mirror of https://github.com/wolfSSL/wolfssh.git
User Authentication Bounds Checks
Added some additional bounds checking to some of the parameters in the public key user auth messages. There was a chance that an out of bounds buffer read could happen.pull/290/head
parent
06ea6eb2d0
commit
0e065459bc
|
@ -3886,18 +3886,35 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
|
|||
if (ret == WS_SUCCESS)
|
||||
ret = GetUint32(&pk->publicKeyTypeSz, buf, len, &begin);
|
||||
|
||||
if (ret == WS_SUCCESS) {
|
||||
if (pk->publicKeyTypeSz > len - begin) {
|
||||
ret = WS_BUFFER_E;
|
||||
}
|
||||
}
|
||||
|
||||
if (ret == WS_SUCCESS) {
|
||||
pk->publicKeyType = buf + begin;
|
||||
begin += pk->publicKeyTypeSz;
|
||||
ret = GetUint32(&pk->publicKeySz, buf, len, &begin);
|
||||
}
|
||||
|
||||
if (ret == WS_SUCCESS) {
|
||||
if (pk->publicKeySz > len - begin) {
|
||||
ret = WS_BUFFER_E;
|
||||
}
|
||||
}
|
||||
|
||||
if (ret == WS_SUCCESS) {
|
||||
pk->publicKey = buf + begin;
|
||||
begin += pk->publicKeySz;
|
||||
|
||||
if (pk->hasSignature) {
|
||||
ret = GetUint32(&pk->signatureSz, buf, len, &begin);
|
||||
if (ret == WS_SUCCESS) {
|
||||
if (pk->signatureSz > len - begin) {
|
||||
ret = WS_BUFFER_E;
|
||||
}
|
||||
}
|
||||
if (ret == WS_SUCCESS) {
|
||||
pk->signature = buf + begin;
|
||||
begin += pk->signatureSz;
|
||||
|
@ -4043,6 +4060,12 @@ static int DoUserAuthRequest(WOLFSSH* ssh,
|
|||
ret = GetUint32(&authData.usernameSz, buf, len, &begin);
|
||||
}
|
||||
|
||||
if (ret == WS_SUCCESS) {
|
||||
if (authData.usernameSz > len - begin) {
|
||||
ret = WS_BUFFER_E;
|
||||
}
|
||||
}
|
||||
|
||||
if (ret == WS_SUCCESS) {
|
||||
authData.username = buf + begin;
|
||||
begin += authData.usernameSz;
|
||||
|
@ -4050,6 +4073,12 @@ static int DoUserAuthRequest(WOLFSSH* ssh,
|
|||
ret = GetUint32(&authData.serviceNameSz, buf, len, &begin);
|
||||
}
|
||||
|
||||
if (ret == WS_SUCCESS) {
|
||||
if (authData.serviceNameSz > len - begin) {
|
||||
ret = WS_BUFFER_E;
|
||||
}
|
||||
}
|
||||
|
||||
if (ret == WS_SUCCESS) {
|
||||
authData.serviceName = buf + begin;
|
||||
begin += authData.serviceNameSz;
|
||||
|
|
Loading…
Reference in New Issue