PrepareUserAuthRequestEcc Missing Bounds Checks

ejohnstown · ejohnstown · commit 8039e884fae8 · 2026-03-09T14:06:22.000-07:00
For agent ECC public key parsing, replaced parsing the data by hand with
the GetSkip() and GetStringRef() functions which do bounds checking.

Affected function: PrepareUserAuthRequestEcc.
Issue: F-526
diff --git a/src/internal.c b/src/internal.c
@@ -14393,26 +14393,32 @@ static int PrepareUserAuthRequestEcc(WOLFSSH* ssh, word32* payloadSz,
         ret = wc_ecc_init(&keySig->ks.ecc.key);
 
     if (ret == 0) {
-        word32 idx = 0;
+        word32 idx;
         #ifdef WOLFSSH_AGENT
         if (ssh->agentEnabled) {
             word32 sz;
             const byte* c = (const byte*)authData->sf.publicKey.publicKey;
 
-            ato32(c + idx, &sz);
-            idx += LENGTH_SZ + sz;
-            ato32(c + idx, &sz);
-            idx += LENGTH_SZ + sz;
-            ato32(c + idx, &sz);
-            idx += LENGTH_SZ;
-            c += idx;
             idx = 0;
-
-            ret = wc_ecc_import_x963(c, sz, &keySig->ks.ecc.key);
+            ret = GetSkip(c, authData->sf.publicKey.publicKeySz, &idx);
+            if (ret == WS_SUCCESS) {
+                ret = GetSkip(c, authData->sf.publicKey.publicKeySz, &idx);
+            }
+            if (ret == WS_SUCCESS) {
+                ret = GetStringRef(&sz, &c, c,
+                        authData->sf.publicKey.publicKeySz, &idx);
+            }
+            if (ret == WS_SUCCESS) {
+                ret = wc_ecc_import_x963(c, sz, &keySig->ks.ecc.key);
+            }
+            if (ret == 0) {
+                ret = WS_SUCCESS;
+            }
         }
         else
         #endif
         {
+            idx = 0;
             ret = wc_EccPrivateKeyDecode(authData->sf.publicKey.privateKey,
                     &idx, &keySig->ks.ecc.key,
                     authData->sf.publicKey.privateKeySz);
@@ -14422,6 +14428,9 @@ static int PrepareUserAuthRequestEcc(WOLFSSH* ssh, word32* payloadSz,
                         authData->sf.publicKey.privateKey,
                         authData->sf.publicKey.privateKeySz, &idx);
             }
+            else {
+                ret = WS_ECC_E;
+            }
         }
     }
 
