From 4f341ddc00226973da4268bcb3183a5d19252da3 Mon Sep 17 00:00:00 2001 From: Philip Taron Date: Tue, 7 Jul 2026 04:44:44 +0000 Subject: [PATCH] Zero AllocKey's allocation so its failure path cannot free garbage AllocKey hands FreeKey a never-initialized key whenever the type's init function fails: the allocation comes straight from XMALLOC, and e.g. wc_FreeRsaKey then walks uninitialized multiprecision integers whose length fields are garbage. AddressSanitizer caught sp_clear doing a 390KB memset past the allocation during a TLS 1.3 handshake whose wc_InitRsaKey failed transiently (a FIPS known-answer-test error), so a recoverable handshake error becomes heap corruption. Zero the key after allocation; every wc_Free* implementation treats an all-zero key as empty. Co-Authored-By: Claude Fable 5 --- src/internal.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/internal.c b/src/internal.c index 3e0e55bbe5..9f9401a19b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8537,6 +8537,11 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey) return MEMORY_E; } + /* Zero the key so the failure path below can run the type's free + * function even when its init function failed before initializing + * anything: freeing an uninitialized key walks garbage lengths. */ + XMEMSET(*pKey, 0, sz); + /* Initialize key */ switch (type) { #ifndef NO_RSA