From: Todd C. Miller
Date: Sun, 20 May 2018 14:09:25 +0000 (-0600)
Subject: Check for invalid bas64 attributes.
X-Git-Tag: SUDO_1_8_24^2~62
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1cd472c0514b79dd3e5cb117dd6a94fe4fb3c82a;p=sudo
Check for invalid bas64 attributes.
---
diff --git a/MANIFEST b/MANIFEST
index bde1f83ce..b7919ee05 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -433,6 +433,8 @@ plugins/sudoers/regress/cvtsudoers/test25.out.ok
 plugins/sudoers/regress/cvtsudoers/test25.sh
 plugins/sudoers/regress/cvtsudoers/test26.out.ok
 plugins/sudoers/regress/cvtsudoers/test26.sh
+plugins/sudoers/regress/cvtsudoers/test27.out.ok
+plugins/sudoers/regress/cvtsudoers/test27.sh
 plugins/sudoers/regress/cvtsudoers/test3.out.ok
 plugins/sudoers/regress/cvtsudoers/test3.sh
 plugins/sudoers/regress/cvtsudoers/test4.out.ok
diff --git a/plugins/sudoers/cvtsudoers_ldif.c b/plugins/sudoers/cvtsudoers_ldif.c
index ce8301a69..1fbda1f55 100644
--- a/plugins/sudoers/cvtsudoers_ldif.c
+++ b/plugins/sudoers/cvtsudoers_ldif.c
@@ -743,9 +743,23 @@ ldif_parse_attribute(char *str)
  attr = str;
  if (encoded) {
- /* decode base64 inline and NUL-terminate */
- len = base64_decode(str, (unsigned char *)attr, strlen(str));
+ /*
+ * Decode base64 inline and add NUL-terminator.
+ * The copy allows us to provide a useful message on error.
+ */
+ char *copy = strdup(str);
+ if (copy == NULL) {
+ sudo_fatalx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ }
+ len = base64_decode(copy, (unsigned char *)attr, strlen(attr));
+ if (len == (size_t)-1) {
+ sudo_warnx(U_("ignoring invalid attribute value: %s"), copy);
+ free(copy);
+ debug_return_str(NULL);
+ }
  attr[len] = '\0';
+ free(copy);
  }
  debug_return_str(attr);
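Review bot: The NUL write at `attr[len] = '\0'` after a successful decode stays in bounds only because `strlen(attr)` is passed as the output-buffer size and base64 output is, assuming base64_decode behaves like a standard decoder, strictly shorter than its input; that invariant is what protects the terminator and deserves a comment, e.g. `/* Decoded output is always shorter than the encoded input, so the NUL at attr[len] fits. */`. The new warning prints the raw undecodable value but not which attribute or input line it came from, so an administrator cannot tell which entry was dropped; if parse_ldif tracks a line number, passing it through (or warning from the caller, which knows the attribute name) would make the diagnostic actionable. On the failure path `attr`, which aliases `str`, may already hold partially decoded bytes; this is harmless because NULL is returned, but a one-line comment would stop a later caller from reusing `str`. ldif_parse_attribute begins before this hunk and its closing lines are not visible here.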
@@ -1254,6 +1268,11 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
  /* Compare dn to base, if specified. */
  if (conf->sudoers_base != NULL) {
  attr = ldif_parse_attribute(line + 3);
+ if (attr == NULL) {
+ /* invalid attribute */
+ mismatch = true;
+ continue;
+ }
  /* Skip over cn if present. */
  if (strncasecmp(attr, "cn=", 3) == 0) {
  for (attr += 3; *attr != '\0'; attr++) {
@@ -1274,7 +1293,7 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
  }
  } else if (strncmp(line, "objectClass:", 12) == 0) {
  attr = ldif_parse_attribute(line + 12);
- if (strcmp(attr, "sudoRole") == 0)
+ if (attr != NULL && strcmp(attr, "sudoRole") == 0)
  in_role = true;
  }
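Review bot: The new `attr == NULL` rejection of an undecodable `dn::` sits inside `if (conf->sudoers_base != NULL)`, so whether a corrupt dn causes the entry to be skipped depends on whether `-b` was given; with no base the dn is never parsed here and the entry is converted without any warning. If malformed base64 is meant to be reported consistently, the dn should be decoded (or at least validated) independently of the base filter. The comment `/* invalid attribute */` could state the policy rather than restate the condition: `/* Undecodable dn: treat as a non-matching entry and skip it. */`. In the second hunk an undecodable `objectClass::` just leaves `in_role` false, which is the conservative outcome. parse_ldif begins before these hunks and continues past them.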
@@ -1285,54 +1304,69 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
  /* Part of a sudoRole, parse it. */
  if (strncmp(line, "cn:", 3) == 0) {
  attr = ldif_parse_attribute(line + 3);
- free(role->cn);
- role->cn = unquote_cn(attr);
- if (role->cn == NULL) {
- sudo_fatalx(U_("%s: %s"), __func__,
- U_("unable to allocate memory"));
+ if (attr != NULL) {
+ free(role->cn);
+ role->cn = unquote_cn(attr);
+ if (role->cn == NULL) {
+ sudo_fatalx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ }
  }
  } else if (strncmp(line, "sudoUser:", 9) == 0) {
  attr = ldif_parse_attribute(line + 9);
- ldif_store_string(attr, role->users, true);
+ if (attr != NULL)
+ ldif_store_string(attr, role->users, true);
  } else if (strncmp(line, "sudoHost:", 9) == 0) {
  attr = ldif_parse_attribute(line + 9);
- ldif_store_string(attr, role->hosts, true);
+ if (attr != NULL)
+ ldif_store_string(attr, role->hosts, true);
  } else if (strncmp(line, "sudoRunAs:", 10) == 0) {
  attr = ldif_parse_attribute(line + 10);
- ldif_store_string(attr, role->runasusers, true);
+ if (attr != NULL)
+ ldif_store_string(attr, role->runasusers, true);
  } else if (strncmp(line, "sudoRunAsUser:", 14) == 0) {
  attr = ldif_parse_attribute(line + 14);
- ldif_store_string(attr, role->runasusers, true);
+ if (attr != NULL)
+ ldif_store_string(attr, role->runasusers, true);
  } else if (strncmp(line, "sudoRunAsGroup:", 15) == 0) {
  attr = ldif_parse_attribute(line + 15);
- ldif_store_string(attr, role->runasgroups, true);
+ if (attr != NULL)
+ ldif_store_string(attr, role->runasgroups, true);
  } else if (strncmp(line, "sudoCommand:", 12) == 0) {
  attr = ldif_parse_attribute(line + 12);
- ldif_store_string(attr, role->cmnds, false);
+ if (attr != NULL)
+ ldif_store_string(attr, role->cmnds, false);
  } else if (strncmp(line, "sudoOption:", 11) == 0) {
  attr = ldif_parse_attribute(line + 11);
- ldif_store_string(attr, role->options, false);
+ if (attr != NULL)
+ ldif_store_string(attr, role->options, false);
  } else if (strncmp(line, "sudoOrder:", 10) == 0) {
  char *ep;
  attr = ldif_parse_attribute(line + 10);
- role->order = strtod(attr, &ep);
- if (ep == attr || *ep != '\0')
- sudo_warnx(U_("invalid sudoOrder attribute: %s"), attr);
+ if (attr != NULL) {
+ role->order = strtod(attr, &ep);
+ if (ep == attr || *ep != '\0')
+ sudo_warnx(U_("invalid sudoOrder attribute: %s"), attr);
+ }
  } else if (strncmp(line, "sudoNotBefore:", 14) == 0) {
  attr = ldif_parse_attribute(line + 14);
- free(role->notbefore);
- role->notbefore = strdup(attr);
- if (role->notbefore == NULL) {
- sudo_fatalx(U_("%s: %s"), __func__,
- U_("unable to allocate memory"));
+ if (attr != NULL) {
+ free(role->notbefore);
+ role->notbefore = strdup(attr);
+ if (role->notbefore == NULL) {
+ sudo_fatalx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ }
  }
  } else if (strncmp(line, "sudoNotAfter:", 13) == 0) {
  attr = ldif_parse_attribute(line + 13);
- free(role->notafter);
- role->notafter = strdup(attr);
- if (role->notafter == NULL) {
- sudo_fatalx(U_("%s: %s"), __func__,
- U_("unable to allocate memory"));
+ if (attr != NULL) {
+ free(role->notafter);
+ role->notafter = strdup(attr);
+ if (role->notafter == NULL) {
+ sudo_fatalx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ }
  }
  }
  }
diff --git a/plugins/sudoers/regress/cvtsudoers/test25.sh b/plugins/sudoers/regress/cvtsudoers/test25.sh
index 7d26bb9fa..4cb8b4572 100755
--- a/plugins/sudoers/regress/cvtsudoers/test25.sh
+++ b/plugins/sudoers/regress/cvtsudoers/test25.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Test LDAP base filtering.
+# Test LDIF base64 attribute parsing
 #
 exec 2>&1
diff --git a/plugins/sudoers/regress/cvtsudoers/test26.out.ok b/plugins/sudoers/regress/cvtsudoers/test26.out.ok
index ab9c948ee..769f392d8 100644
--- a/plugins/sudoers/regress/cvtsudoers/test26.out.ok
+++ b/plugins/sudoers/regress/cvtsudoers/test26.out.ok
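Review bot: Inside a sudoRole the new `if (attr != NULL)` guards drop a single undecodable value and keep the role, and for several attributes that is fail-open rather than fail-closed: a dropped `sudoNotAfter` leaves the converted rule with no expiry, a dropped `sudoRunAsUser`/`sudoRunAsGroup` presumably falls back to the default runas target, and a dropped restrictive `sudoOption` such as `noexec` widens what the rule permits. Only losing a `sudoUser`, `sudoHost` or `sudoCommand` value narrows the rule, so the generated sudoers file can end up more permissive than the LDIF it was converted from, with nothing but a stderr warning to show for it. A safer policy is to mark the role invalid whenever one of its attributes fails to decode and skip it when the role is stored (or at least make the run exit non-zero); the role struct and the exit path are outside this hunk, so that likely needs a new flag such as `role->invalid = true;` in place of each silent drop. Whichever policy is chosen, a comment above the attribute chain stating that undecodable values are discarded, and why that is acceptable, would help the next reader. parse_ldif begins before this hunk and continues after it.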
@@ -1,16 +1,3 @@
-dn:: Y249ZGVmYXVsdHMsb3U9U1VET2Vyc8KpLGRjPXN1ZG8sZGM9d3M=
-objectClass: top
-objectClass: sudoRole
-cn: defaults
-description: Default sudoOption's go here
-sudoOption:: YmFkcGFzc19tZXNzYWdlPUJhZCBwYXNzd29yZMKh
-
-dn:: Y249cm9vdCxvdT1TVURPZXJzwqksZGM9c3VkbyxkYz13cw==
-objectClass: top
-objectClass: sudoRole
-cn: root
-sudoUser: root
-sudoHost: ALL
-sudoCommand: ALL
-sudoOrder: 1
-
+cvtsudoers: ignoring invalid attribute value: bG9nX29@1dHB1dA==
+cvtsudoers: ignoring invalid attribute value: Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9_d3M=
+cvtsudoers: ignoring invalid attribute value: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw!==
diff --git a/plugins/sudoers/regress/cvtsudoers/test26.sh b/plugins/sudoers/regress/cvtsudoers/test26.sh
index afc29a880..b9eecaa45 100755
--- a/plugins/sudoers/regress/cvtsudoers/test26.sh
+++ b/plugins/sudoers/regress/cvtsudoers/test26.sh
@@ -1,11 +1,41 @@
 #!/bin/sh
 #
-# Test base64 encoding of non-safe strings
+# Test LDIF invalid base64 attribute parsing
 #
 exec 2>&1
-./cvtsudoers -c "" -b "ou=SUDOers©,dc=sudo,dc=ws" <&1
+./cvtsudoers -c "" -b "ou=SUDOers©,dc=sudo,dc=ws" <