Fix potential overflows in used size calculation in generic, TI and SE050 hash functions. #9954

Merged: dgarske merged 6 commits into wolfSSL:master from kareem-wolfssl:gh9951 on Mar 16, 2026

Conversation

@kareem-wolfssl
Contributor

Description

Fixes #9951.

Thanks to Arjuna Arya for the report.

Testing

Built in tests

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@kareem-wolfssl kareem-wolfssl self-assigned this Mar 11, 2026
Copilot AI review requested due to automatic review settings March 11, 2026 21:59
@kareem-wolfssl kareem-wolfssl added the Not For This Release Not for release 5.9.0 label Mar 11, 2026
Contributor

Copilot AI left a comment

Pull request overview

Prevents se050_hash_update from proceeding when se050Ctx->used + len would overflow, addressing the reported issue in #9951.

Changes:

  • Introduces a safe-add check (WC_SAFE_SUM_WORD32) before updating the hash state.
  • Adds a tmpSz accumulator to hold the checked sum of used + len.

@kareem-wolfssl kareem-wolfssl changed the title Ensure se050Ctx->used does not overflow in se050_hash_update. Fix potential overflows in used size calculation in generic, TI and SE050 hash functions. Mar 12, 2026
@kareem-wolfssl kareem-wolfssl added For This Release Release version 5.9.0 and removed Not For This Release Not for release 5.9.0 labels Mar 12, 2026
@kareem-wolfssl
Contributor Author

Retest this please.

Copilot AI review requested due to automatic review settings March 12, 2026 19:38
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Copilot AI review requested due to automatic review settings March 13, 2026 18:41
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Scottcjn pushed a commit to Scottcjn/wolfssl that referenced this pull request Mar 16, 2026

Both _wc_Hash_Grow() and hashUpdate() compute buffer sizes via
unchecked addition of used + inSz/len. If used is near UINT32_MAX,
the sum wraps to a small value, causing a small allocation followed
by a large memcpy — a heap buffer overflow.

Fix: use WC_SAFE_SUM_WORD32() to check for overflow before the
addition, consistent with the fix applied in wolfSSL#9954 for SE050.

Affects:
- wolfcrypt/src/hash.c: _wc_Hash_Grow() (WOLFSSL_HASH_KEEP)
- wolfcrypt/src/port/ti/ti-hash.c: hashUpdate() (WOLFSSL_TI_HASH)

Fixes wolfSSL#9955

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
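
The wraparound described in the commit message above, and the check-before-add pattern that addresses it, as an added example that is not wolfSSL's code and not part of this pull request. `keep_ctx`, `unchecked_total`, `safe_sum_u32` and `keep_append` are hypothetical names; `safe_sum_u32` stands in for the role the page gives `WC_SAFE_SUM_WORD32`, whose definition is not shown here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {          /* hypothetical "keep the message" hash state */
    uint8_t *msg;         /* accumulated input */
    uint32_t used;        /* bytes stored in msg */
} keep_ctx;

/* Size the unchecked code would request: wraps modulo 2^32. */
static uint32_t unchecked_total(uint32_t used, uint32_t len)
{
    return used + len;
}

/* Returns 1 and stores a + b in *out if the sum fits in 32 bits, else 0. */
static int safe_sum_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b)
        return 0;
    *out = a + b;
    return 1;
}

/* Hardened append: reject a wrapping sum before allocating or copying. */
static int keep_append(keep_ctx *ctx, const uint8_t *in, uint32_t len)
{
    uint32_t total;
    uint8_t *tmp;

    if (ctx == NULL || in == NULL || len == 0)
        return -1;
    if (!safe_sum_u32(ctx->used, len, &total))
        return -2;                    /* overflow: state left unchanged */
    if ((tmp = realloc(ctx->msg, total)) == NULL)
        return -3;
    memcpy(tmp + ctx->used, in, len);
    ctx->msg = tmp;
    ctx->used = total;
    return 0;
}

int main(void)
{
    keep_ctx c = { NULL, 0xFFFFFFF0u };   /* constructed: used near UINT32_MAX */
    uint8_t block[32] = { 0 };
    printf("unchecked size %u, checked rc %d\n",
           (unsigned)unchecked_total(c.used, 32), keep_append(&c, block, 32));
    return 0;
}
```

With the constructed values the unchecked sum comes out as 16 bytes for a 32-byte copy, while the checked path returns an error before `realloc` or `memcpy` is reached.
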
@dgarske dgarske merged commit b5c5327 into wolfSSL:master Mar 16, 2026
613 of 614 checks passed
Labels

For This Release Release version 5.9.0

Development

Successfully merging this pull request may close these issues.

[Bug]: Integer overflow in SE050 hash update could mess up the heap

5 participants