Skip to content

Commit

Permalink
ZTAT-452 Fixed multiple memory related issues in duo_common_ini_handler
Browse files Browse the repository at this point in the history
  • Loading branch information
ysyrota committed Oct 17, 2024
1 parent bbec1e2 commit 2b67df0
Show file tree
Hide file tree
Showing 2 changed files with 49 additions and 22 deletions.
69 changes: 47 additions & 22 deletions lib/util.c
Original file line number Diff line number Diff line change
Expand Up @@ -53,9 +53,6 @@ int
duo_common_ini_handler(struct duo_config *cfg, const char *section,
const char *name, const char*val)
{
char *buf, *currWord, *nextWord, *tmpString;
int int_val, new_length;

if (strcmp(name, "ikey") == 0) {
cfg->ikey = strdup(val);
} else if (strcmp(name, "skey") == 0) {
Expand All @@ -67,30 +64,44 @@ duo_common_ini_handler(struct duo_config *cfg, const char *section,
} else if (strcmp(name, "http_proxy") == 0) {
cfg->http_proxy = strdup(val);
} else if (strcmp(name, "groups") == 0 || strcmp(name, "group") == 0) {
if ((buf = strdup(val)) == NULL) {
size_t len = strlen(val);
size_t j = 0;
int inEscape = 0;
char *currWord;
if ((currWord = malloc(len)) == NULL) {
fprintf(stderr, "Out of memory parsing groups\n");
return (0);
}
for (currWord = strtok(buf, " "); currWord != NULL; currWord = strtok(NULL, " ")) {
if (cfg->groups_cnt >= MAX_GROUPS) {
fprintf(stderr, "Exceeded max %d groups\n",
MAX_GROUPS);
cfg->groups_cnt = 0;
free(buf);
return (0);

for (size_t i = 0; i <= len; ++i) {
if (val[i] == '\\' && val[i + 1] == ' ' && !inEscape) {
inEscape = 1;
continue;
}
/* Concatenate next word if current word ends with "\ " */
while (currWord[strlen(currWord) - 1] == '\\') {
currWord[strlen(currWord) - 1] = ' ';
nextWord = strtok(NULL, " ");
new_length = strlen(currWord) + strlen(nextWord) + 1;
tmpString = (char *) malloc(new_length);
strlcpy(tmpString, currWord, new_length);
strncat(tmpString, nextWord, new_length);
currWord = tmpString;

if (inEscape) {
currWord[j++] = ' ';
inEscape = 0;
} else if (val[i] == ' ' || val[i] == '\0') {
if (j > 0) {
currWord[j] = '\0';
cfg->groups[cfg->groups_cnt++] = strdup(currWord);
if (cfg->groups_cnt >= MAX_GROUPS) {
fprintf(stderr, "Exceeded max %d groups\n", MAX_GROUPS);
cleanup_config_groups(cfg);
free(currWord);
return (0);
}
j = 0;
}
if (val[i] == '\0') {
break;
}
} else {
currWord[j++] = val[i];
}
cfg->groups[cfg->groups_cnt++] = currWord;
}
free(currWord);
} else if (strcmp(name, "failmode") == 0) {
if (strcmp(val, "secure") == 0) {
cfg->failmode = DUO_FAIL_SECURE;
Expand All @@ -105,7 +116,7 @@ duo_common_ini_handler(struct duo_config *cfg, const char *section,
} else if (strcmp(name, "noverify") == 0) {
cfg->noverify = duo_set_boolean_option(val);
} else if (strcmp(name, "prompts") == 0) {
int_val = atoi(val);
int int_val = atoi(val);
/* Clamp the value into acceptable range */
if (int_val <= 0) {
int_val = 1;
Expand Down Expand Up @@ -189,8 +200,22 @@ close_config(struct duo_config *cfg)
duo_zero_free(cfg->http_proxy, strlen(cfg->http_proxy));
cfg->http_proxy = NULL;
}
cleanup_config_groups(cfg);
}

void
cleanup_config_groups(struct duo_config *cfg)
{
for (int i = 0; i < MAX_GROUPS; ++i) {
if (cfg->groups[i] != NULL) {
free(cfg->groups[i]);
cfg->groups[i] = NULL;
}
}
cfg->groups_cnt = 0;
}


int
duo_check_groups(struct passwd *pw, char **groups, int groups_cnt)
{
Expand Down
2 changes: 2 additions & 0 deletions lib/util.h
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,8 @@ int duo_common_ini_handler(
/* Clean up config memory. */
void close_config(struct duo_config *cfg);

void cleanup_config_groups(struct duo_config *cfg);

int duo_check_groups(struct passwd *pw, char **groups, int groups_cnt);

void duo_log(
Expand Down

0 comments on commit 2b67df0

Please sign in to comment.