Fix negative count and NULL pointer checks in group-setting and shared cipher APIs

Add count < 0 validation to wolfSSL_CTX_set_groups and wolfSSL_set_groups
(src/tls.c) to prevent negative count from bypassing the upper-bound check
and corrupting numGroups via byte truncation.

Widen count == 0 to count <= 0 and add NULL groups check in
wolfSSL_CTX_set1_groups and wolfSSL_set1_groups (src/ssl.c).

Add NULL buf and NULL cipher checks in wolfSSL_get_shared_ciphers to
prevent NULL pointer dereference.
This commit is contained in:
Colton Willey
2026-04-13 21:53:39 -07:00
parent 8fca95ce65
commit af0db53e86
+7 -5
View File
@@ -1295,10 +1295,12 @@ const char* wolfSSL_get_shared_ciphers(WOLFSSL* ssl, char* buf, int len)
{
const char* cipher;
if (ssl == NULL || len <= 0)
if (ssl == NULL || buf == NULL || len <= 0)
return NULL;
cipher = wolfSSL_get_cipher_name_iana(ssl);
if (cipher == NULL)
return NULL;
len = (int)min((word32)len, (word32)(XSTRLEN(cipher) + 1));
XMEMCPY(buf, cipher, (size_t)len);
return buf;
@@ -3321,8 +3323,8 @@ int wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups,
int i;
int _groups[WOLFSSL_MAX_GROUP_COUNT];
WOLFSSL_ENTER("wolfSSL_CTX_set1_groups");
if (count <= 0) {
WOLFSSL_MSG("Group count is not positive");
if (groups == NULL || count <= 0) {
WOLFSSL_MSG("Groups NULL or count not positive");
return WOLFSSL_FAILURE;
}
if (count > WOLFSSL_MAX_GROUP_COUNT) {
@@ -3360,8 +3362,8 @@ int wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count)
int i;
int _groups[WOLFSSL_MAX_GROUP_COUNT];
WOLFSSL_ENTER("wolfSSL_CTX_set1_groups");
if (count <= 0) {
WOLFSSL_MSG("Group count is not positive");
if (groups == NULL || count <= 0) {
WOLFSSL_MSG("Groups NULL or count not positive");
return WOLFSSL_FAILURE;
}
if (count > WOLFSSL_MAX_GROUP_COUNT) {