From af0db53e867c1330304f4629b8a7c4dfd198536a Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Mon, 13 Apr 2026 21:53:39 -0700 Subject: [PATCH] Fix negative count and NULL pointer checks in group-setting and shared cipher APIs Add count < 0 validation to wolfSSL_CTX_set_groups and wolfSSL_set_groups (src/tls.c) to prevent negative count from bypassing the upper-bound check and corrupting numGroups via byte truncation. Widen count == 0 to count <= 0 and add NULL groups check in wolfSSL_CTX_set1_groups and wolfSSL_set1_groups (src/ssl.c). Add NULL buf and NULL cipher checks in wolfSSL_get_shared_ciphers to prevent NULL pointer dereference. --- src/ssl.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index c215101175..89cd4543f7 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1295,10 +1295,12 @@ const char* wolfSSL_get_shared_ciphers(WOLFSSL* ssl, char* buf, int len) { const char* cipher; - if (ssl == NULL || len <= 0) + if (ssl == NULL || buf == NULL || len <= 0) return NULL; cipher = wolfSSL_get_cipher_name_iana(ssl); + if (cipher == NULL) + return NULL; len = (int)min((word32)len, (word32)(XSTRLEN(cipher) + 1)); XMEMCPY(buf, cipher, (size_t)len); return buf; @@ -3321,8 +3323,8 @@ int wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups, int i; int _groups[WOLFSSL_MAX_GROUP_COUNT]; WOLFSSL_ENTER("wolfSSL_CTX_set1_groups"); - if (count <= 0) { - WOLFSSL_MSG("Group count is not positive"); + if (groups == NULL || count <= 0) { + WOLFSSL_MSG("Groups NULL or count not positive"); return WOLFSSL_FAILURE; } if (count > WOLFSSL_MAX_GROUP_COUNT) { @@ -3360,8 +3362,8 @@ int wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count) int i; int _groups[WOLFSSL_MAX_GROUP_COUNT]; WOLFSSL_ENTER("wolfSSL_CTX_set1_groups"); - if (count <= 0) { - WOLFSSL_MSG("Group count is not positive"); + if (groups == NULL || count <= 0) { + WOLFSSL_MSG("Groups NULL or count not positive"); return WOLFSSL_FAILURE; } if (count > WOLFSSL_MAX_GROUP_COUNT) {