Skip to content

Fix issue in TLS_hmac size calculation#9825

Merged
douzzer merged 3 commits intowolfSSL:masterfrom
embhorn:zd21240
Mar 5, 2026
Merged

Fix issue in TLS_hmac size calculation#9825
douzzer merged 3 commits intowolfSSL:masterfrom
embhorn:zd21240

Conversation

@embhorn
Copy link
Copy Markdown
Member

@embhorn embhorn commented Feb 24, 2026
edited
Loading

Description

Fixes an overflow issues in TLS_hmac().
Credit for finding issue to:

Muhammad Arya Arjuna (pelioro)

Fixes zd21240

Testing

Added test case test_tls_hmac_size_overflow

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@embhorn embhorn self-assigned this Feb 24, 2026
Copilot AI review requested due to automatic review settings February 24, 2026 15:09
Copilot AI reviewed Feb 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes an integer overflow vulnerability in the TLS_hmac() function where arithmetic operations on word32 values could wrap around when input size approaches UINT32_MAX, potentially causing HMAC operations to process incorrect buffer lengths.

Changes:

  • Added overflow checks using WC_SAFE_SUM_WORD32 before performing size calculations in TLS_hmac()
  • Replaced inline arithmetic expressions with pre-computed totalSz variable to prevent overflow
  • Added comprehensive test case test_tls_hmac_size_overflow to verify overflow detection

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
src/tls.c Implements overflow protection by pre-computing total size with safety checks and returning BUFFER_E on overflow
tests/api/test_hmac.c Adds test case that exercises overflow conditions with values near UINT32_MAX
tests/api/test_hmac.h Declares new test function and registers it in test macro

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread tests/api/test_hmac.c
Copilot AI review requested due to automatic review settings February 24, 2026 19:13
Copilot AI reviewed Feb 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/tls.c Outdated
Copilot AI review requested due to automatic review settings February 24, 2026 20:19
Copilot AI reviewed Feb 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/tls.c
Comment thread tests/api/test_hmac.c
Comment thread tests/api/test_hmac.c
Comment thread tests/api/test_hmac.c
Comment thread tests/api/test_hmac.c
Comment thread tests/api/test_hmac.c
@embhorn
Copy link
Copy Markdown
Member Author

embhorn commented Feb 25, 2026

Jenkins retest this please

Copilot AI review requested due to automatic review settings February 26, 2026 16:26
Copilot AI reviewed Feb 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/tls.c
Copilot AI review requested due to automatic review settings February 27, 2026 16:58
Copilot AI reviewed Feb 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@embhorn embhorn assigned wolfSSL-Bot and unassigned embhorn Feb 27, 2026
@douzzer douzzer added the Staged Staged for merge pending final test results and review label Mar 5, 2026
@douzzer douzzer merged commit c65e3e5 into wolfSSL:master Mar 5, 2026
450 of 451 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@douzzer douzzer douzzer approved these changes

@JacobBarthelmeh JacobBarthelmeh JacobBarthelmeh approved these changes

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

Staged Staged for merge pending final test results and review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@embhorn @douzzer @JacobBarthelmeh @wolfSSL-Bot