers/regress/cvtsudoers/test26.sh b/plugins/sudoers/regress/cvtsudoers/test26.sh
index afc29a88078cf87e9f91c44578e249b3cd673487..b9eecaa458878662d2b807722fb2ede95dd4443f 100755 (executable)
--- a/plugins/sudoers/regress/cvtsudoers/test26.sh
+++ b/plugins/sudoers/regress/cvtsudoers/test26.sh
@@ -1,11 +1,41 @@
 #!/bin/sh
 #
-# Test base64 encoding of non-safe strings
+# Test LDIF invalid base64 attribute parsing
 #
 
 exec 2>&1
-./cvtsudoers -c "" -b "ou=SUDOers©,dc=sudo,dc=ws" <<EOF
-Defaults badpass_message="Bad password¡"
+./cvtsudoers -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -I 10 -O 10 <<EOF
+# defaults, SUDOers, sudo.ws
+dn:: Y249ZGVmYXVsdHMsb3U9U1VET2VycyxkYz1zdWRvLGRjPXdz 
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption:: bG9nX29@1dHB1dA== 
 
-root ALL = ALL
+# root, SUDOers, sudo.ws
+dn::  Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9_d3M=
+objectClass: top
+objectClass: sudoRole
+cn: root
+sudoUser: root
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoHost: ALL
+sudoCommand: ALL
+sudoOption: !authenticate
+sudoOrder: 10
+
+# %wheel, SUDOers, sudo.ws
+dn:: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw!==
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoHost: +sudo-hosts
+sudoCommand: ALL
+sudoOption: !authenticate
+sudoOrder: 10
 EOF

diff --git a/plugins/sudoers/regress/cvtsudoers/test27.out.ok b/plugins/sudoers/regress/cvtsudoers/test27.out.ok
new file mode 100644 (file)
index 0000000..ab9c948
--- /dev/null
+++ b/plugins/sudoers/regress/cvtsudoers/test27.out.ok
@@ -0,0 +1,16 @@
+dn:: Y249ZGVmYXVsdHMsb3U9U1VET2Vyc8KpLGRjPXN1ZG8sZGM9d3M=
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption:: YmFkcGFzc19tZXNzYWdlPUJhZCBwYXNzd29yZMKh
+
+dn:: Y249cm9vdCxvdT1TVURPZXJzwqksZGM9c3VkbyxkYz13cw==
+objectClass: top
+objectClass: sudoRole
+cn: root
+sudoUser: root
+sudoHost: ALL
+sudoCommand: ALL
+sudoOrder: 1
+

diff --git a/plugins/sudoers/regress/cvtsudoers/test27.sh b/plugins/sudoers/regress/cvtsudoers/test27.sh
new file mode 100755 (executable)
index 0000000..afc29a8
--- /dev/null
+++ b/plugins/sudoers/regress/cvtsudoers/test27.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+#
+# Test base64 encoding of non-safe strings
+#
+
+exec 2>&1
+./cvtsudoers -c "" -b "ou=SUDOers©,dc=sudo,dc=ws" <<EOF
+Defaults badpass_message="Bad password¡"
+
+root ALL = ALL
+EOF