[server] Enforce proper bounds checking on digest cache file import

Bug fix to ensure that proper bounds are enforced when importing digest
cache files from previous fwknopd executions. This bug
was discovered through fuzzing with American Fuzzy Lop (AFL) as driven
by the test/afl/fuzzing-wrappers/server-digest-cache.sh wrapper.
Previous to this fix, fwknopd could be made to crash through a malicious
digest cache file (normally in /var/run/fwknop/digest.cache) upon
initial import.
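The bounded import the commit message describes, as an added example that is not fwknop's own code: it uses the same `%64s`/`%16s` widths as the patched `sscanf` call and adds a `%n`-based check that rejects a line whose digest or address token was longer than its buffer, a case the width alone only truncates. The struct, the constants `EX_MAX_DIGEST_SIZE` (64) and `EX_INET_ADDRSTRLEN` (16, mirroring the `MAX_DIGEST_SIZE+1` and `INET_ADDRSTRLEN+1` buffer sizes named in the patch comments), and the sample lines are assumptions constructed for this example, not taken from the project.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not fwknop's own code. Buffer sizes follow the comments in the
 * patched sscanf call (digest buffer MAX_DIGEST_SIZE+1, IP buffers
 * INET_ADDRSTRLEN+1); the constants, struct and sample lines are assumptions. */
#define EX_MAX_DIGEST_SIZE 64
#define EX_INET_ADDRSTRLEN 16

struct cache_entry {
    char digest[EX_MAX_DIGEST_SIZE + 1];
    unsigned char proto;
    char src_ip[EX_INET_ADDRSTRLEN + 1];
    unsigned short src_port;
    char dst_ip[EX_INET_ADDRSTRLEN + 1];
    unsigned short dst_port;
    long created;
};

/* The patched form: each %s carries a width equal to its buffer size, so a
 * token longer than the buffer is cut at the width instead of overflowing.
 * Returns the raw sscanf conversion count (7 on a full match). */
int count_fields_width_only(const char *line, struct cache_entry *e)
{
    memset(e, 0, sizeof(*e));
    return sscanf(line, "%64s %hhu %16s %hu %16s %hu %ld",
                  e->digest, &e->proto, e->src_ip, &e->src_port,
                  e->dst_ip, &e->dst_port, &e->created);
}

/* Stricter variant: same widths, plus %n after each string field to record
 * the offset where it ended. If that offset does not hold whitespace, the
 * token was longer than the width and was truncated, so the line is rejected
 * instead of being accepted with a mangled digest or address.
 * Returns 1 for a well-formed line, 0 otherwise. */
int parse_cache_line(const char *line, struct cache_entry *e)
{
    int n1 = -1, n2 = -1, n3 = -1;

    memset(e, 0, sizeof(*e));
    if (sscanf(line, "%64s%n %hhu %16s%n %hu %16s%n %hu %ld",
               e->digest, &n1, &e->proto, e->src_ip, &n2, &e->src_port,
               e->dst_ip, &n3, &e->dst_port, &e->created) != 7)
        return 0;
    if (n1 < 0 || n2 < 0 || n3 < 0)
        return 0;
    if (!isspace((unsigned char)line[n1]) ||
        !isspace((unsigned char)line[n2]) ||
        !isspace((unsigned char)line[n3]))
        return 0;
    return 1;
}

/* Constructed sample lines (64-char digest, proto 6, two IPv4 addresses,
 * ports, timestamp). */
#define EX_SIXTEEN_A "aaaaaaaaaaaaaaaa"
#define EX_DIGEST_64 EX_SIXTEEN_A EX_SIXTEEN_A EX_SIXTEEN_A EX_SIXTEEN_A
const char *ex_good_line =
    EX_DIGEST_64 " 6 192.168.1.10 40000 10.0.0.1 62201 1417000000";
/* Digest token of 66 chars: the width cuts it at 64 and the leftover "12" is
 * consumed as the proto field, so the width-only parse still yields seven
 * conversions although every field after the digest is misaligned. */
const char *ex_overlong_line =
    EX_DIGEST_64 "12 6 192.168.1.10 40000 10.0.0.1 62201 1417000000";

/* Run both parsers on the sample lines; returns 1 when the results match the
 * behaviour described above, 0 otherwise. */
int run_checks(void)
{
    struct cache_entry e;

    if (parse_cache_line(ex_good_line, &e) != 1) return 0;
    if (strcmp(e.digest, EX_DIGEST_64) != 0 || e.proto != 6) return 0;
    if (strcmp(e.src_ip, "192.168.1.10") != 0 || e.src_port != 40000) return 0;
    if (strcmp(e.dst_ip, "10.0.0.1") != 0 || e.dst_port != 62201) return 0;
    if (e.created != 1417000000L) return 0;
    /* Width alone bounds the write but still accepts the malformed line ... */
    if (count_fields_width_only(ex_overlong_line, &e) != 7) return 0;
    /* ... whereas the termination check rejects it. */
    if (parse_cache_line(ex_overlong_line, &e) != 0) return 0;
    return 1;
}

int main(void)
{
    printf("digest cache parse checks %s\n", run_checks() ? "passed" : "FAILED");
    return 0;
}
```

The width limits are what stop the out-of-bounds write; the `%n` check is the extra step that turns a silently truncated record into a rejected one, which is the behaviour you want when the cache file is treated as untrusted input.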
mrash committed Nov 26, 2014
1 parent 8872e50 commit 82cf8b1c9cc9c3256bfbd97cbd3a40353851dc02
Showing with 13 additions and 4 deletions.
  1. +9 −0 ChangeLog
  2. +4 −4 server/replay_cache.c
@@ -1,3 +1,12 @@
+fwknop-2.6.5 (11//2014):
+ - [server] Bug fix to ensure that proper bounds are enforced when
+ importing digest cache files from previous fwknopd executions. This bug
+ was discovered through fuzzing with American Fuzzy Lop (AFL) as driven
+ by the test/afl/fuzzing-wrappers/server-digest-cache.sh wrapper.
+ Previous to this fix, fwknopd could be made to crash through a malicious
+ digest cache file (normally in /var/run/fwknop/digest.cache) upon
+ initial import.
+
fwknop-2.6.4 (11/16/2014):
- [server] Added a UDP server mode so that SPA packets can be acquired via
UDP directly without having to use libpcap. This is an optional feature
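Review bot: the date on the first added line, `fwknop-2.6.5 (11//2014)`, is missing the day, while the existing entry directly below uses the full form `fwknop-2.6.4 (11/16/2014)`; fill in the release day before tagging, or mark the entry as unreleased so the placeholder does not ship as-is.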
@@ -306,12 +306,12 @@ replay_file_cache_init(fko_srv_options_t *opts)
src_ip[0] = '\0';
dst_ip[0] = '\0';
- if(sscanf(line_buf, "%s %hhu %s %hu %s %hu %ld",
- digest_elm->cache_info.digest,
+ if(sscanf(line_buf, "%64s %hhu %16s %hu %16s %hu %ld",
+ digest_elm->cache_info.digest, /* %64s, buffer size is MAX_DIGEST_SIZE+1 */
&(digest_elm->cache_info.proto),
- src_ip,
+ src_ip, /* %16s, buffer size is INET_ADDRSTRLEN+1 */
&(digest_elm->cache_info.src_port),
- dst_ip,
+ dst_ip, /* %16s, buffer size is INET_ADDRSTRLEN+1 */
&(digest_elm->cache_info.dst_port),
&time_tmp) != 7)
{
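Review bot: the widths are hard-coded literals (`%64s`, `%16s`) while the buffers they must match are sized from named constants (`MAX_DIGEST_SIZE+1` and `INET_ADDRSTRLEN+1`, per the added comments), so a later change to either constant would silently reintroduce the overflow; consider building the width from the constant with a stringifying macro, or adding a compile-time assertion that ties the two together. A second point: a width bounds the write but does not reject an over-long token; `sscanf` truncates it and goes on to parse the remainder as the next field, so the existing `!= 7` check cannot by itself tell a well-formed line from a truncated one. Recording the end offset of each string field with `%n` and requiring whitespace there would make the import reject such lines outright.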