From f8f080d7ded8b07b45833626dc29dc8c9dc4997f Mon Sep 17 00:00:00 2001 From: Andras Fekete Date: Mon, 23 Oct 2023 13:32:33 -0400 Subject: [PATCH 1/5] Don't nag about leaked resources --- examples/asn1/asn1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/examples/asn1/asn1.c b/examples/asn1/asn1.c index 34e7e6280..250733c40 100644 --- a/examples/asn1/asn1.c +++ b/examples/asn1/asn1.c @@ -470,6 +470,11 @@ int main(int argc, char* argv[]) if (ret != 0) { fprintf(stderr, "%s\n", wc_GetErrorString(ret)); } + + if (fp != stdin) { + fclose(fp); + fp = stdin; + } return (ret == 0) ? 0 : 1; } From 21d465cf9a8dedb7d5d40646a514e12db568b01f Mon Sep 17 00:00:00 2001 From: Andras Fekete Date: Tue, 24 Oct 2023 14:30:53 -0400 Subject: [PATCH 2/5] Fix possible double free --- wolfcrypt/src/asn.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e379f7e7c..8e8790501 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -37514,8 +37514,10 @@ int wc_MIME_parse_headers(char* in, int inLen, MimeHdr** headers) } else if (mimeStatus == MIME_BODYVAL && cur == ';' && pos >= 1) { end = pos-1; - if (bodyVal != NULL) + if (bodyVal != NULL) { XFREE(bodyVal, NULL, DYNAMIC_TYPE_PKCS7); + bodyVal = NULL; + } ret = wc_MIME_header_strip(curLine, &bodyVal, start, end); if (ret) { goto error; @@ -37608,9 +37610,12 @@ error: if (ret != 0) wc_MIME_free_hdrs(curHdr); wc_MIME_free_hdrs(nextHdr); - XFREE(nameAttr, NULL, DYNAMIC_TYPE_PKCS7); - XFREE(bodyVal, NULL, DYNAMIC_TYPE_PKCS7); - XFREE(nextParam, NULL, DYNAMIC_TYPE_PKCS7); + if (nameAttr != NULL) + XFREE(nameAttr, NULL, DYNAMIC_TYPE_PKCS7); + if (bodyVal != NULL) + XFREE(bodyVal, NULL, DYNAMIC_TYPE_PKCS7); + if (nextParam != NULL) + XFREE(nextParam, NULL, DYNAMIC_TYPE_PKCS7); return ret; } From 2877b7be505c00f9472d53536b976a60be1b0504 Mon Sep 17 00:00:00 2001 
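Review bot: The new `fclose(fp)` sits only on the final exit of `main` in examples/asn1/asn1.c, so any earlier `return` taken after the input file was opened would still leave it open. `main` starts outside this hunk, so that needs checking against the full function. The `fp != stdin` test also assumes `fp` is never NULL here, which holds only if a failed open returns before reaching this point. A short comment such as `/* close the input file; stdin is left to the runtime */` would record the intent.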
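Review bot: The `bodyVal = NULL;` added after the free in the `MIME_BODYVAL` branch of `wc_MIME_parse_headers` is what actually prevents the second free, but the code does not say why it is there. If `wc_MIME_header_strip` fails before it stores a new pointer, the `goto error` path frees `bodyVal` again, so the assignment deserves a comment like `/* cleared so the error path cannot free it twice if the strip fails */`. Whether `nameAttr` and `nextParam` are freed and reassigned the same way elsewhere in the function cannot be seen from this hunk. That is worth checking, since this parser presumably handles externally supplied MIME data.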
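Review bot: The `!= NULL` guards added under the `error:` label do not protect against a double free, because a pointer that was freed and not cleared is still non-NULL and passes the test. Only resetting the pointer at the point of the free does that, as the earlier hunk of this commit does for `bodyVal`. The guards help only if the configured `XFREE` does not accept NULL, which depends on the allocator and is not visible here. The three new `if` statements are also unbraced while the earlier hunk added braces to the same pattern, so `if (nameAttr != NULL) { XFREE(nameAttr, NULL, DYNAMIC_TYPE_PKCS7); }` would keep the function consistent.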
From: Andras Fekete Date: Tue, 24 Oct 2023 17:47:31 -0400 Subject: [PATCH 3/5] Fix possible memory leak --- src/x509.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/x509.c b/src/x509.c index 0780601e4..0bf17ba8e 100644 --- a/src/x509.c +++ b/src/x509.c @@ -14098,7 +14098,8 @@ int wolfSSL_X509_REQ_add1_attr_by_NID(WOLFSSL_X509 *req, } } ret = wolfSSL_sk_push(req->reqAttributes, attr); - if (ret != WOLFSSL_SUCCESS) { + if ((ret != WOLFSSL_SUCCESS) || (req->reqAttributes->type == STACK_TYPE_CIPHER)) { + /* CIPHER type makes a copy */ wolfSSL_X509_ATTRIBUTE_free(attr); } } From 42c241dbbfd715ebcc9177805c496d8dff83c5fc Mon Sep 17 00:00:00 2001 From: Andras Fekete Date: Fri, 27 Oct 2023 13:42:33 -0400 Subject: [PATCH 4/5] Avoid use of uninitialized array --- src/tls13.c | 13 ++++++++++--- tests/api.c | 3 +++ tests/srp.c | 12 ++++++++++++ wolfcrypt/benchmark/benchmark.c | 1 + wolfcrypt/src/hpke.c | 1 + wolfcrypt/src/pkcs7.c | 1 + 6 files changed, 28 insertions(+), 3 deletions(-) diff --git a/src/tls13.c b/src/tls13.c index f4028615b..07c7158ef 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -4723,10 +4723,14 @@ static int EchCheckAcceptance(WOLFSSL* ssl, const byte* input, int digestSize; HS_Hashes* tmpHashes; HS_Hashes* acceptHashes; - byte zeros[WC_MAX_DIGEST_SIZE] = {0}; + byte zeros[WC_MAX_DIGEST_SIZE]; byte transcriptEchConf[WC_MAX_DIGEST_SIZE]; byte expandLabelPrk[WC_MAX_DIGEST_SIZE]; byte acceptConfirmation[ECH_ACCEPT_CONFIRMATION_SZ]; + XMEMSET(zeros, 0, sizeof(zeros)); + XMEMSET(transcriptEchConf, 0, sizeof(transcriptEchConf)); + XMEMSET(expandLabelPrk, 0, sizeof(expandLabelPrk)); + XMEMSET(acceptConfirmation, 0, sizeof(acceptConfirmation)); /* copy ech hashes to accept */ ret = InitHandshakeHashesAndCopy(ssl, ssl->hsHashesEch, &acceptHashes); /* swap hsHashes to acceptHashes */ 
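Review bot: The extra `STACK_TYPE_CIPHER` condition after `wolfSSL_sk_push` in `wolfSSL_X509_REQ_add1_attr_by_NID` changes who owns `attr`, and the short comment does not explain when a request's attribute stack would have that type. A fuller comment, for example `/* push failed, or the stack copied attr (CIPHER type): attr is still ours to free */`, would make the ownership rule explicit. If `reqAttributes` can never be a cipher stack, the condition looks like it only satisfies a static analyzer and should say so. The operand order matters too, because the `||` short-circuit means `req->reqAttributes` is dereferenced only after the push succeeded. The condition line is longer than 80 columns and could be split at the `||`.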
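Review bot: Zero-filling `transcriptEchConf`, `expandLabelPrk` and `acceptConfirmation` at the top of `EchCheckAcceptance` silences the uninitialized-read warning but also hides any real read-before-write from tools such as MemorySanitizer or Valgrind, and no comment says which path was reading them unset. If a specific path leaves part of a buffer unwritten (for example fewer than `WC_MAX_DIGEST_SIZE` bytes produced), a comment naming that path, or a fix on it, would be more useful than a blanket `XMEMSET`. The same applies to the `XMEMSET` calls added in `EchWriteAcceptance`, tests/api.c, tests/srp.c, `bench_chacha`, `wc_HpkeContextOpenBase` and `wc_PKCS7_DecryptKtri`. Replacing `zeros[...] = {0}` with a separate `XMEMSET` is behaviourally the same, so that part is only a style choice. The function bodies continue outside these hunks.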
@@ -4839,9 +4843,12 @@ static int EchWriteAcceptance(WOLFSSL* ssl, byte* output, int digestSize; HS_Hashes* tmpHashes; HS_Hashes* acceptHashes; - byte zeros[WC_MAX_DIGEST_SIZE] = {0}; + byte zeros[WC_MAX_DIGEST_SIZE]; byte transcriptEchConf[WC_MAX_DIGEST_SIZE]; byte expandLabelPrk[WC_MAX_DIGEST_SIZE]; + XMEMSET(zeros, 0, sizeof(zeros)); + XMEMSET(transcriptEchConf, 0, sizeof(transcriptEchConf)); + XMEMSET(expandLabelPrk, 0, sizeof(expandLabelPrk)); /* copy ech hashes to accept */ ret = InitHandshakeHashesAndCopy(ssl, ssl->hsHashes, &acceptHashes); @@ -5710,7 +5717,7 @@ static void RefineSuites(WOLFSSL* ssl, Suites* peerSuites) if (AllocateSuites(ssl) != 0) return; - XMEMSET(suites, 0, WOLFSSL_MAX_SUITE_SZ); + XMEMSET(suites, 0, sizeof(suites)); if (!ssl->options.useClientOrder) { /* Server order refining. */ diff --git a/tests/api.c b/tests/api.c index cac34e717..3e82360ad 100644 --- a/tests/api.c +++ b/tests/api.c @@ -16876,6 +16876,7 @@ static int test_wc_Chacha_SetKey(void) word32 keySz = (word32)(sizeof(key)/sizeof(byte)); byte cipher[128]; + XMEMSET(cipher, 0, sizeof(cipher)); ExpectIntEQ(wc_Chacha_SetKey(&ctx, key, keySz), 0); /* Test bad args. */ ExpectIntEQ(wc_Chacha_SetKey(NULL, key, keySz), BAD_FUNC_ARG); @@ -54043,6 +54044,8 @@ static int test_wolfssl_EVP_chacha20(void) EVP_CIPHER_CTX* ctx = NULL; int outSz; + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); /* Encrypt. */ ExpectNotNull((ctx = EVP_CIPHER_CTX_new())); ExpectIntEQ(EVP_EncryptInit_ex(ctx, EVP_chacha20(), NULL, NULL, diff --git a/tests/srp.c b/tests/srp.c index fa91237fe..ef6aaad63 100644 --- a/tests/srp.c +++ b/tests/srp.c @@ -208,6 +208,7 @@ static void test_SrpSetPassword(void) byte v[64]; word32 vSz = 0; + XMEMSET(v, 0, sizeof(v)); AssertIntEQ(0, wc_SrpInit(&srp, SRP_TYPE_SHA, SRP_CLIENT_SIDE)); AssertIntEQ(0, wc_SrpSetUsername(&srp, username, usernameSz)); 
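Review bot: `XMEMSET(suites, 0, sizeof(suites))` in `RefineSuites` clears the whole buffer only if `suites` is declared as an array in this function, and its declaration is outside the hunk. If it is a pointer, or ever becomes one, `sizeof(suites)` is the pointer size and most of the buffer stays uninitialized; the old `WOLFSSL_MAX_SUITE_SZ` length did not have that failure mode. Confirm that the declaration reads `byte suites[WOLFSSL_MAX_SUITE_SZ];` before relying on `sizeof`.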
@@ -262,6 +263,7 @@ static void test_SrpGetPublic(void) byte pub[64]; word32 pubSz = 0; + XMEMSET(pub, 0, sizeof(pub)); AssertIntEQ(0, wc_SrpInit(&srp, SRP_TYPE_SHA, SRP_CLIENT_SIDE)); AssertIntEQ(0, wc_SrpSetUsername(&srp, username, usernameSz)); AssertIntEQ(0, wc_SrpSetParams(&srp, srp_N, sizeof(srp_N), @@ -318,6 +320,8 @@ static void test_SrpComputeKey(void) word32 clientPubKeySz = 64; word32 serverPubKeySz = 64; + XMEMSET(clientPubKey, 0, sizeof(clientPubKey)); + XMEMSET(serverPubKey, 0, sizeof(serverPubKey)); AssertIntEQ(0, wc_SrpInit(&cli, SRP_TYPE_SHA, SRP_CLIENT_SIDE)); AssertIntEQ(0, wc_SrpInit(&srv, SRP_TYPE_SHA, SRP_SERVER_SIDE)); @@ -388,6 +392,10 @@ static void test_SrpGetProofAndVerify(void) word32 clientProofSz = SRP_MAX_DIGEST_SIZE; word32 serverProofSz = SRP_MAX_DIGEST_SIZE; + XMEMSET(clientPubKey, 0, sizeof(clientPubKey)); + XMEMSET(serverPubKey, 0, sizeof(serverPubKey)); + XMEMSET(clientProof, 0, sizeof(clientProof)); + XMEMSET(serverProof, 0, sizeof(serverProof)); AssertIntEQ(0, wc_SrpInit(&cli, SRP_TYPE_SHA, SRP_CLIENT_SIDE)); AssertIntEQ(0, wc_SrpInit(&srv, SRP_TYPE_SHA, SRP_SERVER_SIDE)); @@ -792,6 +800,10 @@ static void test_SrpKeyGenFunc_cb(void) }; #endif + XMEMSET(clientPubKey, 0, sizeof(clientPubKey)); + XMEMSET(serverPubKey, 0, sizeof(serverPubKey)); + XMEMSET(clientProof, 0, sizeof(clientProof)); + XMEMSET(serverProof, 0, sizeof(serverProof)); AssertIntEQ(0, wc_SrpInit(&cli, SRP_TYPE_SHA512, SRP_CLIENT_SIDE)); AssertIntEQ(0, wc_SrpInit(&srv, SRP_TYPE_SHA512, SRP_SERVER_SIDE)); diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 1ff49a8d4..e49b323e5 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -4732,6 +4732,7 @@ void bench_chacha(void) double start; int i, count; + XMEMSET(&enc, 0, sizeof(enc)); wc_Chacha_SetKey(&enc, bench_key, 16); bench_stats_start(&count, &start); diff --git a/wolfcrypt/src/hpke.c b/wolfcrypt/src/hpke.c index 9206f5cea..2d666b8e0 100644 
--- a/wolfcrypt/src/hpke.c +++ b/wolfcrypt/src/hpke.c @@ -1125,6 +1125,7 @@ static int wc_HpkeContextOpenBase(Hpke* hpke, HpkeBaseContext* context, return BAD_FUNC_ARG; } + XMEMSET(nonce, 0, sizeof(nonce)); #ifdef WOLFSSL_SMALL_STACK aes_key = (Aes*)XMALLOC(sizeof(Aes), hpke->heap, DYNAMIC_TYPE_AES); if (aes_key == NULL) { diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 308a2d8b0..acb7c78fc 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -8693,6 +8693,7 @@ static int wc_PKCS7_DecryptKtri(PKCS7* pkcs7, byte* in, word32 inSz, mp_int serialNum[1]; RsaKey privKey[1]; #endif + XMEMSET(issuerHash, 0, sizeof(issuerHash)); #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) keyIdSize = wc_HashGetDigestSize(wc_HashTypeConvert(HashIdAlg( From bb9031da6eab051bac926013c332ba69441abdfa Mon Sep 17 00:00:00 2001 From: Andras Fekete Date: Wed, 1 Nov 2023 13:30:40 -0400 Subject: [PATCH 5/5] Remove dead code --- examples/asn1/asn1.c | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/asn1/asn1.c b/examples/asn1/asn1.c index 250733c40..891e4ec9a 100644 --- a/examples/asn1/asn1.c +++ b/examples/asn1/asn1.c @@ -473,7 +473,6 @@ int main(int argc, char* argv[]) if (fp != stdin) { fclose(fp); - fp = stdin; } return (ret == 0) ? 0 : 1; }