From: Todd C. Miller Date: Thu, 11 Sep 2008 11:06:37 +0000 (+0000) Subject: Fix a dereference (read) of a freed pointer. Reported by Patrick Williams. X-Git-Tag: SUDO_1_7_0~90 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d0a44e437ca266b5aa53d93503dcd7a9e8d2379f;p=sudo Fix a dereference (read) of a freed pointer. Reported by Patrick Williams. --- diff --git a/match.c b/match.c index 50115a784..3aa153c62 100644 --- a/match.c +++ b/match.c @@ -1,5 +1,6 @@ /* - * Copyright (c) 1996, 1998-2005 Todd C. Miller + * Copyright (c) 1996, 1998-2005, 2008 + * Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -369,9 +370,10 @@ command_matches(sudoers_cmnd, sudoers_args) { struct stat sudoers_stat; struct dirent *dent; - char **ap, *base, buf[PATH_MAX]; + char *cp, *base, buf[PATH_MAX]; glob_t gl; DIR *dirp; + int i; /* Check for pseudo-commands */ if (strchr(user_cmnd, '/') == NULL) { @@ -413,25 +415,26 @@ command_matches(sudoers_cmnd, sudoers_args) return(FALSE); } /* For each glob match, compare basename, st_dev and st_ino. */ - for (ap = gl.gl_pathv; *ap != NULL; ap++) { + i = 0; + while ((cp = gl.gl_pathv[i++])) { /* only stat if basenames are the same */ - if ((base = strrchr(*ap, '/')) != NULL) + if ((base = strrchr(cp, '/')) != NULL) base++; else - base = *ap; + base = cp; if (strcmp(user_base, base) != 0 || - stat(*ap, &sudoers_stat) == -1) + stat(cp, &sudoers_stat) == -1) continue; if (user_stat == NULL || (user_stat->st_dev == sudoers_stat.st_dev && user_stat->st_ino == sudoers_stat.st_ino)) { efree(safe_cmnd); - safe_cmnd = estrdup(*ap); + safe_cmnd = estrdup(cp); break; } } globfree(&gl); - if (*ap == NULL) + if (cp == NULL) return(FALSE); if (!sudoers_args ||