# Extended 3.16 — sqWin32SSL sqEncryptSSL: int-overflow defeats buffer-too-small check Bug ref : pharo.md §3.16 Severity : HIGH (heap overflow on signed-int wrap of SChannel buffer sizes) File : extracted/plugins/SqueakSSL/src/win/sqWin32SSL.c Lines (HEAD) : 746-769 ## Problem ```c ssl->inbuf[2].pvBuffer = dstBuf + ssl->inbuf[0].cbBuffer + ssl->inbuf[1].cbBuffer; ... total = ssl->inbuf[0].cbBuffer + ssl->inbuf[1].cbBuffer + ssl->inbuf[2].cbBuffer; if(dstLen < total) return SQSSL_BUFFER_TOO_SMALL; memcpy(ssl->inbuf[1].pvBuffer, srcBuf, srcLen); ``` `total` is a signed `int` sum of three SChannel-supplied DWORDs. The sum can wrap negative or to a small positive value, bypassing the `dstLen < total` check. The subsequent `memcpy` (and the post-encryption write through `ssl->inbuf[2].pvBuffer`) then overflows `dstBuf`. ## Fix Use unsigned 64-bit arithmetic for `total`. ```diff --- a/extracted/plugins/SqueakSSL/src/win/sqWin32SSL.c +++ b/extracted/plugins/SqueakSSL/src/win/sqWin32SSL.c @@ -762,9 +762,15 @@ ssl->sbdIn.cBuffers = 4; /* Check to ensure that encrypted contents fits dstBuf. Fail with BUFFER_TOO_SMALL to allow caller to retry. */ - total = ssl->inbuf[0].cbBuffer + ssl->inbuf[1].cbBuffer + ssl->inbuf[2].cbBuffer; - if(dstLen < total) return SQSSL_BUFFER_TOO_SMALL; + { + uint64_t total64 = (uint64_t)ssl->inbuf[0].cbBuffer + + (uint64_t)ssl->inbuf[1].cbBuffer + + (uint64_t)ssl->inbuf[2].cbBuffer; + if ((uint64_t)dstLen < total64) { + return SQSSL_BUFFER_TOO_SMALL; + } + } memcpy(ssl->inbuf[1].pvBuffer, srcBuf, srcLen); ``` ## Test plan - Inject SChannel sizes whose 32-bit sum wraps to a small positive number. Before: check passes, memcpy overflows dstBuf. After: caller sees BUFFER_TOO_SMALL and resizes. - Normal sizes: unchanged. ## Risk notes - `uint64_t` is C99 portable; works on every supported Windows toolchain. - The pre-existing `total` variable can be removed if it has no other use; verify it isn't referenced elsewhere in the function before deleting its declaration.