Skip to content

Commit 60c6b38

Browse files
committed
Fix integer underflow in SFTP RecvRead bound check
- Replace `strSz > maxSz - WOLFSSH_SFTP_HEADER - idx` with `strSz > WOLFSSH_MAX_SFTP_RW` to prevent unsigned wraparound and downstream WMALLOC size overflow. - Apply to both POSIX and Windows variants. Issue: F-3682
1 parent b12a2a5 commit 60c6b38

1 file changed

Lines changed: 4 additions & 2 deletions

File tree

src/wolfsftp.c

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3835,7 +3835,8 @@ int wolfSSH_SFTP_RecvRead(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz)
38353835
if (GetUint32(&strSz, data, maxSz, &idx) != WS_SUCCESS) {
38363836
return WS_BUFFER_E;
38373837
}
3838-
if (strSz > maxSz - WOLFSSH_SFTP_HEADER - idx) {
3838+
/* Bound strSz to the maximum SFTP read/write payload size. */
3839+
if (strSz > WOLFSSH_MAX_SFTP_RW) {
38393840
return WS_BUFFER_E;
38403841
}
38413842

@@ -3942,7 +3943,8 @@ int wolfSSH_SFTP_RecvRead(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz)
39423943
if (GetUint32(&strSz, data, maxSz, &idx) != WS_SUCCESS) {
39433944
return WS_BUFFER_E;
39443945
}
3945-
if (strSz > maxSz - WOLFSSH_SFTP_HEADER - idx) {
3946+
/* Bound strSz to the maximum SFTP read/write payload size. */
3947+
if (strSz > WOLFSSH_MAX_SFTP_RW) {
39463948
return WS_BUFFER_E;
39473949
}
39483950

0 commit comments

Comments
 (0)