From 985a2261bc5ae0491dc0be0977425c4f9a782883 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 30 Jun 2022 13:35:04 -0600
Subject: [PATCH] sudoers_main: defer setting return value until the end when running a command Otherwise, we could return success when there was an error from a system call or memory allocation failure.
---
 plugins/sudoers/sudoers.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index b48de3e1f..26f19abb5 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -699,15 +699,16 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 switch (sudo_mode & MODE_MASK) {
 case MODE_CHECK:
 ret = display_cmnd(snl, list_pw ? list_pw : sudo_user.pw);
- break;
+ goto done;
 case MODE_LIST:
 ret = display_privs(snl, list_pw ? list_pw : sudo_user.pw, verbose);
- break;
+ goto done;
 case MODE_VALIDATE:
+ ret = true;
+ goto done;
 case MODE_RUN:
 case MODE_EDIT:
- /* ret may be overridden by "goto bad" later */
- ret = true;
+ /* ret will not be set until the very end. */
 break;
 default:
 /* Should not happen. */
@@ -715,11 +716,6 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 goto done;
 }
- if (ISSET(sudo_mode, (MODE_VALIDATE|MODE_CHECK|MODE_LIST))) {
- /* ret already set appropriately */
- goto done;
- }
-
 /*
 * Set umask based on sudoers.
 * If user's umask is more restrictive, OR in those bits too
@@ -825,6 +821,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 env_swap_old();
 }
+ ret = true;
 goto done;
 bad:
--
2.33.0
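Review bot: With `ret = true` removed from the `MODE_RUN`/`MODE_EDIT` arm of the switch, every `goto done` taken between this switch and the end of the function returns whatever `ret` was initialised to, and that initialiser is outside the hunk. For a policy decision it has to be a value the caller treats as failure rather than as an allowed command, so it should be confirmed at the declaration. The new comment could then say what the variable holds in the meantime, for example `/* ret keeps its initial failure value until the final "ret = true" */`. The body of sudoers_policy_main starts before and continues after this hunk.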
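Review bot: The added `ret = true;` ahead of `goto done;` is now the only success assignment on the run and edit path, but nothing at that line records the invariant. A later edit that assigns `ret` earlier would bring back the success-on-error return this commit removes. A comment above the assignment would pin it: `/* Only success exit for MODE_RUN/MODE_EDIT; earlier "goto done" paths must leave ret untouched. */`. The diffstat shows only sudoers.c changed, so no regression test accompanies the fix; whether the existing test suite can inject a failing system call or allocation on this path cannot be seen from here.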