From 6b3dec489811c01390b5d5167ea9949afdd9b795 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Wed, 4 Mar 2026 10:15:27 -0700
Subject: [PATCH 1/2] additional sanity check on number of groups passed to set groups function

---
 src/ssl.c              |  8 ++++++++
 tests/api/test_tls13.c | 14 ++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/src/ssl.c b/src/ssl.c
index 8f693bba1b..d772de1912 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -3041,6 +3041,10 @@ int wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups,
         WOLFSSL_MSG("Group count is zero");
         return WOLFSSL_FAILURE;
     }
+    if (count > WOLFSSL_MAX_GROUP_COUNT) {
+        WOLFSSL_MSG("Group count exceeds maximum");
+        return WOLFSSL_FAILURE;
+    }
     for (i = 0; i < count; i++) {
         if (isValidCurveGroup((word16)groups[i])) {
             _groups[i] = groups[i];
@@ -3076,6 +3080,10 @@ int wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count)
         WOLFSSL_MSG("Group count is zero");
         return WOLFSSL_FAILURE;
     }
+    if (count > WOLFSSL_MAX_GROUP_COUNT) {
+        WOLFSSL_MSG("Group count exceeds maximum");
+        return WOLFSSL_FAILURE;
+    }
     for (i = 0; i < count; i++) {
         if (isValidCurveGroup((word16)groups[i])) {
             _groups[i] = groups[i];
diff --git a/tests/api/test_tls13.c b/tests/api/test_tls13.c
index a6f411544b..5d3e3f41c4 100644
--- a/tests/api/test_tls13.c
+++ b/tests/api/test_tls13.c
@@ -119,6 +119,9 @@ int test_tls13_apis(void)
     int bad_groups[2] = { 0xDEAD, 0xBEEF };
 #endif /* !NO_WOLFSSL_SERVER || !NO_WOLFSSL_CLIENT */
     int numGroups = 2;
+#if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_CLIENT)
+    int too_many_groups[WOLFSSL_MAX_GROUP_COUNT + 1];
+#endif
 #endif
 #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
     char groupList[] =
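Review bot: The new upper-bound guard in wolfSSL_CTX_set1_groups rejects only counts above WOLFSSL_MAX_GROUP_COUNT; whether a negative `count` is rejected depends on the preceding zero check, which lies outside the hunk, so if that check is `count == 0` rather than `count <= 0` a negative value passes both guards and reaches the later call with an unchecked length. Writing the guard as `if (count < 0 || count > WOLFSSL_MAX_GROUP_COUNT) {` makes the accepted range self-contained regardless of what the earlier check does. The identical block added to wolfSSL_set1_groups in the second hunk has the same gap. The public doc comment of both functions should also state the accepted range of the count argument, e.g. `count must be between 1 and WOLFSSL_MAX_GROUP_COUNT inclusive`. Both enclosing functions start and end outside their hunks.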
@@ -605,6 +608,17 @@ int test_tls13_apis(void)
 #endif
     ExpectIntEQ(wolfSSL_CTX_set1_groups_list(NULL, groupList),
         WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+#ifndef NO_WOLFSSL_CLIENT
+    {
+        int idx;
+        for (idx = 0; idx < WOLFSSL_MAX_GROUP_COUNT + 1; idx++)
+            too_many_groups[idx] = WOLFSSL_ECC_SECP256R1;
+    }
+    ExpectIntEQ(wolfSSL_CTX_set1_groups(clientCtx, too_many_groups,
+        WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+    ExpectIntEQ(wolfSSL_set1_groups(clientSsl, too_many_groups,
+        WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+#endif
 #ifndef NO_WOLFSSL_CLIENT
 #ifndef WOLFSSL_NO_TLS12
     ExpectIntEQ(wolfSSL_CTX_set1_groups_list(clientTls12Ctx, groupList),

From be245dc4d76f0e813041073d5566dcb8cefb871b Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Wed, 4 Mar 2026 11:20:08 -0700
Subject: [PATCH 2/2] adjust macro guard on test case

---
 tests/api/test_tls13.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/api/test_tls13.c b/tests/api/test_tls13.c
index 5d3e3f41c4..4b4d1fb7c0 100644
--- a/tests/api/test_tls13.c
+++ b/tests/api/test_tls13.c
@@ -608,7 +608,7 @@ int test_tls13_apis(void)
 #endif
     ExpectIntEQ(wolfSSL_CTX_set1_groups_list(NULL, groupList),
         WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
-#ifndef NO_WOLFSSL_CLIENT
+#if defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_CLIENT)
     {
         int idx;
         for (idx = 0; idx < WOLFSSL_MAX_GROUP_COUNT + 1; idx++)
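Review bot: The new assertions cover only the rejection case, so nothing pins the accepted boundary: a count of exactly WOLFSSL_MAX_GROUP_COUNT should still succeed, and without that check a later tightening of the guard to `>=` would go unnoticed. Adding, after the two failure assertions, `ExpectIntEQ(wolfSSL_CTX_set1_groups(clientCtx, too_many_groups, WOLFSSL_MAX_GROUP_COUNT), WOLFSSL_SUCCESS);` closes that gap, assuming WOLFSSL_ECC_SECP256R1 is an accepted group in the configurations this test runs under. Deriving the count from the array, `(int)(sizeof(too_many_groups) / sizeof(too_many_groups[0]))`, would also keep the fill loop and both calls in step with the declaration instead of repeating `WOLFSSL_MAX_GROUP_COUNT + 1` four times. test_tls13_apis starts and ends outside the hunk.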