From 9b723b9e11d11d74290d5c4486eef71d167bc28c Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 10 Jun 2026 13:02:15 -0500 Subject: [PATCH] fix F-3024: Missing buffer-length validation in km_dh_decode_secret enables out-of-bounds read --- linuxkm/lkcapi_dh_glue.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/linuxkm/lkcapi_dh_glue.c b/linuxkm/lkcapi_dh_glue.c index 02dcf5d780..cc4dc8781e 100644 --- a/linuxkm/lkcapi_dh_glue.c +++ b/linuxkm/lkcapi_dh_glue.c @@ -356,6 +356,14 @@ static int km_dh_decode_secret(const u8 * buf, unsigned int len, return -EINVAL; } + if (len != expected_len) { + #ifdef WOLFKM_DEBUG_DH + pr_err("%s: km_dh_decode_secret: caller passed %u, expected %zu\n", + WOLFKM_DH_DRIVER, len, expected_len); + #endif /* WOLFKM_DEBUG_DH */ + return -EINVAL; + } + /* The rest of the fields are optional depending on how much data * was passed, and whether it's ffdhe or dh. */ if (params->key_size) {