
Commit c11f316

additional sanity checks on SFTP handle size
1 parent 2a21844 commit c11f316

1 file changed

Lines changed: 5 additions & 5 deletions


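--- a/src/wolfsftp.c
+++ b/src/wolfsftp.c
@@ -3595,7 +3595,7 @@ int wolfSSH_SFTP_RecvWrite(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz)
 
 /* get file handle */
 ato32(data + idx, &sz); idx += UINT32_SZ;
-if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE) {
+if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE || sz != sizeof(WFD)) {
 WLOG(WS_LOG_SFTP, "Error with file handle size");
 res = err;
 type = WOLFSSH_FTP_FAILURE;
@@ -3685,7 +3685,7 @@ int wolfSSH_SFTP_RecvWrite(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz)
 /* get file handle */
 ato32(data + idx, &sz);
 idx += UINT32_SZ;
-if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE) {
+if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE || sz != sizeof(HANDLE)) {
 WLOG(WS_LOG_SFTP, "Error with file handle size");
 res = err;
 type = WOLFSSH_FTP_FAILURE;
@@ -3780,7 +3780,7 @@ int wolfSSH_SFTP_RecvRead(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz)
 
 /* get file handle */
 ato32(data + idx, &sz); idx += UINT32_SZ;
-if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE) {
+if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE || sz != sizeof(WFD)) {
 return WS_BUFFER_E;
 }
 WMEMSET((byte*)&fd, 0, sizeof(WFD));
@@ -3880,7 +3880,7 @@ int wolfSSH_SFTP_RecvRead(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz)
 
 /* get file handle */
 ato32(data + idx, &sz); idx += UINT32_SZ;
-if (sz > maxSz - idx || sz > WOLFSSH_MAX_HANDLE) {
+if (sz > maxSz - idx || sz > WOLFSSH_MAX_HANDLE || sz != sizeof(HANDLE)) {
 return WS_BUFFER_E;
 }
 WMEMSET((byte*)&fd, 0, sizeof(HANDLE));
@@ -5630,7 +5630,7 @@ int wolfSSH_SFTP_RecvFSetSTAT(WOLFSSH* ssh, int reqId, byte* data, word32 maxSz)
 
 /* get file handle */
 ato32(data + idx, &sz); idx += UINT32_SZ;
-if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE) {
+if (sz + idx > maxSz || sz > WOLFSSH_MAX_HANDLE || sz != sizeof(WFD)) {
 return WS_BUFFER_E;
 }
 WMEMSET((byte*)&fd, 0, sizeof(WFD));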
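Review bot: Four of the five updated checks (new lines 3598, 3688, 3783 and 5633) still bound the packet-supplied length with `sz + idx > maxSz`, which can wrap if `sz` and `idx` are 32-bit unsigned like `maxSz`, so that clause is only safe because the other clauses reject a large `sz`; the check at 3883 already uses the wrap-free form. I would make all five uniform and lead with the exact-size test, e.g. `if (sz != sizeof(WFD) || sz > maxSz - idx) {`, which also makes `sz > WOLFSSH_MAX_HANDLE` redundant provided `sizeof(WFD)` is within that limit (presumably true, but worth a compile-time assertion). The subtraction form relies on `idx <= maxSz` being established before `ato32` reads the length, and that part of each function lies outside the hunks shown. A short comment such as `/* handle must be exactly one WFD; reject any other length */` above each check would record why equality is required.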
