Merge pull request #10706 from JacobBarthelmeh/dev

defense in depth hardening for x509 extension create by OBJ and EVP decode update
This commit is contained in:
David Garske
2026-07-07 16:41:15 -07:00
committed by GitHub
4 changed files with 38 additions and 6 deletions
+17 -5
View File
@@ -298,6 +298,7 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_EXTENSION_create_by_OBJ(
{
int err = 0;
WOLFSSL_X509_EXTENSION *ret = ex;
WOLFSSL_ASN1_OBJECT *newObj = NULL;
WOLFSSL_ENTER("wolfSSL_X509_EXTENSION_create_by_OBJ");
@@ -311,7 +312,18 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_EXTENSION_create_by_OBJ(
err = 1;
}
}
else {
/* Duplicate the source object before freeing the existing one so that a
* caller passing the extension's own object (e.g. obtained via
* wolfSSL_X509_EXTENSION_get_object(ex)) does not read freed memory. */
if (err == 0) {
newObj = wolfSSL_ASN1_OBJECT_dup(obj);
if (newObj == NULL) {
err = 1;
}
}
if ((err == 0) && (ret == ex)) {
/* Prevent potential memory leaks and dangling pointers. */
wolfSSL_ASN1_OBJECT_free(ret->obj);
ret->obj = NULL;
@@ -320,10 +332,8 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_EXTENSION_create_by_OBJ(
if (err == 0) {
ret->crit = crit;
ret->obj = wolfSSL_ASN1_OBJECT_dup(obj);
if (ret->obj == NULL) {
err = 1;
}
ret->obj = newObj;
newObj = NULL;
}
if (err == 0) {
@@ -333,6 +343,8 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_EXTENSION_create_by_OBJ(
}
if (err == 1) {
/* Free the duplicate if it was created but not assigned to ret. */
wolfSSL_ASN1_OBJECT_free(newObj);
if (ret != ex) {
wolfSSL_X509_EXTENSION_free(ret);
}
+12
View File
@@ -404,6 +404,18 @@ int test_wolfSSL_EVP_DecodeUpdate(void)
);
ExpectIntEQ( outl, 0);
/* pass negative length */
ExpectIntEQ(
EVP_DecodeUpdate(
ctx,
decOutBuff,
&outl,
enc1,
-1), /* negative inl */
-1 /* expected result code -1: fail */
);
ExpectIntEQ( outl, 0);
ExpectIntEQ(EVP_DecodeBlock(NULL, NULL, 0), -1);
/* pass zero length input */
+8
View File
@@ -905,6 +905,14 @@ int test_wolfSSL_X509_EXTENSION_create_by_OBJ(void)
if (ext3 == NULL) {
wolfSSL_X509_EXTENSION_free(ext2);
}
/* Reuse the extension passing its own object as the source. This must not
* read freed memory (the source object aliases ext3's current object). */
if (ext3 != NULL) {
WOLFSSL_ASN1_OBJECT* self = NULL;
ExpectNotNull(self = wolfSSL_X509_EXTENSION_get_object(ext3));
ExpectNotNull(ext3 = wolfSSL_X509_EXTENSION_create_by_OBJ(ext3, self,
crit, str));
}
wolfSSL_X509_EXTENSION_free(ext3);
ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(NULL, NULL, -1),
+1 -1
View File
@@ -13471,7 +13471,7 @@ int wolfSSL_EVP_DecodeUpdate(WOLFSSL_EVP_ENCODE_CTX* ctx,
if (outl == NULL)
return -1;
if (ctx == NULL || out == NULL || in == NULL) {
if (ctx == NULL || out == NULL || in == NULL || inl < 0) {
*outl = 0;
return -1;
}