In internal.c, DoPacket() updates the input buffer's index unless WS_OVERFLOW_E or WS_BUFFER_E are returned:
|
ssh->inputBuffer.idx = idx; |
DoReceive() should consequently update its part of the input buffer's size - the mac size - in all the cases in which DoPacket() updates the buffer's index too. But because it returns early in the cases in which DoPacket() returns certain errors, even though DoPacket() does update the buffer in those cases, it happens that the buffer gets misaligned.
In certain situations not easy to reproduce, this can lead to WS_OVERFLOW_E being returned or even crashes.
In internal.c,
DoPacket()updates the input buffer's index unlessWS_OVERFLOW_EorWS_BUFFER_Eare returned:wolfssh/src/internal.c
Line 7697 in ec5a956
DoReceive()should consequently update its part of the input buffer's size - the mac size - in all the cases in whichDoPacket()updates the buffer's index too. But because it returns early in the cases in whichDoPacket()returns certain errors, even thoughDoPacket()does update the buffer in those cases, it happens that the buffer gets misaligned.In certain situations not easy to reproduce, this can lead to
WS_OVERFLOW_Ebeing returned or even crashes.