Fenrir fixes #255
ee33f0a to 546a0b8
wolfSSL-Fenrir-bot left a comment
Fenrir Automated Review — PR #255
Scan targets checked: wolfclu-bugs, wolfclu-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
5468838 to 963c0c7
963c0c7 to b7acc6b
0e179fb to 5edf352
Pull request overview
This PR addresses multiple Fenrir findings by hardening CLI argument handling and file-length processing, adds regression tests for those cases, and fixes Windows rand stdout behavior to avoid output corruption.
Changes:
- Add regression tests for `verify`/`dgst` malformed-argument edge cases (missing trailing positional args) and a `verify` no-crash case.
- Switch Windows `rand` stdout to binary mode when emitting to stdout to prevent newline translation from corrupting output.
- Improve robustness around buffer sizing and OCSP index parsing (e.g., safer serial handling, larger size types, and negative-length checks).
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| tests/x509/x509-verify-test.py | Adds regression tests for verify malformed-argument and no-crash scenarios. |
| tests/dgst/dgst-test.py | Adds regression tests ensuring dgst detects missing trailing data file and doesn’t mis-flag valid invocations. |
| src/tools/clu_rand.c | Sets stdout to binary mode on Windows when writing to stdout to avoid data corruption. |
| src/sign-verify/clu_x509_verify.c | Adds malformed-argument detection before loading certs. |
| src/sign-verify/clu_verify.c | Uses long for file sizes and adds negative-size checks before allocating/reading. |
| src/sign-verify/clu_dgst_setup.c | Adjusts option parsing to avoid scanning the trailing positional and adds malformed-argument detection. |
| src/ocsp/clu_ocsp.c | Enlarges serial buffer and adds length validation + explicit NUL termination. |
| src/dh/clu_dh.c | Uses long for BIO length and casts for read/decode. |
| src/crypto/clu_evp_crypto.c | Uses long for BIO length and checks for negative length before base64 decode. |
Comments suppressed due to low confidence (1)
src/dh/clu_dh.c:488
- wolfSSL_BIO_get_len() can return 0/negative for empty or unreadable input. With the current logic, that case silently skips parsing the input params and continues, which can lead to confusing downstream failures. Treat non-positive lengths as an error before proceeding.
```c
inSz = wolfSSL_BIO_get_len(bioIn);
if (inSz > 0) {
    in = (byte*)XMALLOC(inSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    if (in == NULL) {
        ret = WOLFCLU_FATAL_ERROR;
```
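The suppressed comment above asks for non-positive lengths to be treated as an error before parsing continues. As an added example (not wolfCLU code and not part of this PR), here is the same check written with standard C `ftell` standing in for `wolfSSL_BIO_get_len()`; `stream_len`, `load_all` and the `LOAD_*` codes are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical return codes for this example, not wolfCLU's. */
enum { LOAD_OK = 0, LOAD_BAD_LENGTH = -1, LOAD_NO_MEMORY = -2, LOAD_SHORT_READ = -3 };

/* Signed stream length: -1 on error, 0 for empty input. */
static long stream_len(FILE *fp)
{
    long len;
    if (fp == NULL || fseek(fp, 0, SEEK_END) != 0)
        return -1;
    len = ftell(fp);
    if (len < 0 || fseek(fp, 0, SEEK_SET) != 0)
        return -1;
    return len;
}

/* Read the whole stream; a non-positive length fails before allocation
 * instead of being skipped or converted to a huge size_t. */
int load_all(FILE *fp, unsigned char **out, size_t *outSz)
{
    long len = stream_len(fp);
    unsigned char *buf;
    *out = NULL;
    *outSz = 0;
    if (len <= 0)
        return LOAD_BAD_LENGTH;
    buf = malloc((size_t)len);
    if (buf == NULL)
        return LOAD_NO_MEMORY;
    if (fread(buf, 1, (size_t)len, fp) != (size_t)len) {
        free(buf);
        return LOAD_SHORT_READ;
    }
    *out = buf;
    *outSz = (size_t)len;
    return LOAD_OK;
}

int main(void)
{
    unsigned char *data;
    size_t n;
    FILE *fp = tmpfile(); /* constructed empty input */
    printf("empty input -> %d\n", fp ? load_all(fp, &data, &n) : LOAD_BAD_LENGTH);
    if (fp) fclose(fp);
    return 0;
}
```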
https://fenrir.wolfssl.com/finding/5020
https://fenrir.wolfssl.com/finding/5022
https://fenrir.wolfssl.com/finding/5019
https://fenrir.wolfssl.com/finding/5021
https://fenrir.wolfssl.com/finding/5018
make windows behave and not add random bytes!!!
copilot fixes
5edf352 to 461205c
https://fenrir.wolfssl.com/finding/5020
https://fenrir.wolfssl.com/finding/5022
https://fenrir.wolfssl.com/finding/5019
https://fenrir.wolfssl.com/finding/5021
https://fenrir.wolfssl.com/finding/5018
https://fenrir.wolfssl.com/finding/5023
Added stdout configuration to rand when running on Windows to make it behave like POSIX.