Avoid a double-free in fuzz_policy caused by the early env_init(NULL).

This adds an env_free() function to explicitly free both the old
and new copies of the environment.  It is really only needed by
fuzz_policy, which calls the policy module multiple times.

Author: millert

plugins/sudoers/env.c

@@ -228,6 +228,20 @@ static const char *initial_keepenv_table[] = {
     NULL
 };
 
+/*
+ * Free our copy (or copies) of the environment.
+ * This function is only safe to call after the command has executed.
+ */
+void
+env_free(void)
+{
+    sudoers_gc_remove(GC_PTR, env.envp);
+    free(env.envp);
+    sudoers_gc_remove(GC_PTR, env.old_envp);
+    free(env.old_envp);
+    memset(&env, 0, sizeof(env));
+}
+
 /*
  * Initialize env based on envp.
  */
@@ -243,7 +257,10 @@ env_init(char * const envp[])
 	sudoers_gc_remove(GC_PTR, env.old_envp);
 	free(env.old_envp);
 
-	/* Reset to initial state but keep a pointer to what we allocated. */
+	/*
+	 * Reset to initial state but keep a pointer to what we allocated
+	 * since it will be passed to execve(2).
+	 */
 	env.old_envp = env.envp;
 	env.envp = NULL;
 	env.env_size = 0;

plugins/sudoers/sudoers.c

@@ -1514,7 +1514,7 @@ sudoers_cleanup(void)
     canon_path_free_cache();
 
     /* We must free the cached environment before running g/c. */
-    env_init(NULL);
+    env_free();
 
     /* Run garbage collector. */
     sudoers_gc_run();

plugins/sudoers/sudoers.h

@@ -414,6 +414,7 @@ extern const struct iolog_path_escape *sudoers_iolog_path_escapes;
 char **env_get(void);
 bool env_merge(const struct sudoers_context *ctx, char * const envp[]);
 bool env_swap_old(void);
+void env_free(void);
 bool env_init(char * const envp[]);
 bool init_envtables(void);
 bool insert_env_vars(char * const envp[]);