Skip to content

Fix potential overflows in used size calculation in generic, TI and SE050 hash functions.#9954

Open
kareem-wolfssl wants to merge 3 commits intowolfSSL:masterfrom
kareem-wolfssl:gh9951
Open

Fix potential overflows in used size calculation in generic, TI and SE050 hash functions.#9954
kareem-wolfssl wants to merge 3 commits intowolfSSL:masterfrom
kareem-wolfssl:gh9951

Conversation

@kareem-wolfssl
Copy link
Contributor

@kareem-wolfssl kareem-wolfssl commented Mar 11, 2026

Description

Fixes #9951.

Thanks to Arjuna Arya for the report.

Testing

Built in tests

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@kareem-wolfssl kareem-wolfssl self-assigned this Mar 11, 2026
Copilot AI review requested due to automatic review settings March 11, 2026 21:59
@kareem-wolfssl kareem-wolfssl mentioned this pull request Mar 11, 2026
Closed
@kareem-wolfssl kareem-wolfssl added the Not For This Release Not for release 5.9.0 label Mar 11, 2026
Copilot AI reviewed Mar 11, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Prevents se050_hash_update from proceeding when se050Ctx->used + len would overflow, addressing the reported issue in #9951.

Changes:

  • Introduces a safe-add check (WC_SAFE_SUM_WORD32) before updating the hash state.
  • Adds a tmpSz accumulator to hold the checked sum of used + len.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

wolfcrypt/src/port/nxp/se050_port.c
Comment on lines +272 to 275
if (se050Ctx == NULL || (len > 0 && data == NULL) ||
!WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) {
return BAD_FUNC_ARG;
}
Copy link

Copilot AI Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The overflow case (!WC_SAFE_SUM_WORD32(...)) is currently mapped to BAD_FUNC_ARG, which is also used for null-pointer arguments. Consider returning a more specific error code for an invalid/too-large length (e.g., the project’s standard buffer/length error), so callers can distinguish programming errors from input-size issues.

Suggested change
if (se050Ctx == NULL || (len > 0 && data == NULL) ||
!WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) {
return BAD_FUNC_ARG;
}
if (se050Ctx == NULL || (len > 0 && data == NULL)) {
return BAD_FUNC_ARG;
}
if (!WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) {
return LENGTH_ERROR;
}

Copilot uses AI. Check for mistakes.
wolfcrypt/src/port/nxp/se050_port.c
Comment on lines +272 to 276
if (se050Ctx == NULL || (len > 0 && data == NULL) ||
!WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) {
return BAD_FUNC_ARG;
}

Copy link

Copilot AI Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This if condition now mixes argument validation and arithmetic overflow handling, which makes it harder to read and extend. Consider splitting it into sequential early-return checks (e.g., validate pointers first, then do the safe-sum check) so future changes don’t inadvertently weaken one of the checks.

Suggested change
if (se050Ctx == NULL || (len > 0 && data == NULL) ||
!WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) {
return BAD_FUNC_ARG;
}
if (se050Ctx == NULL) {
return BAD_FUNC_ARG;
}
if (len > 0 && data == NULL) {
return BAD_FUNC_ARG;
}
if (!WC_SAFE_SUM_WORD32(se050Ctx->used, len, tmpSz)) {
return BAD_FUNC_ARG;
}

Copilot uses AI. Check for mistakes.
@AryzXploit AryzXploit mentioned this pull request Mar 11, 2026
Open
@kareem-wolfssl
Ensure se050Ctx->used does not overflow in se050_hash_update.
dee131d 
Thanks to Arjuna Arya for the report.

Fixes wolfSSL#9951.
@kareem-wolfssl
Fix potential overflows in two additional hash functions.
139a9b3 
Thanks to Arjuna Arya for the report.

Fixes wolfSSL#9955.
@kareem-wolfssl
Use safe sum of used size after calculating it. No reason to redo the…
38f95a4 
… additions. Fixes unused variable warning as well.

Fix different type addition in hash.c.
@kareem-wolfssl kareem-wolfssl changed the title Ensure se050Ctx->used does not overflow in se050_hash_update. Fix potential overflows in used size calculation in generic, TI and SE050 hash functions. Mar 12, 2026
@kareem-wolfssl kareem-wolfssl added For This Release Release version 5.9.0 and removed Not For This Release Not for release 5.9.0 labels Mar 12, 2026
@kareem-wolfssl
Copy link
Contributor Author

kareem-wolfssl commented Mar 12, 2026

Retest this please.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@kareem-wolfssl kareem-wolfssl

Labels

For This Release Release version 5.9.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: Integer overflow in SE050 hash update could mess up the heap

2 participants

@kareem-wolfssl