From 179df42adbc918adfa5a762546e932d31d4d3482 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Mon, 17 Feb 2025 17:40:05 -0700
Subject: [PATCH 1/2] add sanity check before write
---
 src/internal.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/internal.c b/src/internal.c
index 864403fb..798b52cb 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -10109,8 +10109,13 @@ static int BundlePacket(WOLFSSH* ssh)
 /* Add the padding */
 WLOG(WS_LOG_DEBUG, "BP: paddingSz = %u", paddingSz);
- if (ssh->encryptId == ID_NONE)
+ if (idx + paddingSz > ssh->outputBuffer.bufferSz) {
+ ret = WS_BUFFER_E;
+ WLOG(WS_LOG_DEBUG, "BP: paddingSz was too large");
+ }
+ else if (ssh->encryptId == ID_NONE) {
 WMEMSET(output + idx, 0, paddingSz);
+ }
 else if (wc_RNG_GenerateBlock(ssh->rng, output + idx, paddingSz) < 0) {
 ret = WS_CRYPTO_FAILED;
 WLOG(WS_LOG_DEBUG, "BP: failed to add padding");
From 97c3faff8fbca381215eeb0d91e2620b0ab64d1b Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Mon, 17 Feb 2025 17:52:59 -0700
Subject: [PATCH 2/2] initialize array and free dynamic strings on failure
---
 src/internal.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/internal.c b/src/internal.c
index 798b52cb..da042586 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -7886,6 +7886,7 @@ static int DoUserAuthInfoRequest(WOLFSSH* ssh, byte* buf, word32 len,
 if (!prompts) {
 ret = WS_MEMORY_E;
 } else {
+ WMEMSET(prompts, '\0', sizeof(char*) * promptSz);
 echo = (byte*)WMALLOC(sizeof(byte) * promptSz, ssh->ctx->heap, DYNTYPE_BUFFER);
 }
@@ -7893,7 +7894,7 @@ static int DoUserAuthInfoRequest(WOLFSSH* ssh, byte* buf, word32 len,
 if (!echo) {
 ret = WS_MEMORY_E;
 } else {
- WMEMSET(prompts, '\0', sizeof(char*) * promptSz);
+ WMEMSET(echo, 0, sizeof(byte) * promptSz);
 for (entry = 0; entry < promptSz; entry++) {
 ret = GetStringAlloc(ssh->ctx->heap, (char**)&prompts[entry], buf, len, &begin);
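Review bot: The new bound in BundlePacket, `idx + paddingSz > ssh->outputBuffer.bufferSz`, is computed as a sum, so if the operands are unsigned 32-bit values (their declarations are outside the hunk) a large `idx` could wrap and pass the check. The subtraction form cannot wrap: `if (idx > ssh->outputBuffer.bufferSz || paddingSz > ssh->outputBuffer.bufferSz - idx) {`. The check is only meaningful if `output` points at the start of the storage that `bufferSz` describes, which this hunk does not show, and it bounds the padding write only; anything appended after the padding later in the function would need its own bound. A one-line comment above it, such as `/* never write padding past the end of outputBuffer */`, would record why WS_BUFFER_E is returned here.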
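Review bot: Both memsets in DoUserAuthInfoRequest size their write as an element size times `promptSz` (`sizeof(char*) * promptSz` in the @@ -7886 hunk, `sizeof(byte) * promptSz` in the @@ -7893 hunk), and nothing visible bounds `promptSz` before those products are used. If `promptSz` is parsed from the peer's message, as the GetStringAlloc loop over `buf`/`len` suggests, a very large count could wrap the product where size_t is 32 bits, and the `entry < promptSz` loop would then index past the allocation; the parse and the allocation are outside these hunks, so this needs confirming there. Rejecting a count that cannot fit in the remaining input before allocating would close it, for example `if (promptSz > (len - begin) / sizeof(word32)) ret = WS_BUFFER_E;`, assuming `begin <= len` holds at that point. As a style point, the pointer array is cleared with `'\0'` while `echo` is cleared with `0`; using `0` in both reads more consistently.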
@@ -7923,6 +7924,11 @@ static int DoUserAuthInfoRequest(WOLFSSH* ssh, byte* buf, word32 len,
 }
 WFREE(prompts, ssh->ctx->heap, DYNTYPE_BUFFER);
 WFREE(echo, ssh->ctx->heap, DYNTYPE_BUFFER);
+
+ /* free strings in fail case */
+ WFREE(authName, ssh->ctx->heap, DYNTYPE_STRING);
+ WFREE(authInstruction, ssh->ctx->heap, DYNTYPE_STRING);
+ WFREE(language, ssh->ctx->heap, DYNTYPE_STRING);
 }
 if (ret == WS_SUCCESS)
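Review bot: The three added WFREE calls leave `authName`, `authInstruction` and `language` holding freed addresses while the function carries on into `if (ret == WS_SUCCESS)` and whatever follows it outside the hunk. Clearing each one straight after its free (`authName = NULL;`, `authInstruction = NULL;`, `language = NULL;`) keeps any later cleanup or reuse from turning into a double free or use-after-free. If this failure block can be reached before the strings are assigned, it also depends on all three being initialised to NULL at their declaration, which is not visible here and is worth confirming. The enclosing condition starts outside the hunk, so the comment could name it rather than say only "fail case".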