From a68503c7c9d7e01c3a0dcad1eae09032ca3ce62d Mon Sep 17 00:00:00 2001
From: Michael Rash <mbr@cipherdyne.org>
Date: Sun, 18 Aug 2013 22:15:15 -0400
Subject: [PATCH] [server] fix crash if replay digest tracking init() fails

This commit fixes a crash if the replay digest init() routine fails - fwknopd
attempted to make use of replay tracking anyway.  The crash was discovered
during testing fwknopd with an AppArmor enforce policy deployed.  The
following stack trace shows the crash (taken before the previous static
function commit):

 Program received signal SIGSEGV, Segmentation fault.
 __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:31
 31      ../sysdeps/x86_64/multiarch/../strlen.S: No such file or directory.
 (gdb) where
 #0  __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:31
 #1  0x00007f59cabd8b26 in add_replay_file_cache (opts=opts@entry=0x7fff3eaa0bb0, digest=digest@entry=0x0) at replay_cache.c:516
 #2  0x00007f59cabd8cf5 in add_replay (opts=opts@entry=0x7fff3eaa0bb0, digest=digest@entry=0x0) at replay_cache.c:472
 #3  0x00007f59cabd62eb in incoming_spa (opts=0x7fff3eaa0bb0) at incoming_spa.c:536
 #4  0x00007f59ca56164e in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
 #5  0x00007f59cabd7175 in pcap_capture (opts=opts@entry=0x7fff3eaa0bb0) at pcap_capture.c:269
 #6  0x00007f59cabd3d4d in main (argc=5, argv=0x7fff3eaa1458) at fwknopd.c:314
---
 server/incoming_spa.c | 4 +++-
 server/replay_cache.c | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/server/incoming_spa.c b/server/incoming_spa.c
index ad6268ae..f80a76ea 100644
--- a/server/incoming_spa.c
+++ b/server/incoming_spa.c
@@ -531,8 +531,10 @@ incoming_spa(fko_srv_options_t *opts)
 
         /* Add this SPA packet into the replay detection cache
         */
-        if (added_replay_digest == 0)
+        if (added_replay_digest == 0
+                && strncasecmp(opts->config[CONF_ENABLE_DIGEST_PERSISTENCE], "Y", 1) == 0)
         {
+
             res = add_replay(opts, raw_digest);
             if (res != SPA_MSG_SUCCESS)
             {
diff --git a/server/replay_cache.c b/server/replay_cache.c
index 51e73d3b..3b93f621 100644
--- a/server/replay_cache.c
+++ b/server/replay_cache.c
@@ -730,6 +730,12 @@ add_replay(fko_srv_options_t *opts, char *digest)
     return(-1);
 #else
 
+    if(digest == NULL)
+    {
+        log_msg(LOG_WARNING, "NULL digest passed into add_replay()");
+        return(SPA_MSG_DIGEST_CACHE_ERROR);
+    }
+
 #if USE_FILE_CACHE
     return add_replay_file_cache(opts, digest);
 #else