Fix memory corruption in wssshd tunnel request parameter extraction

- Added bounds checking and validation for enc, service, and version parameter extraction - Prevent buffer overflows by limiting parameter lengths to reasonable sizes (< 32 chars) - Added null pointer and bounds validation before string operations - Increased request_msg buffer size from 512 to 1024 bytes for safety - Fixed potential heap corruption that was causing 'malloc(): invalid next size' errors

Fix memory corruption in wssshd tunnel request parameter extraction
- Added bounds checking and validation for enc, service, and version parameter extraction - Prevent buffer overflows by limiting parameter lengths to reasonable sizes (< 32 chars) - Added null pointer and bounds validation before string operations - Increased request_msg buffer size from 512 to 1024 bytes for safety - Fixed potential heap corruption that was causing 'malloc(): invalid next size' errors
4505d02e · Stefy Lanza (nextime / spora ) · 19382b9d · 4505d02e
Commit 4505d02e authored Sep 20, 2025 by Stefy Lanza (nextime / spora )
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 22 deletions

websocket.c wssshd2/websocket.c +28 -22

No files found.
--- a/wssshd2/websocket.c
+++ b/wssshd2/websocket.c
@@ -422,14 +422,16 @@ int websocket_handle_message(wssshd_state_t *state, ws_connection_t *conn __attr
        if (enc_start) {
            enc_start += strlen("\"enc\":\"");
            char *enc_end = strchr(enc_start, '"');
-            if (enc_end) {
+            if (enc_end && enc_end > enc_start) {
                size_t enc_len = enc_end - enc_start;
-                char *enc_copy = malloc(enc_len + 1);
-                if (enc_copy) {
-                    memcpy(enc_copy, enc_start, enc_len);
-                    enc_copy[enc_len] = '\0';
-                    enc = enc_copy;
-                    if (state->debug) printf("[DEBUG - %s -> wssshd] Extracted enc: '%s'\n", direction, enc);
+                if (enc_len > 0 && enc_len < 32) {  // Reasonable limit for encoding type
+                    char *enc_copy = malloc(enc_len + 1);
+                    if (enc_copy) {
+                        memcpy(enc_copy, enc_start, enc_len);
+                        enc_copy[enc_len] = '\0';
+                        enc = enc_copy;
+                        if (state->debug) printf("[DEBUG - %s -> wssshd] Extracted enc: '%s'\n", direction, enc);
+                    }
                }
            }
        }
@@ -439,14 +441,16 @@ int websocket_handle_message(wssshd_state_t *state, ws_connection_t *conn __attr
        if (service_start) {
            service_start += strlen("\"service\":\"");
            char *service_end = strchr(service_start, '"');
-            if (service_end) {
+            if (service_end && service_end > service_start) {
                size_t service_len = service_end - service_start;
-                char *service_copy = malloc(service_len + 1);
-                if (service_copy) {
-                    memcpy(service_copy, service_start, service_len);
-                    service_copy[service_len] = '\0';
-                    service = service_copy;
-                    if (state->debug) printf("[DEBUG - %s -> wssshd] Extracted service: '%s'\n", direction, service);
+                if (service_len > 0 && service_len < 32) {  // Reasonable limit for service type
+                    char *service_copy = malloc(service_len + 1);
+                    if (service_copy) {
+                        memcpy(service_copy, service_start, service_len);
+                        service_copy[service_len] = '\0';
+                        service = service_copy;
+                        if (state->debug) printf("[DEBUG - %s -> wssshd] Extracted service: '%s'\n", direction, service);
+                    }
                }
            }
        }
@@ -456,14 +460,16 @@ int websocket_handle_message(wssshd_state_t *state, ws_connection_t *conn __attr
        if (version_start) {
            version_start += strlen("\"version\":\"");
            char *version_end = strchr(version_start, '"');
-            if (version_end) {
+            if (version_end && version_end > version_start) {
                size_t version_len = version_end - version_start;
-                char *version_copy = malloc(version_len + 1);
-                if (version_copy) {
-                    memcpy(version_copy, version_start, version_len);
-                    version_copy[version_len] = '\0';
-                    version = version_copy;
-                    if (state->debug) printf("[DEBUG - %s -> wssshd] Extracted version: '%s'\n", direction, version);
+                if (version_len > 0 && version_len < 32) {  // Reasonable limit for version string
+                    char *version_copy = malloc(version_len + 1);
+                    if (version_copy) {
+                        memcpy(version_copy, version_start, version_len);
+                        version_copy[version_len] = '\0';
+                        version = version_copy;
+                        if (state->debug) printf("[DEBUG - %s -> wssshd] Extracted version: '%s'\n", direction, version);
+                    }
                }
            }
        }
@@ -482,7 +488,7 @@ int websocket_handle_message(wssshd_state_t *state, ws_connection_t *conn __attr
                    tunnel_update_status(tunnel, TUNNEL_STATUS_ACTIVE, NULL);

                    // Send tunnel request to client (wssshc)
-                    char request_msg[512];
+                    char request_msg[1024];
                    // Use defaults if parameters not provided
                    const char *enc_val = enc ? enc : "hex";
                    const char *service_val = service ? service : "ssh";