Skip to content

Extended (stderr) data: accumulation and window flow control#1054

Open
ejohnstown wants to merge 2 commits into
wolfSSL:masterfrom
ejohnstown:stderr
Open

Extended (stderr) data: accumulation and window flow control#1054
ejohnstown wants to merge 2 commits into
wolfSSL:masterfrom
ejohnstown:stderr

Conversation

@ejohnstown

Copy link
Copy Markdown
Contributor
  • Accumulate extended data, ignore unknown types: buffer received stderr by appending (so unread data is preserved across packets) and ignore unknown EXTENDED_DATA type codes per RFC instead of rejecting them.
  • Window flow control for extended data: charge the channel window on receipt and replenish only when the application drains it via wolfSSH_extended_data_read (RFC 4254 section 5.2 back-pressure), reject extended data larger than the advertised window, gate the read on isKeying so no window adjust is emitted mid-KEX (RFC 4253 section 7.1), fail safe when a second channel sends stderr while another still has unread data, and document the mandatory-drain contract in the public header.

Issues: F-864, F-2078

- PutBuffer appends instead of resetting, preserving unread stderr
  across multiple packets.
- Ignore unknown EXTENDED_DATA type codes per RFC instead of returning
  WS_INVALID_EXTDATA.

Issues: F-864, F-2078
Copilot AI review requested due to automatic review settings June 24, 2026 00:44

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates wolfSSH’s handling of SSH_MSG_CHANNEL_EXTENDED_DATA (stderr) to (1) accumulate unread extended data instead of overwriting it, (2) ignore unknown extended-data type codes per RFC behavior, and (3) apply channel window back-pressure semantics for stderr by charging the receive window on receipt and replenishing it only when the application drains the buffered stderr.

Changes:

  • Accumulate buffered stderr across multiple packets and preserve unread data ordering.
  • Implement receive-window accounting for stderr (charge on receipt; replenish on wolfSSH_extended_data_read()), including a documented single-session limitation for multi-channel stderr buffering.
  • Add unit test coverage for accumulation, window back-pressure, overflow rejection, unknown-type ignore, and cross-channel fail-safe behavior.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
wolfssh/ssh.h Documents the public contract for draining stderr and the single-channel buffering limitation.
wolfssh/internal.h Adds internal tracking (extDataChannelId) and documents shared-buffer/window semantics.
wolfssh/error.h Clarifies WS_INVALID_EXTDATA is retained for compatibility but no longer produced.
src/internal.c Changes stderr buffering to append; adds window charging and unknown-type ignore behavior.
src/ssh.c Updates wolfSSH_extended_data_read() to replenish window on drain and gate sends during KEX.
tests/unit.c Adds a comprehensive unit test for extended-data accumulation + window flow control.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/internal.c
Comment thread wolfssh/internal.h
- Charge the channel window on receipt; replenish only when the
  application consumes bytes via wolfSSH_extended_data_read.
- Track extDataChannelId so the read path adjusts the right window.
- Reject extended data larger than the advertised window.
- stderr now shares the channel window with normal data (RFC 4254
  section 5.2 back-pressure).
- Gate window adjusts on isKeying both ways: IsMessageAllowed does not
  gate connection-layer messages, so they must not go out between
  KEXINIT and NEWKEYS (RFC 4253 section 7.1). The read path returns
  WS_REKEYING; the receive path parks owed credit in pendingWindowAdjust,
  flushed by SendPendingChannelWindowAdjust once keying completes.
- Fail safe when a second channel sends stderr while another still has
  unread data: drop it and replenish its window instead of leaking the
  displaced channel's window and over-crediting the survivor.
- Document the mandatory-drain contract in the public header.

Issue: F-864
@ejohnstown ejohnstown marked this pull request as ready for review June 24, 2026 16:47

@aidangarske aidangarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐺 Skoll Code Review

Overall recommendation: REQUEST_CHANGES
Findings: 2 total — 2 posted, 0 skipped

Posted findings

  • [High] Deferred discarded extended data is not charged against the channel receive window during rekeysrc/internal.c:10296-10334
  • [Low] Extended-data read hides nonblocking WINDOW_ADJUST back-pressuresrc/ssh.c:1471-1475

Review generated by Skoll.

Comment thread src/internal.c
"has unread stderr buffered (only one channel's stderr "
"can be buffered at a time)",
channel->channel, ssh->extDataChannelId);
if (ssh->isKeying) {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [High] Deferred discarded extended data is not charged against the channel receive window during rekey
🚫 BLOCK

The new rekey deferral path accepts discarded extended data while ssh->isKeying by adding peer-controlled dataSz to channel->pendingWindowAdjust, but it leaves channel->windowSz unchanged. The only validation is per-packet (dataSz <= channel->maxPacketSz and dataSz <= channel->windowSz), so it never accounts for cumulative bytes received while window adjustments are deferred. A malicious authenticated peer can send repeated unknown extended-data packets, or repeated second-channel stderr packets that are dropped, each individually within the unchanged window, and this code accepts more bytes than were advertised. When keying completes, SendPendingChannelWindowAdjust() flushes the accumulated credit, potentially over-crediting the peer and wrapping the unchecked word32 pendingWindowAdjust += dataSz. The buffered stderr path correctly subtracts from windowSz, but the discarded-data rekey branches introduced by this PR do not. Data flow: encrypted peer packet -> DoPacket() -> DoChannelExtendedData() -> GetSize() -> per-packet dataSz checks -> uncharged pendingWindowAdjust accumulation. Impact is connection-level resource / flow-control DoS, not memory corruption. Severity views differ across modes: the review mode rated this High/BLOCK (cumulative window bypass + credit wrap); the security mode rated it Low (DoS only). The stricter High assessment is retained.

Recommendation: Charge the receive window whenever payload bytes are accepted from the peer, even when discarded, and guard the deferred-credit addition against overflow, e.g. if (dataSz > UINT32_MAX - channel->pendingWindowAdjust) ret = WS_OVERFLOW_E; else { channel->windowSz -= dataSz; channel->pendingWindowAdjust += dataSz; ret = WS_SUCCESS; }. In SendPendingChannelWindowAdjust(), restore windowSz by amount (with overflow check) after SendChannelWindowAdjust() returns WS_SUCCESS/WS_WANT_WRITE. Extend test_DoChannelExtendedData_keying() to cover cumulative deferred data and pendingWindowAdjust overflow boundaries.

Comment thread src/ssh.c
* the bundled adjust cannot be flushed in non-blocking mode, so
* save ssh->error across the send and restore it; a hard send
* failure is logged, not returned. */
adjustResult = SendChannelWindowAdjust(ssh, channel->channel,

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] Extended-data read hides nonblocking WINDOW_ADJUST back-pressure
💡 SUGGEST

The PR moves stderr receive-window replenishment from receipt time to wolfSSH_extended_data_read(), but then treats WS_WANT_WRITE from SendChannelWindowAdjust() as an invisible success. In nonblocking mode the adjust may be bundled in outputBuffer but not flushed; the function restores ssh->error and returns a byte count, so callers are not told to wait for writability or call a flushing path. Read-only loops then keep waiting for inbound data while the peer never receives the window credit it needs to send more, creating a remote-triggerable channel stall. Data flow: peer sends stderr -> DoChannelExtendedData() buffers it and decrements windowSz -> application calls wolfSSH_extended_data_read() -> SendChannelWindowAdjust() returns WS_WANT_WRITE -> error restored and byte count returned -> pending adjust may remain unsent. Impact is session/channel DoS.

Recommendation: Do not silently hide WS_WANT_WRITE for the window-adjust path. Mirror wolfSSH_stream_read() semantics: only advance extDataBuffer.idx and credit channel->windowSz after the adjust is queued/flushed successfully, and return WS_WANT_WRITE with ssh->error preserved when the caller must service the writable socket. Alternatively, flush pending output before blocking and preserve a visible writable-wakeup signal for callers.

@aidangarske aidangarske assigned ejohnstown and unassigned wolfSSL-Bot Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants