From: Ahmad Fatoum <a.fatoum@barebox.org>
To: barebox@lists.infradead.org
Cc: "Claude Opus 4.6" <noreply@anthropic.com>,
Ahmad Fatoum <a.fatoum@barebox.org>
Subject: [PATCH master 2/3] jwt: fix buffer overflow and double-free in jwt_part_parse
Date: Mon, 2 Mar 2026 14:52:33 +0100 [thread overview]
Message-ID: <20260302135258.197132-2-a.fatoum@barebox.org> (raw)
In-Reply-To: <20260302135258.197132-1-a.fatoum@barebox.org>
jwt_part_parse() allocates a buffer with xmalloc(len) and then writes
a NUL terminator at decoded_len, but when len is 0 (empty JWT parts
like "..sig"), this writes past the allocation.
Additionally, when jsmn_parse_alloc() fails, the function frees
part->content but doesn't NULL the pointer. The caller then calls
jwt_free() → jwt_part_free() which frees part->content again.
Fix both: allocate len + 1 to accommodate the NUL terminator, and
NULL out part->content after freeing it on the error path.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum@barebox.org>
---
security/jwt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/jwt.c b/security/jwt.c
index e4be17dcfac0..e828ccfd8cfe 100644
--- a/security/jwt.c
+++ b/security/jwt.c
@@ -55,12 +55,13 @@ static int jwt_part_parse(struct jwt_part *part, const char *content, size_t len
{
size_t decoded_len;
- part->content = xmalloc(len);
+ part->content = xmalloc(len + 1);
decoded_len = decode_base64url(part->content, len, content);
part->content[decoded_len] = '\0';
part->tokens = jsmn_parse_alloc(part->content, decoded_len, &part->token_count);
if (!part->tokens) {
free(part->content);
+ part->content = NULL;
return -EILSEQ;
}
--
2.47.3
next prev parent reply other threads:[~2026-03-02 13:53 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-02 13:52 [PATCH master 1/3] treewide: fix -Wformat-security warnings for run_command() Ahmad Fatoum
2026-03-02 13:52 ` Ahmad Fatoum [this message]
2026-03-02 13:52 ` [PATCH master 3/3] of: fdt: fix heap-buffer-overflow in fdt_machine_is_compatible Ahmad Fatoum
2026-03-04 7:34 ` [PATCH master 1/3] treewide: fix -Wformat-security warnings for run_command() Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260302135258.197132-2-a.fatoum@barebox.org \
--to=a.fatoum@barebox.org \
--cc=barebox@lists.infradead.org \
--cc=noreply@anthropic.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox