Add missing input validation to VERIFY_ACERT and VERIFY cert handler#317
Add missing input validation to VERIFY_ACERT and VERIFY cert handler#317jackctj117 wants to merge 1 commit intomainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Adds request-boundary validation to certificate verification handlers to prevent out-of-bounds reads and malformed request processing.
Changes:
- Added bounds checks to ensure
cert_lendoes not exceed remaining request payload for VERIFY and VERIFY_ACERT. - Added minimum request-size validation for VERIFY_ACERT before translating/parsing the request.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| wh_MessageCert_TranslateVerifyRequest( | ||
| magic, (whMessageCert_VerifyRequest*)req_packet, &req); | ||
|
|
||
| /* Validate certificate data fits within request */ | ||
| if (req.cert_len > req_size - sizeof(req)) { | ||
| resp.rc = WH_ERROR_BADARGS; | ||
| wh_MessageCert_TranslateVerifyResponse( | ||
| magic, &resp, | ||
| (whMessageCert_VerifyResponse*)resp_packet); | ||
| *out_resp_size = sizeof(resp); | ||
| break; | ||
| } |
There was a problem hiding this comment.
In the VERIFY handler, the request is translated before any minimum-size check, which can allow an out-of-bounds read if req_size < sizeof(req). Additionally, req_size - sizeof(req) can underflow (if unsigned) and incorrectly bypass the bounds check. Add a minimum request-size validation (like the VERIFY_ACERT path) before wh_MessageCert_TranslateVerifyRequest(...), and only compute req_size - sizeof(req) after confirming req_size >= sizeof(req).
| if (req.cert_len > req_size - sizeof(req)) { | ||
| resp.rc = WH_ERROR_BADARGS; | ||
| wh_MessageCert_TranslateVerifyResponse( | ||
| magic, &resp, | ||
| (whMessageCert_VerifyResponse*)resp_packet); | ||
| *out_resp_size = sizeof(resp); | ||
| break; | ||
| } |
There was a problem hiding this comment.
The newly added early-exit error handling repeats a multi-line pattern (set rc → translate response → set *out_resp_size → break) that now appears in multiple handlers. Consider extracting a small helper (or local utility macro) for formatting and emitting error responses to reduce duplication and make future validation additions less error-prone. This is optional, but would improve readability as validations expand.
This pull request adds important input validation checks to the certificate verification request handlers in
src/wh_server_cert.c. These changes improve the robustness and security of the server by ensuring that incoming requests are well-formed and do not cause buffer overflows or invalid memory accesses.Input validation improvements:
WH_ERROR_ABORTED).WH_ERROR_BADARGS) if the data would overflow. [1] [2]