Fix UAF in callback wrapper and add input validation guards

Author: ColtonWilley

src/ssl.c

@@ -8030,9 +8030,16 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
         FreeTimeoutInfo(&ssl->timeoutInfo, ssl->heap);
 
         if (hsCb) {
+            HandShakeInfo savedHandShakeInfo;
             FinishHandShakeInfo(&ssl->handShakeInfo);
-            (hsCb)(&ssl->handShakeInfo);
+            XMEMCPY(&savedHandShakeInfo, &ssl->handShakeInfo,
+                     sizeof(HandShakeInfo));
             ssl->hsInfoOn = 0;
+            /* Null out the ssl pointer -- the callback must not free the
+             * session through it, and ssl may already have been freed by
+             * toCb above. */
+            savedHandShakeInfo.ssl = NULL;
+            (hsCb)(&savedHandShakeInfo);
         }
         return ret;
     }

wolfcrypt/src/cryptocb.c

@@ -440,6 +440,10 @@ int wc_CryptoCb_RegisterDevice(int devId, CryptoDevCallbackFunc cb, void* ctx)
 {
     int rc = 0;
 
+    if (devId == INVALID_DEVID) {
+        return BAD_FUNC_ARG;
+    }
+
     /* find existing or new */
     CryptoCb* dev = wc_CryptoCb_GetDevice(devId);
     if (dev == NULL)

wolfcrypt/src/memory.c

@@ -716,6 +716,9 @@ int wc_LoadStaticMemory_ex(WOLFSSL_HEAP_HINT** pHint,
     if (pHint == NULL || buf == NULL || sizeList == NULL || distList == NULL) {
         return BAD_FUNC_ARG;
     }
+    if (listSz == 0) {
+        return BAD_FUNC_ARG;
+    }
 
     /* Cap the listSz to the actual number of items allocated in the list. */
     if (listSz > WOLFMEM_MAX_BUCKETS) {
@@ -832,6 +835,9 @@ int wolfSSL_StaticBufferSz_ex(unsigned int listSz,
     if (buffer == NULL || sizeList == NULL || distList == NULL) {
         return BAD_FUNC_ARG;
     }
+    if (listSz == 0) {
+        return BAD_FUNC_ARG;
+    }
 
     /* Cap the listSz to the actual number of items allocated in the list. */
     if (listSz > WOLFMEM_MAX_BUCKETS) {

wolfcrypt/src/wc_pkcs11.c

@@ -3696,6 +3696,8 @@ static int Pkcs11ECDSASig_Decode(const byte* in, word32 inSz, byte* sig,
         ret = ASN_PARSE_E;
     if (ret == 0 && (len = in[i++]) > sz + 1)
         ret = ASN_PARSE_E;
+    if (ret == 0 && len == 0)
+        ret = ASN_PARSE_E;
     /* Check there is space for INT data */
     if (ret == 0 && i + len > inSz)
         ret = ASN_PARSE_E;
@@ -3720,6 +3722,8 @@ static int Pkcs11ECDSASig_Decode(const byte* in, word32 inSz, byte* sig,
         ret = ASN_PARSE_E;
     if (ret == 0 && (len = in[i++]) > sz + 1)
         ret = ASN_PARSE_E;
+    if (ret == 0 && len == 0)
+        ret = ASN_PARSE_E;
     /* Check there is space for INT data */
     if (ret == 0 && i + len > inSz)
         ret = ASN_PARSE_E;
@@ -3764,6 +3768,12 @@ static int Pkcs11GetEccParams(Pkcs11Session* session, CK_OBJECT_HANDLE privKey,
         ret = WC_HW_E;
     }
     PKCS11_DUMP_TEMPLATE("Ec Params", template, 1);
+    if (ret == 0) {
+        if (template[0].ulValueLen < 2 ||
+                template[0].ulValueLen > sizeof(oid)) {
+            ret = WC_HW_E;
+        }
+    }
     if (ret == 0) {
         /* PKCS #11 wraps the OID in ASN.1 */
         curveId = wc_ecc_get_curve_id_from_oid(oid + 2,