Skip to content

Commit 27f3b06

Browse files
ejohnstownejohnstown
committed
DoServiceRequest Missing Bounds Check
Replace the original message parsing functions with the GetString() function, which does better bounds checking. Affected functions: DoServiceRequest, DoServiceAccept. Issue: F-524, F-525
1 parent cc4db2d commit 27f3b06

1 file changed

Lines changed: 12 additions & 36 deletions

File tree

src/internal.c

Lines changed: 12 additions & 36 deletions
Original file line numberDiff line numberDiff line change
@@ -6523,56 +6523,32 @@ static int DoDisconnect(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
65236523
static int DoServiceRequest(WOLFSSH* ssh,
65246524
byte* buf, word32 len, word32* idx)
65256525
{
6526-
word32 begin = *idx;
6527-
word32 nameSz;
6528-
char serviceName[WOLFSSH_MAX_NAMESZ];
6529-
6530-
WOLFSSH_UNUSED(len);
6531-
6532-
ato32(buf + begin, &nameSz);
6533-
begin += LENGTH_SZ;
6534-
6535-
if (begin + nameSz > len || nameSz >= WOLFSSH_MAX_NAMESZ) {
6536-
return WS_BUFFER_E;
6537-
}
6538-
6539-
WMEMCPY(serviceName, buf + begin, nameSz);
6540-
begin += nameSz;
6541-
serviceName[nameSz] = 0;
6526+
char name[WOLFSSH_MAX_NAMESZ];
6527+
word32 nameSz = sizeof(name);
6528+
int ret;
65426529

6543-
*idx = begin;
6530+
ret = GetString(name, &nameSz, buf, len, idx);
65446531

6545-
WLOG(WS_LOG_DEBUG, "Requesting service: %s", serviceName);
6532+
WLOG(WS_LOG_DEBUG, "Requesting service: %s", name);
65466533
ssh->clientState = CLIENT_USERAUTH_REQUEST_DONE;
65476534

6548-
return WS_SUCCESS;
6535+
return ret;
65496536
}
65506537

65516538

65526539
static int DoServiceAccept(WOLFSSH* ssh,
65536540
byte* buf, word32 len, word32* idx)
65546541
{
6555-
word32 begin = *idx;
6556-
word32 nameSz;
6557-
char serviceName[WOLFSSH_MAX_NAMESZ];
6558-
6559-
ato32(buf + begin, &nameSz);
6560-
begin += LENGTH_SZ;
6561-
6562-
if (begin + nameSz > len || nameSz >= WOLFSSH_MAX_NAMESZ) {
6563-
return WS_BUFFER_E;
6564-
}
6565-
6566-
WMEMCPY(serviceName, buf + begin, nameSz);
6567-
begin += nameSz;
6568-
serviceName[nameSz] = 0;
6542+
char name[WOLFSSH_MAX_NAMESZ];
6543+
word32 nameSz = sizeof(name);
6544+
int ret;
65696545

6570-
*idx = begin;
6546+
ret = GetString(name, &nameSz, buf, len, idx);
65716547

6572-
WLOG(WS_LOG_DEBUG, "Accepted service: %s", serviceName);
6548+
WLOG(WS_LOG_DEBUG, "Accepted service: %s", name);
65736549
ssh->serverState = SERVER_USERAUTH_REQUEST_DONE;
65746550

6575-
return WS_SUCCESS;
6551+
return ret;
65766552
}
65776553

65786554

0 commit comments

Comments
 (0)