From b6aab1919aadb0cb62f3e527fcf414a1fd252bf5 Mon Sep 17 00:00:00 2001
From: Yosuke Shimizu
Date: Mon, 8 Jun 2026 14:16:40 +0900
Subject: [PATCH 1/2] wolfsshd: fix peer-controlled over-read in Windows pseudo-console resize
---
 apps/wolfsshd/wolfsshd.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/apps/wolfsshd/wolfsshd.c b/apps/wolfsshd/wolfsshd.c
index 0d1785d08..0c2754b49 100644
--- a/apps/wolfsshd/wolfsshd.c
+++ b/apps/wolfsshd/wolfsshd.c
@@ -1002,8 +1002,10 @@ static int SHELL_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
 }
 if (ret == WS_SUCCESS) {
- char cmdWSize[20];
- int cmdWSizeSz = 20;
+ /* Worst case "\x1b[8;%u;%ut" with two 10-digit word32 values is 26
+ * bytes plus the terminator; size generously. */
+ char cmdWSize[32];
+ int cmdWSizeSz;
 DWORD wrtn = 0;
 wolfSSH_Log(WS_LOG_INFO, "[SSHD] Successfully created process for "
@@ -1011,8 +1013,15 @@ static int SHELL_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
 WaitForInputIdle(processInfo.hProcess, 1000);
- /* Send initial terminal size to pseudo console with VT control sequence */
- cmdWSizeSz = snprintf(cmdWSize, cmdWSizeSz, "\x1b[8;%d;%dt", ssh->heightRows, ssh->widthChar);
+ /* Send initial terminal size to pseudo console with VT control sequence.
+ * heightRows/widthChar are peer-supplied word32 values, so format them
+ * with %u and clamp the return value before handing it to WriteFile to
+ * avoid over-reading the stack buffer. */
+ cmdWSizeSz = WSNPRINTF(cmdWSize, sizeof(cmdWSize), "\x1b[8;%u;%ut",
+ ssh->heightRows, ssh->widthChar);
+ if (cmdWSizeSz < 0 || cmdWSizeSz > (int)sizeof(cmdWSize)) {
+ cmdWSizeSz = (int)sizeof(cmdWSize);
+ }
 if (WriteFile(ptyIn, cmdWSize, cmdWSizeSz, &wrtn, 0) != TRUE) {
 WLOG(WS_LOG_ERROR, "Issue with pseudo console resize");
 ret = WS_FATAL_ERROR;
From 6756ff525014c635424c2be7d286fc715f59c6e5 Mon Sep 17 00:00:00 2001
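Review bot: When WSNPRINTF returns a negative value, the clamp added in the second hunk (`@@ -1011,8 +1013,15 @@`) turns that failure into a full-buffer length and WriteFile still sends cmdWSize to ptyIn, even though the first hunk declares `char cmdWSize[32];` without an initializer. The read past the buffer is closed, but on that path up to 32 bytes of indeterminate stack content are written into the pseudo console as if they were the resize sequence; patch 2/2 changes the bound to `sizeof(cmdWSize) - 1` and keeps the same write-after-failure. Treat a negative or truncated result as an error instead of clamping: put `WLOG(WS_LOG_ERROR, "Issue with pseudo console resize"); ret = WS_FATAL_ERROR;` in that branch and make the write `else if (WriteFile(ptyIn, cmdWSize, cmdWSizeSz, &wrtn, 0) != TRUE) {`. SHELL_Subsystem starts and ends outside the hunk, so whether failing the session or merely skipping the initial resize is the right reaction has to be decided against the rest of the function.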
From: Yosuke Shimizu
Date: Mon, 8 Jun 2026 14:32:09 +0900
Subject: [PATCH 2/2] Fix
---
 apps/wolfsshd/wolfsshd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/wolfsshd/wolfsshd.c b/apps/wolfsshd/wolfsshd.c
index 0c2754b49..f841f6a5e 100644
--- a/apps/wolfsshd/wolfsshd.c
+++ b/apps/wolfsshd/wolfsshd.c
@@ -1019,8 +1019,8 @@ static int SHELL_Subsystem(WOLFSSHD_CONNECTION* conn, WOLFSSH* ssh,
 * avoid over-reading the stack buffer. */
 cmdWSizeSz = WSNPRINTF(cmdWSize, sizeof(cmdWSize), "\x1b[8;%u;%ut",
 ssh->heightRows, ssh->widthChar);
- if (cmdWSizeSz < 0 || cmdWSizeSz >= (int)sizeof(cmdWSize)) {
- cmdWSizeSz = (int)sizeof(cmdWSize);
+ if (cmdWSizeSz < 0 || cmdWSizeSz >= (int)sizeof(cmdWSize)) {
+ cmdWSizeSz = (int)sizeof(cmdWSize) - 1;
 }
 if (WriteFile(ptyIn, cmdWSize, cmdWSizeSz, &wrtn, 0) != TRUE) {
 WLOG(WS_LOG_ERROR, "Issue with pseudo console resize");
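Review bot: The `- 1` in the new clamp and the switch from `>` to `>=` are unexplained; the visible tail of the comment above still speaks only of avoiding the over-read. Add a line above `cmdWSizeSz = (int)sizeof(cmdWSize) - 1;` such as `/* snprintf's return counts the untruncated text; cap at the buffer minus the NUL terminator */`, so the bound is not later "simplified" back to `sizeof(cmdWSize)` and the terminator byte is not written to the console. The comment block begins outside the hunk, so its opening lines could not be checked for wording that already covers this.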