From 26a1a7529a1974e28b179e18925a92d6dadf5660 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 23 Jul 2025 20:00:42 -0600
Subject: [PATCH] digest_matches: plug fd leak on snprinf() failure
---
 plugins/sudoers/match_command.c | 6 ++++--
 plugins/sudoers/match_digest.c | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/plugins/sudoers/match_command.c b/plugins/sudoers/match_command.c
index a479ceec3..dc4d24472 100644
--- a/plugins/sudoers/match_command.c
+++ b/plugins/sudoers/match_command.c
@@ -272,7 +272,8 @@ command_matches_dir(struct sudoers_context *ctx, const char *sudoers_dir,
 len = snprintf(sdbuf, sizeof(sdbuf), "%s%s", runchroot, sudoers_dir);
 if (len >= ssizeof(sdbuf)) {
 errno = ENAMETOOLONG;
- debug_return_bool(false);
+ sudo_warn("%s%s", runchroot, sudoers_dir);
+ goto done;
 }
 sudoers_dir = sdbuf;
 chrootlen = strlen(runchroot);
@@ -536,7 +537,8 @@ command_matches_glob(struct sudoers_context *ctx, const char *sudoers_cmnd,
 snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, sudoers_cmnd);
 if (len >= ssizeof(pathbuf)) {
 errno = ENAMETOOLONG;
- debug_return_bool(false);
+ sudo_warn("%s%s", runchroot, sudoers_cmnd);
+ debug_return_int(DENY);
 }
 sudoers_cmnd = pathbuf;
 chrootlen = strlen(runchroot);
diff --git a/plugins/sudoers/match_digest.c b/plugins/sudoers/match_digest.c
index 476fdd866..bb5258ef3 100644
--- a/plugins/sudoers/match_digest.c
+++ b/plugins/sudoers/match_digest.c
@@ -73,7 +73,8 @@ digest_matches(int fd, const char *path, const char *runchroot,
 snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
 if (len >= ssizeof(pathbuf)) {
 errno = ENAMETOOLONG;
- debug_return_bool(false);
+ sudo_warn("%s%s", runchroot, path);
+ goto done;
 }
 path = pathbuf;
 }
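Review bot: The guard `if (len >= ssizeof(sdbuf)) {` in the command_matches_dir hunk rejects a truncated path but not a negative return from snprintf(); if ssizeof() is a signed sizeof, as its use here suggests, a negative len falls through and sdbuf is then used as the chroot-prefixed path for the match decision. Consider `if (len < 0 || len >= ssizeof(sdbuf)) {`, and assign `errno = ENAMETOOLONG;` only in the truncation case so that sudo_warn() reports the error snprintf() actually set. The same check on pathbuf appears in the command_matches_glob and digest_matches hunks. The `done` label and the rest of each function lie outside the hunks, so what the new `goto done` paths release and return cannot be confirmed from this page.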