Skip to content

Use safe sum in PKCS7_VerifySignedData.#10882

Open
kareem-wolfssl wants to merge 3 commits into
wolfSSL:masterfrom
kareem-wolfssl:zd22127
Open

Use safe sum in PKCS7_VerifySignedData.#10882
kareem-wolfssl wants to merge 3 commits into
wolfSSL:masterfrom
kareem-wolfssl:zd22127

Conversation

@kareem-wolfssl

Copy link
Copy Markdown
Contributor

Description

Fixes zd#22137

Testing

Built in tests + provided reproducer

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@kareem-wolfssl kareem-wolfssl self-assigned this Jul 10, 2026
Copilot AI review requested due to automatic review settings July 10, 2026 23:16

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Adds overflow-safe arithmetic when computing certificate length fields during PKCS#7 SignedData verification to address zd#22137.

Changes:

  • Replace direct signed additions to length/certSz with WC_SAFE_SUM_SIGNED checks.
  • Set error codes when overflow is detected (and break out in one of the two sites).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread wolfcrypt/src/pkcs7.c Outdated
Comment on lines 7644 to 7648
if (!WC_SAFE_SUM_SIGNED(int, length,
(int)(localIdx - certIdx), length)) {
ret = ASN_PARSE_E;
}
idx = certIdx;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants