Fenrir fixes#255
Conversation
ee33f0a to
546a0b8
Compare
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #255
Scan targets checked: wolfclu-bugs, wolfclu-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
5468838 to
963c0c7
Compare
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #255
Scan targets checked: wolfclu-bugs, wolfclu-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
963c0c7 to
b7acc6b
Compare
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #255
Scan targets checked: wolfclu-bugs, wolfclu-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
0e179fb to
5edf352
Compare
There was a problem hiding this comment.
Pull request overview
This PR addresses multiple Fenrir findings by hardening CLI argument handling and file-length processing, adds regression tests for those cases, and fixes Windows rand stdout behavior to avoid output corruption.
Changes:
- Add regression tests for
verify/dgstmalformed-argument edge cases (missing trailing positional args) and averifyno-crash case. - Switch Windows
randstdout to binary mode when emitting to stdout to prevent newline translation from corrupting output. - Improve robustness around buffer sizing and OCSP index parsing (e.g., safer serial handling, larger size types, and negative-length checks).
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/x509/x509-verify-test.py | Adds regression tests for verify malformed-argument and no-crash scenarios. |
| tests/dgst/dgst-test.py | Adds regression tests ensuring dgst detects missing trailing data file and doesn’t mis-flag valid invocations. |
| src/tools/clu_rand.c | Sets stdout to binary mode on Windows when writing to stdout to avoid data corruption. |
| src/sign-verify/clu_x509_verify.c | Adds malformed-argument detection before loading certs. |
| src/sign-verify/clu_verify.c | Uses long for file sizes and adds negative-size checks before allocating/reading. |
| src/sign-verify/clu_dgst_setup.c | Adjusts option parsing to avoid scanning the trailing positional and adds malformed-argument detection. |
| src/ocsp/clu_ocsp.c | Enlarges serial buffer and adds length validation + explicit NUL termination. |
| src/dh/clu_dh.c | Uses long for BIO length and casts for read/decode. |
| src/crypto/clu_evp_crypto.c | Uses long for BIO length and checks for negative length before base64 decode. |
Comments suppressed due to low confidence (1)
src/dh/clu_dh.c:488
- wolfSSL_BIO_get_len() can return 0/negative for empty or unreadable input. With the current logic, that case silently skips parsing the input params and continues, which can lead to confusing downstream failures. Treat non-positive lengths as an error before proceeding.
inSz = wolfSSL_BIO_get_len(bioIn);
if (inSz > 0) {
in = (byte*)XMALLOC(inSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (in == NULL) {
ret = WOLFCLU_FATAL_ERROR;
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
https://fenrir.wolfssl.com/finding/5020 https://fenrir.wolfssl.com/finding/5022 https://fenrir.wolfssl.com/finding/5019 https://fenrir.wolfssl.com/finding/5021 https://fenrir.wolfssl.com/finding/5018 make windows behave and not add random bytes!!! copilot fixes
5edf352 to
461205c
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.
Comments suppressed due to low confidence (2)
src/sign-verify/clu_verify.c:346
- keyFileSz is now a long, but it is still used in (int)XFREAD(...) comparisons and cast to int when calling wolfCLU_KeyPemToDer. Add an explicit keyFileSz > INT_MAX check and avoid truncating XFREAD's return value to int to prevent confusing failures on large inputs.
if (ret == 0) {
XFSEEK(keyPathFile, 0, SEEK_END);
keyFileSz = XFTELL(keyPathFile);
if (keyFileSz < 0) {
wolfCLU_LogError("Unable to Get Size of Key File %s.", keyPath);
ret = BAD_FUNC_ARG;
}
}
if (ret == 0) {
keyBuf = (byte*)XMALLOC(keyFileSz+1, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
if (keyBuf == NULL) {
ret = MEMORY_E;
}
}
if (ret == 0) {
XMEMSET(keyBuf, 0, keyFileSz+1);
if (XFSEEK(keyPathFile, 0, SEEK_SET) != 0 ||
(int)XFREAD(keyBuf, 1, keyFileSz, keyPathFile) != keyFileSz) {
ret = WOLFCLU_FATAL_ERROR;
src/dh/clu_dh.c:485
- inSz is widened to long but is then cast to int for wolfSSL_BIO_read and wc_DhKeyDecode without any upper-bound validation. If inSz exceeds INT_MAX, these casts can truncate and lead to short reads/decodes. Validate that inSz fits in an int before using it in int-based APIs.
long inSz = 0;
word32 idx = 0;
inSz = wolfSSL_BIO_get_len(bioIn);
if (inSz > 0) {
| def test_last_arg_not_misread(self): | ||
| r = run_wolfssl("verify", "-partial_chain", "-CAfile", | ||
| os.path.join(CERTS_DIR, "server-cert.pem"), | ||
| "-untrusted", os.path.join(CERTS_DIR, "random.pem") | ||
| ) | ||
| self.assertNotEqual(r.returncode, 0, r.stderr) |
| r = run_wolfssl("dgst", "-sha256", "-verify", | ||
| os.path.join(CERTS_DIR, "server-keyPub.pem"), | ||
| "-signature", os.path.join(DGST_DIR, "sha256-rsa.sig")) | ||
| self.assertNotEqual(r.returncode, 0, r.stderr) |
| * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA | ||
| */ | ||
|
|
||
| #include "wolfclu/clu_error_codes.h" |
There was a problem hiding this comment.
We do always include it bracketed:
$ grep -r "include.*clu_error_codes\.h" * --include=*.c
src/clu_main.c:#include <wolfclu/clu_error_codes.h>
src/ocsp/clu_ocsp.c:#include <wolfclu/clu_error_codes.h>
src/tools/clu_base64.c:#include <wolfclu/clu_error_codes.h>
src/x509/clu_cert_setup.c:#include <wolfclu/clu_error_codes.h>
src/x509/clu_config.c:#include <wolfclu/clu_error_codes.h>
src/x509/clu_parse.c:#include <wolfclu/clu_error_codes.h>
src/x509/clu_x509_sign.c:#include <wolfclu/clu_error_codes.h>
| if (argc >= 2 && optarg != NULL && XSTRCMP(optarg, argv[argc-1]) == 0) { | ||
| wolfCLU_LogError("Malformed arguments last argument read as value for " | ||
| "%s", argv[argc-2]); | ||
| ret = WOLFCLU_FATAL_ERROR; | ||
| } |
| if (argc >= 2 && optarg != NULL && XSTRCMP(optarg, argv[argc-1]) == 0 && | ||
| (partialChain == 0 || caCert == NULL || | ||
| XSTRCMP(caCert, argv[argc-1]) != 0) && | ||
| (intermCert == NULL || XSTRCMP(intermCert, argv[argc-1]) != 0)) { | ||
| wolfCLU_LogError("Malformed arguments last argument read as value for " | ||
| "%s", argv[argc-2]); | ||
| ret = WOLFCLU_FATAL_ERROR; | ||
| } |
| XFSEEK(f, 0, SEEK_END); | ||
| fSz = (int)XFTELL(f); | ||
| fSz = XFTELL(f); | ||
|
|
||
| if (fSz < 0) { | ||
| wolfCLU_LogError("Invalid Sig File %s.", sig); |
| XFSEEK(h, 0, SEEK_END); | ||
| hSz = (int)XFTELL(h); | ||
| hSz = XFTELL(h); | ||
|
|
||
| if (hSz < 0) { | ||
| wolfCLU_LogError("Unable to Get Size of Hash File %s.", |
|
Merge conflict in Copilot found a few things, but some are probably too nitpicky and can be ignored and resolved (leave a comment explaining if doing nothing). |
| } | ||
| } | ||
|
|
||
| /* Detect malformed arguments: if the trailing positional data file was |
There was a problem hiding this comment.
What is this trying to detect? Is there a more straightforward way to err check input?
https://fenrir.wolfssl.com/finding/5020
https://fenrir.wolfssl.com/finding/5022
https://fenrir.wolfssl.com/finding/5019
https://fenrir.wolfssl.com/finding/5021
https://fenrir.wolfssl.com/finding/5018
https://fenrir.wolfssl.com/finding/5023
Added stdout configuration to rand when running on windows to make it behave like Posix