Address review comments on Fenrir zeroization fixes

julek-wolfssl · julek-wolfssl · commit a010825bb081 · 2026-04-20T16:12:30.000Z
Two follow-ups raised by Copilot review on PR #10247: src/pk_rsa.c: Make derAllocSz a word32 instead of int and only assign it after a successful XMALLOC, so the cleanup path can never call ForceZero with a wrapped-around size derived from a negative derSz. src/pk.c: Capture allocSz at the XMALLOC call site (and clear it back to 0 on allocation failure) so the relationship between the buffer allocation and the recorded size is explicit and cannot drift if the surrounding control flow changes.
diff --git a/src/pk.c b/src/pk.c
@@ -7150,16 +7150,14 @@ static int pem_write_mem_pkcs8privatekey(byte** pem, int* pemSz,
             *pemSz += 54;
         }
 
+        allocSz = (word32)*pemSz;
         /* Allocate enough memory to hold PEM encoded encrypted key. */
-        *pem = (byte*)XMALLOC((size_t)*pemSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        *pem = (byte*)XMALLOC((size_t)allocSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         if (*pem == NULL) {
+            allocSz = 0;
             res = 0;
         }
         else {
-            /* Remember the allocation size before *pemSz is updated to the
-             * actual PEM output length, so we can zero any unused tail that
-             * held the DER staging area. */
-            allocSz = (word32)*pemSz;
             /* Use end of PEM buffer for key data. */
             key = *pem + *pemSz - keySz;
         }
diff --git a/src/pk_rsa.c b/src/pk_rsa.c
@@ -782,7 +782,7 @@ static int wolfSSL_RSA_To_Der_ex(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey,
 {
     int ret = 1;
     int derSz = 0;
-    int derAllocSz = 0;
+    word32 derAllocSz = 0;
     byte* derBuf = NULL;
 
     WOLFSSL_ENTER("wolfSSL_RSA_To_Der");
@@ -824,7 +824,6 @@ static int wolfSSL_RSA_To_Der_ex(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey,
         }
     }
 
-    derAllocSz = derSz;
     if ((ret == 1) && (outBuf != NULL)) {
         derBuf = *outBuf;
         if (derBuf == NULL) {
@@ -835,6 +834,9 @@ static int wolfSSL_RSA_To_Der_ex(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey,
                 WOLFSSL_ERROR_MSG("Memory allocation failed");
                 ret = MEMORY_ERROR;
             }
+            else {
+                derAllocSz = (word32)derSz;
+            }
         }
     }
     if ((ret == 1) && (outBuf != NULL)) {
@@ -868,8 +870,8 @@ static int wolfSSL_RSA_To_Der_ex(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey,
 
     if ((outBuf != NULL) && (*outBuf != derBuf)) {
         /* Not returning buffer, needs to be disposed of. */
-        if ((derBuf != NULL) && (publicKey == 0)) {
-            ForceZero(derBuf, (word32)derAllocSz);
+        if ((derBuf != NULL) && (publicKey == 0) && (derAllocSz > 0)) {
+            ForceZero(derBuf, derAllocSz);
         }
         XFREE(derBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
     }

Original file line number	Diff line number	Diff line change
`@@ -7150,16 +7150,14 @@ static int pem_write_mem_pkcs8privatekey(byte** pem, int* pemSz,`
`7150`	`7150`	`*pemSz += 54;`
`7151`	`7151`	`}`
`7152`	`7152`
	`7153`	`+ allocSz = (word32)*pemSz;`
`7153`	`7154`	`/* Allocate enough memory to hold PEM encoded encrypted key. */`
`7154`		`- pem = (byte)XMALLOC((size_t)*pemSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);`
	`7155`	`+ pem = (byte)XMALLOC((size_t)allocSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);`
`7155`	`7156`	`if (*pem == NULL) {`
	`7157`	`+ allocSz = 0;`
`7156`	`7158`	`res = 0;`
`7157`	`7159`	`}`
`7158`	`7160`	`else {`
`7159`		`- /* Remember the allocation size before *pemSz is updated to the`
`7160`		`- * actual PEM output length, so we can zero any unused tail that`
`7161`		`- * held the DER staging area. */`
`7162`		`- allocSz = (word32)*pemSz;`
`7163`	`7161`	`/* Use end of PEM buffer for key data. */`
`7164`	`7162`	`key = pem + pemSz - keySz;`
`7165`	`7163`	`}`
Original file line number	Diff line number	Diff line change
`@@ -782,7 +782,7 @@ static int wolfSSL_RSA_To_Der_ex(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey,`
`782`	`782`	`{`
`783`	`783`	`int ret = 1;`
`784`	`784`	`int derSz = 0;`
`785`		`- int derAllocSz = 0;`
	`785`	`+ word32 derAllocSz = 0;`
`786`	`786`	`byte* derBuf = NULL;`
`787`	`787`
`788`	`788`	`WOLFSSL_ENTER("wolfSSL_RSA_To_Der");`
`@@ -824,7 +824,6 @@ static int wolfSSL_RSA_To_Der_ex(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey,`
`824`	`824`	`}`
`825`	`825`	`}`
`826`	`826`
`827`		`- derAllocSz = derSz;`
`828`	`827`	`if ((ret == 1) && (outBuf != NULL)) {`
`829`	`828`	`derBuf = *outBuf;`
`830`	`829`	`if (derBuf == NULL) {`
`@@ -835,6 +834,9 @@ static int wolfSSL_RSA_To_Der_ex(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey,`
`835`	`834`	`WOLFSSL_ERROR_MSG("Memory allocation failed");`
`836`	`835`	`ret = MEMORY_ERROR;`
`837`	`836`	`}`
	`837`	`+ else {`
	`838`	`+ derAllocSz = (word32)derSz;`
	`839`	`+ }`
`838`	`840`	`}`
`839`	`841`	`}`
`840`	`842`	`if ((ret == 1) && (outBuf != NULL)) {`
`@@ -868,8 +870,8 @@ static int wolfSSL_RSA_To_Der_ex(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey,`
`868`	`870`
`869`	`871`	`if ((outBuf != NULL) && (*outBuf != derBuf)) {`
`870`	`872`	`/* Not returning buffer, needs to be disposed of. */`
`871`		`- if ((derBuf != NULL) && (publicKey == 0)) {`
`872`		`- ForceZero(derBuf, (word32)derAllocSz);`
	`873`	`+ if ((derBuf != NULL) && (publicKey == 0) && (derAllocSz > 0)) {`
	`874`	`+ ForceZero(derBuf, derAllocSz);`
`873`	`875`	`}`
`874`	`876`	`XFREE(derBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);`
`875`	`877`	`}`