From 34dfcec78822f9b067c01e59a3501fec300a0f5f Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Fri, 27 Sep 2024 09:27:33 -0600
Subject: [PATCH 1/6] use heap hint passed in
---
 src/internal.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index b2be0cd94..1927cd1a5 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -1133,41 +1133,41 @@ void SshResourceFree(WOLFSSH* ssh, void* heap)
 #ifdef WOLFSSH_SCP
 if (ssh->scpConfirmMsg) {
- WFREE(ssh->scpConfirmMsg, ssh->ctx->heap, DYNTYPE_STRING);
+ WFREE(ssh->scpConfirmMsg, heap, DYNTYPE_STRING);
 ssh->scpConfirmMsg = NULL;
 ssh->scpConfirmMsgSz = 0;
 }
 if (ssh->scpFileBuffer) {
 ForceZero(ssh->scpFileBuffer, ssh->scpFileBufferSz);
- WFREE(ssh->scpFileBuffer, ssh->ctx->heap, DYNTYPE_BUFFER);
+ WFREE(ssh->scpFileBuffer, heap, DYNTYPE_BUFFER);
 ssh->scpFileBuffer = NULL;
 ssh->scpFileBufferSz = 0;
 }
 if (ssh->scpFileName) {
- WFREE(ssh->scpFileName, ssh->ctx->heap, DYNTYPE_STRING);
+ WFREE(ssh->scpFileName, heap, DYNTYPE_STRING);
 ssh->scpFileName = NULL;
 ssh->scpFileNameSz = 0;
 }
 if (ssh->scpRecvMsg) {
- WFREE(ssh->scpRecvMsg, ssh->ctx->heap, DYNTYPE_STRING);
+ WFREE(ssh->scpRecvMsg, heap, DYNTYPE_STRING);
 ssh->scpRecvMsg = NULL;
 ssh->scpRecvMsgSz = 0;
 }
 #ifdef WOLFSSL_NUCLEUS
- WFREE(ssh->scpBasePathDynamic, ssh->ctx->heap, DYNTYPE_BUFFER);
+ WFREE(ssh->scpBasePathDynamic, heap, DYNTYPE_BUFFER);
 ssh->scpBasePathDynamic = NULL;
 ssh->scpBasePathSz = 0;
 #endif
 #endif
 #ifdef WOLFSSH_SFTP
 if (ssh->sftpDefaultPath) {
- WFREE(ssh->sftpDefaultPath, ssh->ctx->heap, DYNTYPE_STRING);
+ WFREE(ssh->sftpDefaultPath, heap, DYNTYPE_STRING);
 ssh->sftpDefaultPath = NULL;
 }
 #endif
 #ifdef WOLFSSH_TERM
 if (ssh->modes) {
- WFREE(ssh->modes, ssh->ctx->heap, DYNTYPE_STRING);
+ WFREE(ssh->modes, heap, DYNTYPE_STRING);
 ssh->modesSz = 0;
 }
 #endif
From 1dc46d5fe9d928d5a41031e78d16c944bfe2c7af Mon Sep 17 00:00:00 2001
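Review bot: In the `WOLFSSH_TERM` block at the end of the SshResourceFree hunk (src/internal.c), `ssh->modes` is freed but never cleared; only `ssh->modesSz` is reset, whereas every other buffer released in this hunk is set to NULL after its WFREE. If SshResourceFree can run again on the same object, or anything reads `ssh->modes` afterwards, that leaves a dangling pointer and a possible double free, so add `ssh->modes = NULL;` after the WFREE. Every WFREE here now also depends on the caller passing the same heap hint the buffers were allocated with, which is worth stating in the function's header comment. The function body starts and ends outside the hunk.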
From: JacobBarthelmeh
Date: Fri, 27 Sep 2024 09:31:30 -0600
Subject: [PATCH 2/6] remove dead code
---
 src/wolfscp.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/wolfscp.c b/src/wolfscp.c
index 26beaa9c7..55f127a8e 100644
--- a/src/wolfscp.c
+++ b/src/wolfscp.c
@@ -536,8 +536,6 @@ int DoScpSource(WOLFSSH* ssh)
 break;
 }
- continue;
-
 case SCP_SEND_TIMESTAMP:
 WLOG(WS_LOG_DEBUG, scpState, "SCP_SEND_TIMESTAMP");
From 76a8d8262da395e96e72f17a6388c95ad2fd3ab8 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Fri, 27 Sep 2024 09:54:05 -0600
Subject: [PATCH 3/6] adjust sanity check on sz before adding null terminator
---
 src/wolfscp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wolfscp.c b/src/wolfscp.c
index 55f127a8e..1be04b2af 100644
--- a/src/wolfscp.c
+++ b/src/wolfscp.c
@@ -1089,7 +1089,7 @@ static int ScpCheckForRename(WOLFSSH* ssh, int cmdSz)
 int sz = (int)WSTRLEN(ssh->scpBasePath);
 int idx;
- if (sz > (int)sizeof(buf)) {
+ if (sz >= DEFAULT_SCP_MSG_SZ) {
 return WS_BUFFER_E;
 }
From 45534b04181b33c7e265fde0ae8781f8ce9204b6 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Fri, 27 Sep 2024 10:59:14 -0600
Subject: [PATCH 4/6] sanity check on state before dereference
---
 src/internal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/internal.c b/src/internal.c
index 1927cd1a5..111ba0c10 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -9868,7 +9868,7 @@ int SendKexInit(WOLFSSH* ssh)
 if (ssh == NULL) ret = WS_BAD_ARGUMENT;
- if (ssh->ctx->side == WOLFSSH_ENDPOINT_SERVER &&
+ if (ret == WS_SUCCESS && ssh->ctx->side == WOLFSSH_ENDPOINT_SERVER &&
 ssh->ctx->privateKeyCount == 0) {
 WLOG(WS_LOG_DEBUG, "Server needs at least one private key");
 ret = WS_BAD_ARGUMENT;
From df179139675254ce292fe056243689f81ea0cf40 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Fri, 27 Sep 2024 11:11:25 -0600
Subject: [PATCH 5/6] sanity check on arguments passed in
---
 src/internal.c | 4 ++++
 1 file changed, 4 insertions(+)
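Review bot: In ScpCheckForRename (src/wolfscp.c), the new bound `sz >= DEFAULT_SCP_MSG_SZ` is only correct if `buf` is declared with exactly that size, and the declaration is outside the hunk. Keeping the comparison tied to the buffer, `if (sz >= (int)sizeof(buf)) {`, still leaves room for the terminator and cannot drift if the array size changes later; this assumes `buf` is an array and not a pointer. The check reserves a single byte, so if the code after the hunk appends anything to the copied path besides the NUL, the limit has to account for that as well.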
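Review bot: In SendKexInit (src/internal.c), the added `ret == WS_SUCCESS` test covers a NULL `ssh`, but `ssh->ctx` is still dereferenced on the same line without a check of its own. If a WOLFSSH can reach this call with no context attached, which the hunk does not rule out, the first guard should cover both pointers: `if (ssh == NULL || ssh->ctx == NULL)`. The fix also relies on every later use of `ssh` in the function being gated on `ret == WS_SUCCESS`; that code is outside the hunk and should be confirmed.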
diff --git a/src/internal.c b/src/internal.c
index 111ba0c10..3fce24289 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -3406,6 +3406,10 @@ static int GetNameListRaw(byte* idList, word32* idListSz,
 word32 nameSz = 0, nameListIdx = 0, idListIdx = 0;
 int ret = WS_SUCCESS;
+ if (idList == NULL || nameList == NULL || idListSz == NULL) {
+ return WS_BAD_ARGUMENT;
+ }
+
 /*
 * The strings we want are now in the bounds of the message, and the
 * length of the list. Find the commas, or end of list, and then decode
From f0922715af88cde20ff0e130e938faa1032dfdc5 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Fri, 27 Sep 2024 11:30:30 -0600
Subject: [PATCH 6/6] adjust macro guard to avoid leak for build without cert support
---
 src/internal.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 3fce24289..222682a33 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2061,7 +2061,7 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
 int format, int type)
 {
 void* heap = NULL;
- byte* der;
+ byte* der = NULL;
 word32 derSz;
 int wcType;
 int ret = WS_SUCCESS;
@@ -2078,7 +2078,12 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
 return WS_BAD_FILETYPE_E;
 }
- if (type == BUFTYPE_CA) {
+ if (type == BUFTYPE_PRIVKEY) {
+ dynamicType = DYNTYPE_PRIVKEY;
+ wcType = PRIVATEKEY_TYPE;
+ }
+ #ifdef WOLFSSH_CERTS
+ else if (type == BUFTYPE_CA) {
 dynamicType = DYNTYPE_CA;
 wcType = CA_TYPE;
 }
@@ -2086,10 +2091,7 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
 dynamicType = DYNTYPE_CERT;
 wcType = CERT_TYPE;
 }
- else if (type == BUFTYPE_PRIVKEY) {
- dynamicType = DYNTYPE_PRIVKEY;
- wcType = PRIVATEKEY_TYPE;
- }
+ #endif
 else {
 return WS_BAD_ARGUMENT;
 }
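Review bot: In the first wolfSSH_ProcessBuffer hunk, `der` is now initialized but `word32 derSz;` on the next line is still left indeterminate. If the cleanup path outside the hunk uses the length together with the pointer, for instance to wipe a decoded private key before freeing it, both should start from a known value: `word32 derSz = 0;`. Whether cleanup reads `derSz` is not visible here, so confirm this against the rest of the function.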
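Review bot: The `#ifdef WOLFSSH_CERTS` / `#endif` pair in the second and third wolfSSH_ProcessBuffer hunks now splits an if/else-if chain, and nothing in the code says why the BUFTYPE_PRIVKEY branch had to move to the front. A comment before the chain, such as `/* PRIVKEY is tested first so the chain stays well-formed without WOLFSSH_CERTS */`, plus a trailing `/* WOLFSSH_CERTS */` on the `#endif`, would keep a later edit from reordering the branches and breaking the non-cert build. In builds without WOLFSSH_CERTS, BUFTYPE_CA and BUFTYPE_CERT now end in the bare `return WS_BAD_ARGUMENT;`, so a caller cannot tell an unsupported build from a bad type value; a debug log on that path would help.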