fix: buffer write hardening across wolfSSH#1094
Open
MarkAtwood wants to merge 1 commit into
Open
Conversation
- #3446: clamp passwordSz to sizeof(userPassword) before memcpy in
examples/portfwd/portfwd.c and examples/client/common.c, preventing
an over-read/overflow when the default password exceeds 256 bytes.
- #4105: in readPeer() Windows branch, write (DWORD)ret bytes (the
actual bytes read) instead of the full bufSz in examples/client/client.c
and apps/wolfssh/wolfssh.c, matching the POSIX sibling.
- #4106: src/wolfterm.c cases 'D' and 'E' write sizeof("\n") - 1 (1 byte)
instead of sizeof("\n") (2 bytes), dropping the stray trailing NUL.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens several buffer-write sites across wolfSSH (mostly in examples and Windows-only console output paths) to prevent buffer overflows and unintended output of stale/NUL bytes.
Changes:
- Clamp password copy length to the fixed
userPassword[256]buffer size beforememcpyin example authentication callbacks. - On Windows, write only the number of bytes actually read (
ret) to stdout inreadPeer()instead of the full buffer size. - In Windows console escape-sequence handling, write only the newline character (not the trailing NUL) via
WriteConsole.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| src/wolfterm.c | Avoids writing the trailing NUL when emitting "\n" via WriteConsole in escape-sequence cases. |
| examples/portfwd/portfwd.c | Clamps passwordSz to prevent overflow when copying defaultPassword into userPassword[256]. |
| examples/client/common.c | Same password-length clamp as port forwarding example to prevent overflow into userPassword[256]. |
| examples/client/client.c | Windows readPeer() now writes only ret bytes to stdout to avoid emitting stale buffer tail. |
| apps/wolfssh/wolfssh.c | Same Windows readPeer() stdout write-length fix as the client example. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Buffer-write hardening across wolfSSH. Three independent fixes reported by Fenrir static analysis, batched into one PR. Build-verified on Ubuntu 24.04 against wolfSSL
--enable-all --enable-ssh(./configure --enable-all && make -j8, exit 0).examples/portfwd/portfwd.candexamples/client/common.c: clamppasswordSztosizeof(userPassword)(256) before thememcpy. Without the clamp, adefaultPasswordlonger than 256 bytes overflows the fixeduserPasswordbuffer.userPasswordis a raw password buffer whose length travels inpassword.passwordSz, so clamping without a NUL terminator is correct.examples/client/client.candapps/wolfssh/wolfssh.c: inreadPeer()'s Windows branch,WriteFilenow writes(DWORD)ret(bytes actually read) instead of the fullbufSz, matching the POSIXwrite(STDOUT_FILENO, buf, ret)sibling. Prevents emitting stale buffer tail on short reads.src/wolfterm.ccases'D'and'E':WS_WRITECONSOLEnow writessizeof("\n") - 1(1 byte) instead ofsizeof("\n")(2 bytes), dropping the stray trailing NUL from the console output.The #4105 and #4106 sites are under
USE_WINDOWS_API(not compiled on Linux); they are source-verified against the working POSIX path. The #3446 sites are compiled and covered by the successful Linux build.Reported by Fenrir static analysis.