BBS:      TELESC.NET.BR
Subject:  src/ssh/TODO.md ssh-auth.c ssh-conn.c ssh-internal.h ssh-trans.c ssh.c
From:     Deuce
Date:     Fri, 27 Mar 2026 05:30:23 -0700
-----------------------------------------------------------
https://gitlab.synchro.net/main/sbbs/-/commit/45e6600f19b4e23f5dccbf4b
Modified Files:
	src/ssh/TODO.md ssh-auth.c ssh-conn.c ssh-internal.h ssh-trans.c ssh.c src/ssh/test/test_alloc.c
Log Message:
Fix 5 security bugs: stack overflows, OOB read, use-after-free, truncation

- send_auth_failure(): replace msg[256] stack buffer with malloc
  (methods string from app callback was unbounded)
- auth_server_impl() SERVICE_ACCEPT: replace accept[64] stack buffer
  with malloc (service name length is attacker-controlled)
- Peer KEXINIT parsing: add minimum length check before setting ppos
  (short packet caused unsigned wraparound in pk_len - ppos)
- find_channel(): hand-over-hand locking (channel_mtx then buf_mtx)
  to prevent use-after-free when channel is closed during demux
- CHANNEL_DATA/EXTENDED_DATA: reject malformed packets where declared
  length exceeds payload instead of silently truncating

Also: document lock ordering at declarations and cascade sites,
update alloc test countdowns for new mallocs, add TODO for
non-ASCII cleanup in source comments.

Co-Authored-By: Claude Opus 4.6 (1M context) 

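The two parsing fixes named in the log message (the unsigned wraparound in `pk_len - ppos` and rejecting a CHANNEL_DATA length that exceeds the payload) belong to the same bug class, sketched below. This is an added example, not code from the commit or from Synchronet: `get_u32` and `parse_channel_data` are hypothetical names, the packets are constructed, and the message layout follows RFC 4254 section 5.2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSH_MSG_CHANNEL_DATA 94 /* RFC 4254, section 5.2 */

/* Read a big-endian uint32 at *ppos and advance it; -1 if fewer than 4 bytes remain. */
static int get_u32(const uint8_t *pk, size_t pk_len, size_t *ppos, uint32_t *out)
{
    /* Compare before subtracting: if ppos > pk_len, pk_len - ppos wraps to a huge size_t. */
    if (*ppos > pk_len || pk_len - *ppos < 4)
        return -1;
    *out = ((uint32_t)pk[*ppos] << 24) | ((uint32_t)pk[*ppos + 1] << 16)
         | ((uint32_t)pk[*ppos + 2] << 8) | (uint32_t)pk[*ppos + 3];
    *ppos += 4;
    return 0;
}

/* Hypothetical parser: returns 0 and sets channel/data/dlen, or -1 if malformed. */
int parse_channel_data(const uint8_t *pk, size_t pk_len,
                       uint32_t *channel, const uint8_t **data, size_t *dlen)
{
    size_t ppos = 1; /* cursor starts after the message type byte */
    uint32_t declared;

    if (pk_len < 1 || pk[0] != SSH_MSG_CHANNEL_DATA)
        return -1;
    if (get_u32(pk, pk_len, &ppos, channel) != 0 ||
        get_u32(pk, pk_len, &ppos, &declared) != 0)
        return -1;
    /* Reject rather than clamp: a declared length past the payload is malformed. */
    if (declared > pk_len - ppos) /* safe: get_u32 guarantees ppos <= pk_len */
        return -1;
    *data = pk + ppos;
    *dlen = declared;
    return 0;
}

int main(void)
{
    /* Constructed packets: channel 0, declared length 3 (valid) and 9 (too long). */
    const uint8_t ok[]  = {94, 0, 0, 0, 0, 0, 0, 0, 3, 'a', 'b', 'c'};
    const uint8_t bad[] = {94, 0, 0, 0, 0, 0, 0, 0, 9, 'a', 'b', 'c'};
    uint32_t ch; const uint8_t *d; size_t n;
    printf("valid packet: %d\n", parse_channel_data(ok, sizeof ok, &ch, &d, &n));
    printf("over-long length: %d\n", parse_channel_data(bad, sizeof bad, &ch, &d, &n));
    return 0;
}
```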