mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-09-02 15:25:58 +00:00
Code Issues Releases Wiki Activity

Use an iterator instead of fragile pointer arithmetic to iterate

Browse Source 
over value arrays in sudo_ldap_role_to_priv().
This commit is contained in:
Todd C. Miller
2018-02-09 22:06:56 -07:00
parent 64e99328e3
commit 4459ee42ed
4 changed files with 41 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
plugins/sudoers/ldap.c
View File

@@ -2311,6 +2311,16 @@ sudo_ldap_display_bound_defaults(struct sudo_nss *nss, struct passwd *pw,
debug_return_int(0); debug_return_int(0);
} }
static char *
berval_iter(void *base, void **save)
{
struct berval **bv;
bv = *save ? *save : base;
*save = bv + 1;
return *bv ? (*bv)->bv_val : NULL;
}
static struct userspec_list * static struct userspec_list *
ldap_to_sudoers(LDAP *ld, struct ldap_result *lres) ldap_to_sudoers(LDAP *ld, struct ldap_result *lres)
{ {
@@ -2368,8 +2378,7 @@ ldap_to_sudoers(LDAP *ld, struct ldap_result *lres)
priv = sudo_ldap_role_to_priv(cn, runasusers, runasgroups, priv = sudo_ldap_role_to_priv(cn, runasusers, runasgroups,
cmnds, opts, notbefore ? notbefore[0]->bv_val : NULL, cmnds, opts, notbefore ? notbefore[0]->bv_val : NULL,
notafter ? notafter[0]->bv_val : NULL, notafter ? notafter[0]->bv_val : NULL, berval_iter);
sizeof(struct berval *), offsetof(struct berval, bv_val));
/* Cleanup */ /* Cleanup */
if (cn != NULL) if (cn != NULL)

28
plugins/sudoers/ldap_common.c
View File

@@ -117,19 +117,19 @@ sudo_ldap_parse_option(char *optstr, char **varp, char **valp)
* The caller is responsible for freeing the returned struct member_list. * The caller is responsible for freeing the returned struct member_list.
*/ */
static struct member_list * static struct member_list *
array_to_member_list(void *a, size_t ele_size, size_t str_off) array_to_member_list(void *a, sudo_ldap_iter_t iter)
{ {
struct member_list *members; struct member_list *members;
struct member *m; struct member *m;
void *save = NULL;
char *val;
debug_decl(bv_to_member_list, SUDOERS_DEBUG_LDAP) debug_decl(bv_to_member_list, SUDOERS_DEBUG_LDAP)
if ((members = calloc(1, sizeof(*members))) == NULL) if ((members = calloc(1, sizeof(*members))) == NULL)
return NULL; return NULL;
TAILQ_INIT(members); TAILQ_INIT(members);
for (;*((char **)a) != NULL; a = (char *)a + ele_size) { while ((val = iter(a, &save)) != NULL) {
char *val = *(char **)(*((char **)a) + str_off);
if ((m = calloc(1, sizeof(*m))) == NULL) if ((m = calloc(1, sizeof(*m))) == NULL)
goto bad; goto bad;
@@ -173,13 +173,15 @@ bad:
struct privilege * struct privilege *
sudo_ldap_role_to_priv(const char *cn, void *runasusers, void *runasgroups, sudo_ldap_role_to_priv(const char *cn, void *runasusers, void *runasgroups,
void *cmnds, void *opts, const char *notbefore, void *cmnds, void *opts, const char *notbefore,
const char *notafter, size_t ele_size, size_t str_off) const char *notafter, sudo_ldap_iter_t iter)
{ {
struct cmndspec *cmndspec = NULL; struct cmndspec *cmndspec = NULL;
struct cmndspec *prev_cmndspec = NULL; struct cmndspec *prev_cmndspec = NULL;
struct sudo_command *c; struct sudo_command *c;
struct privilege *priv; struct privilege *priv;
struct member *m; struct member *m;
void *cmnds_save = NULL;
char *cmnd;
debug_decl(sudo_ldap_role_to_priv, SUDOERS_DEBUG_LDAP) debug_decl(sudo_ldap_role_to_priv, SUDOERS_DEBUG_LDAP)
if ((priv = calloc(1, sizeof(*priv))) == NULL) if ((priv = calloc(1, sizeof(*priv))) == NULL)
@@ -200,12 +202,8 @@ sudo_ldap_role_to_priv(const char *cn, void *runasusers, void *runasgroups,
/* /*
* Parse sudoCommands and add to cmndlist. * Parse sudoCommands and add to cmndlist.
* The convoluted pointer arithmetic is to support passing in
* either a struct berval ** or a char ***.
* An interator would probably be better.
*/ */
for (;*((char **)cmnds) != NULL; cmnds = (char *)cmnds + ele_size) { while ((cmnd = iter(cmnds, &cmnds_save)) != NULL) {
char *cmnd = *(char **)(*((char **)cmnds) + str_off);
char *args; char *args;
/* Allocate storage upfront. */ /* Allocate storage upfront. */
@@ -256,7 +254,7 @@ sudo_ldap_role_to_priv(const char *cn, void *runasusers, void *runasgroups,
/* Parse sudoRunAsUser / sudoRunAs */ /* Parse sudoRunAsUser / sudoRunAs */
if (runasusers != NULL) { if (runasusers != NULL) {
cmndspec->runasuserlist = cmndspec->runasuserlist =
array_to_member_list(runasusers, ele_size, str_off); array_to_member_list(runasusers, iter);
if (cmndspec->runasuserlist == NULL) if (cmndspec->runasuserlist == NULL)
goto oom; goto oom;
} }
@@ -264,7 +262,7 @@ sudo_ldap_role_to_priv(const char *cn, void *runasusers, void *runasgroups,
/* Parse sudoRunAsGroup */ /* Parse sudoRunAsGroup */
if (runasgroups != NULL) { if (runasgroups != NULL) {
cmndspec->runasgrouplist = cmndspec->runasgrouplist =
array_to_member_list(runasgroups, ele_size, str_off); array_to_member_list(runasgroups, iter);
if (cmndspec->runasgrouplist == NULL) if (cmndspec->runasgrouplist == NULL)
goto oom; goto oom;
} }
@@ -277,8 +275,10 @@ sudo_ldap_role_to_priv(const char *cn, void *runasusers, void *runasgroups,
/* Parse sudoOptions. */ /* Parse sudoOptions. */
if (opts != NULL) { if (opts != NULL) {
for (; *((char **)opts) != NULL; opts = (char *)opts + ele_size) { void *opts_save = NULL;
char *opt = *(char **)(*((char **)opts) + str_off); char *opt;
while ((opt = iter(opts, &opts_save)) != NULL) {
char *var, *val; char *var, *val;
int op; int op;

16
plugins/sudoers/sssd.c
View File

@@ -1408,6 +1408,17 @@ sudo_sss_display_bound_defaults(struct sudo_nss *nss,
debug_return_int(0); debug_return_int(0);
} }
static char *
val_array_iter(void *base, void **save)
{
char **val_array;
val_array = *save ? *save : base;
*save = val_array + 1;
return *val_array;
}
static struct userspec_list * static struct userspec_list *
sss_to_sudoers(struct sudo_sss_handle *handle, struct sss_sudo_result *sss_result) sss_to_sudoers(struct sudo_sss_handle *handle, struct sss_sudo_result *sss_result)
{ {
@@ -1466,10 +1477,9 @@ sss_to_sudoers(struct sudo_sss_handle *handle, struct sss_sudo_result *sss_resul
/* Parse sudoOptions. */ /* Parse sudoOptions. */
handle->fn_get_values(rule, "sudoOption", &opts); handle->fn_get_values(rule, "sudoOption", &opts);
priv = sudo_ldap_role_to_priv(cn, runasusers ? &runasusers : NULL, priv = sudo_ldap_role_to_priv(cn, runasusers, runasgroups, cmnds, opts,
runasgroups ? &runasgroups: NULL, &cmnds, opts ? &opts : NULL,
notbefore ? notbefore[0] : NULL, notafter ? notafter[0] : NULL, notbefore ? notbefore[0] : NULL, notafter ? notafter[0] : NULL,
sizeof(char **), 0); val_array_iter);
/* Cleanup */ /* Cleanup */
if (cn_array != NULL) if (cn_array != NULL)

4
plugins/sudoers/sudo_ldap.h
View File

@@ -17,9 +17,11 @@
#ifndef SUDOERS_LDAP_H #ifndef SUDOERS_LDAP_H
#define SUDOERS_LDAP_H #define SUDOERS_LDAP_H
typedef char * (*sudo_ldap_iter_t)(void *, void **);
bool sudo_ldap_is_negated(char **valp); bool sudo_ldap_is_negated(char **valp);
int sudo_ldap_parse_option(char *optstr, char **varp, char **valp); int sudo_ldap_parse_option(char *optstr, char **varp, char **valp);
struct privilege *sudo_ldap_role_to_priv(const char *cn, void *runasusers, void *runasgroups, void *cmnds, void *opts, const char *notbefore, const char *notafter, size_t ele_size, size_t str_off); struct privilege *sudo_ldap_role_to_priv(const char *cn, void *runasusers, void *runasgroups, void *cmnds, void *opts, const char *notbefore, const char *notafter, sudo_ldap_iter_t iter);
struct sudo_digest *sudo_ldap_extract_digest(char **cmnd, struct sudo_digest *digest); struct sudo_digest *sudo_ldap_extract_digest(char **cmnd, struct sudo_digest *digest);
#endif /* SUDOERS_LDAP_H */ #endif /* SUDOERS_LDAP_H */