Fenrir Fixes - 1290,2110,1717 #580
wolfSSL-Fenrir-bot
left a comment
Fenrir Automated Review — PR #580
Scan targets checked: wolfssl-examples-bugs, wolfssl-examples-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
| for (i = 0; i < sz; i++) | ||
| sprintf(serialMsg + strLen + (i*3), ":%02x ", serial[i]); | ||
| snprintf(serialMsg + strLen + (i*3), | ||
| ((int)sizeof(serialMsg)) - strLen - (i*3), ":%02x ", serial[i]); |
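Review bot: on the added snprintf line, the size argument ((int)sizeof(serialMsg)) - strLen - (i*3) is passed without a check that it is still positive, and the loop has no exit when space runs out, so the bound only holds while strLen + i*3 stays below sizeof(serialMsg). The format ":%02x " also writes four characters plus a terminator while the offset advances by three, so the last iteration needs five bytes of room, not three. Suggest computing the remaining space into a signed local at the top of the loop body, breaking out when it is less than 5, and passing that local to snprintf.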
🔴 [High] snprintf size goes negative — stack overflow on long cert serial still possible · Buffer overflows
Once strLen + i*3 exceeds 80 (peer serial ≥ ~24 bytes), the size ((int)sizeof(serialMsg)) - strLen - (i*3) is negative and converts to a huge size_t, while the destination serialMsg + strLen + i*3 is already past the 80-byte buffer, so a peer cert with a long serial overflows the stack.
Fix: Size serialMsg for the worst case (strLen + sz*3 + 1) and break out when the remaining size would be <= 0.
https://fenrir.wolfssl.com/finding/1290
https://fenrir.wolfssl.com/finding/1717
https://fenrir.wolfssl.com/finding/2110
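
An added example, not code from this PR or from wolfssl-examples: the size expression from the patched line shown beside a formatter that checks the remaining space before every write, as the finding's fix describes. `size_arg_as_patched`, `format_serial` and the sample values are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

/* The size expression from the patched line, as snprintf receives it.
 * snprintf takes a size_t, so a negative int result becomes a huge bound. */
size_t size_arg_as_patched(int bufSz, int strLen, int i)
{
    return (size_t)(bufSz - strLen - (i * 3));
}

/* Bounded variant (hypothetical helper): append each serial byte as ":xx "
 * at a stride of 3, starting at offset strLen. Returns the number of bytes
 * formatted, or -1 on bad arguments. Stops early when space runs out. */
int format_serial(char *out, size_t outSz, size_t strLen,
                  const unsigned char *serial, size_t sz)
{
    size_t i, off;

    if (out == NULL || serial == NULL || strLen >= outSz)
        return -1;

    off = strLen;
    out[off] = '\0';
    for (i = 0; i < sz; i++) {
        /* ":%02x " is 4 characters plus the terminator. off < outSz holds
         * on every pass, so this subtraction cannot wrap. */
        if (outSz - off < 5)
            break;
        snprintf(out + off, outSz - off, ":%02x ", serial[i]);
        off += 3; /* next group overwrites the trailing space */
    }
    return (int)i;
}

int main(void)
{
    char msg[16] = "SN";                              /* constructed prefix */
    unsigned char serial[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed serial */
    int n = format_serial(msg, sizeof(msg), strlen(msg), serial, sizeof(serial));

    printf("formatted %d of %d bytes: \"%s\"\n", n, (int)sizeof(serial), msg);
    printf("patched size at i=24, strLen=10: %zu\n",
           size_arg_as_patched(80, 10, 24));
    return 0;
}
```

A return value smaller than `sz` tells the caller the serial was truncated, which can then be logged or handled with a larger buffer.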