From 08bbe248507149d613b9d6be663ada5aa7d4b595 Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Thu, 9 Jul 2026 17:27:36 -0700 Subject: [PATCH] fix: buffer write hardening across wolfSSH - #3446: clamp passwordSz to sizeof(userPassword) before memcpy in examples/portfwd/portfwd.c and examples/client/common.c, preventing an over-read/overflow when the default password exceeds 256 bytes. - #4105: in readPeer() Windows branch, write (DWORD)ret bytes (the actual bytes read) instead of the full bufSz in examples/client/client.c and apps/wolfssh/wolfssh.c, matching the POSIX sibling. - #4106: src/wolfterm.c cases 'D' and 'E' write sizeof("\n") - 1 (1 byte) instead of sizeof("\n") (2 bytes), dropping the stray trailing NUL. --- apps/wolfssh/wolfssh.c | 2 +- examples/client/client.c | 2 +- examples/client/common.c | 2 ++ examples/portfwd/portfwd.c | 2 ++ src/wolfterm.c | 4 ++-- 5 files changed, 8 insertions(+), 4 deletions(-) diff --git a/apps/wolfssh/wolfssh.c b/apps/wolfssh/wolfssh.c index f9414d795..808953cda 100644 --- a/apps/wolfssh/wolfssh.c +++ b/apps/wolfssh/wolfssh.c @@ -563,7 +563,7 @@ static THREAD_RET readPeer(void* in) buf[bufSz - 1] = '\0'; #ifdef USE_WINDOWS_API - if (WriteFile(stdoutHandle, buf, bufSz, &writtn, NULL) == FALSE) { + if (WriteFile(stdoutHandle, buf, (DWORD)ret, &writtn, NULL) == FALSE) { err_sys("Failed to write to stdout handle"); } #else diff --git a/examples/client/client.c b/examples/client/client.c index 5ab01b19a..38e446721 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -546,7 +546,7 @@ static THREAD_RET readPeer(void* in) buf[bufSz - 1] = '\0'; #ifdef USE_WINDOWS_API - if (WriteFile(stdoutHandle, buf, bufSz, &writtn, NULL) == FALSE) { + if (WriteFile(stdoutHandle, buf, (DWORD)ret, &writtn, NULL) == FALSE) { err_sys("Failed to write to stdout handle"); } #else diff --git a/examples/client/common.c b/examples/client/common.c index ed7e33d7d..8f3d37652 100644 --- a/examples/client/common.c +++ b/examples/client/common.c @@ -519,6 +519,8 @@ int ClientUserAuth(byte authType, else if (authType == WOLFSSH_USERAUTH_PASSWORD) { if (defaultPassword != NULL) { passwordSz = (word32)strlen(defaultPassword); + if (passwordSz > (word32)sizeof(userPassword)) + passwordSz = (word32)sizeof(userPassword); memcpy(userPassword, defaultPassword, passwordSz); } #ifdef WOLFSSH_TERM diff --git a/examples/portfwd/portfwd.c b/examples/portfwd/portfwd.c index 355e5adb4..86521e94e 100644 --- a/examples/portfwd/portfwd.c +++ b/examples/portfwd/portfwd.c @@ -172,6 +172,8 @@ static int wsUserAuth(byte authType, (void)authType; if (defaultPassword != NULL) { passwordSz = (word32)strlen(defaultPassword); + if (passwordSz > (word32)sizeof(userPassword)) + passwordSz = (word32)sizeof(userPassword); memcpy(userPassword, defaultPassword, passwordSz); } else { diff --git a/src/wolfterm.c b/src/wolfterm.c index 7ddd5d117..8dee491f5 100644 --- a/src/wolfterm.c +++ b/src/wolfterm.c @@ -737,7 +737,7 @@ int wolfSSH_ConvertConsole(WOLFSSH* ssh, WOLFSSH_HANDLE handle, byte* buf, case 'D': /* linefeed */ - if (WS_WRITECONSOLE(handle, "\n", sizeof("\n"), &wrt, NULL) + if (WS_WRITECONSOLE(handle, "\n", sizeof("\n") - 1, &wrt, NULL) == 0) { WLOG(WS_LOG_DEBUG, "Error writing newline to handle"); return WS_FATAL_ERROR; @@ -745,7 +745,7 @@ int wolfSSH_ConvertConsole(WOLFSSH* ssh, WOLFSSH_HANDLE handle, byte* buf, break; case 'E': /* newline */ - if (WS_WRITECONSOLE(handle, "\n", sizeof("\n"), &wrt, NULL) + if (WS_WRITECONSOLE(handle, "\n", sizeof("\n") - 1, &wrt, NULL) == 0) { WLOG(WS_LOG_DEBUG, "Error writing newline to handle"); return WS_FATAL_ERROR;