Skip to content

Add missing input validation to VERIFY_ACERT and VERIFY cert handler #317

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jackctj117 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add missing input validation to VERIFY_ACERT and VERIFY cert handler #317

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions src/wh_server_cert.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -515,6 +515,16 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
wh_MessageCert_TranslateVerifyRequest(
magic, (whMessageCert_VerifyRequest*)req_packet, &req);

/* Validate certificate data fits within request */
if (req.cert_len > req_size - sizeof(req)) {
resp.rc = WH_ERROR_BADARGS;
wh_MessageCert_TranslateVerifyResponse(
magic, &resp,
(whMessageCert_VerifyResponse*)resp_packet);
*out_resp_size = sizeof(resp);
break;
}
Comment on lines 515 to +526
Copy link

Copilot AI Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the VERIFY handler, the request is translated before any minimum-size check, which can allow an out-of-bounds read if req_size < sizeof(req). Additionally, req_size - sizeof(req) can underflow (if unsigned) and incorrectly bypass the bounds check. Add a minimum request-size validation (like the VERIFY_ACERT path) before wh_MessageCert_TranslateVerifyRequest(...), and only compute req_size - sizeof(req) after confirming req_size >= sizeof(req).

Copilot uses AI. Check for mistakes.
Comment on lines +519 to +526
Copy link

Copilot AI Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The newly added early-exit error handling repeats a multi-line pattern (set rc → translate response → set *out_resp_sizebreak) that now appears in multiple handlers. Consider extracting a small helper (or local utility macro) for formatting and emitting error responses to reduce duplication and make future validation additions less error-prone. This is optional, but would improve readability as validations expand.

Copilot uses AI. Check for mistakes.

/* Get pointer to certificate data */
cert_data = (const uint8_t*)req_packet + sizeof(req);

Expand Down Expand Up @@ -703,10 +713,28 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
whMessageCert_SimpleResponse resp = {0};
const uint8_t* cert_data = NULL;

/* Validate minimum request size */
if (req_size < sizeof(req)) {
resp.rc = WH_ERROR_ABORTED;
wh_MessageCert_TranslateSimpleResponse(
magic, &resp, (whMessageCert_SimpleResponse*)resp_packet);
*out_resp_size = sizeof(resp);
break;
}

/* Convert request struct */
wh_MessageCert_TranslateVerifyAcertRequest(
magic, (whMessageCert_VerifyAcertRequest*)req_packet, &req);

/* Validate certificate data fits within request */
if (req.cert_len > req_size - sizeof(req)) {
resp.rc = WH_ERROR_BADARGS;
wh_MessageCert_TranslateSimpleResponse(
magic, &resp, (whMessageCert_SimpleResponse*)resp_packet);
*out_resp_size = sizeof(resp);
break;
}

cert_data = (const uint8_t*)req_packet + sizeof(req);

/* Process the verify action */
Expand Down
Loading