Skip to content

fix: validate req_size in cert erasetrusted#445

Open
MarkAtwood wants to merge 1 commit into
wolfSSL:mainfrom
MarkAtwood:fix/cert-erasetrusted-size-check
Open

fix: validate req_size in cert erasetrusted#445
MarkAtwood wants to merge 1 commit into
wolfSSL:mainfrom
MarkAtwood:fix/cert-erasetrusted-size-check

Conversation

@MarkAtwood

Copy link
Copy Markdown

Bug

In wh_Server_HandleCertRequest (src/wh_server_cert.c), the WH_MESSAGE_CERT_ACTION_ERASETRUSTED case calls wh_MessageCert_TranslateEraseTrustedRequest and then wh_Server_CertEraseTrusted(server, req.id) without first validating that req_size >= sizeof(req). It is the lone outlier among the cert handlers: ADDTRUSTED, VERIFY, and the DMA handlers all guard request size before translating. An undersized request packet leaves req.id populated from stale/attacker-influenced buffer bytes, which can erase the wrong trusted NVM object. Data-integrity issue (the fixed-size translate reads within the comm buffer, so no out-of-bounds access).

Fix

Add a minimum-size check at the top of the ERASETRUSTED case, mirroring the existing ADDTRUSTED handler: on req_size < sizeof(req), set resp.rc = WH_ERROR_BADARGS, emit the simple response, and break. ~9 lines, no API change.

Verification

Compiled the translation unit against a prebuilt wolfSSL install with the cert-manager + server config (-DWOLFHSM_CFG_CERTIFICATE_MANAGER -DWOLFHSM_CFG_ENABLE_SERVER); builds clean (exit 0).

Reported by static analysis (Fenrir finding 267).

Copilot AI review requested due to automatic review settings July 9, 2026 23:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Adds request-size validation for the WH_MESSAGE_CERT_ACTION_ERASETRUSTED handler to prevent acting on undersized/tainted request data.

Changes:

  • Add minimum req_size guard before translating/using EraseTrustedRequest
  • Return WH_ERROR_BADARGS via simple response when the request packet is too small

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/wh_server_cert.c
Comment on lines +935 to +941
if (req_size < sizeof(req)) {
resp.rc = WH_ERROR_BADARGS;
wh_MessageCert_TranslateSimpleResponse(
magic, &resp, (whMessageCert_SimpleResponse*)resp_packet);
*out_resp_size = sizeof(resp);
break;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants