[libfko] fix double free bug in SPA parser

This commit fixes a double free condition discovered through the new
python SPA payload fuzzer.  This bug could be triggered in fwknopd with
a malicious SPA payload but only when GnuPG is used.  When Rijndael is
used for SPA packet encryption, this bug cannot be triggered due to a
length/format check towards the end of _rijndael_decrypt().  It should
be noted that only a person in possession of the correct encryption and
authentication GnuPG keys could trigger this bug.
Michael Rash
2014-04-22 21:58:09 -04:00
parent 4d167cd7df
commit add2c913ab


@@ -455,20 +455,15 @@ static int
parse_rand_val(char *tbuf, char **ndx, int *t_size, fko_ctx_t ctx)
{
if((*t_size = strcspn(*ndx, ":")) < FKO_RAND_VAL_SIZE)
{
free(tbuf);
return(FKO_ERROR_INVALID_DATA_DECODE_RAND_MISSING);
}
if(ctx->rand_val != NULL)
free(ctx->rand_val);
ctx->rand_val = calloc(1, FKO_RAND_VAL_SIZE+1);
if(ctx->rand_val == NULL)
{
free(tbuf);
return(FKO_ERROR_MEMORY_ALLOCATION);
}
ctx->rand_val = strncpy(ctx->rand_val, *ndx, FKO_RAND_VAL_SIZE);
*ndx += *t_size + 1;