Skip to content

Fix integer overflow-prone offset+len bounds checks in NVM read handlers#319

Merged
bigbrett merged 1 commit intomainfrom
NVM-int-overflow
Mar 23, 2026
Merged

Fix integer overflow-prone offset+len bounds checks in NVM read handlers#319
bigbrett merged 1 commit intomainfrom
NVM-int-overflow

Conversation

@jackctj117
Copy link
Contributor

@jackctj117 jackctj117 commented Mar 20, 2026

This pull request addresses integer overflow vulnerabilities in range and bounds checks throughout the NVM read and partition logic, replacing potentially unsafe arithmetic with overflow-safe comparisons. It also adds new regression tests to ensure these checks are robust and behave as expected.

Overflow-safe bounds checking improvements:

  • Updated nfPartition_CheckDataRange, nfObject_ReadDataBytes, and logic in wh_server_nvm.c to use overflow-safe comparisons (e.g., if (byte_count > maxOffset - byte_offset)) instead of potentially unsafe arithmetic like if (byte_offset + byte_count > maxOffset). This prevents integer overflows that could allow out-of-bounds access. [1] [2] [3] [4]

Testing and validation:

  • Added new regression tests in _testOutOfBoundsNvmReads to verify that large offsets and lengths are correctly rejected or clamped, ensuring the overflow-safe logic works as intended and preventing future regressions.

Copilot AI review requested due to automatic review settings March 20, 2026 21:41
Copilot AI reviewed Mar 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens NVM read/partition bounds checking against integer-overflow edge cases by replacing offset + len style comparisons with subtraction-based, overflow-safe checks, and adds regression coverage for out-of-bounds reads.

Changes:

  • Updated NVM read handlers to clamp len using overflow-safe comparisons (len > meta.len - offset).
  • Updated NVM flash partition/object range validation to avoid overflow in bounds checks.
  • Extended client/server regression tests for out-of-bounds NVM reads and clamping behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
src/wh_server_nvm.c Uses overflow-safe len > meta.len - offset clamping in NVM read paths (incl. DMA).
src/wh_nvm_flash.c Reworks partition/object range checks to avoid byte_offset + byte_count overflow.
test/wh_test_clientserver.c Adds regression assertions for rejection/clamping behavior around NVM reads.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

bigbrett
bigbrett approved these changes Mar 23, 2026
View reviewed changes
test/wh_test_clientserver.c
Comment on lines +577 to +578
* size. Verifies the overflow-safe comparison (len > meta.len - offset)
* correctly clamps when offset + len would exceed meta.len */
Copy link
Contributor

@bigbrett bigbrett Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This new test doesn't actually test your fix FYI but there isn't a good way to test it.

The first test is caught by the pre-existing offset >= meta.len guard before reaching the changed line. This one exercises the clamping logic but with values too small to trigger any overflow

@bigbrett bigbrett merged commit 81f22d6 into main Mar 23, 2026
55 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@bigbrett bigbrett bigbrett approved these changes

Assignees

@wolfSSL-Bot wolfSSL-Bot

@jackctj117 jackctj117

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jackctj117 @bigbrett @wolfSSL-Bot