fix 1. Stack array case (WOLFSSL_SMALL_STACK not defined): buffer is byte buffer[WC_MAX_DIGEST_SIZE] - always valid, never NULL

aidangarske · aidangarske · commit 02d84498a95f · 2026-02-24T14:17:54.000-08:00
2. Heap case (WOLFSSL_SMALL_STACK defined): If XMALLOC fails, WC_ALLOC_VAR_EX returns MEMORY_E immediately, so we never reach ForceZero with a NULL pointer
diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c
@@ -296,9 +296,7 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,
         wc_HmacFree(hmac);
     }
 
-    if (buffer != NULL) {
-        ForceZero(buffer, (word32)hLen);
-    }
+    ForceZero(buffer, (word32)hLen);
     WC_FREE_VAR_EX(buffer, heap, DYNAMIC_TYPE_TMP_BUFFER);
     WC_FREE_VAR_EX(hmac, heap, DYNAMIC_TYPE_HMAC);
 

Original file line number	Diff line number	Diff line change
`@@ -296,9 +296,7 @@ int wc_PBKDF2_ex(byte* output, const byte* passwd, int pLen, const byte* salt,`
`296`	`296`	`wc_HmacFree(hmac);`
`297`	`297`	`}`
`298`	`298`
`299`		`- if (buffer != NULL) {`
`300`		`- ForceZero(buffer, (word32)hLen);`
`301`		`- }`
	`299`	`+ ForceZero(buffer, (word32)hLen);`
`302`	`300`	`WC_FREE_VAR_EX(buffer, heap, DYNAMIC_TYPE_TMP_BUFFER);`
`303`	`301`	`WC_FREE_VAR_EX(hmac, heap, DYNAMIC_TYPE_HMAC);`
`304`	`302`