From: Todd C. Miller
Date: Fri, 11 Nov 2005 22:23:08 +0000 (+0000)
Subject: Move sudo_end{gr,pw}ent() until just before the exec since they
X-Git-Tag: SUDO_1_7_0~610
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b2a32d13c0d42462b252f277923987ad3293247b;p=sudo

Move sudo_end{gr,pw}ent() until just before the exec since they free up our cached copy of the passwd structs, including sudo_user and sudo_runas. Fixes a use-after-free bug.
---
diff --git a/sudo.c b/sudo.c
index 4206f4a61..a41310d2c 100644
--- a/sudo.c
+++ b/sudo.c
@@ -404,10 +404,6 @@ main(argc, argv)
 if (ISSET(sudo_mode, MODE_RUN)) set_perms(PERM_FULL_RUNAS);
- /* Close the password and group files */
- sudo_endpwent();
- sudo_endgrent();
-
 if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
 char *p;
@@ -431,6 +427,10 @@ main(argc, argv)
 (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
 (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
+ /* Close the password and group files and free up memory. */
+ sudo_endpwent();
+ sudo_endgrent();
+
 closefrom(def_closefrom + 1);
 #ifndef PROFILING
diff --git a/sudo_edit.c b/sudo_edit.c
index f0827c598..cac22312d 100644
--- a/sudo_edit.c
+++ b/sudo_edit.c
@@ -240,6 +240,9 @@ int sudo_edit(argc, argv)
 (void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
 (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
 set_perms(PERM_FULL_USER);
+ sudo_endpwent();
+ sudo_endgrent();
+ closefrom(def_closefrom + 1);
 execvp(nargv[0], nargv);
 warning("unable to execute %s", nargv[0]);
 _exit(127);
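Review bot: The relocated calls in the second sudo.c hunk, just before `closefrom(def_closefrom + 1);`, now mark the point after which the cached passwd and group entries no longer exist, but the new comment does not state that constraint. Per the commit description these calls free the structs behind sudo_user and sudo_runas, so any later code in main() that reads them would reintroduce the use-after-free. I would word the comment as `/* Close the password and group files and free the cached entries (including sudo_user and sudo_runas); nothing below may dereference them. */`. The same constraint applies to the calls added in sudo_edit.c, where `warning()` and `_exit(127)` still run after the release if `execvp()` fails. main() continues past the end of this hunk, so whether anything there touches the freed data cannot be confirmed from here.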
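Review bot: In sudo_edit.c the hunk adds `closefrom(def_closefrom + 1);` together with the two cache-release calls, yet the commit description only covers the latter. Closing inherited descriptors before `execvp()` changes what the exec'd program receives and is a separate hardening step, so it deserves its own line in the description or a comment such as `/* Do not leak open descriptors into the program we exec. */`. The added lines also lack the comment their sudo.c counterpart carries; `/* Close the password and group files and free up memory. */` above `sudo_endpwent();` would keep the two call sites consistent. sudo_edit() begins and ends outside this hunk.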