Fix potential panic with misconfiguration (#1049)

squell · web-flow · commit 5d96272e1172 · 2025-03-31T11:09:34.000+02:00
diff --git a/docs/man/sudoers.5.md b/docs/man/sudoers.5.md
@@ -368,7 +368,7 @@ sudo's behavior can be modified by Default_Entry lines, as explained earlier.  A
 
 * timestamp_timeout
 
-  Number of minutes that can elapse before sudo will ask for a passwd again.  The timeout may include a fractional component if minute granularity is insufficient, for example 2.5.  The default is 15.  Set this to 0 to always prompt for a password.  If set to a value less than 0 the user's timestamp will not expire until the system is rebooted.  This can be used to allow users to create or delete their own timestamps via “sudo -v” and “sudo -k” respectively.
+  Number of minutes that can elapse before sudo will ask for a passwd again.  The timeout may include a fractional component if minute granularity is insufficient, for example 2.5.  The default is 15.  Set this to 0 to always prompt for a password.
 
 ## Strings that can be used in a boolean context:
 
diff --git a/src/defaults/mod.rs b/src/defaults/mod.rs
@@ -62,10 +62,18 @@ defaults! {
 /// A custom parser to parse seconds as fractional "minutes", the format used by
 /// passwd_timeout and timestamp_timeout.
 fn fractional_minutes(input: &str) -> Option<i64> {
-    if input.contains('.') {
-        Some((input.parse::<f64>().ok()? * 60.0).floor() as i64)
+    if let Some((integral, fractional)) = input.split_once('.') {
+        // - 'input' is maximally 18 characters, making fractional.len() at most 17;
+        //   1e17 < 2**63, so the definition of 'shift' will not overflow.
+        // - for the same reason, if both parses in the definition of 'seconds' succeed,
+        //   we will have constructed an integer < 1e17.
+        //-  1e17 * 60 = 6e18 < 9e18 < 2**63, so the final line also will not overflow
+        let shift = 10i64.pow(fractional.len().try_into().ok()?);
+        let seconds = integral.parse::<i64>().ok()? * shift + fractional.parse::<i64>().ok()?;
+
+        Some(seconds * 60 / shift)
     } else {
-        Some(input.parse::<i64>().ok()? * 60)
+        input.parse::<i64>().ok()?.checked_mul(60)
     }
 }
 
@@ -123,6 +131,10 @@ mod test {
             panic!()
         };
         f("any").unwrap()(&mut def);
+        let SettingKind::Integer(f) = set("timestamp_timeout").unwrap() else {
+            panic!()
+        };
+        f("25.25").unwrap()(&mut def);
         assert_eq! { def.always_query_group_plugin, false };
         assert_eq! { def.always_set_home, false };
         assert_eq! { def.env_reset, true };
@@ -132,6 +144,7 @@ mod test {
         assert_eq! { def.visiblepw, false };
         assert_eq! { def.env_editor, true };
         assert_eq! { def.passwd_tries, 5 };
+        assert_eq! { def.timestamp_timeout, 25*60 + 60/4 };
         assert_eq! { def.secure_path, Some("/bin".into()) };
         assert! { def.env_check.is_empty() };
         assert_eq! { def.verifypw, enums::verifypw::any };
diff --git a/src/sudoers/ast_names.rs b/src/sudoers/ast_names.rs
@@ -17,7 +17,7 @@ mod names {
     }
 
     impl UserFriendly for tokens::Numeric {
-        const DESCRIPTION: &'static str = "number";
+        const DESCRIPTION: &'static str = "nonnegative number";
     }
 
     impl UserFriendly for Identifier {

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ mod names {`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`impl UserFriendly for tokens::Numeric {`
`20`		`- const DESCRIPTION: &'static str = "number";`
	`20`	`+ const DESCRIPTION: &'static str = "nonnegative number";`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`impl UserFriendly for Identifier {`