Check for invalid bas64 attributes.

2025-08-22 01:49:11 +00:00 · 2018-05-20 08:09:25 -06:00 · 2018-05-20 08:09:25 -06:00 · 1cd472c051
commit 1cd472c051
parent a04cb53e37
7 changed files with 129 additions and 49 deletions
--- a/2
+++ b/2
@ -433,6 +433,8 @@ plugins/sudoers/regress/cvtsudoers/test25.out.ok
 plugins/sudoers/regress/cvtsudoers/test25.sh
 plugins/sudoers/regress/cvtsudoers/test26.out.ok
 plugins/sudoers/regress/cvtsudoers/test26.sh
+plugins/sudoers/regress/cvtsudoers/test27.out.ok
+plugins/sudoers/regress/cvtsudoers/test27.sh
 plugins/sudoers/regress/cvtsudoers/test3.out.ok
 plugins/sudoers/regress/cvtsudoers/test3.sh
 plugins/sudoers/regress/cvtsudoers/test4.out.ok
--- a/plugins/sudoers/cvtsudoers_ldif.c
+++ b/plugins/sudoers/cvtsudoers_ldif.c
@ -743,9 +743,23 @@ ldif_parse_attribute(char *str)

    attr = str;
    if (encoded) {
-	/* decode base64 inline and NUL-terminate */
-	len = base64_decode(str, (unsigned char *)attr, strlen(str));
+	/*
+	 * Decode base64 inline and add NUL-terminator.
+	 * The copy allows us to provide a useful message on error.
+	 */
+	char *copy = strdup(str);
+	if (copy == NULL) {
+	    sudo_fatalx(U_("%s: %s"), __func__,
+		U_("unable to allocate memory"));
+	}
+	len = base64_decode(copy, (unsigned char *)attr, strlen(attr));
+	if (len == (size_t)-1) {
+	    sudo_warnx(U_("ignoring invalid attribute value: %s"), copy);
+	    free(copy);
+	    debug_return_str(NULL);
+	}
 	attr[len] = '\0';
+	free(copy);
    }

    debug_return_str(attr);
@ -1254,6 +1268,11 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
 	    /* Compare dn to base, if specified. */
 	    if (conf->sudoers_base != NULL) {
 		attr = ldif_parse_attribute(line + 3);
+		if (attr == NULL) {
+		    /* invalid attribute */
+		    mismatch = true;
+		    continue;
+		}
 		/* Skip over cn if present. */
 		if (strncasecmp(attr, "cn=", 3) == 0) {
 		    for (attr += 3; *attr != '\0'; attr++) {
@ -1274,7 +1293,7 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
 	    }
 	} else if (strncmp(line, "objectClass:", 12) == 0) {
 	    attr = ldif_parse_attribute(line + 12);
-	    if (strcmp(attr, "sudoRole") == 0)
+	    if (attr != NULL && strcmp(attr, "sudoRole") == 0)
 		in_role = true;
 	}

@ -1285,49 +1304,63 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
 	/* Part of a sudoRole, parse it. */
 	if (strncmp(line, "cn:", 3) == 0) {
 	    attr = ldif_parse_attribute(line + 3);
+	    if (attr != NULL) {
 		free(role->cn);
 		role->cn = unquote_cn(attr);
 		if (role->cn == NULL) {
 		    sudo_fatalx(U_("%s: %s"), __func__,
 			U_("unable to allocate memory"));
 		}
+	    }
 	} else if (strncmp(line, "sudoUser:", 9) == 0) {
 	    attr = ldif_parse_attribute(line + 9);
+	    if (attr != NULL)
 		ldif_store_string(attr, role->users, true);
 	} else if (strncmp(line, "sudoHost:", 9) == 0) {
 	    attr = ldif_parse_attribute(line + 9);
+	    if (attr != NULL)
 		ldif_store_string(attr, role->hosts, true);
 	} else if (strncmp(line, "sudoRunAs:", 10) == 0) {
 	    attr = ldif_parse_attribute(line + 10);
+	    if (attr != NULL)
 		ldif_store_string(attr, role->runasusers, true);
 	} else if (strncmp(line, "sudoRunAsUser:", 14) == 0) {
 	    attr = ldif_parse_attribute(line + 14);
+	    if (attr != NULL)
 		ldif_store_string(attr, role->runasusers, true);
 	} else if (strncmp(line, "sudoRunAsGroup:", 15) == 0) {
 	    attr = ldif_parse_attribute(line + 15);
+	    if (attr != NULL)
 		ldif_store_string(attr, role->runasgroups, true);
 	} else if (strncmp(line, "sudoCommand:", 12) == 0) {
 	    attr = ldif_parse_attribute(line + 12);
+	    if (attr != NULL)
 		ldif_store_string(attr, role->cmnds, false);
 	} else if (strncmp(line, "sudoOption:", 11) == 0) {
 	    attr = ldif_parse_attribute(line + 11);
+	    if (attr != NULL)
 		ldif_store_string(attr, role->options, false);
 	} else if (strncmp(line, "sudoOrder:", 10) == 0) {
 	    char *ep;
 	    attr = ldif_parse_attribute(line + 10);
+	    if (attr != NULL) {
 		role->order = strtod(attr, &ep);
 		if (ep == attr || *ep != '\0')
 		    sudo_warnx(U_("invalid sudoOrder attribute: %s"), attr);
+	    }
 	} else if (strncmp(line, "sudoNotBefore:", 14) == 0) {
 	    attr = ldif_parse_attribute(line + 14);
+	    if (attr != NULL) {
 		free(role->notbefore);
 		role->notbefore = strdup(attr);
 		if (role->notbefore == NULL) {
 		    sudo_fatalx(U_("%s: %s"), __func__,
 			U_("unable to allocate memory"));
 		}
+	    }
 	} else if (strncmp(line, "sudoNotAfter:", 13) == 0) {
 	    attr = ldif_parse_attribute(line + 13);
+	    if (attr != NULL) {
 		free(role->notafter);
 		role->notafter = strdup(attr);
 		if (role->notafter == NULL) {
@ -1336,6 +1369,7 @@ parse_ldif(const char *input_file, struct cvtsudoers_config *conf)
 		}
 	    }
 	}
+    }
    sudo_role_free(role);
    free(line);

--- a/plugins/sudoers/regress/cvtsudoers/test25.sh
+++ b/plugins/sudoers/regress/cvtsudoers/test25.sh
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Test LDAP base filtering.
+# Test LDIF base64 attribute parsing
 #

 exec 2>&1
--- a/plugins/sudoers/regress/cvtsudoers/test26.out.ok
+++ b/plugins/sudoers/regress/cvtsudoers/test26.out.ok
@ -1,16 +1,3 @@
-dn:: Y249ZGVmYXVsdHMsb3U9U1VET2Vyc8KpLGRjPXN1ZG8sZGM9d3M=
-objectClass: top
-objectClass: sudoRole
-cn: defaults
-description: Default sudoOption's go here
-sudoOption:: YmFkcGFzc19tZXNzYWdlPUJhZCBwYXNzd29yZMKh
-
-dn:: Y249cm9vdCxvdT1TVURPZXJzwqksZGM9c3VkbyxkYz13cw==
-objectClass: top
-objectClass: sudoRole
-cn: root
-sudoUser: root
-sudoHost: ALL
-sudoCommand: ALL
-sudoOrder: 1
-
+cvtsudoers: ignoring invalid attribute value: bG9nX29@1dHB1dA==
+cvtsudoers: ignoring invalid attribute value: Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9_d3M=
+cvtsudoers: ignoring invalid attribute value: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw!==
--- a/plugins/sudoers/regress/cvtsudoers/test26.sh
+++ b/plugins/sudoers/regress/cvtsudoers/test26.sh
@ -1,11 +1,41 @@
 #!/bin/sh
 #
-# Test base64 encoding of non-safe strings
+# Test LDIF invalid base64 attribute parsing
 #

 exec 2>&1
-./cvtsudoers -c "" -b "ou=SUDOers©,dc=sudo,dc=ws" <<EOF
-Defaults badpass_message="Bad password¡"
+./cvtsudoers -c "" -i ldif -b "ou=SUDOers,dc=sudo,dc=ws" -I 10 -O 10 <<EOF
+# defaults, SUDOers, sudo.ws
+dn:: Y249ZGVmYXVsdHMsb3U9U1VET2VycyxkYz1zdWRvLGRjPXdz 
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption:: bG9nX29@1dHB1dA== 

-root ALL = ALL
+# root, SUDOers, sudo.ws
+dn::  Y249cm9vdCxvdT1TVURPZXJzLGRjPXN1ZG8sZGM9_d3M=
+objectClass: top
+objectClass: sudoRole
+cn: root
+sudoUser: root
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoHost: ALL
+sudoCommand: ALL
+sudoOption: !authenticate
+sudoOrder: 10
+
+# %wheel, SUDOers, sudo.ws
+dn:: Y249JXdoZWVsLG91PVNVRE9lcnMsZGM9c3VkbyxkYz13cw!==
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoHost: +sudo-hosts
+sudoCommand: ALL
+sudoOption: !authenticate
+sudoOrder: 10
 EOF
--- a/plugins/sudoers/regress/cvtsudoers/test27.out.ok
+++ b/plugins/sudoers/regress/cvtsudoers/test27.out.ok
@ -0,0 +1,16 @@
+dn:: Y249ZGVmYXVsdHMsb3U9U1VET2Vyc8KpLGRjPXN1ZG8sZGM9d3M=
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption:: YmFkcGFzc19tZXNzYWdlPUJhZCBwYXNzd29yZMKh
+
+dn:: Y249cm9vdCxvdT1TVURPZXJzwqksZGM9c3VkbyxkYz13cw==
+objectClass: top
+objectClass: sudoRole
+cn: root
+sudoUser: root
+sudoHost: ALL
+sudoCommand: ALL
+sudoOrder: 1
+
--- a/plugins/sudoers/regress/cvtsudoers/test27.sh
+++ b/plugins/sudoers/regress/cvtsudoers/test27.sh
@ -0,0 +1,11 @@
+#!/bin/sh
+#
+# Test base64 encoding of non-safe strings
+#
+
+exec 2>&1
+./cvtsudoers -c "" -b "ou=SUDOers©,dc=sudo,dc=ws" <<EOF
+Defaults badpass_message="Bad password¡"
+
+root ALL = ALL
+EOF