Fix SRTP KDF null-idx crash and X509 DER length hardening

ColtonWilley · ColtonWilley · commit 335c0540e002 · 2026-04-13T17:48:41.000-07:00
- wolfcrypt/src/kdf.c: Add null idx guard to wc_SRTP_KDF, wc_SRTCP_KDF,
  wc_SRTP_KDF_kdr_to_idx, and wc_KDF_SRTP_label
- src/x509.c: Add derCert-&gt;length &gt; INT_MAX check in wolfSSL_X509_get_der
  and derSz &lt;= 0 check in wolfSSL_i2d_X509
diff --git a/src/x509.c b/src/x509.c
@@ -4404,6 +4404,10 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz)
     if (x509 == NULL || x509->derCert == NULL || outSz == NULL)
         return NULL;
 
+    if (x509->derCert->length > (word32)INT_MAX) {
+        return NULL;
+    }
+
     *outSz = (int)x509->derCert->length;
     return x509->derCert->buffer;
 }
@@ -8674,7 +8678,7 @@ int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out)
     }
 
     der = wolfSSL_X509_get_der(x509, &derSz);
-    if (der == NULL) {
+    if (der == NULL || derSz <= 0) {
         WOLFSSL_LEAVE("wolfSSL_i2d_X509", MEMORY_E);
         return MEMORY_E;
     }
diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c
@@ -1009,7 +1009,8 @@ int wc_SRTP_KDF(const byte* key, word32 keySz, const byte* salt, word32 saltSz,
 
     /* Validate parameters. */
     if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
-            (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24)) {
+            (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
+            (idx == NULL && kdrIdx >= 0)) {
         ret = BAD_FUNC_ARG;
     }
 
@@ -1103,7 +1104,8 @@ int wc_SRTCP_KDF_ex(const byte* key, word32 keySz, const byte* salt, word32 salt
 
     /* Validate parameters. */
     if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
-            (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24)) {
+            (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
+            (idx == NULL && kdrIdx >= 0)) {
         ret = BAD_FUNC_ARG;
     }
 
@@ -1194,7 +1196,7 @@ int wc_SRTP_KDF_label(const byte* key, word32 keySz, const byte* salt,
     /* Validate parameters. */
     if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
             (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
-            (outKey == NULL)) {
+            (outKey == NULL) || (idx == NULL && kdrIdx >= 0)) {
         ret = BAD_FUNC_ARG;
     }
 
@@ -1267,7 +1269,7 @@ int wc_SRTCP_KDF_label(const byte* key, word32 keySz, const byte* salt,
     /* Validate parameters. */
     if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
             (saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
-            (outKey == NULL)) {
+            (outKey == NULL) || (idx == NULL && kdrIdx >= 0)) {
         ret = BAD_FUNC_ARG;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -4404,6 +4404,10 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz)`
`4404`	`4404`	`if (x509 == NULL \|\| x509->derCert == NULL \|\| outSz == NULL)`
`4405`	`4405`	`return NULL;`
`4406`	`4406`
	`4407`	`+ if (x509->derCert->length > (word32)INT_MAX) {`
	`4408`	`+ return NULL;`
	`4409`	`+ }`
	`4410`	`+`
`4407`	`4411`	`*outSz = (int)x509->derCert->length;`
`4408`	`4412`	`return x509->derCert->buffer;`
`4409`	`4413`	`}`
`@@ -8674,7 +8678,7 @@ int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out)`
`8674`	`8678`	`}`
`8675`	`8679`
`8676`	`8680`	`der = wolfSSL_X509_get_der(x509, &derSz);`
`8677`		`- if (der == NULL) {`
	`8681`	`+ if (der == NULL \|\| derSz <= 0) {`
`8678`	`8682`	`WOLFSSL_LEAVE("wolfSSL_i2d_X509", MEMORY_E);`
`8679`	`8683`	`return MEMORY_E;`
`8680`	`8684`	`}`