From 5d54d8a488205c279d687d6da472906ffd595a21 Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Thu, 12 Mar 2026 16:59:19 -0600 Subject: [PATCH 1/4] init caCert before function can error out --- examples/ocsp_responder/ocsp_responder.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/ocsp_responder/ocsp_responder.c b/examples/ocsp_responder/ocsp_responder.c index f31d535e6ea..e18ce1470a2 100644 --- a/examples/ocsp_responder/ocsp_responder.c +++ b/examples/ocsp_responder/ocsp_responder.c @@ -749,6 +749,9 @@ THREAD_RETURN WOLFSSL_THREAD ocsp_responder_test(void* args) opts.sendCerts = 1; opts.readyFile = NULL; + /* Initialize caCert */ + XMEMSET(&caCert, 0, sizeof(caCert)); + /* Parse command line arguments */ while ((ch = mygetopt_long(argc, argv, "?p:c:r:k:i:R:n:vx", long_options, 0)) != -1) { @@ -848,7 +851,6 @@ THREAD_RETURN WOLFSSL_THREAD ocsp_responder_test(void* args) } /* Parse CA certificate to get subject */ - XMEMSET(&caCert, 0, sizeof(caCert)); wc_InitDecodedCert(&caCert, caCertDer, caCertDerSz, NULL); ret = wc_ParseCert(&caCert, CERT_TYPE, 0, NULL); if (ret != 0) { From 1ac4ba282b857bd81f5b6719aa4be9c5ce1ec827 Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Fri, 13 Mar 2026 15:47:35 -0600 Subject: [PATCH 2/4] remove early der free --- src/ssl_api_pk.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/ssl_api_pk.c b/src/ssl_api_pk.c index e068e5e31c2..c35d9155549 100644 --- a/src/ssl_api_pk.c +++ b/src/ssl_api_pk.c @@ -226,7 +226,6 @@ static int check_cert_key(const DerBuffer* cert, const DerBuffer* key, InitDecodedCert_ex(der, cert->buffer, cert->length, heap, devId); /* Parse certificate. */ if (ParseCertRelative(der, CERT_TYPE, NO_VERIFY, NULL, NULL) != 0) { - WC_FREE_VAR_EX(der, heap, DYNAMIC_TYPE_DCERT); ret = 0; } } From 8b7b6754d9e78576ff374054ec77763368212f35 Mon Sep 17 00:00:00 2001 
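Review bot: In ocsp_responder_test (PATCH 1/4, first hunk), the new comment `/* Initialize caCert */` restates the call and does not say why it was moved; something like `/* Zero caCert before any early exit so the cleanup code never sees uninitialized stack data */` would record the intent. Zeroing the struct is not the same as wc_InitDecodedCert, so this only helps if the cleanup path, which is outside the hunk, tolerates a zeroed but never-initialized DecodedCert. If that path frees caCert unconditionally, confirm the assumption or track initialization with an explicit flag set right after wc_InitDecodedCert. The function starts and ends outside the hunk.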
From: Ruby Martin Date: Fri, 13 Mar 2026 16:32:15 -0600 Subject: [PATCH 3/4] macro guard with WOLFSSL_SMALL_STACK to prevent dead code --- wolfcrypt/src/asn.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 2451b8624e0..b164679ec82 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -18027,10 +18027,13 @@ static word32 SetAlgoIDImpl(int algoOID, byte* output, int type, int curveSz, word32 algoSz = 0; CALLOC_ASNSETDATA(dataASN, algoIdASN_Length, ret, NULL); + +#ifdef WOLFSSL_SMALL_STACK if(ret < 0) { /* Catch MEMORY_E */ return 0; } +#endif algoName = OidFromId((word32)algoOID, (word32)type, &algoSz); if (algoName == NULL) { From 2ca2781756f81c4bd1f2fa68a66e0864e7b3fbad Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Fri, 13 Mar 2026 17:28:00 -0600 Subject: [PATCH 4/4] reallocate tmp buffer with space for null terminator --- examples/ocsp_responder/ocsp_responder.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/examples/ocsp_responder/ocsp_responder.c b/examples/ocsp_responder/ocsp_responder.c index e18ce1470a2..dcf9658a710 100644 --- a/examples/ocsp_responder/ocsp_responder.c +++ b/examples/ocsp_responder/ocsp_responder.c @@ -177,6 +177,16 @@ static int LoadFile(const char* filename, byte** buf, word32* bufSz, int* isPem) /* Check if PEM format by looking for -----BEGIN */ if (isPem) { + /* Reallocate with space for null terminator for XSTRSTR */ + byte* tmp = (byte*)XREALLOC(*buf, (word32)sz + 1, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (tmp == NULL) { + XFREE(*buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + *buf = NULL; + return MEMORY_E; + } + *buf = tmp; + (*buf)[sz] = '\0'; *isPem = (XSTRSTR((char*)*buf, "-----BEGIN") != NULL) ? 1 : 0; }
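Review bot: In SetAlgoIDImpl (PATCH 3/4), wrapping the `ret < 0` check in `#ifdef WOLFSSL_SMALL_STACK` makes the allocation-failure check depend on how CALLOC_ASNSETDATA expands, and that macro is not visible in this hunk. If it ever allocates under a different build option, the check silently disappears and dataASN would be used after a failed allocation. State the invariant next to the guard, for example `/* CALLOC_ASNSETDATA only allocates, and so only sets ret, when WOLFSSL_SMALL_STACK is defined */`. The function body continues outside the hunk.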
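Review bot: In LoadFile (PATCH 4/4), a length-bounded search would remove the need for this reallocation: `*isPem = (XSTRNSTR((char*)*buf, "-----BEGIN", (unsigned int)sz) != NULL) ? 1 : 0;` never reads past the data and avoids the extra allocation and copy. If the XREALLOC stays, `(word32)sz + 1` wraps to 0 when sz is 0xFFFFFFFF and truncates anything larger; whether sz is bounded earlier in the function is outside the hunk, so add a guard or a comment stating the bound. The new `return MEMORY_E` also exits without touching `*bufSz`, so check that callers do not use the size when the call fails. If this helper also loads the responder's private key, which I cannot confirm from here, note that a realloc may leave a stale copy of the contents in freed heap memory.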