sudo_ldap_check_non_unix_group: only call plugin for non-Unix groups

The query for netgroups and non-Unix groups may return other types
of sudoUser entries.  We must check that the sudoUser value starts
with "%:" before incrementing it by 2 and passing it to the non-Unix
group plugin.

Reported by Christos Papakonstantinou from Cantina (cantina.xyz)

Author: millert

plugins/sudoers/ldap.c

@@ -324,13 +324,13 @@ sudo_ldap_check_non_unix_group(struct sudoers_context *ctx,
 	    val++;
 	    negated = true;
 	}
-	if (*val == '+') {
+	if (val[0] == '+') {
 	    match = netgr_matches(nss, val,
 		def_netgroup_tuple ? ctx->runas.host : NULL,
 		def_netgroup_tuple ? ctx->runas.shost : NULL, pw->pw_name);
 	    DPRINTF2("ldap sudoUser netgroup '%s%s' ... %s",
 		negated ? "!" : "", val, match == ALLOW ? "MATCH!" : "not");
-	} else {
+	} else if (val[0] == '%' && val[1] == ':') {
 	    if (group_plugin_query(pw->pw_name, val + 2, pw))
 		match = ALLOW;
 	    DPRINTF2("ldap sudoUser non-Unix group '%s%s' ... %s",