sudo_ldap_get_first_rdn: Fix memory leak when ldap_str2dn is missing

millert · millert · commit 41c4b826b8b0 · 2025-09-14T16:51:27.000-06:00
This assumes that ldap_memfree() simply calls free(), which appears
to be the case with all Linux/UNIX LDAP client libraries.

Thanks to Joshua Rogers for finding this.
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
@@ -378,7 +378,7 @@ sudo_ldap_get_first_rdn(LDAP *ld, LDAPMessage *entry, int *rc)
     ldap_memfree(dn);
     debug_return_str(rdn);
 #else
-    char *dn, **edn;
+    char *dn, **edn, *rdn;
     debug_decl(sudo_ldap_get_first_rdn, SUDOERS_DEBUG_LDAP);
 
     if ((dn = ldap_get_dn(ld, entry)) == NULL) {
@@ -393,8 +393,10 @@ sudo_ldap_get_first_rdn(LDAP *ld, LDAPMessage *entry, int *rc)
 	*rc = LDAP_NO_MEMORY;
 	debug_return_str(NULL);
     }
-    *rc = LDAP_SUCCESS;
-    debug_return_str(edn[0]);
+    rdn = strdup(edn[0]);
+    *rc = rdn ? LDAP_SUCCESS : LDAP_NO_MEMORY;
+    ldap_value_free(edn);
+    debug_return_str(rdn);
 #endif
 }
 
