From 335afde4746ed5eded649c3a9d69cd74a5861f9f Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 30 Aug 2023 09:02:51 -0700 Subject: [PATCH] additional checks on packet size --- src/wolfsftp.c | 95 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) diff --git a/src/wolfsftp.c b/src/wolfsftp.c index ddd9137ca..fee9b6cf8 100644 --- a/src/wolfsftp.c +++ b/src/wolfsftp.c @@ -1697,6 +1697,11 @@ int wolfSSH_SFTP_RecvRMDIR(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_RMDIR"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + ato32(data + idx, &sz); idx += UINT32_SZ; if (sz > maxSz - idx) { return WS_BUFFER_E; @@ -1772,6 +1777,11 @@ int wolfSSH_SFTP_RecvMKDIR(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_MKDIR"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + ato32(data + idx, &sz); idx += UINT32_SZ; if (sz > maxSz - idx) { return WS_BUFFER_E; @@ -1971,6 +1981,11 @@ int wolfSSH_SFTP_RecvOpen(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) return WS_FATAL_ERROR; } + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + ato32(data + idx, &sz); idx += UINT32_SZ; if (sz > maxSz - idx) { return WS_BUFFER_E; @@ -2099,6 +2114,11 @@ int wolfSSH_SFTP_RecvOpen(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) return WS_FATAL_ERROR; } + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + ato32(data + idx, &sz); idx += UINT32_SZ; if (sz > maxSz - idx) { return WS_BUFFER_E; @@ -2237,6 +2257,11 @@ int wolfSSH_SFTP_RecvOpenDir(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) return WS_FATAL_ERROR; } + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + /* get directory name */ ato32(data + idx, &sz); idx += UINT32_SZ; if (sz > maxSz - idx) { 
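Review bot: The added guard `if (maxSz < UINT32_SZ)` in wolfSSH_SFTP_RecvRMDIR covers only the first length prefix and is written as if `idx` were zero, a value that is set outside the hunk. Expressing it relative to the cursor, `if (idx > maxSz || maxSz - idx < UINT32_SZ) return WS_BUFFER_E;`, keeps it correct if anything is ever parsed before it and lets the same line precede every later `ato32` read. The Rename hunk's "get old file name" comment suggests a second length field follows outside that hunk, so it is worth confirming that such later reads carry their own check. The same five lines are pasted into all 19 hunks of this patch; a single static helper that does the size check and the `ato32` together would keep the handlers from drifting apart. Each function body starts and ends outside its hunk.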
@@ -2346,6 +2371,11 @@ int wolfSSH_SFTP_RecvOpenDir(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) return WS_FATAL_ERROR; } + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + /* get directory name */ ato32(data + idx, &sz); idx += UINT32_SZ; @@ -3098,6 +3128,11 @@ int wolfSSH_SFTP_RecvReadDir(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) dir = INVALID_HANDLE_VALUE; #endif + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + /* get directory handle */ ato32(data + idx, &sz); idx += UINT32_SZ; if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE) { @@ -3281,6 +3316,11 @@ int wolfSSH_SFTP_RecvWrite(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_WRITE"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + /* get file handle */ ato32(data + idx, &sz); idx += UINT32_SZ; if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE) { @@ -3365,6 +3405,11 @@ int wolfSSH_SFTP_RecvWrite(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_WRITE"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + /* get file handle */ ato32(data + idx, &sz); idx += UINT32_SZ; @@ -3456,6 +3501,11 @@ int wolfSSH_SFTP_RecvRead(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_READ"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + /* get file handle */ ato32(data + idx, &sz); idx += UINT32_SZ; if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE) { 
@@ -3551,6 +3601,11 @@ int wolfSSH_SFTP_RecvRead(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_READ"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + /* get file handle */ ato32(data + idx, &sz); idx += UINT32_SZ; if (sz > maxSz - idx || sz > WOLFSSH_MAX_HANDLE) { @@ -3668,6 +3723,11 @@ int wolfSSH_SFTP_RecvClose(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_CLOSE"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + /* get file handle */ ato32(data + idx, &sz); idx += UINT32_SZ; if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE) { @@ -3749,6 +3809,11 @@ int wolfSSH_SFTP_RecvClose(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_CLOSE"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + /* get file handle */ ato32(data + idx, &sz); idx += UINT32_SZ; if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE) { @@ -3839,6 +3904,11 @@ int wolfSSH_SFTP_RecvRemove(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_REMOVE"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + /* get file name */ ato32(data + idx, &sz); idx += UINT32_SZ; if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE) { @@ -3925,6 +3995,11 @@ int wolfSSH_SFTP_RecvRename(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_RENAME"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + /* get old file name */ ato32(data + idx, &sz); idx += UINT32_SZ; if (sz > maxSz - idx) { 
@@ -4667,6 +4742,11 @@ int wolfSSH_SFTP_RecvFSTAT(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_FSTAT"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + ato32(data + idx, &handleSz); idx += UINT32_SZ; if (handleSz + idx > maxSz) { return WS_BUFFER_E; @@ -4735,6 +4815,11 @@ int wolfSSH_SFTP_RecvSTAT(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_STAT"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + ato32(data + idx, &sz); idx += UINT32_SZ; if (sz > maxSz - idx) { return WS_BUFFER_E; @@ -4814,6 +4899,11 @@ int wolfSSH_SFTP_RecvLSTAT(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_LSTAT"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + ato32(data + idx, &sz); idx += UINT32_SZ; if (sz > maxSz - idx) { return WS_BUFFER_E; @@ -4955,6 +5045,11 @@ int wolfSSH_SFTP_RecvSetSTAT(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz) WLOG(WS_LOG_SFTP, "Receiving WOLFSSH_FTP_SETSTAT"); + if (maxSz < UINT32_SZ) { + /* not enough for an ato32 call */ + return WS_BUFFER_E; + } + ato32(data + idx, &sz); idx += UINT32_SZ; if (sz > maxSz - idx) { return WS_BUFFER_E;
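Review bot: The context check `if (handleSz + idx > maxSz)` directly after the new guard in wolfSSH_SFTP_RecvFSTAT can wrap. If `handleSz` is a 32-bit unsigned value like `maxSz`, a length near the 32-bit maximum added to `idx` gives a small sum and passes the bound. The STAT, LSTAT and SetSTAT hunks already use the subtraction form, so this one should match: `if (handleSz > maxSz - idx) return WS_BUFFER_E;`, which cannot underflow once the new guard has run, provided `idx` starts at zero. The ReadDir, Write, Read, Close and Remove hunks use the same `sz + idx > maxSz` form but also reject `sz > WOLFSSH_MAX_HANDLE` in the same condition, so for them this is a consistency fix. Whether `handleSz` is bounded again later in the function cannot be seen from this hunk.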