
[libfko] fix double free bug in SPA parser

This commit fixes a double free condition discovered through the new
python SPA payload fuzzer.  This bug could be triggered in fwknopd with
a malicious SPA payload but only when GnuPG is used.  When Rijndael is
used for SPA packet encryption, this bug cannot be triggered due to a
length/format check towards the end of _rijndael_decrypt().  It should
be noted that only a person in possession of the correct encryption and
authentication GnuPG keys could trigger this bug.
1 parent 4d167cd commit add2c913ab84e28b699941299d9ee26ff9b85d59 @mrash committed Apr 23, 2014
Showing with 1 addition and 6 deletions.
  1. +1 −6 lib/fko_decode.c
@@ -455,20 +455,15 @@ static int
parse_rand_val(char *tbuf, char **ndx, int *t_size, fko_ctx_t ctx)
{
if((*t_size = strcspn(*ndx, ":")) < FKO_RAND_VAL_SIZE)
- {
- free(tbuf);
return(FKO_ERROR_INVALID_DATA_DECODE_RAND_MISSING);
- }
if(ctx->rand_val != NULL)
free(ctx->rand_val);
ctx->rand_val = calloc(1, FKO_RAND_VAL_SIZE+1);
if(ctx->rand_val == NULL)
- {
- free(tbuf);
return(FKO_ERROR_MEMORY_ALLOCATION);
- }
+
ctx->rand_val = strncpy(ctx->rand_val, *ndx, FKO_RAND_VAL_SIZE);
*ndx += *t_size + 1;
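Review bot: dropping the two free(tbuf) calls is only correct if the caller of parse_rand_val() owns tbuf and frees it on every non-zero return, and that caller is not in this hunk; add a one-line comment above the function stating that tbuf is caller-owned so a later reader does not reintroduce free(tbuf) on these error paths and bring the double free back. Minor: the lone `+` blank line added after `return(FKO_ERROR_MEMORY_ALLOCATION);` leaves the two error returns spaced differently from each other; either keep a blank line after both or after neither.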

0 comments on commit add2c91
