In internal.c, DoPacket() updates the input buffer's index unless WS_OVERFLOW_E or WS_BUFFER_E are returned: https://github.com/wolfSSL/wolfssh/blob/ec5a9560a4d19d8774b17bef2b84549a8ad866ff/src/internal.c#L7697

DoReceive() should consequently update its part of the input buffer's size - the mac size - in all the cases in which DoPacket() updates the buffer's index too. But because it returns early in the cases in which DoPacket() returns certain errors, even though DoPacket() does update the buffer in those cases, it happens that the buffer gets misaligned.

In certain situations not easy to reproduce, this can lead to WS_OVERFLOW_E being returned or even crashes.
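
A toy model of the misalignment described above, added here as an illustration and not taken from wolfSSH. The names do_packet, receive_early_return and receive_aligned, the frame layout, the MAC length and the error constants are hypothetical stand-ins for DoPacket(), DoReceive() and the real packet format, and a single ERR_OVERFLOW stands for both errors that leave the index untouched.

```c
#include <stdio.h>
#define MAC_SZ 4  /* constructed MAC length for this model */
enum { OK = 0, ERR_OVERFLOW = -1, ERR_OTHER = -2 };
typedef struct { const unsigned char *data; size_t len, idx; } Buf;

/* Parser model. Frame: [1-byte payload length][payload][MAC]. ERR_OVERFLOW leaves
 * idx untouched; other results consume the payload. First byte 0xFF = rejected. */
static int do_packet(Buf *b)
{
    if (b->idx >= b->len) return ERR_OVERFLOW;
    size_t n = b->data[b->idx];
    if (b->idx + 1 + n + MAC_SZ > b->len) return ERR_OVERFLOW;
    b->idx += 1 + n;
    return (n > 0 && b->data[b->idx - n] == 0xFF) ? ERR_OTHER : OK;
}

/* Returns early on any error, so the MAC stays unconsumed after ERR_OTHER. */
static int receive_early_return(Buf *b)
{
    int ret = do_packet(b);
    if (ret != OK) return ret;
    b->idx += MAC_SZ;
    return ret;
}

/* Skips the MAC in every case in which the parser advanced idx. */
static int receive_aligned(Buf *b)
{
    int ret = do_packet(b);
    if (ret != ERR_OVERFLOW) b->idx += MAC_SZ;
    return ret;
}

/* Constructed stream: rejected frame, then a valid one. Returns the 2nd result. */
static int second_frame_result(int (*rx)(Buf *))
{
    static const unsigned char stream[] = {
        2, 0xFF, 0x00, 0xAA, 0xAA, 0xAA, 0xAA,  /* frame 1 + MAC */
        1, 0x01, 0xBB, 0xBB, 0xBB, 0xBB };      /* frame 2 + MAC */
    Buf b = { stream, sizeof stream, 0 };
    (void)rx(&b);
    return rx(&b);
}

int main(void)
{
    printf("%d %d\n", second_frame_result(receive_early_return), second_frame_result(receive_aligned));
    return 0;
}
```

In the early-return variant the second call starts on the first MAC byte (0xAA), reads it as a length and reports an overflow on an otherwise valid frame.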