@@ -1002,17 +1002,26 @@ static int SHELL_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
10021002 }
10031003
10041004 if (ret == WS_SUCCESS ) {
1005- char cmdWSize [20 ];
1006- int cmdWSizeSz = 20 ;
1005+ /* Worst case "\x1b[8;%u;%ut" with two 10-digit word32 values is 26
1006+ * bytes plus the terminator; size generously. */
1007+ char cmdWSize [32 ];
1008+ int cmdWSizeSz ;
10071009 DWORD wrtn = 0 ;
10081010
10091011 wolfSSH_Log (WS_LOG_INFO , "[SSHD] Successfully created process for "
10101012 "console, waiting for it to start" );
10111013
10121014 WaitForInputIdle (processInfo .hProcess , 1000 );
10131015
1014- /* Send initial terminal size to pseudo console with VT control sequence */
1015- cmdWSizeSz = snprintf (cmdWSize , cmdWSizeSz , "\x1b[8;%d;%dt" , ssh -> heightRows , ssh -> widthChar );
1016+ /* Send initial terminal size to pseudo console with VT control sequence.
1017+ * heightRows/widthChar are peer-supplied word32 values, so format them
1018+ * with %u and clamp the return value before handing it to WriteFile to
1019+ * avoid over-reading the stack buffer. */
1020+ cmdWSizeSz = WSNPRINTF (cmdWSize , sizeof (cmdWSize ), "\x1b[8;%u;%ut" ,
1021+ ssh -> heightRows , ssh -> widthChar );
1022+ if (cmdWSizeSz < 0 || cmdWSizeSz > (int )sizeof (cmdWSize )) {
1023+ cmdWSizeSz = (int )sizeof (cmdWSize );
1024+ }
10161025 if (WriteFile (ptyIn , cmdWSize , cmdWSizeSz , & wrtn , 0 ) != TRUE) {
10171026 WLOG (WS_LOG_ERROR , "Issue with pseudo console resize" );
10181027 ret = WS_FATAL_ERROR ;
0 commit comments