Merge pull request #870 from ejohnstown/cov-untrusted-divisor

JacobBarthelmeh · web-flow · commit ef6b6c596195 · 2026-01-20T14:19:04.000-07:00
Coverity: Untrusted divisor
diff --git a/src/internal.c b/src/internal.c
@@ -4757,7 +4757,7 @@ static int DoKexDhInit(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
      * in the message isn't of the DH e value. Treat the Q as e. */
     /* DYNTYPE_DH */
 
-    byte* e;
+    const byte* e;
     word32 eSz;
     word32 begin;
     int ret = WS_SUCCESS;
@@ -4776,28 +4776,20 @@ static int DoKexDhInit(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
             *idx += len;
             return WS_SUCCESS;
         }
-    }
 
-    if (ret == WS_SUCCESS) {
         begin = *idx;
-        ret = GetUint32(&eSz, buf, len, &begin);
+        ret = GetStringRef(&eSz, &e, buf, len, &begin);
     }
 
     if (ret == WS_SUCCESS) {
         /* Validate eSz */
-        if ((len < begin) || (eSz > len - begin)) {
-            ret = WS_RECV_OVERFLOW_E;
-        }
+        if (eSz > (word32)sizeof(ssh->handshake->e) || eSz == 0)
+            ret = WS_PUBKEY_REJECTED_E;
     }
 
     if (ret == WS_SUCCESS) {
-        e = buf + begin;
-        begin += eSz;
-
-        if (eSz <= (word32)sizeof(ssh->handshake->e)) {
-            WMEMCPY(ssh->handshake->e, e, eSz);
-            ssh->handshake->eSz = eSz;
-        }
+        WMEMCPY(ssh->handshake->e, e, eSz);
+        ssh->handshake->eSz = eSz;
 
         ssh->clientState = CLIENT_KEXDH_INIT_DONE;
         *idx = begin;
diff --git a/src/misc.c b/src/misc.c
@@ -74,7 +74,17 @@ STATIC INLINE word32 min(word32 a, word32 b)
 /* convert opaque to 32 bit integer */
 STATIC INLINE void ato32(const byte* c, word32* u32)
 {
-    *u32 = (c[0] << 24) | (c[1] << 16) | (c[2] << 8) | c[3];
+    word32 v = 0;
+
+    v |= (word32)(c[0] & 0xFF);
+    v <<= 8;
+    v |= (word32)(c[1] & 0xFF);
+    v <<= 8;
+    v |= (word32)(c[2] & 0xFF);
+    v <<= 8;
+    v |= (word32)(c[3] & 0xFF);
+
+    *u32 = v;
 }
 
 
