Skip to content

Fenrir: Resource Leaks#591

Open
stenslae wants to merge 2 commits into
wolfSSL:masterfrom
stenslae:pr-resource-leaks
Open

Fenrir: Resource Leaks#591
stenslae wants to merge 2 commits into
wolfSSL:masterfrom
stenslae:pr-resource-leaks

Conversation

@stenslae

@stenslae stenslae commented Jul 8, 2026

Copy link
Copy Markdown
Member

Fixes leaked sockets, file descriptors, file handles, and heap allocations on error paths throughout the examples, and zeroizes private-key material before freeing it instead of leaving it in freed memory. Also updated to using wolfSSL macros (memcpy vs XMEMCPY) and improved some examples to better comply with coding standards for cross-platform compatibility.

  • Sockets/fds/file handles/keys: BLE, custom IO, can-bus, PKCS7, TLS, PQ examples
  • Memory leaks, cleanup, and key zeroization: crypto, ECC, OCSP, DTLS, certgen, PUF, optimizer examples

@stenslae stenslae self-assigned this Jul 8, 2026

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #591

Scan targets checked: wolfssl-examples-bugs, wolfssl-examples-src

Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread pq/ml_kem/ml_kem.c
Comment thread pq/ml_dsa/ml_dsa.c
Comment thread pq/ml_dsa/ml_dsa.c
Comment thread pq/ml_kem/ml_kem.c
… F-2102 F-2103 F-2896 F-2907 F-2912 F-3226 F-3474 F-3475 F-3476 F-4128 F-4129 F-4602: fix socket, file descriptor, file handle, and key leaks in BLE, custom IO, can-bus, PKCS7, TLS, and PQ examples

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #591

Scan targets checked: wolfssl-examples-bugs, wolfssl-examples-src

Findings: 3
3 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread pkcs7/signedData-stream.c
Comment thread pq/ml_dsa/ml_dsa.c Outdated
Comment thread crypto/aes/aes-file-encrypt.c Outdated
@stenslae stenslae force-pushed the pr-resource-leaks branch from fb4bde8 to 4070dd8 Compare July 9, 2026 19:03
Comment thread crypto/aes/aes-file-encrypt.c Outdated
Comment thread pq/ml_dsa/ml_dsa.c Outdated
Comment thread pkcs7/signedData-stream.c

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #591

Scan targets checked: wolfssl-examples-bugs, wolfssl-examples-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread dtls/dtls-export-common.h
Comment thread dtls/dtls-export-common.h
@stenslae stenslae force-pushed the pr-resource-leaks branch 2 times, most recently from 81d7c99 to 8e47b06 Compare July 9, 2026 21:48

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #591

Scan targets checked: wolfssl-examples-bugs, wolfssl-examples-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread dtls/client-dtls-import.c
… F-3696 F-3892 F-3893 F-3894 F-3896 F-4126 F-4609 F-6291: fix memory leaks, resource release, and private-key zeroization in crypto, ECC, OCSP, DTLS, certgen, PUF, and optimizer examples
Comment thread dtls/client-dtls-import.c

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #591

Scan targets checked: wolfssl-examples-bugs, wolfssl-examples-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.


ret = wc_InitRsaKey_ex(&rsaPriv, NULL, INVALID_DEVID);
if (ret != 0) {
free(der);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] Private key DER freed without zeroization in myCryptoCb error paths · Missing error handling

der is loaded from myCtx->keyFilePriv (private key file) and freed with bare free(der) — without wc_ForceZero — on the two new wc_InitRsaKey_ex and wc_ecc_init_ex failure paths introduced by this PR (lines 248 and 311), leaving private key bytes in freed heap memory.

Fix: Replace free(der) with wc_ForceZero(der, derSz); free(der); at both new error-path exits (RSA line 248, ECC line 311).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants