Skip to content

Memory-safety, zeroization, and correctness fixes across agent, SFTP, terminal, FPKI, and transport#1103

Open
aidangarske wants to merge 24 commits into
wolfSSL:masterfrom
aidangarske:fenrir-lowmed-fixes
Open

Memory-safety, zeroization, and correctness fixes across agent, SFTP, terminal, FPKI, and transport#1103
aidangarske wants to merge 24 commits into
wolfSSL:masterfrom
aidangarske:fenrir-lowmed-fixes

Conversation

@aidangarske

Copy link
Copy Markdown
Member
F-4582, F-2869, F-6268, F-4592, F-6693, F-1684, F-2082, F-6694, F-3881, F-5852, F-4795, F-3210, F-4583, F-3446,
F-1278, F-3453, F-6277, F-4794, F-4106, F-4105, F-4108, F-5900, F-6698, F-6703

Copilot AI review requested due to automatic review settings July 10, 2026 20:18
@aidangarske aidangarske self-assigned this Jul 10, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens wolfSSH against memory-safety issues, improves sensitive-data handling/zeroization, and tightens correctness checks across core protocol paths (agent/SFTP/transport) and user-facing tooling/examples.

Changes:

  • Strengthens bounds checks and parsing correctness in core code paths (e.g., RealPath sizing, SFTP handle parsing, path cleaning, console escape parsing).
  • Improves memory hygiene by zeroizing sensitive/large buffers before freeing and removing passphrase content from logs.
  • Extends test coverage for error paths (e.g., RealPath failure case; new internal unit test for AEAD tag failure).

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
wolfssh/internal.h Raises default GEXDH minimum size for stronger security defaults.
tests/unit.c Adds internal unit test for AEAD tag verification failure path.
tests/api.c Adds RealPath negative test for separator+segment NUL room edge case.
src/wolfterm.c Fixes console escape parsing state handling and newline writes.
src/wolfsftp.c Zeroizes SFTP GET/PUT state buffers on cleanup; improves handle-size validation; fixes Windows offset check.
src/ssh.c Tightens RealPath bounds checks for separator and NUL handling.
src/log.c Corrects compile-time macro guard for default logging callback.
src/internal.c Fixes key material lifecycle (leak prevention/zeroization) and path cleaning correctness; zeroizes ML-KEM private data.
src/certman.c Enforces FPKI-approved certificate signature algorithms.
src/agent.c Removes passphrase contents from logs; fixes potential key blob over-read; tightens message size validation; simplifies worker flow; uses ForceZero.
examples/portfwd/portfwd.c Prevents password buffer overflow by bounding copied password length.
examples/echoserver/echoserver.c Updates read usage in global-request thread (currently introduces a failure).
examples/client/common.c Prevents password buffer overflow by bounding copied password length.
examples/client/client.c Fixes Windows stdout WriteFile length to match actual bytes read.
apps/wolfsshd/configuration.c Fixes QNX include handling by using full path for lstat and validating snprintf result.
apps/wolfssh/wolfssh.c Fixes Windows stdout WriteFile length; avoids NULL deref when building command string.
apps/wolfssh/common.c Adds missing length guard before parsing pubkey type length field.
Comments suppressed due to low confidence (1)

examples/echoserver/echoserver.c:328

  • wolfSSH_stream_read() rejects bufSz==0 and returns WS_BAD_ARGUMENT, but this code now checks the return value and will always treat it as a failure (even though the intent seems to just service inbound packets for the global-request reply). Use wolfSSH_worker() here, and treat WS_WANT_READ as non-fatal in non-blocking mode.
        ret = wolfSSH_stream_read(threadCtx->ssh, buf, 0);
        if (ret != WS_SUCCESS)
        {
            printf("wolfSSH_stream_read Failed.\n");
            wolfSSH_shutdown(threadCtx->ssh);
            return NULL;
        }

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/ssh.c Outdated
@aidangarske aidangarske force-pushed the fenrir-lowmed-fixes branch from ef79d54 to abbe6d9 Compare July 10, 2026 20:47
@aidangarske aidangarske marked this pull request as ready for review July 10, 2026 22:47
@aidangarske aidangarske force-pushed the fenrir-lowmed-fixes branch from abbe6d9 to b99e75c Compare July 10, 2026 22:47
@aidangarske aidangarske assigned dgarske and unassigned aidangarske Jul 10, 2026
@aidangarske aidangarske self-assigned this Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants