Memory-safety, zeroization, and correctness fixes across agent, SFTP, terminal, FPKI, and transport#1103
Open
aidangarske wants to merge 24 commits into
Open
Memory-safety, zeroization, and correctness fixes across agent, SFTP, terminal, FPKI, and transport#1103aidangarske wants to merge 24 commits into
aidangarske wants to merge 24 commits into
Conversation
aidangarske
commented
Jul 10, 2026
Member
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens wolfSSH against memory-safety issues, improves sensitive-data handling/zeroization, and tightens correctness checks across core protocol paths (agent/SFTP/transport) and user-facing tooling/examples.
Changes:
- Strengthens bounds checks and parsing correctness in core code paths (e.g., RealPath sizing, SFTP handle parsing, path cleaning, console escape parsing).
- Improves memory hygiene by zeroizing sensitive/large buffers before freeing and removing passphrase content from logs.
- Extends test coverage for error paths (e.g., RealPath failure case; new internal unit test for AEAD tag failure).
Reviewed changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| wolfssh/internal.h | Raises default GEXDH minimum size for stronger security defaults. |
| tests/unit.c | Adds internal unit test for AEAD tag verification failure path. |
| tests/api.c | Adds RealPath negative test for separator+segment NUL room edge case. |
| src/wolfterm.c | Fixes console escape parsing state handling and newline writes. |
| src/wolfsftp.c | Zeroizes SFTP GET/PUT state buffers on cleanup; improves handle-size validation; fixes Windows offset check. |
| src/ssh.c | Tightens RealPath bounds checks for separator and NUL handling. |
| src/log.c | Corrects compile-time macro guard for default logging callback. |
| src/internal.c | Fixes key material lifecycle (leak prevention/zeroization) and path cleaning correctness; zeroizes ML-KEM private data. |
| src/certman.c | Enforces FPKI-approved certificate signature algorithms. |
| src/agent.c | Removes passphrase contents from logs; fixes potential key blob over-read; tightens message size validation; simplifies worker flow; uses ForceZero. |
| examples/portfwd/portfwd.c | Prevents password buffer overflow by bounding copied password length. |
| examples/echoserver/echoserver.c | Updates read usage in global-request thread (currently introduces a failure). |
| examples/client/common.c | Prevents password buffer overflow by bounding copied password length. |
| examples/client/client.c | Fixes Windows stdout WriteFile length to match actual bytes read. |
| apps/wolfsshd/configuration.c | Fixes QNX include handling by using full path for lstat and validating snprintf result. |
| apps/wolfssh/wolfssh.c | Fixes Windows stdout WriteFile length; avoids NULL deref when building command string. |
| apps/wolfssh/common.c | Adds missing length guard before parsing pubkey type length field. |
Comments suppressed due to low confidence (1)
examples/echoserver/echoserver.c:328
- wolfSSH_stream_read() rejects bufSz==0 and returns WS_BAD_ARGUMENT, but this code now checks the return value and will always treat it as a failure (even though the intent seems to just service inbound packets for the global-request reply). Use wolfSSH_worker() here, and treat WS_WANT_READ as non-fatal in non-blocking mode.
ret = wolfSSH_stream_read(threadCtx->ssh, buf, 0);
if (ret != WS_SUCCESS)
{
printf("wolfSSH_stream_read Failed.\n");
wolfSSH_shutdown(threadCtx->ssh);
return NULL;
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ef79d54 to
abbe6d9
Compare
abbe6d9 to
b99e75c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.