
Commit 3f981d1

yosuke-wolfsslejohnstown
authored andcommitted
wolfsshd: fix peer-controlled over-read in Windows pseudo-console resize
1 parent d49b15f commit 3f981d1

1 file changed

Lines changed: 13 additions & 4 deletions


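--- a/apps/wolfsshd/wolfsshd.c
+++ b/apps/wolfsshd/wolfsshd.c
@@ -1002,17 +1002,26 @@ static int SHELL_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
 }
 
 if (ret == WS_SUCCESS) {
-char cmdWSize[20];
-int cmdWSizeSz = 20;
+/* Worst case "\x1b[8;%u;%ut" with two 10-digit word32 values is 26
+* bytes plus the terminator; size generously. */
+char cmdWSize[32];
+int cmdWSizeSz;
 DWORD wrtn = 0;
 
 wolfSSH_Log(WS_LOG_INFO, "[SSHD] Successfully created process for "
 "console, waiting for it to start");
 
 WaitForInputIdle(processInfo.hProcess, 1000);
 
-/* Send initial terminal size to pseudo console with VT control sequence */
-cmdWSizeSz = snprintf(cmdWSize, cmdWSizeSz, "\x1b[8;%d;%dt", ssh->heightRows, ssh->widthChar);
+/* Send initial terminal size to pseudo console with VT control sequence.
+* heightRows/widthChar are peer-supplied word32 values, so format them
+* with %u and clamp the return value before handing it to WriteFile to
+* avoid over-reading the stack buffer. */
+cmdWSizeSz = WSNPRINTF(cmdWSize, sizeof(cmdWSize), "\x1b[8;%u;%ut",
+ssh->heightRows, ssh->widthChar);
+if (cmdWSizeSz < 0 || cmdWSizeSz > (int)sizeof(cmdWSize)) {
+cmdWSizeSz = (int)sizeof(cmdWSize);
+}
 if (WriteFile(ptyIn, cmdWSize, cmdWSizeSz, &wrtn, 0) != TRUE) {
 WLOG(WS_LOG_ERROR, "Issue with pseudo console resize");
 ret = WS_FATAL_ERROR;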
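Review bot: On the error path of the added clamp, `cmdWSizeSz < 0` is turned into `sizeof(cmdWSize)`, so WriteFile sends all 32 bytes of a buffer that is declared without an initializer and may not have been filled; a formatting failure would then push leftover stack bytes into the pseudo console, trading the over-read for an uninitialized read. Whether WSNPRINTF can return a negative value here depends on its Windows mapping, which is not visible in this hunk, but the safer shape is to send nothing when the sequence is incomplete: `if (cmdWSizeSz < 0 || cmdWSizeSz >= (int)sizeof(cmdWSize)) { cmdWSizeSz = 0; }`, together with `char cmdWSize[32] = {0};`. The comparison should be `>=` because a return equal to the buffer size already means the output was truncated, and the last byte sent would be the terminator. It may also be worth confirming that heightRows/widthChar are bounded to a sane terminal size before they reach this point, since the hunk only fixes how they are formatted. SHELL_Subsystem starts and ends outside the hunk.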
