Fix potential overflows in used size calculation in generic, TI and SE050 hash functions.#9954
Fix potential overflows in used size calculation in generic, TI and SE050 hash functions.#9954kareem-wolfssl wants to merge 7 commits intowolfSSL:masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Prevents se050_hash_update from proceeding when se050Ctx->used + len would overflow, addressing the reported issue in #9951.
Changes:
- Introduces a safe-add check (
WC_SAFE_SUM_WORD32) before updating the hash state. - Adds a
tmpSzaccumulator to hold the checked sum ofused + len.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| if (se050Ctx == NULL || (len > 0 && data == NULL) || | ||
| !WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) { | ||
| return BAD_FUNC_ARG; | ||
| } |
There was a problem hiding this comment.
The overflow case (!WC_SAFE_SUM_WORD32(...)) is currently mapped to BAD_FUNC_ARG, which is also used for null-pointer arguments. Consider returning a more specific error code for an invalid/too-large length (e.g., the project’s standard buffer/length error), so callers can distinguish programming errors from input-size issues.
| if (se050Ctx == NULL || (len > 0 && data == NULL) || | |
| !WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) { | |
| return BAD_FUNC_ARG; | |
| } | |
| if (se050Ctx == NULL || (len > 0 && data == NULL)) { | |
| return BAD_FUNC_ARG; | |
| } | |
| if (!WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) { | |
| return LENGTH_ERROR; | |
| } |
| if (se050Ctx == NULL || (len > 0 && data == NULL) || | ||
| !WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) { | ||
| return BAD_FUNC_ARG; | ||
| } | ||
|
|
There was a problem hiding this comment.
This if condition now mixes argument validation and arithmetic overflow handling, which makes it harder to read and extend. Consider splitting it into sequential early-return checks (e.g., validate pointers first, then do the safe-sum check) so future changes don’t inadvertently weaken one of the checks.
| if (se050Ctx == NULL || (len > 0 && data == NULL) || | |
| !WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) { | |
| return BAD_FUNC_ARG; | |
| } | |
| if (se050Ctx == NULL) { | |
| return BAD_FUNC_ARG; | |
| } | |
| if (len > 0 && data == NULL) { | |
| return BAD_FUNC_ARG; | |
| } | |
| if (!WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) { | |
| return BAD_FUNC_ARG; | |
| } |
Thanks to Arjuna Arya for the report. Fixes wolfSSL#9951.
Thanks to Arjuna Arya for the report. Fixes wolfSSL#9955.
… additions. Fixes unused variable warning as well. Fix different type addition in hash.c.
kareem-wolfssl
changed the title
kareem-wolfssl
added
For This Release
|
Retest this please. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
| word32 usedSz = 0; | ||
|
|
||
| if ((hash== NULL) || (data == NULL))return BAD_FUNC_ARG; | ||
| if ((hash== NULL) || (data == NULL) || |
There was a problem hiding this comment.
This rejects data == NULL even when len == 0. In the same PR, se050_hash_update permits (len > 0 && data == NULL) only, which matches common hash-update API behavior (allowing a no-op update). Consider aligning TI’s hashUpdate argument validation to allow data == NULL when len == 0 for consistency and easier caller usage.
| if ((hash== NULL) || (data == NULL) || | |
| if ((hash == NULL) || ((len > 0) && (data == NULL)) || |
Description
Fixes #9951.
Thanks to Arjuna Arya for the report.
Testing
Built in tests
Checklist