User Authentication Bounds Checks

Added some additional bounds checking to some of the parameters in the
public key user auth messages. There was a chance that an out of bounds
buffer read could happen.
pull/290/head
John Safranek 2020-10-07 15:46:23 -07:00
parent 06ea6eb2d0
commit 0e065459bc
GPG Key ID: 8CE817DE0D3CCB4A
1 changed files with 29 additions and 0 deletions


@ -3886,18 +3886,35 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
if (ret == WS_SUCCESS)
ret = GetUint32(&pk->publicKeyTypeSz, buf, len, &begin);
if (ret == WS_SUCCESS) {
if (pk->publicKeyTypeSz > len - begin) {
ret = WS_BUFFER_E;
}
}
if (ret == WS_SUCCESS) {
pk->publicKeyType = buf + begin;
begin += pk->publicKeyTypeSz;
ret = GetUint32(&pk->publicKeySz, buf, len, &begin);
}
if (ret == WS_SUCCESS) {
if (pk->publicKeySz > len - begin) {
ret = WS_BUFFER_E;
}
}
if (ret == WS_SUCCESS) {
pk->publicKey = buf + begin;
begin += pk->publicKeySz;
if (pk->hasSignature) {
ret = GetUint32(&pk->signatureSz, buf, len, &begin);
if (ret == WS_SUCCESS) {
if (pk->signatureSz > len - begin) {
ret = WS_BUFFER_E;
}
}
if (ret == WS_SUCCESS) {
pk->signature = buf + begin;
begin += pk->signatureSz;
@ -4043,6 +4060,12 @@ static int DoUserAuthRequest(WOLFSSH* ssh,
ret = GetUint32(&authData.usernameSz, buf, len, &begin);
}
if (ret == WS_SUCCESS) {
if (authData.usernameSz > len - begin) {
ret = WS_BUFFER_E;
}
}
if (ret == WS_SUCCESS) {
authData.username = buf + begin;
begin += authData.usernameSz;
@ -4050,6 +4073,12 @@ static int DoUserAuthRequest(WOLFSSH* ssh,
ret = GetUint32(&authData.serviceNameSz, buf, len, &begin);
}
if (ret == WS_SUCCESS) {
if (authData.serviceNameSz > len - begin) {
ret = WS_BUFFER_E;
}
}
if (ret == WS_SUCCESS) {
authData.serviceName = buf + begin;
begin += authData.serviceNameSz;
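Review bot: The same three-step sequence (GetUint32, compare the size with `len - begin`, take the pointer and advance `begin`) is now hand-copied five times across DoUserAuthRequestPublicKey and DoUserAuthRequest. Each copy is only correct if `begin <= len` holds after GetUint32 succeeds, and these hunks do not show that; otherwise the unsigned subtraction wraps and the check passes. Folding the sequence into one static helper would keep the check and that invariant in one place, so a length-prefixed field cannot be parsed without it. Both functions continue outside the hunks, so any further length-prefixed fields there (not visible) should take the same path. The sketch assumes GetUint32 takes `word32`/`byte` arguments, and the helper name is only a suggestion.

```c
/* Reads a uint32 length at *idx and verifies that many bytes remain in buf.
 * On success *str points at the payload and *idx is advanced past it. */
static int GetLenPrefixedRef(word32* strSz, const byte** str,
        const byte* buf, word32 len, word32* idx)
{
    int ret = GetUint32(strSz, buf, len, idx);

    if (ret == WS_SUCCESS) {
        /* guard the unsigned subtraction explicitly instead of relying
         * on GetUint32 leaving *idx within len */
        if (*idx > len || *strSz > len - *idx)
            ret = WS_BUFFER_E;
    }
    if (ret == WS_SUCCESS) {
        *str = buf + *idx;
        *idx += *strSz;
    }
    return ret;
}

/* … unchanged: DoUserAuthRequest up to the username field … */
if (ret == WS_SUCCESS) {
    ret = GetLenPrefixedRef(&authData.usernameSz, &authData.username,
            buf, len, &begin);
}
```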