From: Todd C. Miller <Todd.Miller@courtesan.com>
Date: Wed, 16 Nov 2016 20:57:50 +0000 (-0700)
Subject: Plug memory leak when a particular Path is set more than once.
X-Git-Tag: SUDO_1_8_19^2~30
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e797fc643f9f3ab00db7b4e7b7c445cfd7e75769;p=sudo

Plug memory leak when a particular Path is set more than once.
---

diff --git a/lib/util/regress/sudo_conf/test1.in b/lib/util/regress/sudo_conf/test1.in
index d572cad99..41282d7da 100644
--- a/lib/util/regress/sudo_conf/test1.in
+++ b/lib/util/regress/sudo_conf/test1.in
@@ -42,6 +42,7 @@ Path askpass /usr/X11R6/bin/ssh-askpass
 # The compiled-in value is usually sufficient and should only be changed
 # if you rename or move the sudo_noexec.so file.
 #
+Path noexec /usr/local/libexec/sudo_noexec.so
 Path noexec /usr/libexec/sudo_noexec.so
 
 #
diff --git a/lib/util/sudo_conf.c b/lib/util/sudo_conf.c
index f5dd57a9d..0b88badac 100644
--- a/lib/util/sudo_conf.c
+++ b/lib/util/sudo_conf.c
@@ -64,6 +64,7 @@ struct sudo_conf_table {
 struct sudo_conf_path_table {
     const char *pname;
     unsigned int pnamelen;
+    bool dynamic;
     char *pval;
 };
 
@@ -115,10 +116,10 @@ static struct sudo_conf_data {
     TAILQ_HEAD_INITIALIZER(sudo_conf_data.debugging),
     TAILQ_HEAD_INITIALIZER(sudo_conf_data.plugins),
     {
-	{ "askpass", sizeof("askpass") - 1, _PATH_SUDO_ASKPASS },
-	{ "sesh", sizeof("sesh") - 1, _PATH_SUDO_SESH },
-	{ "noexec", sizeof("noexec") - 1, _PATH_SUDO_NOEXEC },
-	{ "plugin_dir", sizeof("plugin_dir") - 1, _PATH_SUDO_PLUGIN_DIR },
+	{ "askpass", sizeof("askpass") - 1, false, _PATH_SUDO_ASKPASS },
+	{ "sesh", sizeof("sesh") - 1, false, _PATH_SUDO_SESH },
+	{ "noexec", sizeof("noexec") - 1, false, _PATH_SUDO_NOEXEC },
+	{ "plugin_dir", sizeof("plugin_dir") - 1, false, _PATH_SUDO_PLUGIN_DIR },
 	{ NULL }
     }
 };
@@ -185,8 +186,10 @@ parse_path(const char *entry, const char *conf_file, unsigned int lineno)
 		    debug_return_int(-1);
 		}
 	    }
-	    /* XXX - potential memory leak */
+	    if (cur->dynamic)
+		free(cur->pval);
 	    cur->pval = pval;
+	    cur->dynamic = true;
 	    sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s:%u: Path %s %s",
 		__func__, conf_file, lineno, cur->pname,
 		pval ? pval : "(none)");
@@ -633,6 +636,10 @@ sudo_conf_clear_paths_v1(void)
     struct sudo_conf_path_table *cur;
     debug_decl(sudo_conf_clear_paths, SUDO_DEBUG_UTIL)
 
-    for (cur = sudo_conf_data.path_table; cur->pname != NULL; cur++)
+    for (cur = sudo_conf_data.path_table; cur->pname != NULL; cur++) {
+	if (cur->dynamic)
+	    free(cur->pval);
 	cur->pval = NULL;
+	cur->dynamic = false;
+    }
 }