From 6ee660841b01e8a28dae6d9e976bf66ffee267e9 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 16 Oct 2025 15:04:47 -0500 Subject: [PATCH] fixes/workarounds for -Wnull-dereferences, some true positive, some false positive: * src/pk.c:wolfSSL_RSA_meth_new() * tests/api.c:test_wolfSSL_PKCS7_certs() * tests/api.c:test_wolfSSL_X509V3_EXT_get() * wolfcrypt/src/asn.c:EncodeName() * wolfcrypt/src/pkcs12.c:wc_i2d_PKCS12() * wolfcrypt/src/port/af_alg/afalg_aes.c --- src/pk.c | 32 +++++++++++++-------------- tests/api.c | 10 +++++---- wolfcrypt/src/asn.c | 9 +++++--- wolfcrypt/src/pkcs12.c | 6 +++-- wolfcrypt/src/port/af_alg/afalg_aes.c | 20 +++++++++++++++++ 5 files changed, 52 insertions(+), 25 deletions(-) diff --git a/src/pk.c b/src/pk.c index 113112f1f..8f07a679c 100644 --- a/src/pk.c +++ b/src/pk.c @@ -970,23 +970,23 @@ WOLFSSL_RSA_METHOD *wolfSSL_RSA_meth_new(const char *name, int flags) int err; /* Validate name is not NULL. */ - err = (name == NULL); - if (!err) { - /* Allocate an RSA METHOD to return. */ - meth = (WOLFSSL_RSA_METHOD*)XMALLOC(sizeof(WOLFSSL_RSA_METHOD), NULL, - DYNAMIC_TYPE_OPENSSL); - err = (meth == NULL); - } - if (!err) { - XMEMSET(meth, 0, sizeof(*meth)); - meth->flags = flags; - meth->dynamic = 1; + if (name == NULL) + return NULL; + /* Allocate an RSA METHOD to return. */ + meth = (WOLFSSL_RSA_METHOD*)XMALLOC(sizeof(WOLFSSL_RSA_METHOD), NULL, + DYNAMIC_TYPE_OPENSSL); + if (meth == NULL) + return NULL; + + XMEMSET(meth, 0, sizeof(*meth)); + meth->flags = flags; + meth->dynamic = 1; + + name_len = (int)XSTRLEN(name); + meth->name = (char*)XMALLOC((size_t)(name_len + 1), NULL, + DYNAMIC_TYPE_OPENSSL); + err = (meth->name == NULL); - name_len = (int)XSTRLEN(name); - meth->name = (char*)XMALLOC((size_t)(name_len + 1), NULL, - DYNAMIC_TYPE_OPENSSL); - err = (meth->name == NULL); - } if (!err) { XMEMCPY(meth->name, name, (size_t)(name_len + 1)); } diff --git a/tests/api.c b/tests/api.c index 44e3fabe2..fe32649b1 100644 --- a/tests/api.c +++ b/tests/api.c @@ -20116,8 +20116,8 @@ static int test_wolfSSL_PKCS7_certs(void) while (EXPECT_SUCCESS() && (sk_X509_INFO_num(info_sk) > 0)) { X509_INFO* info = NULL; ExpectNotNull(info = sk_X509_INFO_shift(info_sk)); - ExpectIntGT(sk_X509_push(sk, info->x509), 0); - if (EXPECT_SUCCESS() && (info != NULL)) { + if (info != NULL) { + ExpectIntGT(sk_X509_push(sk, info->x509), 0); info->x509 = NULL; } X509_INFO_free(info); @@ -32422,8 +32422,10 @@ static int test_wolfSSL_X509V3_EXT_get(void) ExpectIntNE((extNid = ext->obj->nid), NID_undef); ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext)); ExpectIntEQ(method->ext_nid, extNid); - if (method->ext_nid == NID_subject_key_identifier) { - ExpectNotNull(method->i2s); + if (EXPECT_SUCCESS()) { + if (method->ext_nid == NID_subject_key_identifier) { + ExpectNotNull(method->i2s); + } } } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index cddb408f3..55ab98ffd 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -29922,6 +29922,9 @@ static int EncodeName(EncodedName* name, const char* nameStr, name->used = 0; return 0; } + nameSz = (word32)cname->custom.valSz; + oid = cname->custom.oid; + oidSz = (word32)cname->custom.oidSz; } #else (void)cname; @@ -29961,9 +29964,9 @@ static int EncodeName(EncodedName* name, const char* nameStr, break; #ifdef WOLFSSL_CUSTOM_OID case ASN_CUSTOM_NAME: - nameSz = (word32)cname->custom.valSz; - oid = cname->custom.oid; - oidSz = (word32)cname->custom.oidSz; + /* oid setup is above (mitigating false positive + * -Wnull-dereference). + */ break; #endif #ifdef WOLFSSL_CERT_REQ diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c index 516ef654e..de368ac5a 100644 --- a/wolfcrypt/src/pkcs12.c +++ b/wolfcrypt/src/pkcs12.c @@ -977,8 +977,10 @@ int wc_i2d_PKCS12(WC_PKCS12* pkcs12, byte** der, int* derSz) totalSz += seqSz; /* check if getting length only */ - if (der == NULL && derSz != NULL) { - *derSz = (int)totalSz; + if (der == NULL) { + /* repeat nullness check locally to mollify -Wnull-dereference. */ + if (derSz != NULL) + *derSz = (int)totalSz; XFREE(sdBuf, pkcs12->heap, DYNAMIC_TYPE_PKCS); return WC_NO_ERR_TRACE(LENGTH_ONLY_E); } diff --git a/wolfcrypt/src/port/af_alg/afalg_aes.c b/wolfcrypt/src/port/af_alg/afalg_aes.c index 9e46bc0bb..aec42527e 100644 --- a/wolfcrypt/src/port/af_alg/afalg_aes.c +++ b/wolfcrypt/src/port/af_alg/afalg_aes.c @@ -186,6 +186,10 @@ int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, if ((sz / WC_AES_BLOCK_SIZE) > 0) { /* update IV */ cmsg = CMSG_FIRSTHDR(&(aes->msg)); + if (cmsg == NULL) { + WOLFSSL_MSG("CMSG_FIRSTHDR() in wc_AesCbcEncrypt() returned NULL unexpectedly."); + return SYSLIB_FAILED_E; + } ret = wc_Afalg_SetIv(CMSG_NXTHDR(&(aes->msg), cmsg), (byte*)(aes->reg), AES_IV_SIZE); if (ret < 0) { @@ -245,6 +249,10 @@ int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, if ((sz / WC_AES_BLOCK_SIZE) > 0) { /* update IV */ cmsg = CMSG_FIRSTHDR(&(aes->msg)); + if (cmsg == NULL) { + WOLFSSL_MSG("CMSG_FIRSTHDR() in wc_AesCbcDecrypt() returned NULL unexpectedly."); + return SYSLIB_FAILED_E; + } ret = wc_Afalg_SetIv(CMSG_NXTHDR(&(aes->msg), cmsg), (byte*)(aes->reg), AES_IV_SIZE); if (ret != 0) { @@ -397,6 +405,10 @@ int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen, /* update IV */ cmsg = CMSG_FIRSTHDR(&(aes->msg)); + if (cmsg == NULL) { + WOLFSSL_MSG("CMSG_FIRSTHDR() in wc_AesCtrEncrypt() returned NULL unexpectedly."); + return SYSLIB_FAILED_E; + } ret = wc_Afalg_SetIv(CMSG_NXTHDR(&(aes->msg), cmsg), (byte*)(aes->reg), AES_IV_SIZE); if (ret < 0) { @@ -613,7 +625,15 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, msg = &(aes->msg); cmsg = CMSG_FIRSTHDR(msg); + if (cmsg == NULL) { + WOLFSSL_MSG("CMSG_FIRSTHDR() in wc_AesGcmEncrypt() returned NULL unexpectedly."); + return SYSLIB_FAILED_E; + } cmsg = CMSG_NXTHDR(msg, cmsg); + if (cmsg == NULL) { + WOLFSSL_MSG("CMSG_NEXTHDR() in wc_AesGcmEncrypt() returned NULL unexpectedly."); + return SYSLIB_FAILED_E; + } /* set IV and AAD size */ ret = wc_Afalg_SetIv(cmsg, (byte*)iv, ivSz);