From 6409a9e9a2cc7b083fb53cf96ac63d50feed0389 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 1 Jul 2026 14:10:58 -0700 Subject: [PATCH 1/3] Fix two issues with the authTag length in wc_PKCS7_DecodeAuthEnvelopedData. Reported by: Jorge Milla (Pig-Tail) --- wolfcrypt/src/pkcs7.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 9f6b26e99b..0a84f23cad 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -15246,6 +15246,9 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in, localIdx = idx; /* Get authTag OCTET STRING */ + if (ret == 0 && localIdx >= pkiMsgSz) { + ret = BUFFER_E; + } if (ret == 0 && pkiMsg[localIdx] != ASN_OCTET_STRING) { ret = ASN_PARSE_E; } @@ -15306,6 +15309,17 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in, ret = ASN_PARSE_E; } + #ifdef NO_PKCS7_STREAM + /* In the streaming build the block above re-buffers enough data for + * the auth tag. Without streaming, verify the tag fits within the + * provided input before copying. */ + if (ret == 0 && + (idx > pkiMsgSz || authTagSz > pkiMsgSz - idx)) { + WOLFSSL_MSG("AuthEnvelopedData authTag exceeds input buffer"); + ret = BUFFER_E; + } + #endif + if (ret == 0) { XMEMCPY(authTag, &pkiMsg[idx], authTagSz); idx += authTagSz; From eb7ebfa22270e9c3e24a69b6eda1bb12979f5e68 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 1 Jul 2026 14:32:58 -0700 Subject: [PATCH 2/3] Validate IV length in the non-streaming path in wc_PKCS7_DecodeEnvelopedData. Reported by: Jorge Milla (Pig-Tail) --- wolfcrypt/src/pkcs7.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 0a84f23cad..52083afe77 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -13611,6 +13611,12 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in, break; } #else + /* ensure IV bytes are within the input buffer before copying */ + if (length < 0 || (word32)length > pkiMsgSz || + idx > pkiMsgSz - (word32)length) { + ret = BUFFER_E; + break; + } ret = 0; #endif From 6e6d7ab61913547cb3556331beedbd91f4cb1228 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 1 Jul 2026 15:01:46 -0700 Subject: [PATCH 3/3] Add an upper bound on sendAckList in Dtls13DoScheduledWork. Reported by: Jorge Milla (Pig-Tail) --- src/dtls13.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/src/dtls13.c b/src/dtls13.c index 9d7f78bc36..8fd45c7a2b 100644 --- a/src/dtls13.c +++ b/src/dtls13.c @@ -2813,14 +2813,30 @@ int Dtls13DoScheduledWork(WOLFSSL* ssl) * shared WriteDup struct so the write side sends the ACK instead. */ if (ssl->dupWrite != NULL && ssl->dupSide == READ_DUP_SIDE) { struct Dtls13RecordNumber** tail = NULL; + int count = 0; if (wc_LockMutex(&ssl->dupWrite->dupMutex) != 0) return BAD_MUTEX_E; + /* Walk to the tail, counting what is already queued. */ tail = (struct Dtls13RecordNumber**)&ssl->dupWrite->sendAckList; - while (*tail != NULL) + while (*tail != NULL) { tail = &(*tail)->next; - *tail = ssl->dtls13Rtx.seenRecords; - ssl->dtls13Rtx.seenRecords = NULL; - ssl->dtls13Rtx.seenRecordsCount = 0; + count++; + } + /* Each transferred batch is already capped at + * DTLS13_ACK_MAX_RECORDS. Only splice a new batch while the queue + * is below the cap so repeated scheduled-work cycles cannot grow + * it without bound (aggregate stays under 2 * + * DTLS13_ACK_MAX_RECORDS). Otherwise drop the batch: ACKs are + * best-effort and the peer retransmits if one is lost. */ + if (count < DTLS13_ACK_MAX_RECORDS) { + *tail = ssl->dtls13Rtx.seenRecords; + ssl->dtls13Rtx.seenRecords = NULL; + ssl->dtls13Rtx.seenRecordsCount = 0; + } + else { + /* Queue already at the cap: drop this batch. */ + Dtls13RtxFlushAcks(ssl); + } ssl->dupWrite->sendAcks = 1; wc_UnLockMutex(&ssl->dupWrite->dupMutex); }