PrepareUserAuthRequestEcc Missing Bounds Checks

ejohnstown · ejohnstown · commit 735503189ba8 · 2026-03-10T16:06:47.000-07:00
For agent ECC public key parsing, replaced parsing the data by hand with
the GetSkip() and GetStringRef() functions which do bounds checking.

Affected function: PrepareUserAuthRequestEcc.
Issue: F-526
diff --git a/src/internal.c b/src/internal.c
@@ -14397,26 +14397,36 @@ static int PrepareUserAuthRequestEcc(WOLFSSH* ssh, word32* payloadSz,
         ret = wc_ecc_init(&keySig->ks.ecc.key);
 
     if (ret == 0) {
-        word32 idx = 0;
+        word32 idx;
         #ifdef WOLFSSH_AGENT
         if (ssh->agentEnabled) {
-            word32 sz;
-            const byte* c = (const byte*)authData->sf.publicKey.publicKey;
+            const byte* publicKey = NULL;
+            word32 publicKeySz;
 
-            ato32(c + idx, &sz);
-            idx += LENGTH_SZ + sz;
-            ato32(c + idx, &sz);
-            idx += LENGTH_SZ + sz;
-            ato32(c + idx, &sz);
-            idx += LENGTH_SZ;
-            c += idx;
             idx = 0;
-
-            ret = wc_ecc_import_x963(c, sz, &keySig->ks.ecc.key);
+            ret = GetSkip((const byte*)authData->sf.publicKey.publicKey,
+                    authData->sf.publicKey.publicKeySz, &idx);
+            if (ret == WS_SUCCESS) {
+                ret = GetSkip((const byte*)authData->sf.publicKey.publicKey,
+                        authData->sf.publicKey.publicKeySz, &idx);
+            }
+            if (ret == WS_SUCCESS) {
+                ret = GetStringRef(&publicKeySz, &publicKey,
+                        (const byte*)authData->sf.publicKey.publicKey,
+                        authData->sf.publicKey.publicKeySz, &idx);
+            }
+            if (ret == WS_SUCCESS) {
+                ret = wc_ecc_import_x963(publicKey, publicKeySz,
+                        &keySig->ks.ecc.key);
+            }
+            if (ret == 0) {
+                ret = WS_SUCCESS;
+            }
         }
         else
         #endif
         {
+            idx = 0;
             ret = wc_EccPrivateKeyDecode(authData->sf.publicKey.privateKey,
                     &idx, &keySig->ks.ecc.key,
                     authData->sf.publicKey.privateKeySz);
@@ -14426,6 +14436,9 @@ static int PrepareUserAuthRequestEcc(WOLFSSH* ssh, word32* payloadSz,
                         authData->sf.publicKey.privateKey,
                         authData->sf.publicKey.privateKeySz, &idx);
             }
+            else {
+                ret = WS_ECC_E;
+            }
         }
     }
 
