From 449fb9c58131bb993af33c47ee25f30859f7b862 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 13:20:50 -0600 Subject: [PATCH 01/16] Fix for report CID 330424 wrong sizeof argument --- wolfcrypt/src/random.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index 41619a009..b0bd2ddce 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -1866,9 +1866,13 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz) if (ret == DRBG_SUCCESS) ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz); - ForceZero(newSeed, sizeof(newSeed)); #ifdef WOLFSSL_SMALL_STACK + if (newSeed != NULL) { + ForceZero(newSeed, SEED_SZ + SEED_BLOCK_SZ); + } XFREE(newSeed, rng->heap, DYNAMIC_TYPE_SEED); + #else + ForceZero(newSeed, sizeof(newSeed)); #endif } else { From 16b842992d1a34189bce8747c4b87451745caf28 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 13:27:30 -0600 Subject: [PATCH 02/16] fix for CID 330416 memory leak --- wolfcrypt/src/hpke.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/hpke.c b/wolfcrypt/src/hpke.c index 9206f5cea..7d293bca2 100644 --- a/wolfcrypt/src/hpke.c +++ b/wolfcrypt/src/hpke.c @@ -785,8 +785,10 @@ static int wc_HpkeEncap(Hpke* hpke, void* ephemeralKey, void* receiverKey, #ifdef ECC_TIMING_RESISTANT rng = wc_rng_new(NULL, 0, hpke->heap); - if (rng == NULL) - return RNG_FAILURE_E; + if (rng == NULL) { + ret = RNG_FAILURE_E; + break; + } wc_ecc_set_rng((ecc_key*)ephemeralKey, rng); #endif From 8add411d9a4a6a8ab5dc3f1a9013403ca6e5c464 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 13:35:08 -0600 Subject: [PATCH 03/16] fix for CID 330412 wrong sizeof argument --- src/ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index 9ba44df3f..6db1347fc 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -36384,7 +36384,7 @@ static int wolfSSL_BIO_to_MIME_crlf(WOLFSSL_BIO* in, WOLFSSL_BIO* out) #endif XMEMSET(line, 0, MAX_MIME_LINE_LEN); - while ((lineLen = wolfSSL_BIO_gets(in, line, (int)sizeof(line))) > 0) { + while ((lineLen = wolfSSL_BIO_gets(in, line, MAX_MIME_LINE_LEN)) > 0) { if (line[lineLen - 1] == '\r' || line[lineLen - 1] == '\n') { canonLineLen = (word32)lineLen; From c11176c276be27f847486d33eeed54d117e3391f Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 14:04:46 -0600 Subject: [PATCH 04/16] Fixes CID 330401 and 330392 memory leak --- src/internal.c | 2 ++ src/ssl.c | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index d4a493a83..c69309e72 100644 --- a/src/internal.c +++ b/src/internal.c @@ -15478,6 +15478,8 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, else if (idx == 1) /* server cert must be OK */ ret = BAD_CERTIFICATE_STATUS_ERROR; } + + /* only frees 'single' if single->isDynamic is set */ FreeOcspResponse(response); *inOutIdx += status_length; diff --git a/src/ssl.c b/src/ssl.c index 6db1347fc..fb2d80176 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -36777,18 +36777,18 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) break; default: WOLFSSL_MSG("Unknown PKCS#7 Type"); - return WOLFSSL_FAILURE; + goto error; }; if ((wc_PKCS7_EncodeSignedData_ex(p7, hashBuf, hashSz, outputHead, &outputHeadSz, outputFoot, &outputFootSz)) != 0) - return WOLFSSL_FAILURE; + goto error; outputSz = outputHeadSz + p7->contentSz + outputFootSz; output = (byte*)XMALLOC(outputSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); if (!output) - return WOLFSSL_FAILURE; + goto error; XMEMSET(output, 0, outputSz); outputSz = 0; From 7b20a5597c11fc521db170f639fc7edc90525ddc Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 14:11:21 -0600 Subject: [PATCH 05/16] Fix for CID 330399 memory leak on error case --- wolfcrypt/src/asn.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e379f7e7c..e97445f56 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33607,6 +33607,9 @@ int DecodeAsymKey(const byte* input, word32* inOutIdx, word32 inSz, if (input == NULL || inOutIdx == NULL || inSz == 0 || privKey == NULL || privKeyLen == NULL) { + #ifdef WOLFSSL_ASN_TEMPLATE + FREE_ASNGETDATA(dataASN, NULL); + #endif return BAD_FUNC_ARG; } From 8760ad947314833bfd4a7d7dd46a05193a4af9ee Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 14:17:31 -0600 Subject: [PATCH 06/16] Fix for CID 299847 memory leak on error case --- src/x509.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/x509.c b/src/x509.c index 0780601e4..68337a6e8 100644 --- a/src/x509.c +++ b/src/x509.c @@ -1549,11 +1549,13 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, if ((valLen = XSNPRINTF(val, len, "%*s%s,", indent, "", str->strData)) >= len) + XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); return rc; } else { if ((valLen = XSNPRINTF(val, len, "%*s%s", indent, "", str->strData)) >= len) + XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); return rc; } if (tmpLen + valLen > tmpSz) { From 271fa83a158b3225d6aa6aa5232d645805334179 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 14:28:47 -0600 Subject: [PATCH 07/16] Fix for CID 299778 memory leak on error case --- src/x509.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/x509.c b/src/x509.c index 68337a6e8..ec8b9c60d 100644 --- a/src/x509.c +++ b/src/x509.c @@ -12825,6 +12825,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, >= tmpSz) { WOLFSSL_MSG("buffer overrun"); + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); return WOLFSSL_FAILURE; } @@ -12835,6 +12836,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, >= tmpSz) { WOLFSSL_MSG("buffer overrun"); + XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); return WOLFSSL_FAILURE; } tmpSz = len + nameStrSz + 1; /* 1 for '=' */ From ef50cb3f02f00680b7cd67d353b1c21ff55c30a3 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 14:33:33 -0600 Subject: [PATCH 08/16] Fix for CID 299759 be explicit on compare --- src/x509.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/x509.c b/src/x509.c index ec8b9c60d..f9fc3853a 100644 --- a/src/x509.c +++ b/src/x509.c @@ -6482,7 +6482,7 @@ static int X509PrintSignature_ex(WOLFSSL_BIO* bio, byte* sig, break; } } - if (valLen >= (int)sizeof(tmp) - tmpLen - 1) { + if (valLen >= ((int)sizeof(tmp) - tmpLen - 1)) { ret = WOLFSSL_FAILURE; break; } From 33c4054cbba4ce227b41149b96b05ff3b41f8d03 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 14:36:51 -0600 Subject: [PATCH 09/16] Fix for CID 299748 memory leak in error case --- wolfcrypt/src/pkcs7.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 308a2d8b0..b86ba1d33 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -6107,11 +6107,15 @@ static int wc_PKCS7_KariGenerateKEK(WC_PKCS7_KARI* kari, WC_RNG* rng, (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \ !defined(HAVE_SELFTEST) ret = wc_ecc_set_rng(kari->senderKey, rng); - if (ret != 0) + if (ret != 0) { + XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7); return ret; + } ret = wc_ecc_set_rng(kari->recipKey, rng); - if (ret != 0) + if (ret != 0) { + XFREE(secret, kari->heap, DYNAMIC_TYPE_PKCS7); return ret; + } #else (void)rng; #endif From a2032dfb36fc1b7703875721f0f99536492394e1 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 14:50:13 -0600 Subject: [PATCH 10/16] touch up negative value sanity check, fix CID 210741 sanity check --- src/x509.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/x509.c b/src/x509.c index f9fc3853a..6edc0fcaf 100644 --- a/src/x509.c +++ b/src/x509.c @@ -1558,7 +1558,7 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); return rc; } - if (tmpLen + valLen > tmpSz) { + if ((tmpLen + valLen) >= tmpSz) { XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); return rc; } @@ -6482,7 +6482,8 @@ static int X509PrintSignature_ex(WOLFSSL_BIO* bio, byte* sig, break; } } - if (valLen >= ((int)sizeof(tmp) - tmpLen - 1)) { + if ((tmpLen < 0) || (valLen < 0) || + (valLen >= ((int)sizeof(tmp) - tmpLen - 1))) { ret = WOLFSSL_FAILURE; break; } From 0ba406a52ca20a0bbc92be6dc0cc1fc801cd5c42 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 15:02:10 -0600 Subject: [PATCH 11/16] Fix for CID 299536 possible null dereference --- src/ssl.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index fb2d80176..30da655be 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -29974,12 +29974,16 @@ static void SESSION_ex_data_cache_update(WOLFSSL_SESSION* session, int idx, #endif ) { if (get) { - *getRet = wolfSSL_CRYPTO_get_ex_data( + if (getRet) { + *getRet = wolfSSL_CRYPTO_get_ex_data( &cacheSession->ex_data, idx); + } } else { - *setRet = wolfSSL_CRYPTO_set_ex_data( + if (setRet) { + *setRet = wolfSSL_CRYPTO_set_ex_data( &cacheSession->ex_data, idx, data); + } } foundCache = 1; break; From 247bc151d9ed7ac59b37e93b2a0f4fba633578cf Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 15:10:32 -0600 Subject: [PATCH 12/16] Fix for CID 299627 memory leak on error case --- src/ssl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index 30da655be..c9a373dbb 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -37181,6 +37181,8 @@ error: XFREE(section, NULL, DYNAMIC_TYPE_PKCS7); if (canonSection != NULL) XFREE(canonSection, NULL, DYNAMIC_TYPE_PKCS7); + if (cannonLine != NULL) + XFREE(canonLine, NULL, DYNAMIC_TYPE_PKCS7); if (bcont) { wolfSSL_BIO_free(*bcont); *bcont = NULL; /* reset 'bcount' pointer to NULL on failure */ From 29782449ec454408ba99d61bb38fe7d27bb13abe Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 15:14:02 -0600 Subject: [PATCH 13/16] Fix for CID 299637 make sure after free'ing pointer it is not re-used --- src/internal.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/internal.c b/src/internal.c index c69309e72..39fc8fdf7 100644 --- a/src/internal.c +++ b/src/internal.c @@ -13353,6 +13353,7 @@ int LoadCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type) } XFREE(filename, NULL, DYNAMIC_TYPE_OPENSSL); + filename = NULL; } #else (void) type; From 7d5491994e22f492d00afe1afdab5e22f5907093 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 15:28:42 -0600 Subject: [PATCH 14/16] Fix for CID 299649 checking on if ctx is null --- src/ssl.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index c9a373dbb..33b5927df 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6464,7 +6464,8 @@ static int ProcessBufferTryDecodeRsa(WOLFSSL_CTX* ctx, WOLFSSL* ssl, #ifdef WOLF_PRIVATE_KEY_ID if ((ret != 0) && (devId != INVALID_DEVID #ifdef HAVE_PK_CALLBACKS - || wolfSSL_CTX_IsPrivatePkSet(ctx) + || ((ssl == NULL) ? wolfSSL_CTX_IsPrivatePkSet(ctx) : + wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) #endif )) { word32 nSz; @@ -6542,7 +6543,8 @@ static int ProcessBufferTryDecodeRsa(WOLFSSL_CTX* ctx, WOLFSSL* ssl, #ifdef WOLF_PRIVATE_KEY_ID if (ret != 0 && (devId != INVALID_DEVID #ifdef HAVE_PK_CALLBACKS - || wolfSSL_CTX_IsPrivatePkSet(ctx) + || ((ssl == NULL) ? wolfSSL_CTX_IsPrivatePkSet(ctx) : + wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) #endif )) { /* if using crypto or PK callbacks, try public key decode */ @@ -6623,7 +6625,8 @@ static int ProcessBufferTryDecodeEcc(WOLFSSL_CTX* ctx, WOLFSSL* ssl, #ifdef WOLF_PRIVATE_KEY_ID if (ret != 0 && (devId != INVALID_DEVID #ifdef HAVE_PK_CALLBACKS - || wolfSSL_CTX_IsPrivatePkSet(ctx) + || ((ssl == NULL) ? wolfSSL_CTX_IsPrivatePkSet(ctx) : + wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) #endif )) { /* if using crypto or PK callbacks, try public key decode */ @@ -6709,7 +6712,8 @@ static int ProcessBufferTryDecodeEd25519(WOLFSSL_CTX* ctx, WOLFSSL* ssl, #ifdef WOLF_PRIVATE_KEY_ID if (ret != 0 && (devId != INVALID_DEVID #ifdef HAVE_PK_CALLBACKS - || wolfSSL_CTX_IsPrivatePkSet(ctx) + || ((ssl == NULL) ? wolfSSL_CTX_IsPrivatePkSet(ctx) : + wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) #endif )) { /* if using crypto or PK callbacks, try public key decode */ @@ -6788,7 +6792,8 @@ static int ProcessBufferTryDecodeEd448(WOLFSSL_CTX* ctx, WOLFSSL* ssl, #ifdef WOLF_PRIVATE_KEY_ID if (ret != 0 && (devId != INVALID_DEVID #ifdef HAVE_PK_CALLBACKS - || wolfSSL_CTX_IsPrivatePkSet(ctx) + || ((ssl == NULL) ? wolfSSL_CTX_IsPrivatePkSet(ctx) : + wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) #endif )) { /* if using crypto or PK callbacks, try public key decode */ From 688b94cad29d13e57d817fb19ac214387da99026 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 16:11:18 -0600 Subject: [PATCH 15/16] fix typo and missing brackets --- src/ssl.c | 2 +- src/x509.c | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 33b5927df..6516366c6 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -37186,7 +37186,7 @@ error: XFREE(section, NULL, DYNAMIC_TYPE_PKCS7); if (canonSection != NULL) XFREE(canonSection, NULL, DYNAMIC_TYPE_PKCS7); - if (cannonLine != NULL) + if (canonLine != NULL) XFREE(canonLine, NULL, DYNAMIC_TYPE_PKCS7); if (bcont) { wolfSSL_BIO_free(*bcont); diff --git a/src/x509.c b/src/x509.c index 6edc0fcaf..ee59c1558 100644 --- a/src/x509.c +++ b/src/x509.c @@ -1548,15 +1548,17 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, if (sk->next) { if ((valLen = XSNPRINTF(val, len, "%*s%s,", indent, "", str->strData)) - >= len) + >= len) { XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); return rc; + } } else { if ((valLen = XSNPRINTF(val, len, "%*s%s", indent, "", str->strData)) - >= len) + >= len) { XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); return rc; + } } if ((tmpLen + valLen) >= tmpSz) { XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); From c3ed45d33182eb512e27547b69334ba942d92772 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 27 Oct 2023 16:34:04 -0600 Subject: [PATCH 16/16] additional case for CID 330392 and 330401 --- src/ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index 6516366c6..b390efd63 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -36778,7 +36778,7 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) hashType = wc_OidGetHash(p7->hashOID); hashSz = wc_HashGetDigestSize(hashType); if (hashSz > WC_MAX_DIGEST_SIZE) - return WOLFSSL_FAILURE; + goto error; /* only SIGNED_DATA is supported */ switch (p7->contentOID) {