From 7a6a78a1b00a9e60b17c1138ce85867c6c610f34 Mon Sep 17 00:00:00 2001
From: Paul Adelsbach
Date: Thu, 14 May 2026 09:49:03 -0700
Subject: [PATCH] F-3803: validate response sizes
---
 src/wh_client_crypto.c | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/src/wh_client_crypto.c b/src/wh_client_crypto.c
index d1819812..228271ce 100644
--- a/src/wh_client_crypto.c
+++ b/src/wh_client_crypto.c
@@ -3409,10 +3409,13 @@ int wh_Client_Ed25519Sign(whClientContext* ctx, ed25519_key* key,
 ret = _getCryptoResponse(dataPtr, WC_PK_TYPE_ED25519_SIGN,
 (uint8_t**)&res);
 if (ret >= 0) {
- uint32_t res_total =
+ const uint32_t res_len_min =
 sizeof(whMessageCrypto_GenericResponseHeader) +
- sizeof(*res) + res->sigSz;
- if (res_total > res_len) {
+ sizeof(*res);
+ if (res_len < res_len_min) {
+ ret = WH_ERROR_ABORTED;
+ }
+ else if (res->sigSz > (uint32_t)res_len - res_len_min) {
 ret = WH_ERROR_ABORTED;
 }
 }
@@ -3547,14 +3550,16 @@ int wh_Client_Ed25519Verify(whClientContext* ctx, ed25519_key* key,
 if (ret == WH_ERROR_OK) {
 ret = _getCryptoResponse(dataPtr, WC_PK_TYPE_ED25519_VERIFY,
 (uint8_t**)&res);
- if (ret >= 0 && res != NULL) {
- uint32_t res_total =
+ if (ret >= 0) {
+ const uint32_t res_len_min =
 sizeof(whMessageCrypto_GenericResponseHeader) +
 sizeof(*res);
- if (res_total > res_len) {
+ if (res_len >= res_len_min) {
+ *out_res = res->res;
+ }
+ else {
 ret = WH_ERROR_ABORTED;
 }
- *out_res = res->res;
 }
 }
 }
@@ -7808,7 +7813,15 @@ int wh_Client_MlDsaVerify(whClientContext* ctx, const byte* sig, word32 sig_len,
 /* wolfCrypt allows positive error codes on success in some
 * scenarios */
 if (ret >= 0) {
- *out_res = res->res;
+ const uint32_t res_len_min =
+ sizeof(whMessageCrypto_GenericResponseHeader) +
+ sizeof(*res);
+ if (res_len >= res_len_min) {
+ *out_res = res->res;
+ }
+ else {
+ ret = WH_ERROR_ABORTED;
+ }
 }
 }
 }
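Review bot: In wh_Client_Ed25519Sign the new `res_len < res_len_min` test runs only after `_getCryptoResponse(dataPtr, ...)` has already been handed the buffer, so a response shorter than `whMessageCrypto_GenericResponseHeader` is rejected only after the helper has processed it. The helper's body is not part of this patch; if it reads header fields from `dataPtr`, those bytes would not have been supplied by the current response. Unless a check outside the hunk already covers this, consider guarding the call with `if (res_len < sizeof(whMessageCrypto_GenericResponseHeader)) { ret = WH_ERROR_ABORTED; }`. The same call-then-check order is visible in the wh_Client_Ed25519Verify hunk and presumably applies to wh_Client_MlDsaVerify, where the call lies outside the hunk. Since all three sites repeat the `res_len_min` computation, a small shared static helper would keep them consistent.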
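Review bot: The rewritten condition in wh_Client_Ed25519Verify drops the `res != NULL` test that the old line had, so `res->res` is now read whenever `ret >= 0` and the length is sufficient. Whether `_getCryptoResponse` can return a non-negative value while leaving `res` NULL is not visible in this patch. If it can, keep the guard and treat that case as a malformed response, e.g. `if (res != NULL && res_len >= res_len_min) {`, so the existing `else` returns `WH_ERROR_ABORTED`. The function body starts and ends outside the hunk.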
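Review bot: On the new `else` path in wh_Client_MlDsaVerify `*out_res` is left untouched, so a caller that reads it without checking `ret` sees whatever value was there before the call. Whether it is cleared at function entry is outside the hunk; for a verification result it is safer to fail closed by adding `*out_res = 0;` next to `ret = WH_ERROR_ABORTED;`. The `else` branch added in wh_Client_Ed25519Verify has the same shape. A one-line comment above `res_len_min`, such as `/* Fixed-size part of the response: generic header plus verify result */`, would also document what is being bounded.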