diff --git a/src/internal.c b/src/internal.c index d4a493a83..39fc8fdf7 100644 --- a/src/internal.c +++ b/src/internal.c @@ -13353,6 +13353,7 @@ int LoadCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type) } XFREE(filename, NULL, DYNAMIC_TYPE_OPENSSL); + filename = NULL; } #else (void) type; @@ -15478,6 +15479,8 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, else if (idx == 1) /* server cert must be OK */ ret = BAD_CERTIFICATE_STATUS_ERROR; } + + /* only frees 'single' if single->isDynamic is set */ FreeOcspResponse(response); *inOutIdx += status_length; diff --git a/src/ssl.c b/src/ssl.c index 9ba44df3f..b390efd63 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6464,7 +6464,8 @@ static int ProcessBufferTryDecodeRsa(WOLFSSL_CTX* ctx, WOLFSSL* ssl, #ifdef WOLF_PRIVATE_KEY_ID if ((ret != 0) && (devId != INVALID_DEVID #ifdef HAVE_PK_CALLBACKS - || wolfSSL_CTX_IsPrivatePkSet(ctx) + || ((ssl == NULL) ? wolfSSL_CTX_IsPrivatePkSet(ctx) : + wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) #endif )) { word32 nSz; @@ -6542,7 +6543,8 @@ static int ProcessBufferTryDecodeRsa(WOLFSSL_CTX* ctx, WOLFSSL* ssl, #ifdef WOLF_PRIVATE_KEY_ID if (ret != 0 && (devId != INVALID_DEVID #ifdef HAVE_PK_CALLBACKS - || wolfSSL_CTX_IsPrivatePkSet(ctx) + || ((ssl == NULL) ? wolfSSL_CTX_IsPrivatePkSet(ctx) : + wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) #endif )) { /* if using crypto or PK callbacks, try public key decode */ @@ -6623,7 +6625,8 @@ static int ProcessBufferTryDecodeEcc(WOLFSSL_CTX* ctx, WOLFSSL* ssl, #ifdef WOLF_PRIVATE_KEY_ID if (ret != 0 && (devId != INVALID_DEVID #ifdef HAVE_PK_CALLBACKS - || wolfSSL_CTX_IsPrivatePkSet(ctx) + || ((ssl == NULL) ? wolfSSL_CTX_IsPrivatePkSet(ctx) : + wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) #endif )) { /* if using crypto or PK callbacks, try public key decode */ 
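Review bot: The context selection `(ssl == NULL) ? wolfSSL_CTX_IsPrivatePkSet(ctx) : wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)` is pasted into the `HAVE_PK_CALLBACKS` condition here, in the second ProcessBufferTryDecodeRsa hunk, and in the Ecc, Ed25519 and Ed448 hunks, so any later correction must be made five times. Resolving the context once per function under the same `#ifdef`, `WOLFSSL_CTX* pkCtx = (ssl != NULL) ? ssl->ctx : ctx;`, and testing `wolfSSL_CTX_IsPrivatePkSet(pkCtx)` would keep the five conditions identical. When `ssl` is NULL the call still receives `ctx` unchecked, so confirm that wolfSSL_CTX_IsPrivatePkSet accepts a NULL argument; its body is not part of this diff. The enclosing functions start and end outside the hunks.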
@@ -6709,7 +6712,8 @@ static int ProcessBufferTryDecodeEd25519(WOLFSSL_CTX* ctx, WOLFSSL* ssl, #ifdef WOLF_PRIVATE_KEY_ID if (ret != 0 && (devId != INVALID_DEVID #ifdef HAVE_PK_CALLBACKS - || wolfSSL_CTX_IsPrivatePkSet(ctx) + || ((ssl == NULL) ? wolfSSL_CTX_IsPrivatePkSet(ctx) : + wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) #endif )) { /* if using crypto or PK callbacks, try public key decode */ @@ -6788,7 +6792,8 @@ static int ProcessBufferTryDecodeEd448(WOLFSSL_CTX* ctx, WOLFSSL* ssl, #ifdef WOLF_PRIVATE_KEY_ID if (ret != 0 && (devId != INVALID_DEVID #ifdef HAVE_PK_CALLBACKS - || wolfSSL_CTX_IsPrivatePkSet(ctx) + || ((ssl == NULL) ? wolfSSL_CTX_IsPrivatePkSet(ctx) : + wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) #endif )) { /* if using crypto or PK callbacks, try public key decode */ @@ -29974,12 +29979,16 @@ static void SESSION_ex_data_cache_update(WOLFSSL_SESSION* session, int idx, #endif ) { if (get) { - *getRet = wolfSSL_CRYPTO_get_ex_data( + if (getRet) { + *getRet = wolfSSL_CRYPTO_get_ex_data( &cacheSession->ex_data, idx); + } } else { - *setRet = wolfSSL_CRYPTO_set_ex_data( + if (setRet) { + *setRet = wolfSSL_CRYPTO_set_ex_data( &cacheSession->ex_data, idx, data); + } } foundCache = 1; break; @@ -36384,7 +36393,7 @@ static int wolfSSL_BIO_to_MIME_crlf(WOLFSSL_BIO* in, WOLFSSL_BIO* out) #endif XMEMSET(line, 0, MAX_MIME_LINE_LEN); - while ((lineLen = wolfSSL_BIO_gets(in, line, (int)sizeof(line))) > 0) { + while ((lineLen = wolfSSL_BIO_gets(in, line, MAX_MIME_LINE_LEN)) > 0) { if (line[lineLen - 1] == '\r' || line[lineLen - 1] == '\n') { canonLineLen = (word32)lineLen; @@ -36769,7 +36778,7 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) hashType = wc_OidGetHash(p7->hashOID); hashSz = wc_HashGetDigestSize(hashType); if (hashSz > WC_MAX_DIGEST_SIZE) - return WOLFSSL_FAILURE; + goto error; /* only SIGNED_DATA is supported */ switch (p7->contentOID) { 
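Review bot: In the `else` branch of SESSION_ex_data_cache_update, the new `if (setRet)` guard skips the call to wolfSSL_CRYPTO_set_ex_data entirely when `setRet` is NULL. The cached session's ex_data is then left unchanged, yet `foundCache = 1` still marks the entry as handled. The store should not depend on whether the caller wants the result: `int r = wolfSSL_CRYPTO_set_ex_data(&cacheSession->ex_data, idx, data);` followed by `if (setRet != NULL) *setRet = r;`. Skipping the lookup in the `get` branch is harmless because there is nowhere to put the value. Whether any caller passes a NULL `setRet` is not visible here, and the function body continues outside the hunk.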
@@ -36777,18 +36786,18 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) break; default: WOLFSSL_MSG("Unknown PKCS#7 Type"); - return WOLFSSL_FAILURE; + goto error; }; if ((wc_PKCS7_EncodeSignedData_ex(p7, hashBuf, hashSz, outputHead, &outputHeadSz, outputFoot, &outputFootSz)) != 0) - return WOLFSSL_FAILURE; + goto error; outputSz = outputHeadSz + p7->contentSz + outputFootSz; output = (byte*)XMALLOC(outputSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); if (!output) - return WOLFSSL_FAILURE; + goto error; XMEMSET(output, 0, outputSz); outputSz = 0; @@ -37177,6 +37186,8 @@ error: XFREE(section, NULL, DYNAMIC_TYPE_PKCS7); if (canonSection != NULL) XFREE(canonSection, NULL, DYNAMIC_TYPE_PKCS7); + if (canonLine != NULL) + XFREE(canonLine, NULL, DYNAMIC_TYPE_PKCS7); if (bcont) { wolfSSL_BIO_free(*bcont); *bcont = NULL; /* reset 'bcount' pointer to NULL on failure */ diff --git a/src/x509.c b/src/x509.c index 0780601e4..ee59c1558 100644 --- a/src/x509.c +++ b/src/x509.c @@ -1548,15 +1548,19 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, if (sk->next) { if ((valLen = XSNPRINTF(val, len, "%*s%s,", indent, "", str->strData)) - >= len) + >= len) { + XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); return rc; + } } else { if ((valLen = XSNPRINTF(val, len, "%*s%s", indent, "", str->strData)) - >= len) + >= len) { + XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); return rc; + } } - if (tmpLen + valLen > tmpSz) { + if ((tmpLen + valLen) >= tmpSz) { XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); return rc; } @@ -6480,7 +6484,8 @@ static int X509PrintSignature_ex(WOLFSSL_BIO* bio, byte* sig, break; } } - if (valLen >= (int)sizeof(tmp) - tmpLen - 1) { + if ((tmpLen < 0) || (valLen < 0) || + (valLen >= ((int)sizeof(tmp) - tmpLen - 1))) { ret = WOLFSSL_FAILURE; break; } 
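Review bot: `outputSz = outputHeadSz + p7->contentSz + outputFootSz` is computed without an overflow check, directly before the XMALLOC whose failure path this hunk reroutes to `goto error`. The `p7->contentSz` operand comes from the PKCS7 object, not from this function. If the operands are 32-bit unsigned (their declarations are outside the hunk), a very large content size would wrap the sum and the allocation would be smaller than the data assembled into it afterwards. A guard before the addition, for example `if (p7->contentSz > (word32)0xFFFFFFFF - outputHeadSz - outputFootSz) goto error;`, would reject that case. The `error` label is also outside the hunk, so confirm it copes with `output` still being NULL.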
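Review bot: Both XSNPRINTF results in wolfSSL_X509V3_EXT_print are compared only with `>= len`, so a negative return (a formatting error) is not treated as a failure here. The X509PrintSignature_ex hunk in this same commit adds explicit `valLen < 0` checks. If `valLen` is a signed int (its declaration is outside the hunk), a negative value passes both the `>= len` test and the new `(tmpLen + valLen) >= tmpSz` test. Using `if (valLen < 0 || valLen >= len)` in both branches would make the two functions consistent, and the duplicated free-and-return could then share one exit.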
@@ -12823,6 +12828,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, >= tmpSz) { WOLFSSL_MSG("buffer overrun"); + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); return WOLFSSL_FAILURE; } @@ -12833,6 +12839,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, >= tmpSz) { WOLFSSL_MSG("buffer overrun"); + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); return WOLFSSL_FAILURE; } tmpSz = len + nameStrSz + 1; /* 1 for '=' */ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e379f7e7c..e97445f56 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33607,6 +33607,9 @@ int DecodeAsymKey(const byte* input, word32* inOutIdx, word32 inSz, if (input == NULL || inOutIdx == NULL || inSz == 0 || privKey == NULL || privKeyLen == NULL) { + #ifdef WOLFSSL_ASN_TEMPLATE + FREE_ASNGETDATA(dataASN, NULL); + #endif return BAD_FUNC_ARG; } diff --git a/wolfcrypt/src/hpke.c b/wolfcrypt/src/hpke.c index 9206f5cea..7d293bca2 100644 --- a/wolfcrypt/src/hpke.c +++ b/wolfcrypt/src/hpke.c @@ -785,8 +785,10 @@ static int wc_HpkeEncap(Hpke* hpke, void* ephemeralKey, void* receiverKey, #ifdef ECC_TIMING_RESISTANT rng = wc_rng_new(NULL, 0, hpke->heap); - if (rng == NULL) - return RNG_FAILURE_E; + if (rng == NULL) { + ret = RNG_FAILURE_E; + break; + } wc_ecc_set_rng((ecc_key*)ephemeralKey, rng); #endif diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 308a2d8b0..b86ba1d33 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -6107,11 +6107,15 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng, (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \ !defined(HAVE_SELFTEST) ret = wc_ecc_set_rng(kari->senderKey, rng); - if (ret != 0) + if (ret != 0) { + XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7); return ret; + } ret = wc_ecc_set_rng(kari->recipKey, rng); - if (ret != 0) + if (ret != 0) { + XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7); return ret; + } #else (void)rng; #endif 
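Review bot: In wc_HpkeEncap, replacing `return RNG_FAILURE_E;` with `ret = RNG_FAILURE_E; break;` moves the failure handling to code after the enclosing switch or loop, which is outside this hunk. That later code must be gated on `ret == 0` before it touches `ephemeralKey`, and the `ECC_TIMING_RESISTANT` cleanup must accept `rng == NULL`. A short comment at the `break`, such as `/* rng is NULL here; cleanup below must tolerate it */`, would record that dependency for the next change to the function.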
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index 41619a009..b0bd2ddce 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -1866,9 +1866,13 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz) if (ret == DRBG_SUCCESS) ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz); - ForceZero(newSeed, sizeof(newSeed)); #ifdef WOLFSSL_SMALL_STACK + if (newSeed != NULL) { + ForceZero(newSeed, SEED_SZ + SEED_BLOCK_SZ); + } XFREE(newSeed, rng->heap, DYNAMIC_TYPE_SEED); + #else + ForceZero(newSeed, sizeof(newSeed)); #endif } else {
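Review bot: Under `WOLFSSL_SMALL_STACK` the zeroization length is now the literal `SEED_SZ + SEED_BLOCK_SZ`, which must match the size used when `newSeed` was allocated; that allocation is outside this hunk. If the two diverge, ForceZero either leaves seed bytes in freed heap memory or writes past the end of the buffer. Defining the size once, as a local constant or macro used by both the allocation and `ForceZero(newSeed, ...)`, would tie them together. At minimum, add a comment such as `/* must equal the allocation size of newSeed */`.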