From 34d3e873a618e44b731ee40299a2f9b522f2bab1 Mon Sep 17 00:00:00 2001
From: Chris Conlon
Date: Fri, 25 Apr 2025 16:08:46 -0600
Subject: [PATCH 1/2] JNI: NativeALPNSelectCb() fix to make sure peer proto array is null terminated before calling XSTRTOK()

---
 native/com_wolfssl_WolfSSLSession.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/native/com_wolfssl_WolfSSLSession.c b/native/com_wolfssl_WolfSSLSession.c
index 897e530..a445679 100644
--- a/native/com_wolfssl_WolfSSLSession.c
+++ b/native/com_wolfssl_WolfSSLSession.c
@@ -5343,7 +5343,9 @@ int NativeALPNSelectCb(WOLFSSL *ssl, const unsigned char **out,
 /* Use wolfSSL_ALPN_GetPeerProtocol() here to get ALPN protocols sent
 * by the peer instead of directly using in/inlen, since this API
- * splits/formats into a comma-separated, null-terminated list */
+ * splits/formats into a comma-separated list. peerProtosSz does not
+ * include the null terminator byte in the size. It is only the size
+ * of the ALPN list chars proper.*/
 ret = wolfSSL_ALPN_GetPeerProtocol(ssl, &peerProtos, &peerProtosSz);
 if (ret != WOLFSSL_SUCCESS) {
 if ((*jenv)->ExceptionOccurred(jenv)) {
@@ -5359,8 +5361,9 @@ int NativeALPNSelectCb(WOLFSSL *ssl, const unsigned char **out,
 }
 
 /* Make a copy of peer protos since we have to scan through it first
- * to get total number of tokens */
- peerProtosCopy = (char*)XMALLOC(peerProtosSz, NULL,
+ * to get total number of tokens. Allocate peerProtosSz+1 to make
+ * sure our list is null terminated for XSTRTOK(). */
+ peerProtosCopy = (char*)XMALLOC(peerProtosSz + 1, NULL,
 DYNAMIC_TYPE_TMP_BUFFER);
 if (peerProtosCopy == NULL) {
 if ((*jenv)->ExceptionOccurred(jenv)) {
@@ -5374,6 +5377,7 @@ int NativeALPNSelectCb(WOLFSSL *ssl, const unsigned char **out,
 }
 return SSL_TLSEXT_ERR_ALERT_FATAL;
 }
+ XMEMSET(peerProtosCopy, 0, peerProtosSz + 1);
 XMEMCPY(peerProtosCopy, peerProtos, peerProtosSz);
 
 /* get count of protocols, used to create Java array of proper size 
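Review bot: The new comment above the `XMALLOC(peerProtosSz + 1, ...)` call says the extra byte is allocated "to make sure our list is null terminated", but allocating the byte does not terminate anything; a reader checking this hunk alone will look for the terminator write and not find it, since it lands in a later hunk. I would make the comment say where the contract is completed: `/* Allocate peerProtosSz+1 so there is room for the '\0' that XSTRTOK() needs; the terminator is written after the XMEMCPY below. */`. The change itself is correct as far as this hunk shows: peerProtosSz is, per the updated comment in the first hunk, the length of the list characters only, so the old `XMALLOC(peerProtosSz, ...)` plus a copy left no room for a terminator. NativeALPNSelectCb starts before and ends after this hunk, so the matching free of peerProtosCopy and of peerProtos (wolfSSL normally hands back an allocated list) cannot be checked from here.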
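Review bot: The added `XMEMSET(peerProtosCopy, 0, peerProtosSz + 1);` clears the whole buffer only for the very next `XMEMCPY` to overwrite every byte but the last; writing the terminator directly, `peerProtosCopy[peerProtosSz] = '\0';` placed after the `XMEMCPY`, states the intent (terminate the copy for XSTRTOK) in one line and avoids touching the buffer twice. Either form makes the copy a proper C string before it is tokenized, which is the point of the patch, so this is a style preference rather than a defect. One thing to keep in mind: the first hunk now documents that `peerProtos` itself carries no terminator in its reported size, so any `XSTRLEN`/`XSTRTOK` applied to the original list rather than to `peerProtosCopy` would still read past the end; that code, if present, is outside this hunk, as are the start and end of NativeALPNSelectCb.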
From d466ff16e4b995f4dfabfdad36e1a031ef039b91 Mon Sep 17 00:00:00 2001
From: Chris Conlon
Date: Thu, 17 Apr 2025 16:45:20 -0600
Subject: [PATCH 2/2] JNI test: remove min ECC key size not divisible by 8 test, no longer fails with https://github.com/wolfSSL/wolfssl/pull/8691

---
 src/test/com/wolfssl/test/WolfSSLContextTest.java | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/src/test/com/wolfssl/test/WolfSSLContextTest.java b/src/test/com/wolfssl/test/WolfSSLContextTest.java
index ddac700..f0416b2 100644
--- a/src/test/com/wolfssl/test/WolfSSLContextTest.java
+++ b/src/test/com/wolfssl/test/WolfSSLContextTest.java
@@ -644,13 +644,6 @@ public class WolfSSLContextTest {
 fail("setMinECCKeySize should fail with negative key size");
 }
 
- /* key length not % 8 should fail */
- ret = ctx.setMinECCKeySize(255);
- if (ret != WolfSSL.BAD_FUNC_ARG) {
- System.out.println("\t\t... failed");
- fail("setMinECCKeySize should fail with non % 8 size");
- }
-
 /* valid key length should succeed */
 ret = ctx.setMinECCKeySize(128);
 if (ret != WolfSSL.SSL_SUCCESS) {