Fix bad free of cms data (DoS only)

handle_unlock_token() set the CMS data to an offset of an allocated
buffer, rather than something allocated in its own right.
cms_set_pw_data() would then attempt to free this value.  Additionally,
should pesignd not take SIGABRT at that point, handle_unlock_token()
would then also free buffer.

Signed-off-by: Robbie Harwood <[email protected]>

Author: frozencemetery

src/daemon.c

@@ -153,6 +153,7 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
 	struct msghdr msg;
 	struct iovec iov;
 	ssize_t n;
+	char *pin = NULL;
 
 	int rc = cms_context_alloc(&ctx->cms);
 	if (rc < 0) {
@@ -220,7 +221,8 @@ handle_unlock_token(context *ctx, struct pollfd *pollfd, socklen_t size)
 	if (!ctx->cms->tokenname)
 		goto oom;
 
-	char *pin = (char *)tp->value;
+	if (!tp->value)
+		pin = strndup((char *)tp->value, tp->size);
 	if (!pin)
 		goto oom;