From a76e80f03e23f06a1a868481a7a448143b0b9131 Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Mon, 14 Jul 2025 10:47:51 -0600 Subject: [PATCH 1/3] AlgoListSz returns 0 if algoList is NULL --- src/internal.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/internal.c b/src/internal.c index 080ded6f3..7fcc07f00 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3988,6 +3988,9 @@ static word32 AlgoListSz(const char* algoList) { word32 algoListSz; + if (algoList == NULL) + return 0; + algoListSz = (word32)WSTRLEN(algoList); if (algoList[algoListSz-1] == ',') { --algoListSz; From 13a1c4a0469f0df53ff56c57916154ce90bf9434 Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Mon, 21 Jul 2025 10:44:12 -0600 Subject: [PATCH 2/3] check ssh->ctx before dereferencing --- src/internal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 7fcc07f00..d7b416b18 100644 --- a/src/internal.c +++ b/src/internal.c @@ -15120,7 +15120,7 @@ static int GetAllowedAuth(WOLFSSH* ssh, char* authStr) typeAllowed |= WOLFSSH_USERAUTH_PASSWORD; #ifdef WOLFSSH_KEYBOARD_INTERACTIVE - if (ssh->ctx->keyboardAuthCb != NULL) { + if (ssh->ctx && ssh->ctx->keyboardAuthCb) { typeAllowed |= WOLFSSH_USERAUTH_KEYBOARD; } #endif From 4796e346ad3ba3c2ff29117197f97043ed33f790 Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Mon, 21 Jul 2025 11:09:36 -0600 Subject: [PATCH 3/3] add ret checks for WS_SUCCESS to prevent dereference after null check NULL check before dereferencing authData additional checks formatting changes adjust return values --- src/internal.c | 58 ++++++++++++++++++++++++++++---------------------- 1 file changed, 33 insertions(+), 25 deletions(-) diff --git a/src/internal.c b/src/internal.c index d7b416b18..3b2c400cc 100644 --- a/src/internal.c +++ b/src/internal.c @@ -13321,7 +13321,8 @@ static int BuildUserAuthRequestKeyboard(WOLFSSH* ssh, byte* output, word32* idx, begin += LENGTH_SZ; WMEMCPY(output + begin, authData->sf.keyboard.promptName, slen); begin += slen; - } else { + } + else { c32toa(0, output + begin); begin += LENGTH_SZ; } @@ -13331,7 +13332,8 @@ static int BuildUserAuthRequestKeyboard(WOLFSSH* ssh, byte* output, word32* idx, begin += LENGTH_SZ; WMEMCPY(output + begin, authData->sf.keyboard.promptInstruction, slen); begin += slen; - } else { + } + else { c32toa(0, output + begin); begin += LENGTH_SZ; } @@ -13341,7 +13343,8 @@ static int BuildUserAuthRequestKeyboard(WOLFSSH* ssh, byte* output, word32* idx, begin += LENGTH_SZ; WMEMCPY(output + begin, authData->sf.keyboard.promptLanguage, slen); begin += slen; - } else { + } + else { c32toa(0, output + begin); begin += LENGTH_SZ; } @@ -13373,33 +13376,38 @@ int SendUserAuthKeyboardRequest(WOLFSSH* ssh, WS_UserAuthData* authData) WLOG(WS_LOG_DEBUG, "Entering SendUserAuthKeyboardRequest()"); - if (ssh == NULL || authData == NULL) { - ret = WS_BAD_ARGUMENT; + if (ssh == NULL || ssh->ctx == NULL|| authData == NULL) { + return WS_BAD_ARGUMENT; } - if (ssh->ctx->keyboardAuthCb == NULL) { - WLOG(WS_LOG_DEBUG, "SendUserAuthKeyboardRequest called with no Cb set"); - ret = WS_BAD_USAGE; + if (ret == WS_SUCCESS){ + if (ssh->ctx->keyboardAuthCb == NULL) { + WLOG(WS_LOG_DEBUG, "SendUserAuthKeyboardRequest called with no Cb set"); + return WS_BAD_USAGE; + } + else { + ret = ssh->ctx->keyboardAuthCb(&authData->sf.keyboard, + ssh->keyboardAuthCtx); + } } if (ret == WS_SUCCESS) { - ret = ssh->ctx->keyboardAuthCb(&authData->sf.keyboard, - ssh->keyboardAuthCtx); - } - - if (authData->sf.keyboard.promptCount > 0 && - (authData->sf.keyboard.prompts == NULL || - authData->sf.keyboard.promptLengths == NULL || - authData->sf.keyboard.promptEcho == NULL)) { - - ret = WS_BAD_USAGE; + if (authData->sf.keyboard.promptCount > 0 && + (authData->sf.keyboard.prompts == NULL || + authData->sf.keyboard.promptLengths == NULL || + authData->sf.keyboard.promptEcho == NULL)) { + ret = WS_BAD_USAGE; + } } - if (authData->sf.keyboard.promptCount > WOLFSSH_MAX_PROMPTS) { - ret = WS_BAD_USAGE; + if (ret == WS_SUCCESS) { + if (authData->sf.keyboard.promptCount > WOLFSSH_MAX_PROMPTS) { + ret = WS_BAD_USAGE; + } } - ssh->kbAuth.promptCount = authData->sf.keyboard.promptCount; + if (ret == WS_SUCCESS) + ssh->kbAuth.promptCount = authData->sf.keyboard.promptCount; payloadSz = MSG_ID_SZ; if (ret == WS_SUCCESS) { @@ -13410,12 +13418,12 @@ int SendUserAuthKeyboardRequest(WOLFSSH* ssh, WS_UserAuthData* authData) ret = PreparePacket(ssh, payloadSz); } - output = ssh->outputBuffer.buffer; - idx = ssh->outputBuffer.length; + if (ret == WS_SUCCESS) { + output = ssh->outputBuffer.buffer; + idx = ssh->outputBuffer.length; - output[idx++] = MSGID_USERAUTH_INFO_REQUEST; + output[idx++] = MSGID_USERAUTH_INFO_REQUEST; - if (ret == WS_SUCCESS) { ret = BuildUserAuthRequestKeyboard(ssh, output, &idx, authData); }