[server] Fix uninitialized value usage after proper SPA authentication/decryption

Bug fix discovered with the libfiu fault injection tag
"fko_get_username_init" combined with valgrind analysis. This bug
is only triggered after a valid authenticated and decrypted SPA
packet is sniffed by fwknopd:

==11181== Conditional jump or move depends on uninitialised value(s)
==11181==    at 0x113B6D: incoming_spa (incoming_spa.c:707)
==11181==    by 0x11559F: process_packet (process_packet.c:211)
==11181==    by 0x5270857: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.4.0)
==11181==    by 0x114BCC: pcap_capture (pcap_capture.c:270)
==11181==    by 0x10F32C: main (fwknopd.c:195)
==11181==  Uninitialised value was created by a stack allocation
==11181==    at 0x113476: incoming_spa (incoming_spa.c:294)
commit 9f2e01eb0114ee0cb0bc101dda036779c456915d 1 parent 5474ced
@mrash authored
Showing with 22 additions and 9 deletions.
  1. +13 −0 ChangeLog
  2. +9 −9 server/incoming_spa.c
13 ChangeLog
@@ -19,6 +19,19 @@ fwknop-2.6.3 (05//2014):
signatures are to be verified for incoming SPA packets. Signature
verification is the default, and can only be disabled with
GPG_DISABLE_SIG but this is NOT recommended.
+ - [server] Bug fix discovered with the libfiu fault injection tag
+ "fko_get_username_init" combined with valgrind analysis. This bug is
+ only triggered after a valid authenticated and decrypted SPA packet is
+ sniffed by fwknopd:
+
+ ==11181== Conditional jump or move depends on uninitialised value(s)
+ ==11181== at 0x113B6D: incoming_spa (incoming_spa.c:707)
+ ==11181== by 0x11559F: process_packet (process_packet.c:211)
+ ==11181== by 0x5270857: ??? (in /usr/lib/x86_64-linux-gnu/libpcap.so.1.4.0)
+ ==11181== by 0x114BCC: pcap_capture (pcap_capture.c:270)
+ ==11181== by 0x10F32C: main (fwknopd.c:195)
+ ==11181== Uninitialised value was created by a stack allocation
+ ==11181== at 0x113476: incoming_spa (incoming_spa.c:294)
fwknop-2.6.2 (04/28/2014):
- [libfko] fix double free bug in SPA parser discovered with the new
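Review bot: the new ChangeLog entry reproduces the valgrind trace but never says what the fix actually is; one sentence stating that the FKO_SUCCESS check on get_spa_data_fields() in incoming_spa() was moved ahead of the fw_access_timeout selection, so no spadat field is read when the SPA data could not be extracted, would make the entry useful to someone reading the log later. The pasted valgrind frames also lost the indentation of the original output (the commit message has "    at 0x113B6D" and "    by 0x11559F" indented under the first line), which makes the stack harder to read in the ChangeLog.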
18 server/incoming_spa.c
@@ -700,6 +700,15 @@ incoming_spa(fko_srv_options_t *opts)
*/
res = get_spa_data_fields(ctx, &spadat);
+ if(res != FKO_SUCCESS)
+ {
+ log_msg(LOG_ERR, "[%s] (stanza #%d) Unexpected error pulling SPA data from the context: %s",
+ spadat.pkt_source_ip, stanza_num, fko_errstr(res));
+
+ acc = acc->next;
+ continue;
+ }
+
/* Figure out what our timeout will be. If it is specified in the SPA
* data, then use that. If not, try the FW_ACCESS_TIMEOUT from the
* access.conf file (if there is one). Otherwise use the default.
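Review bot: placing the res != FKO_SUCCESS check directly after get_spa_data_fields() is the right location: the old code fell through into the fw_access_timeout selection, which reads spadat fields that get_spa_data_fields() never populated on failure, and that is the uninitialised read at incoming_spa.c:707 from the commit message. One thing to confirm against the surrounding code: the error branch formats spadat.pkt_source_ip, so that field must be filled in before get_spa_data_fields() is called, otherwise the log line itself reads from the same partially initialised struct this change is guarding against.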
@@ -711,15 +720,6 @@ incoming_spa(fko_srv_options_t *opts)
else
spadat.fw_access_timeout = DEF_FW_ACCESS_TIMEOUT;
- if(res != FKO_SUCCESS)
- {
- log_msg(LOG_ERR, "[%s] (stanza #%d) Unexpected error pulling SPA data from the context: %s",
- spadat.pkt_source_ip, stanza_num, fko_errstr(res));
-
- acc = acc->next;
- continue;
- }
-
/* Check packet age if so configured.
*/
if(strncasecmp(opts->config[CONF_ENABLE_SPA_PACKET_AGING], "Y", 1) == 0)
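Review bot: the removed block is identical to the one inserted after get_spa_data_fields() in the previous hunk, so this hunk only changes where the check runs, not what it does. Since the fix relies on nothing touching spadat between get_spa_data_fields() and the relocated check, it is worth a glance at the full function (not visible in this diff) to confirm no other spadat read sits in that window; the packet aging check that follows this context line is already on the safe side of the check.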