Harden KEXINIT parsing#1055
Conversation
ejohnstown
commented
Jun 24, 2026
- Strip trailing comma from peer name lists (F-2478): GetNameListRaw folded a legal trailing comma (e.g. aes128-cbc,) into the final name, decoding it as ID_UNKNOWN and failing negotiation. Now trims it, mirroring AlgoListSz.
- Bound KEXINIT language name-list skips (F-5576): the two language lists were skipped via an unchecked GetUint32 + begin += skipSz, letting a forged length wrap the parse offset back into earlier payload bytes and still return success. Both now use GetSkip, which validates the length against the remaining payload.
There was a problem hiding this comment.
Pull request overview
Hardens SSH_MSG_KEXINIT parsing to be more robust against edge-case (but wire-valid) name-lists and against malformed packets that attempt to manipulate parser offsets via oversized language list lengths.
Changes:
- Trim a trailing comma from incoming (peer) name-lists before decoding IDs to avoid mis-parsing the final algorithm name.
- Replace unchecked
GetUint32+begin += skipSzskipping of KEXINIT language name-lists withGetSkip()to enforce bounds and prevent offset wrap. - Add regression tests covering trailing-comma negotiation and overlong language length rejection.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
tests/regress.c |
Adds targeted regression tests to lock in the KEXINIT parsing hardening behaviors. |
src/internal.c |
Adjusts name-list decoding to ignore a trailing comma and uses bounded skipping for KEXINIT language fields. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
048dc7c to
e49154d
Compare
aidangarske
left a comment
There was a problem hiding this comment.
Skoll Multi-Scan Review
Modes: review + review-security + bugsOverall recommendation: COMMENT
Findings: 2 total — 1 posted, 1 skipped
1 finding(s) posted as inline comments (see file-level comments below)
Posted findings
- [Low] [review] Second KEXINIT language skip (server-to-client) has no independent regression coverage —
tests/regress.c:3042-3059
Skipped findings
- [Info]
Single trailing-comma trim changes outcome for doubly-trailing-comma name-lists
Review generated by Skoll
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #1055
Scan targets checked: wolfssh-bugs, wolfssh-src
No new issues found in the changed files. ✅
- GetNameListRaw folded a trailing comma into the last name, so NameToId returned ID_UNKNOWN and negotiation failed. - Trim one trailing comma up front, matching AlgoListSz. - Add regression test for a KEX list with a trailing comma. Issue: F-2478
- DoKexInit skipped both language name-lists with an unchecked begin += skipSz; a forged length could wrap begin into earlier payload bytes and still return success. - Use bounds-checked GetSkip for both language fields. - Add regression test; checked skip now rejects with WS_BUFFER_E. Issue: F-5576
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #1055
Scan targets checked: wolfssh-bugs, wolfssh-src
No new issues found in the changed files. ✅