Skip to content

Reject SFTP resume names that fill the whole name field#1105

Open
yosuke-wolfssl wants to merge 1 commit into
wolfSSL:masterfrom
yosuke-wolfssl:fix/f_6812
Open

Reject SFTP resume names that fill the whole name field#1105
yosuke-wolfssl wants to merge 1 commit into
wolfSSL:masterfrom
yosuke-wolfssl:fix/f_6812

Conversation

@yosuke-wolfssl

Copy link
Copy Markdown
Contributor

Description

wolfSSH_SFTP_SaveOfst saves a from/to file-name pair and a file offset so an interrupted reget/reput can later resume. The names are copied into the fixed-size fields of SFTP_OFST:

typedef struct SFTP_OFST {
    word32 offset[2];
    char from[WOLFSSH_MAX_FILENAME];
    char to[WOLFSSH_MAX_FILENAME];
} SFTP_OFST;

Both fields are char[WOLFSSH_MAX_FILENAME] (256 by default) and the copied names are NUL terminated. The length guard, however, only rejected names strictly longer than the field:

if (frmSz > WOLFSSH_MAX_FILENAME || toSz > WOLFSSH_MAX_FILENAME) {
    WLOG(WS_LOG_SFTP, "File name is too large");
    return WS_BUFFER_E;
}

When frmSz/toSz == WOLFSSH_MAX_FILENAME, the check passes, WMEMCPY fills indices 0..255, and current->from[frmSz] = '\0' (and the to equivalent) writes index 256 — one byte past the array.

For the to field, which is the last member of SFTP_OFST, the stray NUL lands either in the next slot's offset[0] (corrupting a saved resume offset) or, for the last slot in ssh->sftpOfst[], one byte past the array into the adjacent WOLFSSH member (char* sftpDefaultPath), corrupting the low byte of a pointer that is later dereferenced and freed.

The function is a public API (WOLFSSH_API) and is also reached internally from the reget/reput paths (wolfSSH_SFTP_Get, wolfSSH_SFTP_Put), where from/to are caller-supplied file names with no upstream length clamp.

Addressed by f_6812.

Fix

Change the guard from > to >= so a name that fills the whole field, leaving no room for the terminator, is rejected with WS_BUFFER_E. Names up to WOLFSSH_MAX_FILENAME - 1 characters continue to work unchanged.

Testing

Added test_wolfSSH_SFTP_SaveOfst to tests/api.c:

  • A name of WOLFSSH_MAX_FILENAME characters (for from and for to) is rejected with WS_BUFFER_E and stores nothing (verified via wolfSSH_SFTP_GetOfst).
  • The longest name that fits (WOLFSSH_MAX_FILENAME - 1) is saved and round-trips back through wolfSSH_SFTP_GetOfst with the correct offset.
  • The test fails before the fix (0 != -1004) and passes after.

Verified with ./configure --enable-all

@yosuke-wolfssl yosuke-wolfssl self-assigned this Jul 14, 2026
Copilot AI review requested due to automatic review settings July 14, 2026 23:28

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request fixes an out-of-bounds write in wolfSSH_SFTP_SaveOfst() by rejecting from/to filenames whose lengths exactly equal WOLFSSH_MAX_FILENAME (leaving no space for the terminating NUL) and adds an API-level regression test to ensure the boundary behavior is correct.

Changes:

  • Tighten the filename length guard in wolfSSH_SFTP_SaveOfst() from > to >= to prevent writing the terminator one byte past the fixed-size name buffers.
  • Add a new tests/api.c test that verifies WOLFSSH_MAX_FILENAME-length names are rejected and that WOLFSSH_MAX_FILENAME - 1-length names round-trip successfully.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
src/wolfsftp.c Fixes the off-by-one guard to prevent OOB NUL write when saving resume state names.
tests/api.c Adds a boundary-condition regression test for wolfSSH_SFTP_SaveOfst / wolfSSH_SFTP_GetOfst.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #1105

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants