[PATCH v2025.09.y 52/58] jwt: fix buffer overflow and double-free in jwt_part_parse

[Ahmad Fatoum]

From: Ahmad Fatoum <a.fatoum at barebox.org>

jwt_part_parse() allocates a buffer with xmalloc(len) and then writes
a NUL terminator at decoded_len, but when len is 0 (empty JWT parts
like "..sig"), this writes past the allocation.

Additionally, when jsmn_parse_alloc() fails, the function frees
part->content but doesn't NULL the pointer. The caller then calls
jwt_free() → jwt_part_free() which frees part->content again.

Fix both: allocate len + 1 to accommodate the NUL terminator, and
NULL out part->content after freeing it on the error path.

(cherry picked from commit ca92053262374b3dbd741c1435dd90bbed4ec1e9)

Co-Authored-By: Claude Opus 4.6 <noreply at anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum at barebox.org>
Link: https://lore.barebox.org/20260302135258.197132-2-a.fatoum@barebox.org
Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
---
 security/jwt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/jwt.c b/security/jwt.c
index e4be17dcfac0..e828ccfd8cfe 100644
--- a/security/jwt.c
+++ b/security/jwt.c
@@ -55,12 +55,13 @@ static int jwt_part_parse(struct jwt_part *part, const char *content, size_t len
 {
 	size_t decoded_len;
 
-	part->content = xmalloc(len);
+	part->content = xmalloc(len + 1);
 	decoded_len = decode_base64url(part->content, len, content);
 	part->content[decoded_len] = '\0';
 	part->tokens = jsmn_parse_alloc(part->content, decoded_len, &part->token_count);
 	if (!part->tokens) {
 		free(part->content);
+		part->content = NULL;
 		return -EILSEQ;
 	}
 
-- 
2.47.3