fix(security): validate SSH_MSG_CHANNEL_WINDOW_ADJUST to prevent uint32 overflow

A malicious server could send a window adjust that overflows the uint32
maximum (0xFFFFFFFF per RFC 4254 §5.2), causing remoteWindowSize to wrap
negative and deadlock the send loop, or allowing unbounded window growth
that breaks flow control. Reject adjustments ≤ 0 or that would push the
window past the protocol maximum.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: kruton

sshlib/src/main/kotlin/org/connectbot/sshlib/client/AgentChannel.kt

@@ -1,6 +1,6 @@
 /*
  * ConnectBot SSH Library
- * Copyright 2025 Kenny Root
+ * Copyright 2025-2026 Kenny Root
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,6 +18,7 @@
 package org.connectbot.sshlib.client
 
 import kotlinx.coroutines.channels.Channel
+import org.connectbot.sshlib.SshException
 import org.slf4j.LoggerFactory
 
 internal class AgentChannel(
@@ -30,6 +31,7 @@ internal class AgentChannel(
 ) {
     companion object {
         private val logger = LoggerFactory.getLogger(AgentChannel::class.java)
+        private const val MAX_WINDOW_SIZE = 0xFFFFFFFFL
     }
 
     private var _isOpen = true
@@ -55,6 +57,12 @@ internal class AgentChannel(
     }
 
     fun onWindowAdjust(bytesToAdd: Long) {
+        if (bytesToAdd <= 0) {
+            throw SshException("Invalid window adjust: bytesToAdd must be positive, got $bytesToAdd")
+        }
+        if (remoteWindowSize + bytesToAdd > MAX_WINDOW_SIZE) {
+            throw SshException("Channel window overflow: current=$remoteWindowSize, adding=$bytesToAdd exceeds max $MAX_WINDOW_SIZE")
+        }
         remoteWindowSize += bytesToAdd
         logger.debug("Agent channel window adjust +$bytesToAdd, remote window now $remoteWindowSize")
         if (remoteWindowSize > 0) {

sshlib/src/main/kotlin/org/connectbot/sshlib/client/ForwardingChannel.kt

@@ -1,6 +1,6 @@
 /*
  * ConnectBot SSH Library
- * Copyright 2025 Kenny Root
+ * Copyright 2025-2026 Kenny Root
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@ package org.connectbot.sshlib.client
 
 import kotlinx.coroutines.channels.Channel
 import kotlinx.coroutines.channels.ReceiveChannel
+import org.connectbot.sshlib.SshException
 import org.slf4j.LoggerFactory
 
 internal class ForwardingChannel(
@@ -32,6 +33,7 @@ internal class ForwardingChannel(
     companion object {
         private val logger = LoggerFactory.getLogger(ForwardingChannel::class.java)
         private const val WINDOW_ADJUST_THRESHOLD = 64 * 1024
+        private const val MAX_WINDOW_SIZE = 0xFFFFFFFFL
     }
 
     private var _isOpen = true
@@ -57,6 +59,12 @@ internal class ForwardingChannel(
     }
 
     internal fun onWindowAdjust(bytesToAdd: Long) {
+        if (bytesToAdd <= 0) {
+            throw SshException("Invalid window adjust: bytesToAdd must be positive, got $bytesToAdd")
+        }
+        if (remoteWindowSize + bytesToAdd > MAX_WINDOW_SIZE) {
+            throw SshException("Channel window overflow: current=$remoteWindowSize, adding=$bytesToAdd exceeds max $MAX_WINDOW_SIZE")
+        }
         remoteWindowSize += bytesToAdd
         logger.debug("Forwarding channel window adjust +$bytesToAdd, remote window now $remoteWindowSize")
         if (remoteWindowSize > 0) {

sshlib/src/main/kotlin/org/connectbot/sshlib/client/SessionChannel.kt

@@ -1,6 +1,6 @@
 /*
  * ConnectBot SSH Library
- * Copyright 2025 Kenny Root
+ * Copyright 2025-2026 Kenny Root
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,6 +25,7 @@ import kotlinx.coroutines.delay
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.sync.Mutex
 import kotlinx.coroutines.sync.withLock
+import org.connectbot.sshlib.SshException
 import org.connectbot.sshlib.SshSession
 import org.connectbot.sshlib.protocol.ByteString
 import org.connectbot.sshlib.protocol.ChannelRequestExec
@@ -52,6 +53,7 @@ class SessionChannel internal constructor(
     companion object {
         private val logger = LoggerFactory.getLogger(SessionChannel::class.java)
         private const val WINDOW_ADJUST_THRESHOLD = 16 * 1024
+        private const val MAX_WINDOW_SIZE = 0xFFFFFFFFL
     }
 
     private var _isOpen = true
@@ -109,6 +111,12 @@ class SessionChannel internal constructor(
     }
 
     internal fun onWindowAdjust(bytesToAdd: Long) {
+        if (bytesToAdd <= 0) {
+            throw SshException("Invalid window adjust: bytesToAdd must be positive, got $bytesToAdd")
+        }
+        if (remoteWindowSize + bytesToAdd > MAX_WINDOW_SIZE) {
+            throw SshException("Channel window overflow: current=$remoteWindowSize, adding=$bytesToAdd exceeds max $MAX_WINDOW_SIZE")
+        }
         remoteWindowSize += bytesToAdd
         logger.debug("Window adjust +$bytesToAdd, remote window now $remoteWindowSize")
         if (remoteWindowSize > 0) {

sshlib/src/test/kotlin/org/connectbot/sshlib/client/SessionChannelTest.kt

@@ -1,6 +1,6 @@
 /*
  * ConnectBot SSH Library
- * Copyright 2025 Kenny Root
+ * Copyright 2025-2026 Kenny Root
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,11 +25,13 @@ import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.ExperimentalCoroutinesApi
 import kotlinx.coroutines.test.UnconfinedTestDispatcher
 import kotlinx.coroutines.test.runTest
+import org.connectbot.sshlib.SshException
 import org.junit.jupiter.api.Assertions.assertArrayEquals
 import org.junit.jupiter.api.Assertions.assertEquals
 import org.junit.jupiter.api.Assertions.assertFalse
 import org.junit.jupiter.api.Assertions.assertTrue
 import org.junit.jupiter.api.Test
+import kotlin.test.assertFailsWith
 
 @OptIn(ExperimentalCoroutinesApi::class)
 class SessionChannelTest {
@@ -157,4 +159,45 @@ class SessionChannelTest {
 
         coVerify(exactly = 1) { conn.sendChannelClose(1) }
     }
+
+    @Test
+    fun `onWindowAdjust throws when remote window would exceed max uint32`() = runTest {
+        // Start with a large initial window and try to push it over 2^32-1
+        val (channel, _) = createChannel(
+            connection = mockk(relaxed = true),
+            initialWindowSize = 64 * 1024,
+        )
+        // channel starts with remoteWindowSizeInitial = 64 * 1024; add enough to overflow uint32
+        val overflow = (0xFFFFFFFFL - 64 * 1024L) + 1L
+        assertFailsWith<SshException> {
+            channel.onWindowAdjust(overflow)
+        }
+    }
+
+    @Test
+    fun `onWindowAdjust accepts legitimate adjustment within uint32 range`() = runTest {
+        val (channel, _) = createChannel(
+            connection = mockk(relaxed = true),
+            initialWindowSize = 64 * 1024,
+        )
+        // Valid: bring window up to exactly 2^32-1
+        val maxAdd = 0xFFFFFFFFL - 64 * 1024L
+        channel.onWindowAdjust(maxAdd) // should not throw
+    }
+
+    @Test
+    fun `onWindowAdjust rejects zero adjustment`() = runTest {
+        val (channel, _) = createChannel(connection = mockk(relaxed = true))
+        assertFailsWith<SshException> {
+            channel.onWindowAdjust(0L)
+        }
+    }
+
+    @Test
+    fun `onWindowAdjust rejects negative adjustment`() = runTest {
+        val (channel, _) = createChannel(connection = mockk(relaxed = true))
+        assertFailsWith<SshException> {
+            channel.onWindowAdjust(-1L)
+        }
+    }
 }