From 0e065459bceccf9f1d774c002ab600403dcdb94c Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 7 Oct 2020 15:46:23 -0700 Subject: [PATCH] User Authentication Bounds Checks Added some additional bounds checking to some of the parameters in the public key user auth messages. There was a chance that an out of bounds buffer read could happen. --- src/internal.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/src/internal.c b/src/internal.c index c971a87..1e76ad6 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3886,18 +3886,35 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData, if (ret == WS_SUCCESS) ret = GetUint32(&pk->publicKeyTypeSz, buf, len, &begin); + if (ret == WS_SUCCESS) { + if (pk->publicKeyTypeSz > len - begin) { + ret = WS_BUFFER_E; + } + } + if (ret == WS_SUCCESS) { pk->publicKeyType = buf + begin; begin += pk->publicKeyTypeSz; ret = GetUint32(&pk->publicKeySz, buf, len, &begin); } + if (ret == WS_SUCCESS) { + if (pk->publicKeySz > len - begin) { + ret = WS_BUFFER_E; + } + } + if (ret == WS_SUCCESS) { pk->publicKey = buf + begin; begin += pk->publicKeySz; if (pk->hasSignature) { ret = GetUint32(&pk->signatureSz, buf, len, &begin); + if (ret == WS_SUCCESS) { + if (pk->signatureSz > len - begin) { + ret = WS_BUFFER_E; + } + } if (ret == WS_SUCCESS) { pk->signature = buf + begin; begin += pk->signatureSz; @@ -4043,6 +4060,12 @@ static int DoUserAuthRequest(WOLFSSH* ssh, ret = GetUint32(&authData.usernameSz, buf, len, &begin); } + if (ret == WS_SUCCESS) { + if (authData.usernameSz > len - begin) { + ret = WS_BUFFER_E; + } + } + if (ret == WS_SUCCESS) { authData.username = buf + begin; begin += authData.usernameSz; @@ -4050,6 +4073,12 @@ static int DoUserAuthRequest(WOLFSSH* ssh, ret = GetUint32(&authData.serviceNameSz, buf, len, &begin); } + if (ret == WS_SUCCESS) { + if (authData.serviceNameSz > len - begin) { + ret = WS_BUFFER_E; + } + } + if (ret == WS_SUCCESS) { authData.serviceName = buf + begin; begin += authData.serviceNameSz;