Fix bad free of cms data (DoS only)

handle_unlock_token() set the CMS data to an offset of an allocated buffer, rather than something allocated in its own right. cms_set_pw_data() would then attempt to free this value. Additionally, should pesignd not take SIGABRT at that point, handle_unlock_token() would then also free buffer. Signed-off-by: Robbie Harwood <[email protected]>
rhboot · Mar 3, 2022 · 7b78af4 · 7b78af4
1 parent f783f05
commit 7b78af4
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/daemon.c b/src/daemon.c
@@ -153,6 +153,7 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
 	struct msghdr msg;
 	struct iovec iov;
 	ssize_t n;
+	char *pin = NULL;
 
 	int rc = cms_context_alloc(&ctx->cms);
 	if (rc < 0) {
@@ -220,7 +221,8 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
 	if (!ctx->cms->tokenname)
 		goto oom;
 
-	char *pin = (char *)tp->value;
+	if (!tp->value)
+		pin = strndup((char *)tp->value, tp->size);
 	if (!pin)
 		goto oom;