Merge pull request #8695 from JacobBarthelmeh/coverity

null derefernce sanity checks and control flow issue
2025-04-22 11:37:51 -05:00
parent 3ca444e0e1 d481086910
commit 25cd009a42
5 changed files with 14 additions and 1 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -7306,6 +7306,8 @@ int InitHandshakeHashesAndCopy(WOLFSSL* ssl, HS_Hashes* source,
    ret = InitHandshakeHashes(ssl);
    if (ret != 0) {
        WOLFSSL_MSG_EX("InitHandshakeHashes failed. err = %d", ret);
+        ssl->hsHashes = tmpHashes; /* restore hsHashes pointer to original
+                                    * before returning */
        return ret;
    }

--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@ -1112,7 +1112,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
        matchAnyKey = 1;
    }
 #ifdef WC_RSA_PSS
-    if(*keyFormat == RSAPSSk) {
+    if((ret == 0) && (*keyFormat == RSAPSSk)) {
        /*
            Require logic to verify that the der is RSAPSSk (when *keyFormat == RSAPSSK),
            and to detect that the der is RSAPSSk (when *keyFormat == 0).
--- a/src/ssl_sess.c
+++ b/src/ssl_sess.c
@ -3534,6 +3534,10 @@ int wolfSSL_SESSION_get_master_key_length(const WOLFSSL_SESSION* ses)
 #ifdef WOLFSSL_EARLY_DATA
 unsigned int wolfSSL_SESSION_get_max_early_data(const WOLFSSL_SESSION *session)
 {
+    if (session == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
    return session->maxEarlyDataSz;
 }
 #endif /* WOLFSSL_EARLY_DATA */
--- a/tests/quic.c
+++ b/tests/quic.c
@ -1675,6 +1675,9 @@ static int test_quic_early_data(int verbose) {
    QuicTestContext_free(&tclient);
    QuicTestContext_free(&tserver);

+    /* check for error value with null argument */
+    ExpectIntEQ(wolfSSL_SESSION_get_max_early_data(NULL), BAD_FUNC_ARG);
+
    /* QUIC requires 0 or 0xffffffff as only allowed values.
     * Since we enabled early data in the server that created the session,
     * we need to see it here. */
--- a/wolfcrypt/src/hpke.c
+++ b/wolfcrypt/src/hpke.c
@ -586,6 +586,10 @@ static int wc_HpkeContextComputeNonce(Hpke* hpke, HpkeBaseContext* context,
    int ret;
    byte seq_bytes[HPKE_Nn_MAX];

+    if (hpke == NULL || context == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
    /* convert the sequence into a byte string with the same length as the
     * nonce */
    ret = I2OSP(context->seq, (int)hpke->Nn, seq_bytes);