From 8314aa56ae81d43d258ccfff2414fc2db4ec8c32 Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Tue, 10 Mar 2026 17:07:33 -0600 Subject: [PATCH 1/4] catch MEMORY_E from CALLOC_ASNSETDATA() --- wolfcrypt/src/asn.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d4ebfe9111..1f6e75d3f2 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -17964,6 +17964,10 @@ static word32 SetAlgoIDImpl(int algoOID, byte* output, int type, int curveSz, word32 algoSz = 0; CALLOC_ASNSETDATA(dataASN, algoIdASN_Length, ret, NULL); + if(ret < 0) { + /* Catch MEMORY_E */ + return 0; + } algoName = OidFromId((word32)algoOID, (word32)type, &algoSz); if (algoName == NULL) { From d432759fdd24f38f781c545bf271fd7c88a1b4ad Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Tue, 10 Mar 2026 17:33:32 -0600 Subject: [PATCH 2/4] verify algoSz is <= MAX_ALGO_SZ --- wolfcrypt/src/asn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 1f6e75d3f2..8bc8d76605 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -42553,7 +42553,7 @@ int wc_MakeCRL_ex(const byte* issuerDer, word32 issuerSz, /* Signature AlgorithmIdentifier */ algoSz = SetAlgoID(sigType, algoBuf, oidSigType, 0); - if (algoSz == 0) + if (algoSz == 0 || algoSz > MAX_ALGO_SZ) return ALGO_ID_E; /* thisUpdate */ From 6ebd967345b814af4dc30ad16958f2ecd72ed279 Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Wed, 11 Mar 2026 16:13:33 -0600 Subject: [PATCH 3/4] bounds check on ext_dump --- tests/quic.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/quic.c b/tests/quic.c index be1bab5780..29099a136c 100644 --- a/tests/quic.c +++ b/tests/quic.c @@ -731,9 +731,13 @@ static void ext_dump(const byte *data, size_t data_len, int indent) word16 len16, etype, i; printf("%*sextensions:\n", indent, " "); - while (idx < data_len) { + while (idx + 4 <= data_len) { ato16(&data[idx], &etype); /* extension type */ ato16(&data[idx+2], &len16); /* extension length */ + if (idx + 4 + len16 > data_len) { + printf(" unexpected extension length\n"); + break; + } printf(" extension: %04x [", etype); for (i = 0; i < len16; ++i) { printf("%s0x%02x", (i? ", ": ""), data[idx+4+i]); From d359f420aba861ebb7282a159faa9558d8c948e2 Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Thu, 12 Mar 2026 10:25:14 -0600 Subject: [PATCH 4/4] set *inLen = outLen if output == NULL, if != NULL, check that outLen <= *inLen before assigning *inLen = outLen --- wolfcrypt/src/asn.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 8bc8d76605..558179833b 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -12912,8 +12912,8 @@ static int DsaKeyIntsToDer(DsaKey* key, byte* output, word32* inLen, seqSz = SetSequence(verSz + intTotalLen, seq); outLen = seqSz + verSz + intTotalLen; - *inLen = outLen; if (output == NULL) { + *inLen = outLen; FreeTmpDsas(tmps, key->heap, ints); return WC_NO_ERR_TRACE(LENGTH_ONLY_E); } @@ -12921,6 +12921,7 @@ static int DsaKeyIntsToDer(DsaKey* key, byte* output, word32* inLen, FreeTmpDsas(tmps, key->heap, ints); return BAD_FUNC_ARG; } + *inLen = outLen; /* write to output */ XMEMCPY(output, seq, seqSz);