Fix from review

embhorn · embhorn · commit 760efdfb13ae · 2026-04-14T16:47:32.000-05:00
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
@@ -19544,42 +19544,52 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes_eax_test(void)
 
         /* Direct incremental-API coverage: wc_AesEaxDecryptFinal must also
          * reject authInSz of zero and below WOLFSSL_MIN_AUTH_TAG_SZ. The
-         * one-shot API above is a separate code path. */
+         * one-shot API above is a separate code path. Heap-allocate the
+         * AesEax context to keep stack usage within Linux kernel limits. */
         {
-            AesEax eax;
-            XMEMSET(&eax, 0, sizeof(eax));
-            ret = wc_AesEaxInit(&eax,
+            AesEax *eax = (AesEax *)XMALLOC(sizeof(*eax), HEAP_HINT,
+                                            DYNAMIC_TYPE_TMP_BUFFER);
+            if (eax == NULL) {
+                return WC_TEST_RET_ENC_NC;
+            }
+            XMEMSET(eax, 0, sizeof(*eax));
+            ret = wc_AesEaxInit(eax,
                                 vectors[0].key, (word32)vectors[0].key_length,
                                 vectors[0].iv, (word32)vectors[0].iv_length,
                                 vectors[0].aad,
                                 (word32)vectors[0].aad_length);
             if (ret != 0) {
+                XFREE(eax, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 return WC_TEST_RET_ENC_EC(ret);
             }
 
-            ret = wc_AesEaxDecryptFinal(&eax, zero_tag, 0);
+            ret = wc_AesEaxDecryptFinal(eax, zero_tag, 0);
             if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
-                wc_AesEaxFree(&eax);
+                wc_AesEaxFree(eax);
+                XFREE(eax, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 return WC_TEST_RET_ENC_EC(ret);
             }
 
 #if WOLFSSL_MIN_AUTH_TAG_SZ > 1
-            ret = wc_AesEaxDecryptFinal(&eax, zero_tag,
+            ret = wc_AesEaxDecryptFinal(eax, zero_tag,
                                         WOLFSSL_MIN_AUTH_TAG_SZ - 1);
             if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
-                wc_AesEaxFree(&eax);
+                wc_AesEaxFree(eax);
+                XFREE(eax, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 return WC_TEST_RET_ENC_EC(ret);
             }
 #endif
 
             /* Upper bound: authInSz > WC_AES_BLOCK_SIZE must be rejected. */
-            ret = wc_AesEaxDecryptFinal(&eax, zero_tag, WC_AES_BLOCK_SIZE + 1);
+            ret = wc_AesEaxDecryptFinal(eax, zero_tag, WC_AES_BLOCK_SIZE + 1);
             if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {
-                wc_AesEaxFree(&eax);
+                wc_AesEaxFree(eax);
+                XFREE(eax, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                 return WC_TEST_RET_ENC_EC(ret);
             }
 
-            wc_AesEaxFree(&eax);
+            wc_AesEaxFree(eax);
+            XFREE(eax, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         }
     }
 #endif /* WOLFSSL_MIN_AUTH_TAG_SZ > 0 */
