From 431b2017c15856003226ac930a9d210dd3f0e55e Mon Sep 17 00:00:00 2001
From: jackctj117
Date: Fri, 20 Mar 2026 13:12:13 -0600
Subject: [PATCH] fix: add missing input validation to VERIFY_ACERT and VERIFY cert handlers
---
 src/wh_server_cert.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/src/wh_server_cert.c b/src/wh_server_cert.c
index 5cc9b77e3..06d1a211e 100644
--- a/src/wh_server_cert.c
+++ b/src/wh_server_cert.c
@@ -515,6 +515,16 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
 wh_MessageCert_TranslateVerifyRequest(
 magic, (whMessageCert_VerifyRequest*)req_packet, &req);
 
+ /* Validate certificate data fits within request */
+ if (req.cert_len > req_size - sizeof(req)) {
+ resp.rc = WH_ERROR_BADARGS;
+ wh_MessageCert_TranslateVerifyResponse(
+ magic, &resp,
+ (whMessageCert_VerifyResponse*)resp_packet);
+ *out_resp_size = sizeof(resp);
+ break;
+ }
+
 /* Get pointer to certificate data */
 cert_data = (const uint8_t*)req_packet + sizeof(req);
 
@@ -703,10 +713,28 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
 whMessageCert_SimpleResponse resp = {0};
 const uint8_t* cert_data = NULL;
 
+ /* Validate minimum request size */
+ if (req_size < sizeof(req)) {
+ resp.rc = WH_ERROR_ABORTED;
+ wh_MessageCert_TranslateSimpleResponse(
+ magic, &resp, (whMessageCert_SimpleResponse*)resp_packet);
+ *out_resp_size = sizeof(resp);
+ break;
+ }
+
 /* Convert request struct */
 wh_MessageCert_TranslateVerifyAcertRequest(
 magic, (whMessageCert_VerifyAcertRequest*)req_packet, &req);
 
+ /* Validate certificate data fits within request */
+ if (req.cert_len > req_size - sizeof(req)) {
+ resp.rc = WH_ERROR_BADARGS;
+ wh_MessageCert_TranslateSimpleResponse(
+ magic, &resp, (whMessageCert_SimpleResponse*)resp_packet);
+ *out_resp_size = sizeof(resp);
+ break;
+ }
+
 cert_data = (const uint8_t*)req_packet + sizeof(req);
 
 /* Process the verify action */
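Review bot: The new bound `req.cert_len > req_size - sizeof(req)` in the VERIFY case is only sound if `req_size >= sizeof(req)` has already been established, and no such check is visible in this hunk before the translate call. Because `sizeof` yields `size_t`, the subtraction is unsigned, so a request shorter than the header would wrap to a very large value and let any `cert_len` through, leaving `cert_data` pointing past the received bytes. The VERIFY_ACERT hunk adds exactly that minimum-size guard; if the VERIFY case does not already have one above this hunk, the same guard belongs before the translate call here. Either way, a comment such as `/* req_size >= sizeof(req) checked above, so this subtraction cannot wrap */` on both cert_len checks would make the dependency explicit. The case body starts and ends outside the hunk.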
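Review bot: The two rejection paths added to the VERIFY_ACERT case report different codes for the same class of fault: a request shorter than the header returns `WH_ERROR_ABORTED`, while a `cert_len` that overruns the request returns `WH_ERROR_BADARGS`. If the distinction is deliberate (for example to match how other cases in this switch report a short request, which is not visible here), a short comment on the first check should say so; otherwise `resp.rc = WH_ERROR_BADARGS;` in both keeps client-side handling and logging uniform. The same translate / `*out_resp_size` / `break` sequence now appears three times in this patch and could be folded into one shared error exit. The case body continues outside the hunk.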