Skip to content

SSHD/Echoserver: Fix memory leaks and public-key lookup#1071

Open
stenslae wants to merge 1 commit into
wolfSSL:masterfrom
stenslae:patch/auth-bugfixes
Open

SSHD/Echoserver: Fix memory leaks and public-key lookup#1071
stenslae wants to merge 1 commit into
wolfSSL:masterfrom
stenslae:patch/auth-bugfixes

Conversation

@stenslae

Copy link
Copy Markdown
Member

Fixed: Memory leaks, multiple public-key lookups per user in the echoserver, and authentication privilege errors.

  • internal.c in internal.c: Fixed a memory leak where RSA/ECC keys in signature blocks were leaked if they matched X.509 format IDs instead of standard SSH format IDs.
  • auth.c: Freed promptData.prompts and promptData.promptLengths on allocation failure pathways.
  • echoserver.c: Fixed a copy-paste error and added cleanups on allocations failure.
  • Key Hash Lookup Correctness: Updated wsUserAuth in echoserver.c to traverse all
    registered public keys for a matching user name instead of immediately returning an invalid
    key error on the first hash mismatch.
  • Stack Buffer Cleanup: Freed keyLoadBuf under WOLFSSH_SMALL_STACK configurations for all early exit paths inside echoserver_test.
  • auth.c: Returns success immediately if privilege separation is explicitly disabled.
  • auth.c: Limits changing target user/group identifiers to environments where privilege separation or sandboxing is active.

@stenslae stenslae self-assigned this Jun 29, 2026

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #1071

Scan targets checked: wolfssh-bugs, wolfssh-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread examples/echoserver/echoserver.c
Comment thread examples/echoserver/echoserver.c

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #1071

Scan targets checked: wolfssh-bugs, wolfssh-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread examples/echoserver/echoserver.c
Comment thread examples/echoserver/echoserver.c

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #1071

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅

@stenslae stenslae force-pushed the patch/auth-bugfixes branch from 164dc44 to 7958c10 Compare July 7, 2026 17:53

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #1071

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅

@stenslae stenslae removed their assignment Jul 7, 2026

@aidangarske aidangarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐺 Skoll Code Review

Overall recommendation: COMMENT
Findings: 3 total — 3 posted, 0 skipped

Posted findings

  • [Medium] Privilege-separation permission behavior lacks regression testsapps/wolfsshd/auth.c:1853-1961
  • [Medium] Multiple public-key lookup fix has no regression coverageexamples/echoserver/echoserver.c:2677-2727
  • [Low] New bare scope block violates local C conventionapps/wolfsshd/auth.c:1952-1974

Review generated by Skoll.

Comment thread apps/wolfsshd/auth.c
struct passwd* pwInfo;
int ret = WS_SUCCESS;

if (wolfSSHD_ConfigGetPrivilegeSeparation(auth->conf) ==

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 [Medium] Privilege-separation permission behavior lacks regression tests
💡 SUGGEST test

The PR changes daemon privilege behavior by returning success from SetDefaultUserID when UsePrivilegeSeparation no is configured, and by making wolfSSHD_AuthRaisePermissions a no-op unless the config is WOLFSSHD_PRIV_SEPARAT or WOLFSSHD_PRIV_SANDBOX. Grep found config parsing tests and reduce-permission tests, but no tests that exercise wolfSSHD_AuthRaisePermissions or auth creation under the new privilege modes. This is a user-visible daemon startup/auth behavior change, so it should have regression coverage.

Suggestion:

Suggested change
if (wolfSSHD_ConfigGetPrivilegeSeparation(auth->conf) ==
Add unit coverage for `UsePrivilegeSeparation no` returning success without requiring the configured sshd user, and for `wolfSSHD_AuthRaisePermissions` calling the uid/gid restore path only for `yes` and `sandbox` modes.

@@ -2676,12 +2675,12 @@ static int wsUserAuth(byte authType,
authData->type == map->type) {

if (authData->type == WOLFSSH_USERAUTH_PUBLICKEY) {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 [Medium] Multiple public-key lookup fix has no regression coverage
💡 SUGGEST test

The PR fixes wsUserAuth so a hash mismatch for the first public key registered to a user does not immediately reject later keys. Existing public-key tests use their own serverPubkeyUserAuth callback and do not exercise the echoserver PwMapList traversal. The same fix is mirrored in the ESP-IDF echoserver, so a regression could silently return if this path is refactored.

Suggestion:

Suggested change
if (authData->type == WOLFSSH_USERAUTH_PUBLICKEY) {
Add a regression scenario with two public-key entries for the same username where the first key hash mismatches and the second matches.

Comment thread apps/wolfsshd/auth.c
int ret = WS_SUCCESS;

wolfSSH_Log(WS_LOG_INFO, "[SSHD] Attempting to raise permissions level");
#ifndef WIN32

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] New bare scope block violates local C convention
🔧 NIT convention

The PR adds a standalone scope block under #ifndef WIN32 only to limit flag. The project coding guidance treats newly added bare scope blocks as a convention issue; this can be written with the declaration inside the existing preprocessor region instead.

Suggestion:

Suggested change
#ifndef WIN32
#ifndef WIN32
byte flag = 0;
if (auth == NULL) {
return WS_BAD_ARGUMENT;
}
flag = wolfSSHD_ConfigGetPrivilegeSeparation(auth->conf);
if (flag == WOLFSSHD_PRIV_SEPARAT || flag == WOLFSSHD_PRIV_SANDBOX) {
...
}
#endif

@aidangarske aidangarske assigned stenslae and unassigned wolfSSL-Bot Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants