Skip to content

fix: guard flash offset+size overflow#442

Draft
MarkAtwood wants to merge 1 commit into
wolfSSL:mainfrom
MarkAtwood:fix/flash-offset-overflow-check
Draft

fix: guard flash offset+size overflow#442
MarkAtwood wants to merge 1 commit into
wolfSSL:mainfrom
MarkAtwood:fix/flash-offset-overflow-check

Conversation

@MarkAtwood

@MarkAtwood MarkAtwood commented Jul 9, 2026

Copy link
Copy Markdown

Bug

In port/posix/posix_flash_file.c, the bounds check in posixFlashFile_Read, _Program, _Erase, _Verify, and _BlankCheck (lines 182, 208, 245, 281, 317 on master) is:

(offset + size > MAX_OFFSET(context))

offset, size, and partition_size are all uint32_t (posix_flash_file.h:38-40), and MAX_OFFSET(context) is partition_size * 2, also uint32_t. The addition offset + size is 32-bit unsigned and wraps at 2^32. A caller passing a large offset with a size that makes the sum wrap below MAX_OFFSET bypasses the check and proceeds into pread/pwrite/erase with an out-of-range offset. These functions are unconditionally compiled (no build guard).

Fix

Replace the single overflow-prone comparison with an overflow-safe two-part guard at all 5 sites:

(offset > MAX_OFFSET(context)) ||
(size > MAX_OFFSET(context) - offset)

Checking offset > MAX_OFFSET first ensures MAX_OFFSET - offset cannot underflow before the second comparison, so both the wrap-around and the offset-alone-out-of-range cases are rejected.

Verification

Built the port file on Ubuntu 24.04 with gcc -Wall (BUILD_OK). Ran a harness against the real posixFlashFile_Read with partition_size=0x1000 (MAX_OFFSET=0x2000):

  • offset=0xFFFFF000, size=0x2000 (true sum 0x100001000, wraps to 0x1000): before the fix the check passed and the function proceeded; after the fix it returns WH_ERROR_BADARGS.
  • offset=0x3000, size=0x10 (offset alone out of range): returns WH_ERROR_BADARGS (confirms no underflow regression).
  • offset=0, size=8 (in bounds): returns OK.

Reported by static analysis (Fenrir finding 133).

[fenrir-sweep:held]

Copilot AI review requested due to automatic review settings July 9, 2026 23:31

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the POSIX flash-file backend (port/posix/posix_flash_file.c) against unsigned 32-bit wraparound in offset + size bounds checks, preventing out-of-range I/O operations from bypassing validation.

Changes:

  • Replaced overflow-prone (offset + size > MAX_OFFSET(context)) checks with an overflow-safe two-part guard in 5 APIs.
  • Applied the fix consistently across Read/Program/Verify/Erase/BlankCheck entry validation.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 181 to 184
if ( (context == NULL) ||
(offset + size > MAX_OFFSET(context))){
(offset > MAX_OFFSET(context)) ||
(size > MAX_OFFSET(context) - offset)){
return WH_ERROR_BADARGS;
Comment on lines 208 to 212
if ( (context == NULL) ||
(offset + size > MAX_OFFSET(context))){
(offset > MAX_OFFSET(context)) ||
(size > MAX_OFFSET(context) - offset)){
return WH_ERROR_BADARGS;
}
Comment on lines 246 to 250
if ( (context == NULL) ||
(offset + size > MAX_OFFSET(context))){
(offset > MAX_OFFSET(context)) ||
(size > MAX_OFFSET(context) - offset)){
return WH_ERROR_BADARGS;
}
@MarkAtwood MarkAtwood assigned MarkAtwood and unassigned wolfSSL-Bot Jul 10, 2026
@MarkAtwood MarkAtwood marked this pull request as draft July 10, 2026 16:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants