From 86e4a598b45f1344bd8fbaccd7804744fb2e7934 Mon Sep 17 00:00:00 2001 From: aidan garske Date: Thu, 25 Jun 2026 14:46:06 -0700 Subject: [PATCH] F-5855 - Bounds-check cert length against bundle end in esp_crt_bundle init --- .../src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c b/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c index 76c8abdb1c..c0baed8180 100644 --- a/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c +++ b/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c @@ -1382,6 +1382,13 @@ static esp_err_t wolfssl_esp_crt_bundle_init(const uint8_t *x509_bundle, ESP_LOGCBI(TAG, "- This certificate at 0x%x, length: %u", (intptr_t)cur_crt, cert_len); + if (cur_crt + CRT_HEADER_OFFSET + cert_len > bundle_end) { + ESP_LOGE(TAG, "Invalid certificate bundle cert length"); + _esp_crt_bundle_is_valid = ESP_FAIL; + ret = ESP_ERR_INVALID_ARG; + break; + } + /* TODO: optional gate out serial check for performance. */ /* Useful only for custom cert bundle, known to have no zeros. */ if (wolfssl_is_zero_serial_number(cur_crt + CRT_HEADER_OFFSET,