From c93a7418cf94fccdd82ae898312130807a06a957 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Tue, 23 Feb 2021 11:42:11 -0800
Subject: [PATCH] SFTP For SFTP messages, check both minimum bound and maximum bound of the length value.
---
 src/wolfsftp.c | 32 ++++++++++++++++++++++++++++----
 wolfssh/wolfsftp.h | 3 +++
 2 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/src/wolfsftp.c b/src/wolfsftp.c
index 99e4a6c..e5d902e 100644
--- a/src/wolfsftp.c
+++ b/src/wolfsftp.c
@@ -926,6 +926,29 @@ static int SFTP_SetAttributes(WOLFSSH* ssh, byte* buf, word32 bufSz,
 }
+static INLINE int SFTP_GetSz(byte* buf, word32* sz,
+ word32 lowerBound, word32 upperBound)
+{
+ int ret = WS_SUCCESS;
+
+ if (buf == NULL || sz == NULL) {
+ ret = WS_BAD_ARGUMENT;
+ }
+
+ if (ret == WS_SUCCESS) {
+ word32 val;
+
+ ato32(buf, &val);
+ if (val < lowerBound || val > upperBound)
+ ret = WS_BUFFER_E;
+ else
+ *sz = val;
+ }
+
+ return ret;
+}
+
+
 #ifndef NO_WOLFSSH_SERVER
 static int SFTP_GetAttributes(void* fs, const char* fileName,
@@ -948,8 +971,8 @@ static int SFTP_ServerRecvInit(WOLFSSH* ssh) {
 return len;
 }
- ato32(buf, &sz);
- if (sz < MSG_ID_SZ + UINT32_SZ) {
+ if (SFTP_GetSz(buf, &sz,
+ MSG_ID_SZ + UINT32_SZ, WOLFSSH_MAX_SFTP_RECV) != WS_SUCCESS) {
 wolfSSH_SFTP_ClearState(ssh, STATE_ID_ALL);
 return WS_BUFFER_E;
 }
@@ -4679,8 +4702,9 @@ static int SFTP_ClientRecvInit(WOLFSSH* ssh) {
 return len;
 }
- ato32(buf, &sz);
- if (sz < MSG_ID_SZ + UINT32_SZ) {
+ if (SFTP_GetSz(buf, &sz,
+ MSG_ID_SZ + UINT32_SZ,
+ WOLFSSH_MAX_SFTP_RECV) != WS_SUCCESS) {
 return WS_BUFFER_E;
 }
diff --git a/wolfssh/wolfsftp.h b/wolfssh/wolfsftp.h
index daf5175..402b33c 100644
--- a/wolfssh/wolfsftp.h
+++ b/wolfssh/wolfsftp.h
@@ -152,6 +152,9 @@ struct WS_SFTPNAME {
 #ifndef WOLFSSH_MAX_SFTP_RW
 #define WOLFSSH_MAX_SFTP_RW 1024
 #endif
+#ifndef WOLFSSH_MAX_SFTP_RECV
+ #define WOLFSSH_MAX_SFTP_RECV 32768
+#endif
 /* functions for establishing a connection */
 WOLFSSH_API int wolfSSH_SFTP_accept(WOLFSSH* ssh);
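Review bot: SFTP_GetSz has no comment stating its contract, and it reads a 32-bit value through `ato32(buf, &val)` without being told how large `buf` is, so every caller has to guarantee at least UINT32_SZ readable bytes. I would add above the function `/* Parse the 32-bit length at buf (caller guarantees >= UINT32_SZ bytes); store it in *sz only if lowerBound <= value <= upperBound, else return WS_BUFFER_E and leave *sz untouched. */`. The unbraced `if`/`else` around `ret = WS_BUFFER_E;` also departs from the braced style used a few lines earlier in the same function.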
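Review bot: The rejection branch after `SFTP_GetSz(...) != WS_SUCCESS` returns WS_BUFFER_E without recording anything, so a peer that sends an out-of-range length leaves no trace in the logs; the same holds for the SFTP_ClientRecvInit hunk further down. A log line before the return, for example `WLOG(WS_LOG_SFTP, "SFTP init: message length out of range");`, would make such packets visible to whoever operates the server. The server call keeps both bounds on one continuation line while the client call splits them across two, so the two sites could be formatted alike. SFTP_ServerRecvInit starts and ends outside this hunk, so how `sz` is consumed after the check cannot be confirmed from here.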
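Review bot: WOLFSSH_MAX_SFTP_RECV is introduced without a comment, and because it sits behind `#ifndef` a build-time override can silently weaken or break the new check. A value below the lower bound the callers pass (`MSG_ID_SZ + UINT32_SZ`) makes SFTP_GetSz reject every length, and a very large value effectively removes the upper bound again. I would document it as `/* largest length value accepted by the SFTP init handlers, in bytes; must be >= MSG_ID_SZ + UINT32_SZ */`.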