Add negative-count and NULL checks to group-setting and shared-cipher APIs

src/ssl.c

@@ -1295,10 +1295,12 @@ const char* wolfSSL_get_shared_ciphers(WOLFSSL* ssl, char* buf, int len)
 {
     const char* cipher;
 
-    if (ssl == NULL || len <= 0)
+    if (ssl == NULL || buf == NULL || len <= 0)
         return NULL;
 
     cipher = wolfSSL_get_cipher_name_iana(ssl);
+    if (cipher == NULL)
+        return NULL;
     len = (int)min((word32)len, (word32)(XSTRLEN(cipher) + 1));
     XMEMCPY(buf, cipher, (size_t)len);
     return buf;
@@ -3319,8 +3321,8 @@ int  wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups,
     int i;
     int _groups[WOLFSSL_MAX_GROUP_COUNT];
     WOLFSSL_ENTER("wolfSSL_CTX_set1_groups");
-    if (count == 0) {
-        WOLFSSL_MSG("Group count is zero");
+    if (groups == NULL || count <= 0) {
+        WOLFSSL_MSG("Group count is zero or negative");
         return WOLFSSL_FAILURE;
     }
     if (count > WOLFSSL_MAX_GROUP_COUNT) {
@@ -3358,8 +3360,8 @@ int  wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count)
     int i;
     int _groups[WOLFSSL_MAX_GROUP_COUNT];
     WOLFSSL_ENTER("wolfSSL_CTX_set1_groups");
-    if (count == 0) {
-        WOLFSSL_MSG("Group count is zero");
+    if (groups == NULL || count <= 0) {
+        WOLFSSL_MSG("Group count is zero or negative");
         return WOLFSSL_FAILURE;
     }
     if (count > WOLFSSL_MAX_GROUP_COUNT) {

src/tls.c

@@ -399,7 +399,8 @@ int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count)
     int ret, i;
 
     WOLFSSL_ENTER("wolfSSL_CTX_set_groups");
-    if (ctx == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT)
+    if (ctx == NULL || groups == NULL || count < 0 ||
+            count > WOLFSSL_MAX_GROUP_COUNT)
         return BAD_FUNC_ARG;
     if (!IsTLS_ex(ctx->method->version))
         return BAD_FUNC_ARG;
@@ -444,7 +445,8 @@ int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count)
     int ret, i;
 
     WOLFSSL_ENTER("wolfSSL_set_groups");
-    if (ssl == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT)
+    if (ssl == NULL || groups == NULL || count < 0 ||
+            count > WOLFSSL_MAX_GROUP_COUNT)
         return BAD_FUNC_ARG;
     if (!IsTLS_ex(ssl->version))
         return BAD_FUNC_ARG;

tests/api/test_tls.c

@@ -1062,6 +1062,32 @@ int test_tls12_corrupted_finished(void)
     return EXPECT_RESULT();
 }
 
+int test_wolfSSL_get_shared_ciphers(void)
+{
+    EXPECT_DECLS;
+#if !defined(WOLFSSL_NO_TLS12) && !defined(NO_TLS)
+#ifndef NO_WOLFSSL_CLIENT
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL*     ssl = NULL;
+    char         buf[32];
+
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
+    ExpectNotNull(ssl = wolfSSL_new(ctx));
+
+    /* NULL ssl - pre-existing guard; pins the contract. */
+    ExpectNull(wolfSSL_get_shared_ciphers(NULL, buf, sizeof(buf)));
+    /* NULL buf - primary regression case (pre-fix: XMEMCPY(NULL, ...) crash). */
+    ExpectNull(wolfSSL_get_shared_ciphers(ssl, NULL, sizeof(buf)));
+    /* len == 0 - pre-existing guard; pins the contract. */
+    ExpectNull(wolfSSL_get_shared_ciphers(ssl, buf, 0));
+
+    wolfSSL_free(ssl);
+    wolfSSL_CTX_free(ctx);
+#endif /* NO_WOLFSSL_CLIENT */
+#endif
+    return EXPECT_RESULT();
+}
+
 /* Test the TLS 1.2 peerAuthGood fail-safe checks directly on both sides.
  * The client branch sets NO_PEER_VERIFY; the server branch returns a generic
  * fatal error from TICKET_SENT before sending its Finished. */

tests/api/test_tls.h

@@ -35,6 +35,7 @@ int test_tls12_etm_failed_resumption(void);
 int test_tls_set_curves_list_ecc_fallback(void);
 int test_tls12_corrupted_finished(void);
 int test_tls12_peerauth_failsafe(void);
+int test_wolfSSL_get_shared_ciphers(void);
 
 #define TEST_TLS_DECLS                                                         \
         TEST_DECL_GROUP("tls", test_utils_memio_move_message),                 \
@@ -49,6 +50,7 @@ int test_tls12_peerauth_failsafe(void);
         TEST_DECL_GROUP("tls", test_tls12_etm_failed_resumption),              \
         TEST_DECL_GROUP("tls", test_tls_set_curves_list_ecc_fallback),         \
         TEST_DECL_GROUP("tls", test_tls12_corrupted_finished),                 \
-        TEST_DECL_GROUP("tls", test_tls12_peerauth_failsafe)
+        TEST_DECL_GROUP("tls", test_tls12_peerauth_failsafe),                  \
+        TEST_DECL_GROUP("tls", test_wolfSSL_get_shared_ciphers)
 
 #endif /* TESTS_API_TEST_TLS_H */

tests/api/test_tls13.c

@@ -587,6 +587,8 @@ int test_tls13_apis(void)
 #endif
     ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups,
         WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups, -1),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups, numGroups),
         WOLFSSL_SUCCESS);
     ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, bad_groups, numGroups),
@@ -614,6 +616,8 @@ int test_tls13_apis(void)
 #endif
     ExpectIntEQ(wolfSSL_set_groups(clientSsl, groups,
         WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+    ExpectIntEQ(wolfSSL_set_groups(clientSsl, groups, -1),
+        WC_NO_ERR_TRACE(BAD_FUNC_ARG));
     ExpectIntEQ(wolfSSL_set_groups(clientSsl, groups, numGroups),
         WOLFSSL_SUCCESS);
     ExpectIntEQ(wolfSSL_set_groups(clientSsl, bad_groups, numGroups),
@@ -645,6 +649,10 @@ int test_tls13_apis(void)
         WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
     ExpectIntEQ(wolfSSL_set1_groups(clientSsl, too_many_groups,
         WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+    ExpectIntEQ(wolfSSL_CTX_set1_groups(clientCtx, NULL, 1),
+        WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+    ExpectIntEQ(wolfSSL_set1_groups(clientSsl, NULL, 1),
+        WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
 #endif
 #ifndef NO_WOLFSSL_CLIENT
 #ifndef WOLFSSL_NO_TLS12