From 52409b9c722f3f0bb9c1e0741d6d8f2e332d037f Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 23 Jan 2018 11:05:41 -0700
Subject: [PATCH] Do not call the TIOCSETVERAUTH ioctl with a negative number of seconds. Also cap the max number of seconds at 3600 to avoid getting EINVAL from TIOCSETVERAUTH.
---
 plugins/sudoers/timestamp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/plugins/sudoers/timestamp.c b/plugins/sudoers/timestamp.c
index 9e2c4179a..465ff56cd 100644
--- a/plugins/sudoers/timestamp.c
+++ b/plugins/sudoers/timestamp.c
@@ -868,7 +868,12 @@ timestamp_update(void *vcookie, struct passwd *pw)
 int fd = open(_PATH_TTY, O_RDWR);
 if (fd != -1) {
 int secs = def_timestamp_timeout.tv_sec;
- ioctl(fd, TIOCSETVERAUTH, &secs);
+ if (secs > 0) {
+ if (secs > 3600)
+ secs = 3600; /* OpenBSD limitation */
+ if (ioctl(fd, TIOCSETVERAUTH, &secs) != 0)
+ sudo_warn("TIOCSETVERAUTH");
+ }
 close(fd);
 }
 #endif
-- 
2.40.0
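Review bot: The new `secs > 0` and `secs > 3600` checks run on a value that the context line `int secs = def_timestamp_timeout.tv_sec;` has already narrowed to `int`, so if `tv_sec` is a 64-bit `time_t` (the field name suggests a `struct timespec`), a very large configured timeout can wrap to a negative or small positive number before it is clamped. Clamping in the wide type first avoids that, e.g. `time_t t = def_timestamp_timeout.tv_sec;` followed by `int secs = t > 3600 ? 3600 : t < 0 ? 0 : (int)t;`. The `secs <= 0` path now skips the ioctl without any diagnostic; a short comment such as `/* zero or negative timeout: no kernel-side record is set */` would record that this is intended, and whether an earlier record on the tty needs clearing in that case cannot be judged from this hunk. `timestamp_update` begins and ends outside the hunk.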