4 changes: 2 additions & 2 deletions src/wh_server_keystore.c
Expand Up @@ -1848,7 +1848,7 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,

case WH_KEY_EXPORT: {
whMessageKeystore_ExportRequest req;
whMessageKeystore_ExportResponse resp;
whMessageKeystore_ExportResponse resp = {0};
uint32_t keySz;

/* translate request */
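Review bot: On the `resp = {0}` declaration in the `WH_KEY_EXPORT` case, an aggregate initializer zeroes the named members, but C does not clearly guarantee that padding bytes are cleared, so if the response is copied out by `sizeof(resp)` rather than field by field, stack bytes could still reach the client. Consider `memset(&resp, 0, sizeof(resp));` after the declaration, or confirm that the struct has no padding. `keySz` on the following line is still declared without an initial value; initializing it to 0 would keep it deterministic if an error path ever reads it.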
Expand All @@ -1872,8 +1872,8 @@ int wh_Server_HandleKeyRequest(whServerContext* server, uint16_t magic,
/* Only provide key output if no error */
if (ret == WH_ERROR_OK) {
resp.len = keySz;
memcpy(resp.label, meta->label, sizeof(meta->label));
}
Comment on lines 1872 to 1876

Copilot AI Mar 19, 2026

Moving the label memcpy inside the ret == WH_ERROR_OK block leaves resp.label uninitialized on error paths. wh_MessageKeystore_TranslateExportResponse() always memcpy’s src->label into the outgoing packet, and *out_resp_size always includes sizeof(resp), so this can leak stack bytes to the client when WH_KEY_EXPORT fails. Initialize resp (e.g., zero-init the struct or at least resp.label) and explicitly set the label deterministically on failure (either zero it or copy meta->label, depending on intended API semantics).

Comment on lines 1873 to 1876

Copilot AI Mar 19, 2026

This change places the memcpy(resp.label, ...) inside the success-only branch, but the PR title/description say the label should be set in the response regardless of error status. Please confirm the intended behavior for WH_KEY_EXPORT responses on failure (should the label be preserved, cleared, or omitted) and update either the code or the PR description accordingly.

memcpy(resp.label, meta->label, sizeof(meta->label));

(void)WH_SERVER_NVM_UNLOCK(server);
} /* WH_SERVER_NVM_LOCK() */
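Review bot: The `memcpy(resp.label, meta->label, sizeof(meta->label))` call sizes the copy by the source, so it would overrun `resp.label` if the two label arrays ever differ in length; use `sizeof(resp.label)` or add a compile-time check that the sizes match. The copy that sits after the `if (ret == WH_ERROR_OK)` block also runs when `ret` is an error, and the visible lines do not show that `meta` is valid on that path; keeping only the copy inside the success block and relying on the zero-initialized `resp` gives a defined, all-zero label on failure. Whichever placement is intended, a short comment stating what `resp.label` holds on failure would help.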