https://gitlab.synchro.net/main/sbbs/-/commit/45e6600f19b4e23f5dccbf4b
Modified Files:
src/ssh/TODO.md ssh-auth.c ssh-conn.c ssh-internal.h ssh-trans.c ssh.c src/ssh/test/test_alloc.c
Log Message:
Fix 5 security bugs: stack overflows, OOB read, use-after-free, truncation
- send_auth_failure(): replace msg[256] stack buffer with malloc
(methods string from app callback was unbounded)
- auth_server_impl() SERVICE_ACCEPT: replace accept[64] stack buffer
with malloc (service name length is attacker-controlled)
- Peer KEXINIT parsing: add minimum length check before setting ppos
(short packet caused unsigned wraparound in pk_len - ppos)
- find_channel(): hand-over-hand locking (channel_mtx then buf_mtx)
to prevent use-after-free when channel is closed during demux
- CHANNEL_DATA/EXTENDED_DATA: reject malformed packets where declared
length exceeds payload instead of silently truncating
Also: document lock ordering at declarations and cascade sites,
update alloc test countdowns for new mallocs, add TODO for
non-ASCII cleanup in source comments.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
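The KEXINIT and CHANNEL_DATA/EXTENDED_DATA items in the commit message describe two length-handling bug classes in SSH payload parsing: computing `pk_len - ppos` with an unsigned type after `ppos` has been set to a fixed prefix offset without first checking that the packet is at least that long (the subtraction wraps to a huge value), and accepting an SSH string whose declared uint32 length exceeds the bytes actually present. The following is an added example, not Synchronet's code and not taken from the commit; every function and array name here is mine, the message layouts follow RFC 4253 (KEXINIT: message id, 16-byte cookie, ten name-lists) and RFC 4254 (CHANNEL_DATA: recipient channel, string; EXTENDED_DATA: recipient channel, data_type_code, string), and the packets are constructed inline. It shows the wraparound value the unchecked subtraction yields, a minimum-length check placed before `ppos` is set, and a string reader that rejects a declared length larger than the remaining payload instead of truncating. The fixed-size stack buffer and locking items from the commit are not covered.

```c
/* Added example (not Synchronet code): defensive parsing of SSH payloads. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSH_MSG_KEXINIT               20  /* RFC 4253 */
#define SSH_MSG_CHANNEL_DATA          94  /* RFC 4254 */
#define SSH_MSG_CHANNEL_EXTENDED_DATA 95  /* RFC 4254 */

#define KEXINIT_COOKIE_LEN 16
/* message id + cookie precede the first KEXINIT name-list */
#define KEXINIT_MIN_LEN (1 + KEXINIT_COOKIE_LEN)

static uint32_t get_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Read an SSH "string" (uint32 length + bytes) at *pos. Returns 0 and
 * advances *pos, or -1 if the declared length does not fit in the
 * payload. Clamping the length to what is available would be the
 * silent-truncation behaviour the commit replaces with a rejection. */
int get_string(const uint8_t *pk, size_t pk_len, size_t *pos,
               const uint8_t **out, size_t *out_len)
{
    if (*pos > pk_len || pk_len - *pos < 4)
        return -1;
    uint32_t declared = get_u32(pk + *pos);
    size_t avail = pk_len - (*pos + 4);
    if (declared > avail)
        return -1;
    *out = pk + *pos + 4;
    *out_len = declared;
    *pos += 4 + declared;
    return 0;
}

/* The bug shape: ppos set to the fixed prefix length without checking
 * pk_len first, then an unsigned subtraction. For pk_len < 17 the
 * result wraps to near SIZE_MAX instead of going negative. */
size_t kexinit_remaining_unchecked(size_t pk_len)
{
    size_t ppos = KEXINIT_MIN_LEN;
    return pk_len - ppos;
}

/* Hardened: minimum-length check before ppos is set, then walk the ten
 * name-lists with bounds-checked string reads. Returns the number of
 * name-lists parsed (10) or -1 on malformed input. */
int parse_kexinit(const uint8_t *pk, size_t pk_len)
{
    if (pk_len < KEXINIT_MIN_LEN || pk[0] != SSH_MSG_KEXINIT)
        return -1;
    size_t ppos = KEXINIT_MIN_LEN;
    const uint8_t *s;
    size_t slen;
    for (int i = 0; i < 10; i++)
        if (get_string(pk, pk_len, &ppos, &s, &slen) < 0)
            return -1;
    return 10;
}

/* CHANNEL_DATA / CHANNEL_EXTENDED_DATA: recipient, [data_type_code], string.
 * Returns 0 on success, -1 if the declared data length exceeds the payload. */
int parse_channel_data(const uint8_t *pk, size_t pk_len, uint32_t *recipient,
                       const uint8_t **data, size_t *data_len)
{
    if (pk_len < 5)
        return -1;
    size_t pos = 1;
    *recipient = get_u32(pk + pos);
    pos += 4;
    if (pk[0] == SSH_MSG_CHANNEL_EXTENDED_DATA) {
        if (pk_len - pos < 4)
            return -1;
        pos += 4;                      /* skip data_type_code */
    } else if (pk[0] != SSH_MSG_CHANNEL_DATA) {
        return -1;
    }
    return get_string(pk, pk_len, &pos, data, data_len);
}

/* Convenience wrapper: accepted data length, or -1 if rejected. */
long channel_data_len(const uint8_t *pk, size_t pk_len)
{
    uint32_t r; const uint8_t *d; size_t n;
    return parse_channel_data(pk, pk_len, &r, &d, &n) == 0 ? (long)n : -1;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t kexinit_ok[57]    = { SSH_MSG_KEXINIT };  /* zero cookie, ten empty name-lists */
static const uint8_t kexinit_trunc[21] = { SSH_MSG_KEXINIT, [17] = 0x00, 0x00, 0x00, 0x64 }; /* declares 100 bytes, has 0 */
static const uint8_t chan_ok[12]  = { SSH_MSG_CHANNEL_DATA, 0,0,0,1, 0,0,0,3,  'a','b','c' };
static const uint8_t chan_bad[12] = { SSH_MSG_CHANNEL_DATA, 0,0,0,1, 0,0,0,16, 'a','b','c' }; /* declares 16, has 3 */
static const uint8_t ext_ok[15]   = { SSH_MSG_CHANNEL_EXTENDED_DATA, 0,0,0,2, 0,0,0,1, 0,0,0,2, 'h','i' };

int main(void)
{
    printf("unchecked remaining for 5-byte KEXINIT: %zu\n", kexinit_remaining_unchecked(5));
    printf("parse_kexinit(ok)=%d trunc=%d short=%d\n",
           parse_kexinit(kexinit_ok, sizeof kexinit_ok),
           parse_kexinit(kexinit_trunc, sizeof kexinit_trunc),
           parse_kexinit(kexinit_ok, 5));
    printf("channel data len ok=%ld bad=%ld ext=%ld\n",
           channel_data_len(chan_ok, sizeof chan_ok),
           channel_data_len(chan_bad, sizeof chan_bad),
           channel_data_len(ext_ok, sizeof ext_ok));
    return 0;
}
```

The two checks are deliberately separate: the KEXINIT minimum-length test must run before any arithmetic on `ppos`, while the per-string check lives in the reader so every later name-list, service name or channel payload goes through the same bound. A caller that receives -1 should drop the packet (or the connection) rather than proceed with whatever partial data was read.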