From 6123febd3fe8ca2051d4a895360cc420cf909af0 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Fri, 30 Jan 2026 17:34:37 -0600
Subject: [PATCH] src/ssl_sk.c, src/x509.c, wolfssl/ssl.h: tweaks and fixes to
 from #9705: remove !WOLFSSL_LINUXKM gates, and fix
 nullPointerArithmeticRedundantCheck in ExtractHostFromUri().

---
 src/ssl_sk.c  |  3 +--
 src/x509.c    | 18 +++++++++---------
 wolfssl/ssl.h |  4 ++--
 3 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/src/ssl_sk.c b/src/ssl_sk.c
index 2d1d374c2..9696a820a 100644
--- a/src/ssl_sk.c
+++ b/src/ssl_sk.c
@@ -811,8 +811,7 @@ static wolfSSL_sk_freefunc wolfssl_sk_get_free_func(WOLF_STACK_TYPE type)
             func = (wolfSSL_sk_freefunc)wolfSSL_GENERAL_NAME_free;
             break;
         case STACK_TYPE_GENERAL_SUBTREE:
-        #if defined(OPENSSL_EXTRA) && !defined(IGNORE_NAME_CONSTRAINTS) && \
-            !defined(WOLFSSL_LINUXKM)
+        #if defined(OPENSSL_EXTRA) && !defined(IGNORE_NAME_CONSTRAINTS)
             func = (wolfSSL_sk_freefunc)wolfSSL_GENERAL_SUBTREE_free;
         #endif
             break;
diff --git a/src/x509.c b/src/x509.c
index cec26ca24..291cd37ba 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -2218,8 +2218,7 @@ out:
 
 #endif /* OPENSSL_ALL || OPENSSL_EXTRA */
 
-#if defined(OPENSSL_EXTRA) && !defined(IGNORE_NAME_CONSTRAINTS) && \
-    !defined(WOLFSSL_LINUXKM)
+#if defined(OPENSSL_EXTRA) && !defined(IGNORE_NAME_CONSTRAINTS)
 /*
  * Convert a Base_entry linked list to a STACK of GENERAL_SUBTREE.
  *
@@ -2370,7 +2369,7 @@ static int ConvertBaseEntryToSubtreeStack(Base_entry* list, WOLFSSL_STACK* sk,
 
     return 0;
 }
-#endif /* OPENSSL_EXTRA && !IGNORE_NAME_CONSTRAINTS && !WOLFSSL_LINUXKM */
+#endif /* OPENSSL_EXTRA && !IGNORE_NAME_CONSTRAINTS */
 
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 /* Looks for the extension matching the passed in nid
@@ -2874,8 +2873,7 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c,
             }
             break;
 
-    #if defined(OPENSSL_EXTRA) && !defined(IGNORE_NAME_CONSTRAINTS) && \
-        !defined(WOLFSSL_LINUXKM)
+    #if defined(OPENSSL_EXTRA) && !defined(IGNORE_NAME_CONSTRAINTS)
         case NAME_CONS_OID:
         {
             WOLFSSL_NAME_CONSTRAINTS* nc = NULL;
@@ -2937,7 +2935,7 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c,
 
             return nc;
         }
-    #endif /* OPENSSL_EXTRA && !IGNORE_NAME_CONSTRAINTS && !WOLFSSL_LINUXKM */
+    #endif /* OPENSSL_EXTRA && !IGNORE_NAME_CONSTRAINTS */
 
         case PRIV_KEY_USAGE_PERIOD_OID:
             WOLFSSL_MSG("Private Key Usage Period extension not supported");
@@ -5327,7 +5325,7 @@ void wolfSSL_EXTENDED_KEY_USAGE_free(WOLFSSL_STACK * sk)
     wolfSSL_sk_X509_pop_free(sk, NULL);
 }
 
-#if !defined(IGNORE_NAME_CONSTRAINTS) && !defined(WOLFSSL_LINUXKM)
+#if !defined(IGNORE_NAME_CONSTRAINTS)
 /*
  * Allocate and initialize an empty GENERAL_SUBTREE structure.
  * Returns NULL on allocation failure.
@@ -5480,12 +5478,14 @@ static const char* ExtractHostFromUri(const char* uri, int uriLen, int* hostLen)
     const char* hostStart;
     const char* hostEnd;
     const char* p;
-    const char* uriEnd = uri + uriLen;
+    const char* uriEnd;
 
     if (uri == NULL || uriLen <= 0 || hostLen == NULL) {
         return NULL;
     }
 
+    uriEnd = uri + uriLen;
+
     /* Find "://" to skip scheme */
     hostStart = NULL;
     for (p = uri; p < uriEnd - 2; p++) {
@@ -5692,7 +5692,7 @@ int wolfSSL_NAME_CONSTRAINTS_check_name(WOLFSSL_NAME_CONSTRAINTS* nc,
 
     return 1;
 }
-#endif /* !IGNORE_NAME_CONSTRAINTS && !WOLFSSL_LINUXKM */
+#endif /* !IGNORE_NAME_CONSTRAINTS */
 
 #if defined(OPENSSL_ALL) && !defined(NO_BIO)
 /* Outputs name string of the given WOLFSSL_GENERAL_NAME_OBJECT to WOLFSSL_BIO.
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index cf38c9e9d..08989907c 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -1984,7 +1984,7 @@ WOLFSSL_API int wolfSSL_GENERAL_NAME_print(WOLFSSL_BIO* out,
                                            WOLFSSL_GENERAL_NAME* name);
 WOLFSSL_API void wolfSSL_EXTENDED_KEY_USAGE_free(WOLFSSL_STACK * sk);
 
-#if !defined(IGNORE_NAME_CONSTRAINTS) && !defined(WOLFSSL_LINUXKM)
+#if !defined(IGNORE_NAME_CONSTRAINTS)
 WOLFSSL_API WOLFSSL_NAME_CONSTRAINTS* wolfSSL_NAME_CONSTRAINTS_new(void);
 WOLFSSL_API void wolfSSL_NAME_CONSTRAINTS_free(WOLFSSL_NAME_CONSTRAINTS* nc);
 WOLFSSL_API int wolfSSL_NAME_CONSTRAINTS_check_name(
@@ -1994,7 +1994,7 @@ WOLFSSL_API void wolfSSL_GENERAL_SUBTREE_free(WOLFSSL_GENERAL_SUBTREE* subtree);
 WOLFSSL_API int wolfSSL_sk_GENERAL_SUBTREE_num(const WOLFSSL_STACK* sk);
 WOLFSSL_API WOLFSSL_GENERAL_SUBTREE* wolfSSL_sk_GENERAL_SUBTREE_value(
         const WOLFSSL_STACK* sk, int idx);
-#endif /* !IGNORE_NAME_CONSTRAINTS && !WOLFSSL_LINUXKM */
+#endif /* !IGNORE_NAME_CONSTRAINTS */
 
 WOLFSSL_API WOLFSSL_DIST_POINT* wolfSSL_DIST_POINT_new(void);
 WOLFSSL_API void wolfSSL_DIST_POINT_free(WOLFSSL_DIST_POINT* dp);