Bound agent signature copies

LinuxJedi · LinuxJedi · commit ec9ca4fe64f3 · 2025-10-22T14:52:13.000+01:00
Treat *sigSz as the caller-provided capacity, raise WS_BUFFER_E if the agent response is larger, and clear the size on failure to avoid buffer overruns.
diff --git a/src/agent.c b/src/agent.c
@@ -1823,13 +1823,25 @@ int wolfSSH_AGENT_SignRequest(WOLFSSH* ssh,
                 ret = WS_AGENT_NO_KEY_E;
             }
             else {
-                WMEMCPY(sig, ssh->agent->msg, ssh->agent->msgSz);
-                *sigSz = ssh->agent->msgSz;
+                word32 maxSigSz = *sigSz;
+
+                if (ssh->agent->msgSz > maxSigSz) {
+                    WLOG(WS_LOG_AGENT,
+                        "agent signature too large for caller buffer");
+                    ret = WS_BUFFER_E;
+                }
+                else {
+                    WMEMCPY(sig, ssh->agent->msg, ssh->agent->msgSz);
+                    *sigSz = ssh->agent->msgSz;
+                }
             }
         }
         else ret = WS_AGENT_NO_KEY_E;
     }
 
+    if (ret != WS_SUCCESS && sigSz != NULL)
+        *sigSz = 0;
+
     if (agent != NULL) {
         agent->msg = NULL;
         agent->msgSz = 0;
