@@ -2826,14 +2826,30 @@ int wh_Client_Curve25519SharedSecret(whClientContext* ctx,
28262826 /* wolfCrypt allows positive error codes on success in some
28272827 * scenarios */
28282828 if (ret >= 0 ) {
2829+ uint8_t * res_out = (uint8_t * )(res + 1 );
2830+ const size_t hdr_sz =
2831+ sizeof (whMessageCrypto_GenericResponseHeader ) +
2832+ sizeof (* res );
2833+ /* Defensive bound: res->sz must fit within the actual
2834+ * received frame */
2835+ if (res_len < hdr_sz || res -> sz > (res_len - hdr_sz )) {
2836+ ret = WH_ERROR_ABORTED ;
2837+ }
28292838 if (out_size != NULL ) {
2839+ if ((ret >= 0 ) &&
2840+ (out != NULL ) && (res -> sz > * out_size )) {
2841+ /* Output buffer too small. Report required size
2842+ * and fail rather than silently truncating
2843+ * X25519 key material. */
2844+ ret = WH_ERROR_BUFFER_SIZE ;
2845+ }
2846+ /* Give caller the required size, even on failure */
28302847 * out_size = res -> sz ;
2831- }
2832- if (out != NULL ) {
2833- uint8_t * res_out = (uint8_t * )(res + 1 );
2834- memcpy (out , res_out , res -> sz );
2835- WH_DEBUG_VERBOSE_HEXDUMP ("[client] X25519:" , res_out ,
2836- res -> sz );
2848+ if ((ret >= 0 ) && (out != NULL ) && (res -> sz > 0 )) {
2849+ memcpy (out , res_out , res -> sz );
2850+ WH_DEBUG_VERBOSE_HEXDUMP ("[client] X25519:" ,
2851+ res_out , res -> sz );
2852+ }
28372853 }
28382854 }
28392855 }
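Review bot: With the copy now nested under `if (out_size != NULL)`, a call that passes a non-NULL `out` and a NULL `out_size` returns a non-negative `ret` without writing anything to `out`, so the caller would treat an unwritten buffer as the X25519 shared secret. Unless an argument check earlier in wh_Client_Curve25519SharedSecret (outside this hunk) already rejects that combination, fail it explicitly before the size checks, e.g. `if ((out != NULL) && (out_size == NULL)) { ret = WH_ERROR_BADARGS; }`. Separately, `*out_size = res->sz;` still runs after the frame check has set `WH_ERROR_ABORTED`, so the caller is handed a length that was just found inconsistent with the received frame, and when `res_len < hdr_sz` that field may not even belong to this response. Guarding the assignment with `if (ret != WH_ERROR_ABORTED)` would limit the "required size" report to the buffer-too-small case.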