Fix things found with ZeroPath #9325

Merged
JacobBarthelmeh merged 6 commits into wolfSSL:master from LinuxJedi:zp-fixes
Oct 21, 2025
@LinuxJedi
Member

Description

Fixes various things found using ZeroPath:

  • MicriumReceiveFrom: tighten peer validation
  • BioReceiveInternal: allow NULL write BIO
  • Guard ProcessKeyShare against truncated key shares
  • Validate AF_ALG RSA inputs
  • Bound buffered HTTP body size
  • Validate LinuxKM I/O lengths

Reject DTLS datagrams when the stored peer is missing, the address length changes, or the address bytes differ. The old check required both the length and byte comparisons to fail, letting spoofed peers through when only one mismatch occurred.
Some callers, such as the OCSP request context, only supply a read BIO. Guard the write-BIO pending check so a read error or EOF does not dereference NULL.
Add bounds check before reading named_group so malformed TLS 1.3 key share data cannot read past the supplied buffer.
Require the ciphertext length to match the RSA modulus before copying into the AF_ALG Xilinx stack buffer, preventing oversized inputs from overflowing the aligned scratch space.
Clamp per-chunk and aggregated HTTP response sizes before allocating in wolfIO_HttpProcessResponseBuf so untrusted Content-Length or chunk headers can’t overflow the arithmetic or force giant buffers.
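The peer check described in the MicriumReceiveFrom commit message above, shown as an added example; this is not code from this PR or from wolfSSL. The `peer_t` type, the function names and the sample addresses are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stored-peer record for illustration; not a wolfSSL type. */
typedef struct { const unsigned char *addr; size_t len; } peer_t;

/* Constructed sample addresses (4-byte IPv4 + 2-byte port). */
static const unsigned char PEER[]   = {192, 0, 2, 10, 0x11, 0x51};
static const unsigned char SPOOF[]  = {198, 51, 100, 7, 0x11, 0x51};
static const unsigned char PADDED[] = {192, 0, 2, 10, 0x11, 0x51, 0, 0};
static const peer_t STORED = { PEER, sizeof(PEER) };
static const peer_t EMPTY  = { NULL, 0 };   /* no peer stored yet */

/* Weak form: rejects only when BOTH the length and the bytes differ.
 * Assumes stored and stored->addr are non-NULL. */
static int peer_ok_weak(const peer_t *stored, const unsigned char *from,
                        size_t fromLen)
{
    size_t n = fromLen < stored->len ? fromLen : stored->len;
    if (fromLen != stored->len && memcmp(from, stored->addr, n) != 0)
        return 0;
    return 1;
}

/* Strict form: a missing peer or any single mismatch rejects. */
static int peer_ok_strict(const peer_t *stored, const unsigned char *from,
                          size_t fromLen)
{
    if (stored == NULL || stored->addr == NULL || from == NULL)
        return 0;
    if (fromLen != stored->len)
        return 0;
    return memcmp(from, stored->addr, fromLen) == 0;
}

int main(void)
{
    printf("same length, other bytes: weak=%d strict=%d\n",
           peer_ok_weak(&STORED, SPOOF, sizeof(SPOOF)),
           peer_ok_strict(&STORED, SPOOF, sizeof(SPOOF)));
    printf("same prefix, other length: weak=%d strict=%d\n",
           peer_ok_weak(&STORED, PADDED, sizeof(PADDED)),
           peer_ok_strict(&STORED, PADDED, sizeof(PADDED)));
    printf("no stored peer: strict=%d\n",
           peer_ok_strict(&EMPTY, PEER, sizeof(PEER)));
    return 0;
}
```

The weak form returns 1 (accept) for both single-mismatch cases, while the strict form returns 0 for each of them and for the missing-peer case.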
@devin-ai-integration
Contributor

🛟 Devin Lifeguard found 1 likely issues in this PR

  • pointer-null-check snippet snippet: Add a NULL check before using the buffer, e.g., if (buf == NULL) return -EINVAL; in both linuxkm_send() and linuxkm_recv() when size > 0.

@LinuxJedi
please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

Reject negative lengths and normalize to size_t before calling kernel_sendmsg/kernel_recvmsg so the kernel transport can’t be tricked into huge or wrapped iov_len values.
@LinuxJedi
Member Author

HAProxy test failures are due to hitting vtest/VTest2#8

@JacobBarthelmeh JacobBarthelmeh merged commit 936e350 into wolfSSL:master Oct 21, 2025
335 of 338 checks passed