Fix integer overflow in wolfSSL_writev #9296

Closed
embhorn wants to merge 2 commits into wolfSSL:master from embhorn:zd20646

@embhorn embhorn commented Oct 13, 2025

Description

The total byte count is accumulated into a 32-bit word32 and used for allocation, while the copy loop uses the true iovec lengths. When the sum exceeds 32 bits, it wraps, under-allocating the buffer and causing an overflow in the subsequent copies.

Fixes zd20646

Testing

Unused code, visually confirmed

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@embhorn embhorn self-assigned this Oct 13, 2025

embhorn commented Oct 14, 2025

Retest this please

PRB-fipsv2-regression-and-rolling-release-v3 #7751 completed with status FAILURE (propagate: false to ignore)
org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: e9bc17cb-afd9-461c-87c2-51f71aa941db
Setting overall build result to FAILURE

@embhorn embhorn requested a review from douzzer October 14, 2025 14:56
@embhorn embhorn assigned wolfSSL-Bot and unassigned embhorn Oct 14, 2025

@dgarske dgarske left a comment

Consider squashing too

Comment thread src/ssl.c
for (i = 0; i < iovcnt; i++)
sending += iov[i].iov_len;
for (i = 0; i < iovcnt; i++) {
if (!WC_SAFE_SUM_WORD32(sending, (word32)iov[i].iov_len, sending))
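Review bot: the `(word32)iov[i].iov_len` cast in the WC_SAFE_SUM_WORD32 call narrows each length before the overflow check sees it, so an element whose `iov_len` does not fit in 32 bits is truncated and the checked sum can pass on the wrong value, while the copy loop still uses the true lengths. Compare `iov[i].iov_len` against the word32 maximum before casting, or accumulate in `size_t` with a checked add of that width and range-check the total once before it is used for the allocation.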
Member

Looks good, but technically over 80 chars...

[check-source-text] [4 of 52] [c243f41193]
    configure...   real 0m11.105s  user 0m5.781s  sys 0m3.870s
    [skipping "codespell" subtest in check-source-text -- codespell is missing or too old]
overlong lines added:
src/ssl.c:11582                 if (!WC_SAFE_SUM_WORD32(sending, (word32)iov[i].iov_len, sending))
    check-source-text OK

Comment thread src/ssl.c
for (i = 0; i < iovcnt; i++)
sending += iov[i].iov_len;
for (i = 0; i < iovcnt; i++) {
if (!WC_SAFE_SUM_WORD32(sending, (word32)iov[i].iov_len, sending))
Contributor

whoops, there's still a defect here -- you can't blindly truncate .iov_len to word32. you have to check if it fits in a word32 before casting it. we should use size_t for accumulation, and implement WC_SAFE_SUM_SIZE_T().

@douzzer douzzer mentioned this pull request Oct 14, 2025

douzzer commented Oct 15, 2025

Closed in favor of #9298

@douzzer douzzer closed this Oct 15, 2025
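
The wrapping accumulation from the PR description and the truncating-cast defect raised in review, side by side with a checked version, as an added C example that is not wolfSSL code. The function names and sample inputs are constructed for illustration, `uint32_t` stands in for `word32`, and the `one_huge` case assumes a 64-bit `size_t`.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/uio.h>

/* Illustration only, not wolfSSL code. 32-bit accumulator that wraps. */
static uint32_t sum_wrapping(const struct iovec *iov, int iovcnt)
{
    uint32_t sending = 0;
    for (int i = 0; i < iovcnt; i++)
        sending += (uint32_t)iov[i].iov_len;
    return sending;
}

/* Checked 32-bit add, but each length is narrowed before the check
 * (the defect raised in review). Returns 1 on success, 0 on overflow. */
static int sum_cast_then_check(const struct iovec *iov, int iovcnt,
                               uint32_t *total)
{
    uint32_t sending = 0;
    for (int i = 0; i < iovcnt; i++) {
        uint32_t len = (uint32_t)iov[i].iov_len; /* high bits dropped here */
        if (len > UINT32_MAX - sending)
            return 0;
        sending += len;
    }
    *total = sending;
    return 1;
}

/* Accumulate in size_t with a wrap check, then range-check once against
 * the 32-bit size used for the allocation. Returns 1 on success. */
static int sum_checked(const struct iovec *iov, int iovcnt, uint32_t *total)
{
    size_t sending = 0;
    for (int i = 0; i < iovcnt; i++) {
        if (iov[i].iov_len > SIZE_MAX - sending)
            return 0;                 /* size_t sum would wrap */
        sending += iov[i].iov_len;
    }
    if (sending > UINT32_MAX)
        return 0;                     /* does not fit the allocation size */
    *total = (uint32_t)sending;
    return 1;
}

/* Constructed inputs; iov_base is never dereferenced by the sums above. */
static const struct iovec two_big[2] = {
    { .iov_base = NULL, .iov_len = 0x80000000u },
    { .iov_base = NULL, .iov_len = 0x80000010u } };
static const struct iovec one_huge[1] = {
    { .iov_base = NULL, .iov_len = (size_t)UINT32_MAX + 17u } };
```

With `two_big` the wrapping sum reports 16 bytes for roughly 4 GiB of input; with `one_huge` the cast-then-check version also reports 16 bytes and succeeds, while `sum_checked` rejects both.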