
[libfko] fix double free bug in SPA parser

This commit fixes a double free condition discovered through the new
python SPA payload fuzzer.  This bug could be triggered in fwknopd with
a malicious SPA payload but only when GnuPG is used.  When Rijndael is
used for SPA packet encryption, this bug cannot be triggered due to a
length/format check towards the end of _rijndael_decrypt().  It should
be noted that only a person in possession of the correct encryption and
authentication GnuPG keys could trigger this bug.
mrash committed Apr 23, 2014
1 parent 4d167cd commit add2c913ab84e28b699941299d9ee26ff9b85d59
Showing with 1 addition and 6 deletions.
+1 −6 lib/fko_decode.c
@@ -455,20 +455,15 @@ static int
parse_rand_val(char *tbuf, char **ndx, int *t_size, fko_ctx_t ctx)
if((*t_size = strcspn(*ndx, ":")) < FKO_RAND_VAL_SIZE)
if(ctx->rand_val != NULL)
ctx->rand_val = calloc(1, FKO_RAND_VAL_SIZE+1);
if(ctx->rand_val == NULL)
ctx->rand_val = strncpy(ctx->rand_val, *ndx, FKO_RAND_VAL_SIZE);
*ndx += *t_size + 1;
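Review bot: the length check on the rand_val field (`if((*t_size = strcspn(*ndx, ":")) < FKO_RAND_VAL_SIZE)`) only rejects a field that is too short; a field longer than FKO_RAND_VAL_SIZE passes and is silently truncated by the `strncpy(ctx->rand_val, *ndx, FKO_RAND_VAL_SIZE)` below, after which `*ndx += *t_size + 1` still advances past the whole over-long field. Since this parser runs on attacker-supplied (if authenticated) payloads, consider rejecting `*t_size != FKO_RAND_VAL_SIZE` as malformed rather than accepting it truncated. Separately, the rendered hunk here has lost its +/- markers, so the six removed lines and one added line around the `if(ctx->rand_val != NULL)` guard are not visible; given that this commit exists to remove a double free, a one-line comment at that guard stating who owns `ctx->rand_val` (and that it must be either freed exactly once or left untouched on the error path) would stop the pattern from being reintroduced.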

0 comments on commit add2c91

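The bug class the commit message describes, as an added example that is not fwknop's or libfko's code: a field parser that releases the previous value before it has validated the incoming field, so a malformed payload leaves a dangling pointer behind for the context's normal teardown to free a second time, next to the hardened ordering (validate, allocate, then free the old buffer exactly once). All names here (`spa_ctx`, `RAND_VAL_SIZE`, `parse_rand_val_unsafe`, `parse_rand_val_safe`, `run_scenario`) and both input strings are hypothetical and constructed for the example; the tracking allocator exists only so the second free can be counted instead of aborting the process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RAND_VAL_SIZE 16   /* hypothetical field width, stands in for FKO_RAND_VAL_SIZE */
#define TRACK_MAX 64

/* Hypothetical decode context: one heap-owned field, like a rand_val. */
typedef struct { char *rand_val; } spa_ctx;

/* Tracking allocator: remembers each buffer handed out and how often it was
 * freed, so a second free is counted rather than passed to libc. */
static void *tracked_ptrs[TRACK_MAX];
static int   tracked_frees[TRACK_MAX];
static int   tracked_count;
static int   double_free_count;

static void tracked_reset(void) { tracked_count = 0; double_free_count = 0; }

static void *tracked_calloc(size_t n, size_t sz)
{
    void *p = calloc(n, sz);
    if (p != NULL && tracked_count < TRACK_MAX) {
        tracked_ptrs[tracked_count] = p;
        tracked_frees[tracked_count] = 0;
        tracked_count++;
    }
    return p;
}

static void tracked_free(void *p)
{
    int i;
    if (p == NULL)
        return;
    /* Newest entry first: calloc may hand a freed address out again. */
    for (i = tracked_count - 1; i >= 0; i--) {
        if (tracked_ptrs[i] == p) {
            if (tracked_frees[i]++ > 0) { double_free_count++; return; } /* would be a real double free */
            free(p);
            return;
        }
    }
    free(p);
}

/* Vulnerable shape: the old value is released before the new field is
 * validated; the error return leaves ctx->rand_val dangling, and the
 * context's normal teardown frees it again. */
int parse_rand_val_unsafe(spa_ctx *ctx, const char *field)
{
    size_t len = strcspn(field, ":");
    if (ctx->rand_val != NULL)
        tracked_free(ctx->rand_val);      /* freed, but the pointer stays in ctx */
    if (len < RAND_VAL_SIZE)
        return -1;                        /* malformed field: caller tears ctx down */
    ctx->rand_val = tracked_calloc(1, RAND_VAL_SIZE + 1);
    if (ctx->rand_val == NULL)
        return -2;
    memcpy(ctx->rand_val, field, RAND_VAL_SIZE);   /* over-long field silently truncated */
    return 0;
}

/* Hardened shape: validate, allocate the replacement, then release the old
 * buffer, so ctx->rand_val is always either NULL or a live allocation. */
int parse_rand_val_safe(spa_ctx *ctx, const char *field)
{
    size_t len = strcspn(field, ":");
    char *buf;
    if (len != RAND_VAL_SIZE)             /* reject short and over-long fields alike */
        return -1;
    buf = tracked_calloc(1, RAND_VAL_SIZE + 1);
    if (buf == NULL)
        return -2;
    memcpy(buf, field, RAND_VAL_SIZE);    /* calloc's extra byte keeps it NUL-terminated */
    tracked_free(ctx->rand_val);          /* exactly one free of the previous value */
    ctx->rand_val = buf;
    return 0;
}

void ctx_destroy(spa_ctx *ctx) { tracked_free(ctx->rand_val); ctx->rand_val = NULL; }

/* Parse a well-formed field, then a malformed one, then tear the context
 * down. Returns how many double frees the tracking allocator observed. */
int run_scenario(int (*parse)(spa_ctx *, const char *))
{
    spa_ctx ctx = { NULL };
    const char good[] = "0123456789abcdef:1398265200";  /* constructed, valid */
    const char bad[]  = "short:1398265200";             /* constructed, too short */
    tracked_reset();
    parse(&ctx, good);
    parse(&ctx, bad);
    ctx_destroy(&ctx);
    return double_free_count;
}

int main(void)
{
    printf("unsafe parser: %d double free(s)\n", run_scenario(parse_rand_val_unsafe));
    printf("safe parser:   %d double free(s)\n", run_scenario(parse_rand_val_safe));
    return 0;
}
```

The ordering is the whole point: with the hardened parser a failed parse leaves the context exactly as it was, so the cleanup path has nothing dangling to free, and rejecting `len != RAND_VAL_SIZE` also closes the silent-truncation case the unsafe version accepts.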