sudo/backport-sudo_ldap_parse_options-fix-memory-leak-of-sudoRole-.patch

From 22a01410bdac0ead284e0611b7814a56973a860a Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 24 Feb 2022 07:56:38 -0700
Subject: [PATCH] sudo_ldap_parse_options: fix memory leak of sudoRole cn
 string. Coverity CID 249976

---
 plugins/sudoers/ldap.c | 41 ++++++++++++++++++-----------------------
 1 file changed, 18 insertions(+), 23 deletions(-)

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index e3c47b9bc..13e74160b 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -421,38 +421,31 @@ sudo_ldap_get_first_rdn(LDAP *ld, LDAPMessage *entry, int *rc)
 static bool
 sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry, struct defaults_list *defs)
 {
-    struct berval **bv, **p;
-    char *cn, *cp, *source = NULL;
+    struct berval **p, **bv = NULL;
+    char *cp, *cn = NULL, *source = NULL;
     bool ret = false;
     int rc;
     debug_decl(sudo_ldap_parse_options, SUDOERS_DEBUG_LDAP);
 
     bv = sudo_ldap_get_values_len(ld, entry, "sudoOption", &rc);
     if (bv == NULL) {
-	if (rc == LDAP_NO_MEMORY) {
-	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
-	    debug_return_bool(false);
-	}
+	if (rc == LDAP_NO_MEMORY)
+	    goto oom;
 	debug_return_bool(true);
     }
 
     /* Use sudoRole in place of file name in defaults. */
     cn = sudo_ldap_get_first_rdn(ld, entry, &rc);
     if (cn == NULL) {
-	if (rc == LDAP_NO_MEMORY) {
-	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
-	    goto done;
-	}
-    }
-    if (asprintf(&cp, "sudoRole %s", cn ? cn : "UNKNOWN") == -1) {
-	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
-	goto done;
-    }
-    if ((source = sudo_rcstr_dup(cp)) == NULL) {
-	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
-	free(cp);
-	goto done;
+	if (rc == LDAP_NO_MEMORY)
+	    goto oom;
     }
+    if (asprintf(&cp, "sudoRole %s", cn ? cn : "UNKNOWN") == -1)
+	goto oom;
+    source = sudo_rcstr_dup(cp);
+    free(cp);
+    if (source == NULL)
+	goto oom;
 
     /* Walk through options, appending to defs. */
     for (p = bv; *p != NULL; p++) {
@@ -460,13 +453,15 @@ sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry, struct defaults_list *defs
 	int op;
 
 	op = sudo_ldap_parse_option((*p)->bv_val, &var, &val);
-	if (!append_default(var, val, op, source, defs)) {
-	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
-	    goto done;
-	}
+	if (!append_default(var, val, op, source, defs))
+	    goto oom;
     }
 
     ret = true;
+    goto done;
+
+oom:
+    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 
 done:
     sudo_rcstr_delref(source);
-- 
2.33.0
Backport patches from upstream community 2022-11-25 12:49:32 +00:00			`From 22a01410bdac0ead284e0611b7814a56973a860a Mon Sep 17 00:00:00 2001`
			`From: "Todd C. Miller" <Todd.Miller@sudo.ws>`
			`Date: Thu, 24 Feb 2022 07:56:38 -0700`
			`Subject: [PATCH] sudo_ldap_parse_options: fix memory leak of sudoRole cn`
			`string. Coverity CID 249976`

			`---`
			`plugins/sudoers/ldap.c \| 41 ++++++++++++++++++-----------------------`
			`1 file changed, 18 insertions(+), 23 deletions(-)`

			`diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c`
			`index e3c47b9bc..13e74160b 100644`
			`--- a/plugins/sudoers/ldap.c`
			`+++ b/plugins/sudoers/ldap.c`
			`@@ -421,38 +421,31 @@ sudo_ldap_get_first_rdn(LDAP ld, LDAPMessage entry, int *rc)`
			`static bool`
			`sudo_ldap_parse_options(LDAP ld, LDAPMessage entry, struct defaults_list *defs)`
			`{`
			`- struct berval bv, p;`
			`- char cn, cp, *source = NULL;`
			`+ struct berval p, bv = NULL;`
			`+ char cp, cn = NULL, *source = NULL;`
			`bool ret = false;`
			`int rc;`
			`debug_decl(sudo_ldap_parse_options, SUDOERS_DEBUG_LDAP);`

			`bv = sudo_ldap_get_values_len(ld, entry, "sudoOption", &rc);`
			`if (bv == NULL) {`
			`- if (rc == LDAP_NO_MEMORY) {`
			`- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));`
			`- debug_return_bool(false);`
			`- }`
			`+ if (rc == LDAP_NO_MEMORY)`
			`+ goto oom;`
			`debug_return_bool(true);`
			`}`

			`/* Use sudoRole in place of file name in defaults. */`
			`cn = sudo_ldap_get_first_rdn(ld, entry, &rc);`
			`if (cn == NULL) {`
			`- if (rc == LDAP_NO_MEMORY) {`
			`- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));`
			`- goto done;`
			`- }`
			`- }`
			`- if (asprintf(&cp, "sudoRole %s", cn ? cn : "UNKNOWN") == -1) {`
			`- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));`
			`- goto done;`
			`- }`
			`- if ((source = sudo_rcstr_dup(cp)) == NULL) {`
			`- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));`
			`- free(cp);`
			`- goto done;`
			`+ if (rc == LDAP_NO_MEMORY)`
			`+ goto oom;`
			`}`
			`+ if (asprintf(&cp, "sudoRole %s", cn ? cn : "UNKNOWN") == -1)`
			`+ goto oom;`
			`+ source = sudo_rcstr_dup(cp);`
			`+ free(cp);`
			`+ if (source == NULL)`
			`+ goto oom;`

			`/* Walk through options, appending to defs. */`
			`for (p = bv; *p != NULL; p++) {`
			`@@ -460,13 +453,15 @@ sudo_ldap_parse_options(LDAP ld, LDAPMessage entry, struct defaults_list *defs`
			`int op;`

			`op = sudo_ldap_parse_option((*p)->bv_val, &var, &val);`
			`- if (!append_default(var, val, op, source, defs)) {`
			`- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));`
			`- goto done;`
			`- }`
			`+ if (!append_default(var, val, op, source, defs))`
			`+ goto oom;`
			`}`

			`ret = true;`
			`+ goto done;`
			`+`
			`+oom:`
			`+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));`

			`done:`
			`sudo_rcstr_delref(source);`
			`--`
			`2.33.0`