From 82cf8b1c9cc9c3256bfbd97cbd3a40353851dc02 Mon Sep 17 00:00:00 2001 From: Michael Rash Date: Tue, 25 Nov 2014 22:05:15 -0500 Subject: [PATCH] [server] Enforce proper bounds checking on digest cache file import Bug fix to ensure that proper bounds are enforced when importing digest cache files from previous fwknopd executions. This bug was discovered through fuzzing with American Fuzzy Lop (AFL) as driven by the test/afl/fuzzing-wrappers/server-digest-cache.sh wrapper. Previous to this fix, fwknopd could be made to crash through a malicious digest cache file (normally in /var/run/fwknop/digest.cache) upon initial import. --- ChangeLog | 9 +++++++++ server/replay_cache.c | 8 ++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index bbaaa7cb..4e17e5ce 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +fwknop-2.6.5 (11//2014): + - [server] Bug fix to ensure that proper bounds are enforced when + importing digest cache files from previous fwknopd executions. This bug + was discovered through fuzzing with American Fuzzy Lop (AFL) as driven + by the test/afl/fuzzing-wrappers/server-digest-cache.sh wrapper. + Previous to this fix, fwknopd could be made to crash through a malicious + digest cache file (normally in /var/run/fwknop/digest.cache) upon + initial import. + fwknop-2.6.4 (11/16/2014): - [server] Added a UDP server mode so that SPA packets can be acquired via UDP directly without having to use libpcap. This is an optional feature diff --git a/server/replay_cache.c b/server/replay_cache.c index 5c423897..638028eb 100644 --- a/server/replay_cache.c +++ b/server/replay_cache.c 
@@ -306,12 +306,12 @@ replay_file_cache_init(fko_srv_options_t *opts) src_ip[0] = '\0'; dst_ip[0] = '\0'; - if(sscanf(line_buf, "%s %hhu %s %hu %s %hu %ld", - digest_elm->cache_info.digest, + if(sscanf(line_buf, "%64s %hhu %16s %hu %16s %hu %ld", + digest_elm->cache_info.digest, /* %64s, buffer size is MAX_DIGEST_SIZE+1 */ &(digest_elm->cache_info.proto), - src_ip, + src_ip, /* %16s, buffer size is INET_ADDRSTRLEN+1 */ &(digest_elm->cache_info.src_port), - dst_ip, + dst_ip, /* %16s, buffer size is INET_ADDRSTRLEN+1 */ &(digest_elm->cache_info.dst_port), &time_tmp) != 7) {
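Review bot: the ChangeLog entry header "fwknop-2.6.5 (11//2014):" has an empty day field in the date; fill it in when the release date is known so the 2.6.5 entry matches the "11/16/2014" form used by the 2.6.4 entry directly below it.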
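Review bot: the field widths in the new sscanf format (`%64s`, `%16s`) are hard-coded literals while the trailing comments tie them to MAX_DIGEST_SIZE+1 and INET_ADDRSTRLEN+1; if either macro ever changes, the format string will not follow and the overflow this commit fixes comes back silently. Consider generating the widths from the macros with a stringify helper so the format and the buffer sizes cannot drift apart, or at least add a static assertion that MAX_DIGEST_SIZE == 64 and INET_ADDRSTRLEN == 16 next to this call. The bounded widths also mean an over-long digest or address field is cut at the limit and the remainder of the line is fed to the following `%hhu`/`%s` conversions, so such lines fail the `!= 7` check and are skipped; that is the right fail-closed behaviour for a cache file, but it would help operators to log the rejected line number in that branch so a corrupted or tampered digest.cache is noticed rather than quietly dropped.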