Skip to content

fix: correct DoChannelData dataSz bounds check#1090

Open
MarkAtwood wants to merge 1 commit into
wolfSSL:masterfrom
MarkAtwood:fix/dochanneldata-bounds-check
Open

fix: correct DoChannelData dataSz bounds check#1090
MarkAtwood wants to merge 1 commit into
wolfSSL:masterfrom
MarkAtwood:fix/dochanneldata-bounds-check

Conversation

@MarkAtwood

Copy link
Copy Markdown

Bug

In DoChannelData() (src/internal.c), the "Validate dataSz" block checks if (len < begin) after GetSize() has already returned WS_SUCCESS. That condition is provably always false: GetSize/GetUint32 only advance begin when the requested bytes fit, guaranteeing begin <= len on success. So the check is dead code and never validates the payload length against the remaining buffer.

Fix

Replace the dead check with the meaningful one that the surrounding code already relies on:

    /* Validate dataSz */
    if (ret == WS_SUCCESS) {
        if (dataSz > len - begin) {
            ret = WS_RECV_OVERFLOW_E;
        }
    }

len - begin cannot underflow because GetSize guarantees begin <= len on success. This makes the actual payload-length safety invariant explicit for auditors, matching the existing combined pattern used at src/internal.c:7554 (if ((len < begin) || (strSz > len - begin))). No behavioral change on valid input — pure defense-in-depth / readability.

This is a LOW severity finding: the following *idx = begin + dataSz is already safe on valid input (no word32 overflow), so this is not an exploitable overflow.

Build verification

Recompiled the full wolfSSH library (including src/internal.c) against a prebuilt wolfSSL (--enable-all --enable-ssh) on Ubuntu 24.04, make exit 0.

Reported by static analysis (Fenrir finding 247).

Copilot AI review requested due to automatic review settings July 9, 2026 23:47

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Fixes a dead/ineffective bounds check in DoChannelData() by validating dataSz against the remaining buffer (len - begin) after size parsing succeeds.

Changes:

  • Replace an always-false len < begin check with a meaningful dataSz > len - begin bounds check in DoChannelData()

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/internal.c
Comment on lines 11092 to 11095
if (ret == WS_SUCCESS) {
if (len < begin) {
if (dataSz > len - begin) {
ret = WS_RECV_OVERFLOW_E;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants