Skip to content

fix: security hardening across wolfSSH#1098

Open
MarkAtwood wants to merge 1 commit into
wolfSSL:masterfrom
MarkAtwood:fix/wolfssh-security_sensitive
Open

fix: security hardening across wolfSSH#1098
MarkAtwood wants to merge 1 commit into
wolfSSL:masterfrom
MarkAtwood:fix/wolfssh-security_sensitive

Conversation

@MarkAtwood

Copy link
Copy Markdown

Batch of security_sensitive findings from Fenrir static analysis. All fixes build-verified together against wolfSSL (--enable-all --enable-ssh) with ./configure --enable-all && make -j8 (exit 0); the QNX and Windows-only paths were source/syntax-analyzed (gcc -D__QNX__ -fsyntax-only).

  • #1684 src/agent.c — the agent PostLock/PostUnlock stubs logged the plaintext passphrase. Log only that a (un)lock was requested and ForceZero the stack buffer before return.
  • #4108 apps/wolfsshd/configuration.c — the QNX Include-dir filter called lstat(dir->d_name, ...), which resolves relative to CWD, not the include dir. Build the full path with WSNPRINTF and treat snprintf/lstat failure as non-directory so the count pass and populate pass stay consistent.
  • #4794 src/wolfterm.c — reset escState to WC_ESC_NONE after the pre-loop CSI/OSC handling so a stale escape state is not carried into the next call, and bounds-guard the buf[i] read in wolfSSH_DoControlSeq (OOB read).
  • #5849 apps/wolfsshd/configuration.c — reject symlinks (DT_LNK) at both POSIX Include-dir filter sites (CWE-61) so a symlink in the Include dir is not followed by fopen and parsed as config.
  • #5852 src/internal.c — in wolfSSH_CleanPath parent-collapse, only match a .. component that ends at a delimiter or NUL, guarding against ..X components being mistaken for parent references.

Reported by Fenrir static analysis.

Batch of Fenrir static-analysis findings in the security_sensitive theme:

- #1684 src/agent.c: stop logging the plaintext passphrase in the agent
  PostLock/PostUnlock stubs; log only that a (un)lock was requested and
  ForceZero the stack buffer before return.
- #4108 apps/wolfsshd/configuration.c: QNX Include-dir filter lstat'd
  dir->d_name (relative to CWD, not the include dir); build the full path
  with WSNPRINTF and treat snprintf/lstat failure as non-directory so the
  count and populate passes stay consistent.
- #4794 src/wolfterm.c: reset escState to WC_ESC_NONE after the pre-loop
  CSI/OSC handling so a stale escape state is not carried over, and
  bounds-guard the buf[i] read in wolfSSH_DoControlSeq.
- #5849 apps/wolfsshd/configuration.c: reject symlinks (DT_LNK) at both
  POSIX Include-dir filter sites (CWE-61) so a symlink in the Include dir
  is not followed by fopen and parsed as config.
- #5852 src/internal.c: in wolfSSH_CleanPath parent-collapse, only match a
  '..' component that ends at a delimiter or NUL, guarding against '..X'.
Copilot AI review requested due to automatic review settings July 10, 2026 00:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR applies a set of security hardening fixes across wolfSSH in response to Fenrir static-analysis findings, focusing on preventing sensitive-data leakage, tightening path/config handling, and fixing edge-case parsing behavior.

Changes:

  • Remove plaintext passphrase logging in agent lock/unlock stubs and scrub the temporary stack buffer.
  • Harden Include-dir handling in wolfsshd (QNX full-path lstat(); POSIX symlink filtering via DT_LNK).
  • Fix terminal escape-sequence parsing edge cases (prevent OOB read; reset stale escape-state) and tighten wolfSSH_CleanPath .. component matching.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
src/wolfterm.c Adds bounds checking in CSI parsing and clears stale escape state between calls.
src/internal.c Tightens .. component detection to avoid misinterpreting ..X as parent traversal.
src/agent.c Stops logging passphrases and zeroizes the temporary stack buffer used for lock/unlock.
apps/wolfsshd/configuration.c Fixes QNX include-dir lstat() to use full path and adds symlink filtering in POSIX include-dir scans.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/wolfterm.c
Comment on lines +476 to +478
if (i >= bufSz) {
return WS_FATAL_ERROR;
}
Comment on lines +796 to +798
if (qnxRet < 0 || qnxRet >= PATH_MAX ||
lstat(filepath, &s) != 0 ||
!S_ISDIR(s.st_mode))
Comment on lines +838 to +840
if (qnxRet < 0 || qnxRet >= PATH_MAX ||
lstat(filepath, &s) != 0 ||
!S_ISDIR(s.st_mode))
@MarkAtwood MarkAtwood requested a review from ejohnstown July 10, 2026 00:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants