Skip to content

wolfsshd: fix peer-controlled over-read in Windows pseudo-console resize#1005

Open
yosuke-wolfssl wants to merge 2 commits into
wolfSSL:masterfrom
yosuke-wolfssl:fix/f_4581
Open

wolfsshd: fix peer-controlled over-read in Windows pseudo-console resize#1005
yosuke-wolfssl wants to merge 2 commits into
wolfSSL:masterfrom
yosuke-wolfssl:fix/f_4581

Conversation

@yosuke-wolfssl
Copy link
Copy Markdown
Contributor

@yosuke-wolfssl yosuke-wolfssl commented Jun 8, 2026

Description

In the Windows variant of SHELL_Subsystem, the initial pty-resize VT escape sequence was formatted into a 20-byte stack buffer and the snprintf return value was passed unchecked to WriteFile.

char cmdWSize[20];
int cmdWSizeSz = 20;
cmdWSizeSz = snprintf(cmdWSize, cmdWSizeSz, "\x1b[8;%d;%dt",
    ssh->heightRows, ssh->widthChar);
WriteFile(ptyIn, cmdWSize, cmdWSizeSz, &wrtn, 0);

heightRows and widthChar are word32 values supplied by the authenticated peer via pty-req. For large decimal dimensions, C99 snprintf returns the length it would have written (>20), so WriteFile reads past the end of the 20-byte stack buffer, leaking adjacent stack contents into the pseudo-console fed to the child shell. With legacy MSVC _snprintf truncation semantics (returns -1), the cast to DWORD becomes ~4 GiB and can crash with an access violation.

Changes

  • Enlarge cmdWSize to 32 bytes to hold the worst-case \x1b[8;%u;%ut expansion (26 bytes + NUL).
  • Format with %u since the values are unsigned word32, and use the repo's WSNPRINTF macro (consistent with other calls in this file).
  • Clamp the return value before WriteFile to handle both the C99 (>size) and legacy MSVC (-1) cases.

Addressed by f_4581

@yosuke-wolfssl yosuke-wolfssl self-assigned this Jun 8, 2026
Copilot AI review requested due to automatic review settings June 8, 2026 05:31
Copilot AI reviewed Jun 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a Windows-specific information disclosure / crash risk in wolfsshd by ensuring the initial pseudo-console resize VT escape sequence cannot cause a peer-controlled over-read of a stack buffer when written via WriteFile.

Changes:

  • Enlarges the stack buffer used to build the initial ESC[8;...t resize sequence for ConPTY.
  • Switches formatting to WSNPRINTF with %u for the peer-supplied word32 dimensions.
  • Adds return-value clamping logic intended to prevent WriteFile from using an out-of-range byte count.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread apps/wolfsshd/wolfsshd.c Outdated
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed Jun 8, 2026
View reviewed changes
Copy link
Copy Markdown

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #1005

Scan targets checked: none
Failed targets: wolfssh-bugs, wolfssh-src

⚠️ Review incomplete — one or more scan targets failed before findings could be produced. See the Fenrir PR review detail page for logs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@yosuke-wolfssl @wolfSSL-Fenrir-bot @wolfSSL-Bot