Fix memory corruption in wssshd tunnel request parameter extraction

- Added bounds checking and validation for enc, service, and version parameter extraction
- Prevent buffer overflows by limiting parameter lengths to reasonable sizes (< 32 chars)
- Added null pointer and bounds validation before string operations
- Increased request_msg buffer size from 512 to 1024 bytes for safety
- Fixed potential heap corruption that was causing 'malloc(): invalid next size' errors
parent 19382b9d
......@@ -422,8 +422,9 @@ int websocket_handle_message(wssshd_state_t *state, ws_connection_t *conn __attr
if (enc_start) {
enc_start += strlen("\"enc\":\"");
char *enc_end = strchr(enc_start, '"');
if (enc_end) {
if (enc_end && enc_end > enc_start) {
size_t enc_len = enc_end - enc_start;
if (enc_len > 0 && enc_len < 32) { // Reasonable limit for encoding type
char *enc_copy = malloc(enc_len + 1);
if (enc_copy) {
memcpy(enc_copy, enc_start, enc_len);
......@@ -433,14 +434,16 @@ int websocket_handle_message(wssshd_state_t *state, ws_connection_t *conn __attr
}
}
}
}
// Extract service
char *service_start = strstr(msg_copy, "\"service\":\"");
if (service_start) {
service_start += strlen("\"service\":\"");
char *service_end = strchr(service_start, '"');
if (service_end) {
if (service_end && service_end > service_start) {
size_t service_len = service_end - service_start;
if (service_len > 0 && service_len < 32) { // Reasonable limit for service type
char *service_copy = malloc(service_len + 1);
if (service_copy) {
memcpy(service_copy, service_start, service_len);
......@@ -450,14 +453,16 @@ int websocket_handle_message(wssshd_state_t *state, ws_connection_t *conn __attr
}
}
}
}
// Extract version
char *version_start = strstr(msg_copy, "\"version\":\"");
if (version_start) {
version_start += strlen("\"version\":\"");
char *version_end = strchr(version_start, '"');
if (version_end) {
if (version_end && version_end > version_start) {
size_t version_len = version_end - version_start;
if (version_len > 0 && version_len < 32) { // Reasonable limit for version string
char *version_copy = malloc(version_len + 1);
if (version_copy) {
memcpy(version_copy, version_start, version_len);
......@@ -467,6 +472,7 @@ int websocket_handle_message(wssshd_state_t *state, ws_connection_t *conn __attr
}
}
}
}
if (client_id && request_id) {
......@@ -482,7 +488,7 @@ int websocket_handle_message(wssshd_state_t *state, ws_connection_t *conn __attr
tunnel_update_status(tunnel, TUNNEL_STATUS_ACTIVE, NULL);
// Send tunnel request to client (wssshc)
char request_msg[512];
char request_msg[1024];
// Use defaults if parameters not provided
const char *enc_val = enc ? enc : "hex";
const char *service_val = service ? service : "ssh";
......
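Review bot: Growing the buffer to `char request_msg[1024];` in the last hunk raises the ceiling but is not a bounds check; unless the call that fills it (outside this hunk) is `snprintf` with its return value compared against `sizeof request_msg`, an oversized `client_id` or `request_id` can still overrun it, since the new 32-byte caps only bound `enc`, `service` and `version`. I would keep the size change and add the truncation check where the message is formatted: `int n = snprintf(request_msg, sizeof request_msg, ...); if (n < 0 || (size_t)n >= sizeof request_msg) { /* reject: oversized tunnel request */ }`. In the three extraction hunks, `enc_len > 0` duplicates the `enc_end > enc_start` guard added directly above it (same for `service_len` and `version_len`), so one of the two can go, and a comment such as `// sanity cap on client-supplied value, not a protocol limit` would make the `< 32` constant easier to maintain. The `strstr`/`strchr` scan also does not honour JSON escapes, so a `\"` inside a value moves the end pointer; if this message is client-supplied, an explicit escape check or a real parser is the more durable fix. `websocket_handle_message` starts and ends outside these hunks, so the formatting call itself could not be reviewed here.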