Fix issue in TLS_hmac size calculation#9825

Open
embhorn wants to merge 1 commit into wolfSSL:master from embhorn:zd21240

Conversation

@embhorn (Member) commented Feb 24, 2026

Description

Fixes an overflow issue in TLS_hmac().

Fixes zd21240

Testing

Added test case test_tls_hmac_size_overflow

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@embhorn embhorn self-assigned this Feb 24, 2026
Copilot AI review requested due to automatic review settings February 24, 2026 15:09
Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes an integer overflow vulnerability in the TLS_hmac() function where arithmetic operations on word32 values could wrap around when input size approaches UINT32_MAX, potentially causing HMAC operations to process incorrect buffer lengths.

Changes:

  • Added overflow checks using WC_SAFE_SUM_WORD32 before performing size calculations in TLS_hmac()
  • Replaced inline arithmetic expressions with pre-computed totalSz variable to prevent overflow
  • Added comprehensive test case test_tls_hmac_size_overflow to verify overflow detection

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Files reviewed:

  • src/tls.c: Implements overflow protection by pre-computing the total size with safety checks and returning BUFFER_E on overflow
  • tests/api/test_hmac.c: Adds a test case that exercises overflow conditions with values near UINT32_MAX
  • tests/api/test_hmac.h: Declares the new test function and registers it in the test macro

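The wraparound the review describes, shown as an added example that is not wolfSSL's code: a checked word32 addition standing in for the WC_SAFE_SUM_WORD32 pattern, a pre-computed total that rejects overflow the way the review says the fix does, and the unchecked sum beside it so the wrapped length is visible. The 13-byte header, the data length near UINT32_MAX, the 16-byte pad and the error value are constructed for this example, not values taken from the PR.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t word32;   /* same width as wolfSSL's word32 */

/* Assumed error value standing in for BUFFER_E; wolfSSL defines its own. */
#define EXAMPLE_BUFFER_E (-132)

/* Checked 32-bit addition in the style of the WC_SAFE_SUM_WORD32 pattern
 * named in the review (this helper belongs to the example, not to wolfSSL):
 * stores a + b in *out and returns 1 when it fits, returns 0 when it would wrap. */
static int safe_sum_word32(word32 a, word32 b, word32 *out)
{
    if (b > UINT32_MAX - a) {
        *out = UINT32_MAX;
        return 0;           /* a + b does not fit in 32 bits */
    }
    *out = a + b;
    return 1;
}

/* Unchecked size calculation: wraps modulo 2^32 with no indication at all. */
word32 naive_total_size(word32 headerSz, word32 sz, word32 padSz)
{
    return headerSz + sz + padSz;
}

/* Checked calculation: pre-compute totalSz once and fail on wrap. Returns 0 on
 * success with *totalSz set, EXAMPLE_BUFFER_E if either partial sum overflows. */
int checked_total_size(word32 headerSz, word32 sz, word32 padSz, word32 *totalSz)
{
    word32 partial;
    if (!safe_sum_word32(headerSz, sz, &partial))
        return EXAMPLE_BUFFER_E;
    if (!safe_sum_word32(partial, padSz, totalSz))
        return EXAMPLE_BUFFER_E;
    return 0;
}

/* Wrappers that expose each path's outcome as a plain return value. */
int overflow_detected(word32 headerSz, word32 sz, word32 padSz)
{
    word32 unused;
    return checked_total_size(headerSz, sz, padSz, &unused) == EXAMPLE_BUFFER_E;
}

word32 total_size_or_zero(word32 headerSz, word32 sz, word32 padSz)
{
    word32 total;
    return checked_total_size(headerSz, sz, padSz, &total) == 0 ? total : 0;
}

int main(void)
{
    /* Constructed inputs: a 13-byte MAC header, a data length close to
     * UINT32_MAX, and 16 bytes of padding. */
    word32 headerSz = 13, sz = UINT32_MAX - 5, padSz = 16;
    word32 total = 0;
    int rc;

    /* The unchecked sum silently becomes 23, far smaller than the real length. */
    printf("naive total  : %u (wrapped)\n", naive_total_size(headerSz, sz, padSz));

    rc = checked_total_size(headerSz, sz, padSz, &total);
    printf("checked total: rc=%d%s\n", rc, rc == 0 ? "" : " (overflow rejected)");

    sz = 100;   /* an ordinary length passes the check unchanged */
    rc = checked_total_size(headerSz, sz, padSz, &total);
    printf("checked total: rc=%d total=%u\n", rc, total);
    return 0;
}
```

The point of computing the total once, up front, is that every later use of the length (buffer indexing, the HMAC update length, the padding check) reads the same validated value rather than repeating an expression that can wrap differently at each site.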

Copilot AI review requested due to automatic review settings February 24, 2026 19:13
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.


Copilot AI review requested due to automatic review settings February 24, 2026 20:19
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.


@embhorn (Member, Author) commented Feb 25, 2026

Jenkins retest this please

Copilot AI review requested due to automatic review settings February 26, 2026 16:26
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
