Merge pull request #8695 from JacobBarthelmeh/coverity

douzzer · web-flow · commit 25cd009a42c7 · 2025-04-22T11:37:51.000-05:00
null derefernce sanity checks and control flow issue
diff --git a/src/internal.c b/src/internal.c
@@ -7306,6 +7306,8 @@ int InitHandshakeHashesAndCopy(WOLFSSL* ssl, HS_Hashes* source,
     ret = InitHandshakeHashes(ssl);
     if (ret != 0) {
         WOLFSSL_MSG_EX("InitHandshakeHashes failed. err = %d", ret);
+        ssl->hsHashes = tmpHashes; /* restore hsHashes pointer to original
+                                    * before returning */
         return ret;
     }
 
diff --git a/src/ssl_load.c b/src/ssl_load.c
@@ -1112,7 +1112,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
         matchAnyKey = 1;
     }
 #ifdef WC_RSA_PSS
-    if(*keyFormat == RSAPSSk) {
+    if((ret == 0) && (*keyFormat == RSAPSSk)) {
         /*
             Require logic to verify that the der is RSAPSSk (when *keyFormat == RSAPSSK),
             and to detect that the der is RSAPSSk (when *keyFormat == 0).
diff --git a/src/ssl_sess.c b/src/ssl_sess.c
@@ -3534,6 +3534,10 @@ int wolfSSL_SESSION_get_master_key_length(const WOLFSSL_SESSION* ses)
 #ifdef WOLFSSL_EARLY_DATA
 unsigned int wolfSSL_SESSION_get_max_early_data(const WOLFSSL_SESSION *session)
 {
+    if (session == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
     return session->maxEarlyDataSz;
 }
 #endif /* WOLFSSL_EARLY_DATA */
diff --git a/tests/quic.c b/tests/quic.c
@@ -1675,6 +1675,9 @@ static int test_quic_early_data(int verbose) {
     QuicTestContext_free(&tclient);
     QuicTestContext_free(&tserver);
 
+    /* check for error value with null argument */
+    ExpectIntEQ(wolfSSL_SESSION_get_max_early_data(NULL), BAD_FUNC_ARG);
+
     /* QUIC requires 0 or 0xffffffff as only allowed values.
      * Since we enabled early data in the server that created the session,
      * we need to see it here. */
diff --git a/wolfcrypt/src/hpke.c b/wolfcrypt/src/hpke.c
@@ -586,6 +586,10 @@ static int wc_HpkeContextComputeNonce(Hpke* hpke, HpkeBaseContext* context,
     int ret;
     byte seq_bytes[HPKE_Nn_MAX];
 
+    if (hpke == NULL || context == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
     /* convert the sequence into a byte string with the same length as the
      * nonce */
     ret = I2OSP(context->seq, (int)hpke->Nn, seq_bytes);

Original file line number	Diff line number	Diff line change
`@@ -7306,6 +7306,8 @@ int InitHandshakeHashesAndCopy(WOLFSSL* ssl, HS_Hashes* source,`
`7306`	`7306`	`ret = InitHandshakeHashes(ssl);`
`7307`	`7307`	`if (ret != 0) {`
`7308`	`7308`	`WOLFSSL_MSG_EX("InitHandshakeHashes failed. err = %d", ret);`
	`7309`	`+ ssl->hsHashes = tmpHashes; /* restore hsHashes pointer to original`
	`7310`	`+ * before returning */`
`7309`	`7311`	`return ret;`
`7310`	`7312`	`}`
`7311`	`7313`
Original file line number	Diff line number	Diff line change
`@@ -1112,7 +1112,7 @@ static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl,`
`1112`	`1112`	`matchAnyKey = 1;`
`1113`	`1113`	`}`
`1114`	`1114`	`#ifdef WC_RSA_PSS`
`1115`		`- if(*keyFormat == RSAPSSk) {`
	`1115`	`+ if((ret == 0) && (*keyFormat == RSAPSSk)) {`
`1116`	`1116`	`/*`
`1117`	`1117`	`Require logic to verify that the der is RSAPSSk (when *keyFormat == RSAPSSK),`
`1118`	`1118`	`and to detect that the der is RSAPSSk (when *keyFormat == 0).`
Original file line number	Diff line number	Diff line change
`@@ -3534,6 +3534,10 @@ int wolfSSL_SESSION_get_master_key_length(const WOLFSSL_SESSION* ses)`
`3534`	`3534`	`#ifdef WOLFSSL_EARLY_DATA`
`3535`	`3535`	`unsigned int wolfSSL_SESSION_get_max_early_data(const WOLFSSL_SESSION *session)`
`3536`	`3536`	`{`
	`3537`	`+ if (session == NULL) {`
	`3538`	`+ return BAD_FUNC_ARG;`
	`3539`	`+ }`
	`3540`	`+`
`3537`	`3541`	`return session->maxEarlyDataSz;`
`3538`	`3542`	`}`
`3539`	`3543`	`#endif /* WOLFSSL_EARLY_DATA */`