Add d2i NULL-deref guards and regression tests

ColtonWilley · ColtonWilley · commit 1c90154ef805 · 2026-05-27T11:36:39.000-07:00
Add `*pp == NULL` checks to three d2i wrappers to prevent NULL deref
on public OpenSSL-compat APIs:
- d2i_evp_pkey (reachable via wolfSSL_d2i_PublicKey/PrivateKey)
- wolfSSL_d2i_OCSP_RESPONSE
- wolfSSL_d2i_ECDSA_SIG (template-ASN crash)

Also add regression tests for the existing PR fixes: ProcessBuffer
negative-size, PemToDer family negative-pemSz, GetCRLInfo negative-sz,
and wc_Set*Buffer derSz&lt;0.
diff --git a/src/ocsp.c b/src/ocsp.c
@@ -1272,6 +1272,8 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
 
     if (data == NULL)
         return NULL;
+    if (*data == NULL)
+        return NULL;
     if (len <= 0)
         return NULL;
 
diff --git a/src/pk_ec.c b/src/pk_ec.c
@@ -5000,7 +5000,7 @@ WOLFSSL_ECDSA_SIG* wolfSSL_d2i_ECDSA_SIG(WOLFSSL_ECDSA_SIG** sig,
     WOLFSSL_ECDSA_SIG *s = NULL;
 
     /* Validate parameter. */
-    if (pp == NULL) {
+    if (pp == NULL || *pp == NULL) {
         err = 1;
     }
     if ((!err) && (len <= 0)) {
diff --git a/tests/api.c b/tests/api.c
@@ -2516,6 +2516,28 @@ static int test_wolfSSL_CTX_use_certificate_buffer(void)
 
 } /* END test_wolfSSL_CTX_use_certificate_buffer */
 
+static int test_ProcessBuffer_negative_size(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_CERTS) && !defined(NO_TLS) && !defined(NO_WOLFSSL_SERVER) && \
+    defined(USE_CERT_BUFFERS_2048) && !defined(NO_RSA)
+    WOLFSSL_CTX* ctx = NULL;
+
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+
+    ExpectIntEQ(wolfSSL_CTX_use_certificate_buffer(ctx,
+        server_cert_der_2048, -1, WOLFSSL_FILETYPE_ASN1),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+
+    ExpectIntEQ(wolfSSL_CTX_use_certificate_buffer(ctx,
+        server_cert_der_2048, sizeof_server_cert_der_2048,
+        WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+
 static int test_wolfSSL_use_certificate_buffer(void)
 {
     EXPECT_DECLS;
@@ -12159,6 +12181,12 @@ static int test_wc_PemToDer(void)
 
     XMEMSET(&info, 0, sizeof(info));
 
+    {
+        const byte dummy = 'X';
+        ExpectIntEQ(wc_PemToDer(&dummy, -1, CERT_TYPE, &pDer, NULL,
+            &info, &eccKey), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    }
+
     ExpectIntEQ(ret = load_file(ca_cert, &cert_buf, &cert_sz), 0);
     ExpectIntEQ(ret = wc_PemToDer(cert_buf, (long int)cert_sz, CERT_TYPE, &pDer, NULL,
         &info, &eccKey), 0);
@@ -12332,6 +12360,10 @@ static int test_wc_KeyPemToDer(void)
     ExpectIntEQ(wc_KeyPemToDer(cert_buf, 0, (byte*)&cert_der, cert_sz, ""),
         WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 
+    /* Bad arg: NULL der buffer with negative pemSz (NULL-deref guard). */
+    ExpectIntEQ(wc_KeyPemToDer(cert_buf, -1, NULL, 0, ""),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+
     /* Test normal operation */
     cert_dersz = cert_sz; /* DER will be smaller than PEM */
     ExpectNotNull(cert_der = (byte*)malloc((size_t)cert_dersz));
@@ -23478,6 +23510,13 @@ static int test_wc_SetIssueBuffer(void)
 
     ExpectIntEQ(0, wc_SetIssuerBuffer(&forgedCert, peerCertBuf, peerCertSz));
 
+    /* Negative-size rejection: pin both wc_SetIssuerBuffer and
+     * wc_SetSubjectBuffer (representatives for the seven wc_Set* siblings). */
+    ExpectIntEQ(wc_SetIssuerBuffer(&forgedCert, peerCertBuf, -1),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wc_SetSubjectBuffer(&forgedCert, peerCertBuf, -1),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+
     wolfSSL_FreeX509(x509);
 #endif
     return EXPECT_RESULT();
@@ -27379,6 +27418,9 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
         WOLFSSL_SUCCESS);
     AssertIntEQ(XMEMCMP(
         crlInfo.crlNumber, exp_crlnum, XSTRLEN(exp_crlnum)), 0);
+    ExpectIntEQ(wolfSSL_CertManagerGetCRLInfo(
+        cm, &crlInfo, crlLrgCrlNumBuff, -1, WOLFSSL_FILETYPE_PEM),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     /* Expect to fail loading CRL because of >21 octets CRL number */
     ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_lrgcrlnum2,
                                                 WOLFSSL_FILETYPE_PEM),
@@ -40624,6 +40666,7 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_wolfSSL_CTX_use_certificate),
     TEST_DECL(test_wolfSSL_CTX_use_certificate_file),
     TEST_DECL(test_wolfSSL_CTX_use_certificate_buffer),
+    TEST_DECL(test_ProcessBuffer_negative_size),
     TEST_DECL(test_wolfSSL_use_certificate_buffer),
     TEST_DECL(test_wolfSSL_CTX_use_PrivateKey_file),
     TEST_DECL(test_wolfSSL_CTX_use_RSAPrivateKey_file),
diff --git a/wolfcrypt/src/evp_pk.c b/wolfcrypt/src/evp_pk.c
@@ -1240,7 +1240,7 @@ static WOLFSSL_EVP_PKEY* d2i_evp_pkey(int type, WOLFSSL_EVP_PKEY** out,
     (void)opt;
 
     /* Validate parameters. */
-    if (in == NULL || inSz < 0) {
+    if (in == NULL || *in == NULL || inSz <= 0) {
         WOLFSSL_MSG("Bad argument");
         return NULL;
     }

Original file line number	Diff line number	Diff line change
`@@ -5000,7 +5000,7 @@ WOLFSSL_ECDSA_SIG* wolfSSL_d2i_ECDSA_SIG(WOLFSSL_ECDSA_SIG** sig,`
`5000`	`5000`	`WOLFSSL_ECDSA_SIG *s = NULL;`
`5001`	`5001`
`5002`	`5002`	`/* Validate parameter. */`
`5003`		`- if (pp == NULL) {`
	`5003`	`+ if (pp == NULL \|\| *pp == NULL) {`
`5004`	`5004`	`err = 1;`
`5005`	`5005`	`}`
`5006`	`5006`	`if ((!err) && (len <= 0)) {`
Original file line number	Diff line number	Diff line change
`@@ -1240,7 +1240,7 @@ static WOLFSSL_EVP_PKEY* d2i_evp_pkey(int type, WOLFSSL_EVP_PKEY** out,`
`1240`	`1240`	`(void)opt;`
`1241`	`1241`
`1242`	`1242`	`/* Validate parameters. */`
`1243`		`- if (in == NULL \|\| inSz < 0) {`
	`1243`	`+ if (in == NULL \|\| *in == NULL \|\| inSz <= 0) {`
`1244`	`1244`	`WOLFSSL_MSG("Bad argument");`
`1245`	`1245`	`return NULL;`
`1246`	`1246`	`}`