Skip to content

Improve DTLS bucket logic#10090

Open
julek-wolfssl wants to merge 1 commit intowolfSSL:masterfrom
julek-wolfssl:zd/21421
Open

Improve DTLS bucket logic#10090
julek-wolfssl wants to merge 1 commit intowolfSSL:masterfrom
julek-wolfssl:zd/21421

Conversation

@julek-wolfssl
Copy link
Copy Markdown
Member

@julek-wolfssl julek-wolfssl commented Mar 27, 2026
edited by embhorn
Loading

ZD21421

Tested by @Sebasteuo

Copilot AI review requested due to automatic review settings March 27, 2026 17:13
@julek-wolfssl julek-wolfssl self-assigned this Mar 27, 2026
@julek-wolfssl julek-wolfssl requested a review from rizlik March 27, 2026 17:13
Copilot AI reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates DTLS handshake fragment “bucket” handling to correctly manage gap insertion and overlap merging, and strengthens regression coverage by expanding the DTLS fragment bucket API tests.

Changes:

  • Fix fragment merge copy logic when new data overlaps an existing bucket so the non-overlapped tail is copied from the correct offset.
  • Adjust DTLS fragment insertion logic to allow inserting a disjoint fragment before cur even when it’s not the first bucket (gap between buckets).
  • Refactor/extend DTLS fragment bucket tests to use the EXPECT_* harness and add more edge-case scenarios.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/internal.c Fixes DTLS fragment bucket combine/insertion logic (overlap copy offset; gap insertion between buckets).
tests/api.c Refactors DTLS fragment bucket tests to EXPECT_* and adds additional scenarios for the updated bucket logic.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@programsurf
Copy link
Copy Markdown

programsurf commented Mar 28, 2026
edited
Loading

Both fixes look correct. The XMEMMOVE source-pointer fix (7e5f607) and the gap-insertion generalization (3907dbd) address the two root causes.

Test sequence 11 covers the same vulnerability pattern from our report — good coverage.

One defense-in-depth note: the else if (fragOffset <= curEnd) condition in the for loop (line 9838) still doesn't verify that the fragment actually overlaps cur. Currently safe because the new fragOffsetEnd < cur->m.m.offset branch catches disjoint fragments first, but adding && fragOffsetEnd >= cur->m.m.offset there would guard against future branch reordering.

@julek-wolfssl
Copy link
Copy Markdown
Member Author

julek-wolfssl commented Mar 30, 2026

One defense-in-depth note: the else if (fragOffset <= curEnd) condition in the for loop (line 9838) still doesn't verify that the fragment actually overlaps cur. Currently safe because the new fragOffsetEnd < cur->m.m.offset branch catches disjoint fragments first, but adding && fragOffsetEnd >= cur->m.m.offset there would guard against future branch reordering.

That check looks for a place to place the new bucket. It doesn't check for overlap.

@julek-wolfssl julek-wolfssl force-pushed the zd/21421 branch 2 times, most recently from 0bca5d0 to ff4e702 Compare March 30, 2026 15:27
Copilot AI review requested due to automatic review settings March 31, 2026 12:18
Copilot AI reviewed Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@julek-wolfssl
Copy link
Copy Markdown
Member Author

julek-wolfssl commented Apr 1, 2026
edited
Loading

retest this please history lost..

@julek-wolfssl julek-wolfssl added the For This Release Release version 5.9.1 label Apr 1, 2026
@julek-wolfssl
DTLS Bucket improvements
2f37ab3 
- test_wolfSSL_DTLS_fragment_buckets: rewrite to use Expect framework
- Correctly handle buckets between other buckets that don't touch
- Fix DTLS fragment combine when data overlaps cur from the left
@julek-wolfssl
Copy link
Copy Markdown
Member Author

julek-wolfssl commented Apr 2, 2026

retest this please unrelated errors

@douzzer douzzer added the Staged Staged for merge pending final test results and review label Apr 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@rizlik rizlik Awaiting requested review from rizlik

+1 more reviewer

@programsurf programsurf programsurf left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

For This Release Release version 5.9.1 Staged Staged for merge pending final test results and review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@julek-wolfssl @programsurf @douzzer @wolfSSL-Bot