Bound SFTP handle length against received payload in GetHandle#1083
Bound SFTP handle length against received payload in GetHandle#1083yosuke-wolfssl wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR hardens the SFTP client handle-parsing path by bounding the server-declared handle length against the actual received payload size in wolfSSH_SFTP_GetHandle, preventing a heap over-read and potential client heap disclosure/crash when processing SSH_FXP_HANDLE replies.
Changes:
- Add a payload-size bound check before copying the handle bytes in
wolfSSH_SFTP_GetHandle. - Add a
WOLFSSH_TEST_INTERNALtest hook to drivewolfSSH_SFTP_GetHandledeterministically from unit tests. - Add a unit test that validates both the reject (truncated payload, large declared handle) and accept (exact-fit handle) cases.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/wolfsftp.c | Adds the missing payload-bound guard in wolfSSH_SFTP_GetHandle and exposes an internal test hook. |
| wolfssh/wolfsftp.h | Declares the new wolfSSH_TestSftpGetHandle prototype under WOLFSSH_TEST_INTERNAL. |
| tests/unit.c | Adds an injection helper and a unit test that reproduces the prior over-read and asserts correct bounded behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #1083
Scan targets checked: wolfssh-bugs, wolfssh-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
a85fbbb to
97568ff
Compare
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #1083
Scan targets checked: wolfssh-bugs, wolfssh-src
No new issues found in the changed files. ✅
Summary
Fixes a heap over-read in the SFTP client when parsing a server's
SSH_FXP_HANDLEreply.wolfSSH_SFTP_GetHandleallocatesstate->bufferto exactly the server-declared payload size, then reads the handle-string length prefixszand validates it only againstWOLFSSH_MAX_HANDLEand the caller's*handleSz— never against the bytes actually present in the buffer. A malicious or compromised server can declare a 4-byte payload (just the length prefix) while encodingsz = 256. Both existing guards pass (256 > 256is false; the caller sets*handleSz = WOLFSSH_MAX_HANDLE = 256, so256 < 256is false), and:copies 256 bytes out of a 4-byte allocation — reading ~252 bytes past the buffer. Those bytes land in the client's
handle, which is echoed verbatim to the server on every laterREAD/WRITE/CLOSE/READDIR, disclosing client heap memory; a read crossing an unmapped page crashes the client instead.Addressed by f_6696.
Fix
Add a payload bound to the guard in
wolfSSH_SFTP_GetHandle— reject when the declared handle length exceeds what the buffer actually holds:szis capped atWOLFSSH_MAX_HANDLE(256) by the earlier check, soUINT32_SZ + szcannot overflow. This matches the boundGetStringRefalready enforces on length-prefixed strings elsewhere.Tests
WOLFSSH_TEST_INTERNALhookwolfSSH_TestSftpGetHandleto drive the static function.test_SftpGetHandle_sizeBound, which injects a craftedHANDLEreply into a channel and driveswolfSSH_SFTP_GetHandle:ssh->error == WS_BUFFER_E(no over-read).WS_SUCCESSwith a cleanssh->error.Verification
SftpGetHandle_sizeBound: SUCCESS, exit 0.heap-buffer-overflow READ of size 256at theWMEMCPYinwolfSSH_SFTP_GetHandle, confirming the test exercises the exact over-read.Files changed
src/wolfsftp.c— payload bound in the guard;wolfSSH_TestSftpGetHandlehook.wolfssh/wolfsftp.h— prototype for the new test hook.tests/unit.c— injection helper, bound test, and registration.