Fix wolfSSL#3058: GetSigLen NULL-deref on key->params

claude · claude · commit 45980104224e · 2026-04-29T08:52:16.000Z
wc_LmsKey_GetSigLen dereferenced key->params->sig_len without first guarding against key->params == NULL, so an Init -> GetSigLen call without a SetParameters in between (a plausible verify-only flow) would crash. wc_XmssKey_GetSigLen has a state check that incidentally catches the same condition, but lacks the explicit guard its sibling GetPubLen / GetPrivLen carry. Add (key->params == NULL) to the BAD_FUNC_ARG precondition block in both functions, matching wc_LmsKey_GetPubLen / wc_LmsKey_GetPrivLen and wc_XmssKey_GetPubLen / wc_XmssKey_GetPrivLen. Documented return contracts already list BAD_FUNC_ARG. Negative tests in test_rfc9802_x509_verify now Init a key and call GetSigLen on it without SetParameters, expecting BAD_FUNC_ARG, for both LMS and XMSS. https://claude.ai/code/session_01SnSQMb145Hkyyf7hQQQ8cq
diff --git a/tests/api.c b/tests/api.c
@@ -35754,6 +35754,16 @@ static int rfc9802_lms_import_negative(void)
         WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     wc_LmsKey_Free(&key);
 
+    /* GetSigLen on a key with no params set must not NULL-deref the
+     * params pointer; it must return BAD_FUNC_ARG instead. */
+    {
+        word32 sigLen = 0;
+        ExpectIntEQ(wc_LmsKey_Init(&key, NULL, INVALID_DEVID), 0);
+        ExpectIntEQ(wc_LmsKey_GetSigLen(&key, &sigLen),
+            WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+        wc_LmsKey_Free(&key);
+    }
+
     return EXPECT_RESULT();
 }
 #endif
@@ -35789,6 +35799,16 @@ static int rfc9802_xmss_import_negative(void)
         WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     wc_XmssKey_Free(&key);
 
+    /* GetSigLen on a key with no params set must not NULL-deref the
+     * params pointer; it must return BAD_FUNC_ARG instead. */
+    {
+        word32 sigLen = 0;
+        ExpectIntEQ(wc_XmssKey_Init(&key, NULL, INVALID_DEVID), 0);
+        ExpectIntEQ(wc_XmssKey_GetSigLen(&key, &sigLen),
+            WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+        wc_XmssKey_Free(&key);
+    }
+
     return EXPECT_RESULT();
 }
 #endif
diff --git a/wolfcrypt/src/wc_lms.c b/wolfcrypt/src/wc_lms.c
@@ -1531,7 +1531,7 @@ int wc_LmsKey_GetSigLen(const LmsKey* key, word32* len)
     int ret = 0;
 
     /* Validate parameters. */
-    if ((key == NULL) || (len == NULL)) {
+    if ((key == NULL) || (len == NULL) || (key->params == NULL)) {
         ret = BAD_FUNC_ARG;
     }
 
diff --git a/wolfcrypt/src/wc_xmss.c b/wolfcrypt/src/wc_xmss.c
@@ -1652,7 +1652,7 @@ int wc_XmssKey_GetSigLen(const XmssKey* key, word32* len)
     int ret = 0;
 
     /* Validate parameters. */
-    if ((key == NULL) || (len == NULL)) {
+    if ((key == NULL) || (len == NULL) || (key->params == NULL)) {
         ret = BAD_FUNC_ARG;
     }
     /* Validate state. */

Original file line number	Diff line number	Diff line change
`@@ -1531,7 +1531,7 @@ int wc_LmsKey_GetSigLen(const LmsKey* key, word32* len)`
`1531`	`1531`	`int ret = 0;`
`1532`	`1532`
`1533`	`1533`	`/* Validate parameters. */`
`1534`		`- if ((key == NULL) \|\| (len == NULL)) {`
	`1534`	`+ if ((key == NULL) \|\| (len == NULL) \|\| (key->params == NULL)) {`
`1535`	`1535`	`ret = BAD_FUNC_ARG;`
`1536`	`1536`	`}`
`1537`	`1537`
Original file line number	Diff line number	Diff line change
`@@ -1652,7 +1652,7 @@ int wc_XmssKey_GetSigLen(const XmssKey* key, word32* len)`
`1652`	`1652`	`int ret = 0;`
`1653`	`1653`
`1654`	`1654`	`/* Validate parameters. */`
`1655`		`- if ((key == NULL) \|\| (len == NULL)) {`
	`1655`	`+ if ((key == NULL) \|\| (len == NULL) \|\| (key->params == NULL)) {`
`1656`	`1656`	`ret = BAD_FUNC_ARG;`
`1657`	`1657`	`}`
`1658`	`1658`	`/* Validate state. */`