From 224d78993a24d1cc31ae0f6a0d0a59c66b765387 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Sat, 9 Jul 2022 09:00:48 -0600
Subject: [PATCH] sudo_putenv_nodebug: require that the environment string include a '='

---
 plugins/sudoers/env.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/plugins/sudoers/env.c b/plugins/sudoers/env.c
index 99b674300..eaf90f4a0 100644
--- a/plugins/sudoers/env.c
+++ b/plugins/sudoers/env.c
@@ -314,9 +314,15 @@ int
 sudo_putenv_nodebug(char *str, bool dupcheck, bool overwrite)
 {
 char **ep;
- size_t len;
+ const char *equal;
 bool found = false;
+ equal = strchr(str, '=');
+ if (equal == NULL) {
+ errno = EINVAL;
+ return -1;
+ }
+
 /* Make sure there is room for the new entry plus a NULL. */
 if (env.env_size > 2 && env.env_len > env.env_size - 2) {
 char **nenvp;
@@ -358,7 +364,7 @@ sudo_putenv_nodebug(char *str, bool dupcheck, bool overwrite)
 #endif
 if (dupcheck) {
- len = (strchr(str, '=') - str) + 1;
+ size_t len = (size_t)(equal - str) + 1;
 for (ep = env.envp; *ep != NULL; ep++) {
 if (strncmp(str, *ep, len) == 0) {
 if (overwrite)
--
2.33.0
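Review bot: The new guard in the first hunk rejects a string with no '=' but still accepts one whose first character is '=', that is, an entry with an empty variable name. setenv(3) reports an empty name as EINVAL; if the same rule is wanted here, the test could read `if (equal == NULL || equal == str) {`. With `equal == str` the second hunk computes `len` as 1, so the dupcheck loop compares only the '=' itself against each existing entry. The function's header comment lies outside the hunk and should gain a sentence such as `Returns -1 with errno set to EINVAL if str does not contain '='.`, since -1 previously appeared only on the allocation and debug paths visible in this function. Callers are not shown here, so any that report every -1 as an out-of-memory condition are worth checking.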