
Commit 2d2c1f5

Merge pull request wolfSSL#845 from LinuxJedi/zp-fixes
Fix issues found using ZeroPath
2 parents c10896c + 190dda3 commit 2d2c1f5


4 files changed

+294
-17
lines changed


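--- a/src/agent.c
+++ b/src/agent.c
@@ -1340,6 +1340,8 @@ static int DoMessage(WOLFSSH_AGENT_CTX* agent,
 
 if (agent == NULL)
 ret = WS_SSH_NULL_E; /* WS_AGENT_NULL_E */
+else
+agent->lastMsgId = 0;
 
 if (ret == WS_SUCCESS) {
 if (buf == NULL || idx == NULL || len == 0)
@@ -1371,6 +1373,7 @@ static int DoMessage(WOLFSSH_AGENT_CTX* agent,
 
 if (ret == WS_SUCCESS) {
 msg = buf[begin++];
+agent->lastMsgId = msg;
 payloadIdx = 0;
 switch (msg) {
 case MSGID_AGENT_FAILURE:
@@ -1793,6 +1796,11 @@ int wolfSSH_AGENT_SignRequest(WOLFSSH* ssh,
 
 if (ret == WS_SUCCESS) {
 agent = ssh->agent;
+agent->requestFailure = 0;
+agent->requestSuccess = 0;
+agent->msg = NULL;
+agent->msgSz = 0;
+agent->lastMsgId = 0;
 if (ssh->ctx->agentCb)
 ret = ssh->ctx->agentCb(WOLFSSH_AGENT_LOCAL_SETUP, ssh->agentCbCtx);
 }
@@ -1801,11 +1809,16 @@ int wolfSSH_AGENT_SignRequest(WOLFSSH* ssh,
 ret = SendSignRequest(agent, digest, digestSz,
 keyBlob, keyBlobSz, flags);
 
-if (ret == WS_SUCCESS)
-ret = ssh->ctx->agentIoCb(WOLFSSH_AGENT_IO_WRITE,
-agent->msg, agent->msgSz, ssh->agentCbCtx);
+if (ret == WS_SUCCESS) {
+int wrote;
 
-if (ret > 0) ret = WS_SUCCESS;
+wrote = ssh->ctx->agentIoCb(WOLFSSH_AGENT_IO_WRITE,
+agent->msg, agent->msgSz, ssh->agentCbCtx);
+if (wrote != (int)agent->msgSz) {
+WLOG(WS_LOG_AGENT, "agent write incomplete");
+ret = WS_AGENT_CXN_FAIL;
+}
+}
 
 if (agent != NULL && agent->msg != NULL) {
 WFREE(ssh->agent->msg, ssh->agent->heap, DYNTYPE_AGENT_BUFFER);
@@ -1818,18 +1831,41 @@ int wolfSSH_AGENT_SignRequest(WOLFSSH* ssh,
 rxBuf, sizeof(rxBuf), ssh->agentCbCtx);
 if (rxSz > 0) {
 ret = DoMessage(ssh->agent, rxBuf, rxSz, &idx);
-if (ssh->agent->requestFailure) {
-ssh->agent->requestFailure = 0;
-ret = WS_AGENT_NO_KEY_E;
-}
-else {
-WMEMCPY(sig, ssh->agent->msg, ssh->agent->msgSz);
-*sigSz = ssh->agent->msgSz;
+if (ret == WS_SUCCESS) {
+if (ssh->agent->lastMsgId != MSGID_AGENT_SIGN_RESPONSE) {
+WLOG(WS_LOG_AGENT,
+"agent response was not a signature message");
+ret = WS_AGENT_NO_KEY_E;
+}
+else {
+if (ssh->agent->requestFailure ||
+ssh->agent->msg == NULL ||
+ssh->agent->msgSz == 0) {
+ssh->agent->requestFailure = 0;
+ret = WS_AGENT_NO_KEY_E;
+}
+else {
+word32 maxSigSz = *sigSz;
+
+if (ssh->agent->msgSz > maxSigSz) {
+WLOG(WS_LOG_AGENT,
+"agent signature too large for caller buffer");
+ret = WS_BUFFER_E;
+}
+else {
+WMEMCPY(sig, ssh->agent->msg, ssh->agent->msgSz);
+*sigSz = ssh->agent->msgSz;
+}
+}
+}
 }
 }
 else ret = WS_AGENT_NO_KEY_E;
 }
 
+if (ret != WS_SUCCESS && sigSz != NULL)
+*sigSz = 0;
+
 if (agent != NULL) {
 agent->msg = NULL;
 agent->msgSz = 0;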
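Review bot: The new bounds check in wolfSSH_AGENT_SignRequest reads `*sigSz` as the capacity of `sig` (`word32 maxSigSz = *sigSz;`), which makes sigSz an in/out parameter. Nothing in the visible lines documents that, and the read is unguarded while the later reset is guarded (`if (ret != WS_SUCCESS && sigSz != NULL)`). A caller that leaves `*sigSz` uninitialized or stale either gets WS_BUFFER_E for a valid signature or, with a value larger than the real buffer, makes the check ineffective before the WMEMCPY. I would document the contract at the function header, e.g. `/* sigSz: in = capacity of sig in bytes; out = signature length, 0 on failure */`, and, unless it is already validated, reject NULL up front with `if (sig == NULL || sigSz == NULL) ret = WS_BAD_ARGUMENT;`. The argument checks at the top of the function lie outside these hunks, so the NULL case may already be covered there.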

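--- a/src/wolfscp.c
+++ b/src/wolfscp.c
@@ -966,6 +966,7 @@ static int GetScpFileName(WOLFSSH* ssh, byte* buf, word32 bufSz,
 {
 int ret = WS_SUCCESS;
 word32 idx, len;
+const char* fileName;
 
 if (ssh == NULL || buf == NULL || inOutIdx == NULL)
 return WS_BAD_ARGUMENT;
@@ -977,6 +978,31 @@ static int GetScpFileName(WOLFSSH* ssh, byte* buf, word32 bufSz,
 ret = WS_SCP_CMD_E;
 
 if (ret == WS_SUCCESS) {
+word32 i;
+
+fileName = (const char*)(buf + idx);
+
+if (len == 0 ||
+(len == 1 && fileName[0] == '.') ||
+(len == 2 && fileName[0] == '.' && fileName[1] == '.')) {
+WLOG(WS_LOG_ERROR, "scp: invalid file name component received");
+wolfSSH_SetScpErrorMsg(ssh, "invalid file name");
+return WS_SCP_BAD_MSG_E;
+}
+
+for (i = 0; i < len; i++) {
+char c = fileName[i];
+
+if (c == '/' || c == '\\'
+#if defined(USE_WINDOWS_API) || defined(WOLFSSL_NUCLEUS)
+|| c == ':'
+#endif
+) {
+WLOG(WS_LOG_ERROR, "scp: invalid file name component received");
+wolfSSH_SetScpErrorMsg(ssh, "invalid file name");
+return WS_SCP_BAD_MSG_E;
+}
+}
 
 if (ssh->scpFileName != NULL) {
 WFREE(ssh->scpFileName, ssh->ctx->heap, DYNTYPE_STRING);
@@ -1277,11 +1303,13 @@ int ParseScpCommand(WOLFSSH* ssh)
 ssh->scpBasePath = ssh->scpBasePathDynamic;
 WMEMCPY(ssh->scpBasePathDynamic, cmd + idx,
 cmdSz - idx);
-ret = ParseBasePathHelper(ssh, cmdSz);
-if (ret == WS_SUCCESS &&
-wolfSSH_CleanPath(ssh,
-ssh->scpBasePathDynamic) < 0)
+if (wolfSSH_CleanPath(ssh,
+ssh->scpBasePathDynamic) < 0) {
 ret = WS_FATAL_ERROR;
+}
+else {
+ret = ParseBasePathHelper(ssh, cmdSz);
+}
 }
 break;
 
@@ -3090,4 +3118,3 @@ int wsScpSendCallback(WOLFSSH* ssh, int state, const char* peerRequest,
 #endif /* WOLFSSH_SCP_USER_CALLBACKS */
 
 #endif /* WOLFSSH_SCP */
-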
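Review bot: The character loop added to GetScpFileName rejects `/`, `\\` and (on Windows/Nucleus) `:`, but it does not reject an embedded NUL byte. The `.`/`..` tests are keyed on `len`, so they can disagree with the C-string view of the same bytes if the stored name is later handled with string functions. Rejecting the byte in the same condition keeps both views consistent: `if (c == '\0' || c == '/' || c == '\\'`. How `len` is derived and how scpFileName is consumed are outside this hunk, so confirm whether a NUL can reach this point. As a style point, the two identical WLOG / wolfSSH_SetScpErrorMsg / return sequences could share a single exit.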
