From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Robbie Harwood <rharwood@redhat.com>
|
|
Date: Thu, 3 Mar 2022 15:37:02 -0500
|
|
Subject: [PATCH] Fix bad free of cms data (DoS only)
|
|
|
|
handle_unlock_token() set the CMS data to an offset of an allocated
|
|
buffer, rather than something allocated in its own right.
|
|
cms_set_pw_data() would then attempt to free this value. Additionally,
|
|
should pesignd not take SIGABRT at that point, handle_unlock_token()
|
|
would then also free buffer.
|
|
|
|
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
(cherry picked from commit 7b78af412dc0ca5db54c426a13550cf35caa9516)
|
|
---
|
|
src/daemon.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/daemon.c b/src/daemon.c
|
|
index 8522250..3ae3c8d 100644
|
|
--- a/src/daemon.c
|
|
+++ b/src/daemon.c
|
|
@@ -166,6 +166,7 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
|
|
struct msghdr msg;
|
|
struct iovec iov;
|
|
ssize_t n;
|
|
+ char *pin = NULL;
|
|
|
|
int rc = cms_context_alloc(&ctx->cms);
|
|
if (rc < 0) {
|
|
@@ -233,7 +234,8 @@ malformed:
|
|
if (!ctx->cms->tokenname)
|
|
goto oom;
|
|
|
|
- char *pin = (char *)tp->value;
|
|
+ if (!tp->value)
|
|
+ pin = strndup((char *)tp->value, tp->size);
|
|
if (!pin)
|
|
goto oom;
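Review bot: The guard on the added line `if (!tp->value)` is inverted: it calls `strndup()` only when `tp->value` is NULL, which dereferences a null pointer inside strndup (a crash of pesignd on a request with no PIN value, so the DoS this commit set out to fix is still reachable), and when a PIN is present `pin` stays NULL and the function falls into `goto oom` on the next line. The condition should read `if (tp->value)` followed by `pin = strndup((char *)tp->value, tp->size);`, so that a missing value still takes the existing `if (!pin) goto oom;` path as the removed line did. The duplicated PIN is now a heap copy of a secret that, per the commit message, cms_set_pw_data() owns and frees; it would be worth confirming that the free path wipes it (explicit_bzero) before releasing, but that code is outside this hunk. handle_unlock_token() begins before this hunk and continues after it, so the `oom`/`malformed` labels and the buffer cleanup are not visible here.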
|
|
|