From: Todd C. Miller Date: Tue, 23 Jan 2018 18:05:41 +0000 (-0700) Subject: Do not call the TIOCSETVERAUTH ioctl with a negative number of seconds. X-Git-Tag: SUDO_1_8_23^2~189 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=52409b9c722f3f0bb9c1e0741d6d8f2e332d037f;p=sudo Do not call the TIOCSETVERAUTH ioctl with a negative number of seconds. Also cap the max number of seconds at 3600 to avoid getting EINVAL from TIOCSETVERAUTH. --- diff --git a/plugins/sudoers/timestamp.c b/plugins/sudoers/timestamp.c index 9e2c4179a..465ff56cd 100644 --- a/plugins/sudoers/timestamp.c +++ b/plugins/sudoers/timestamp.c @@ -868,7 +868,12 @@ timestamp_update(void *vcookie, struct passwd *pw) int fd = open(_PATH_TTY, O_RDWR); if (fd != -1) { int secs = def_timestamp_timeout.tv_sec; - ioctl(fd, TIOCSETVERAUTH, &secs); + if (secs > 0) { + if (secs > 3600) + secs = 3600; /* OpenBSD limitation */ + if (ioctl(fd, TIOCSETVERAUTH, &secs) != 0) + sudo_warn("TIOCSETVERAUTH"); + } close(fd); } #endif
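Review bot: The context line `int secs = def_timestamp_timeout.tv_sec;` narrows the value to int before the new `secs > 0` and `secs > 3600` checks run, so a tv_sec that does not fit in an int could wrap and then either be skipped as non-positive or pass under the cap with an unrelated value. Suggest doing the range check and the clamp on `def_timestamp_timeout.tv_sec` itself and only then assigning the result to the int that is passed to the ioctl. Two smaller points in the same hunk: `if (secs > 0)` also skips a timeout of exactly zero, which the commit message (negative values only) does not mention, and the literal 3600 would be easier to audit as a named constant, with the "OpenBSD limitation" comment moved to its definition.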