From c802a7faf48923b2cb6ddd4267436d69eea2424c Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Tue, 24 Feb 2026 16:15:11 -0800
Subject: [PATCH 1/5] Fix null check for duplicated string When making a copy of a string, check the destination pointer of the copy rather than the original. Affected function: CheckPasswordUnix.
---
apps/wolfsshd/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/wolfsshd/auth.c b/apps/wolfsshd/auth.c
index 4a25b480c..03b15abe6 100644
--- a/apps/wolfsshd/auth.c
+++ b/apps/wolfsshd/auth.c
@@ -413,7 +413,7 @@ static int CheckPasswordUnix(const char* usr, const byte* pw, word32 pwSz, WOLFS } if (ret == WS_SUCCESS) { storedHashCpy = WSTRDUP(storedHash, NULL, DYNTYPE_STRING);
- if (storedHash == NULL) {
+ if (storedHashCpy == NULL) {
wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Error getting stored hash copy"); ret = WS_MEMORY_E;
From 05ec8329390b87062873ebb1f912c616e3a13f4c Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Tue, 24 Feb 2026 16:18:26 -0800
Subject: [PATCH 2/5] Check bounds on addition with value from peer Bounds check the bytes to add from the peer against the window size. Affected function: DoChannelWindowAdjust.
---
src/internal.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index f04797fd6..cca71b28b 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -30,6 +30,7 @@ #endif #include
+#include
#include #include #include
@@ -9469,11 +9470,15 @@ static int DoChannelWindowAdjust(WOLFSSH* ssh, WLOG(WS_LOG_INFO, " peerWindowSz = %u", channel->peerWindowSz);
- channel->peerWindowSz += bytesToAdd;
-
- WLOG(WS_LOG_INFO, " update peerWindowSz = %u",
- channel->peerWindowSz);
-
+ if (bytesToAdd > UINT32_MAX - channel->peerWindowSz) {
+ ret = WS_OVERFLOW_E;
+ WLOG(WS_LOG_DEBUG, "peer window adjust would overflow");
+ }
+ else {
+ channel->peerWindowSz += bytesToAdd;
+ WLOG(WS_LOG_INFO, " update peerWindowSz = %u",
+ channel->peerWindowSz);
+ }
} }
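Review bot: The overflow branch added to DoChannelWindowAdjust reports the rejected adjust at WS_LOG_DEBUG, so a peer whose window adjust would push peerWindowSz past the 32-bit limit leaves no trace at normal log levels; since this is a protocol violation by the peer, `WLOG(WS_LOG_ERROR, "peer window adjust would overflow");` would make it visible to whoever monitors the daemon. The bound is written as UINT32_MAX, which is correct only while peerWindowSz and bytesToAdd are exactly 32 bits wide; their declarations are outside the hunk, so this is worth confirming or stating in a one-line comment. What the caller does with WS_OVERFLOW_E is also not visible here, because the function starts and ends outside the hunk.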
From 13ffca4828f4e18d8f10d025e22d7a70267ee2fd Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Tue, 24 Feb 2026 16:20:34 -0800
Subject: [PATCH 3/5] Fix null dereference after failed channel lookup When looking up the channel object for the current channel ID, if the lookup failed, we still checked if the channel had an EOF with a null pointer. That function, does check for NULL and error, but it is better to error out sooner. Affected function: ReceiveScpMessage.
---
src/wolfscp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/wolfscp.c b/src/wolfscp.c
index f9774004a..9e61bd207 100644
--- a/src/wolfscp.c
+++ b/src/wolfscp.c
@@ -1423,9 +1423,10 @@ int ReceiveScpMessage(WOLFSSH* ssh) if (err == 0) { WOLFSSH_CHANNEL* channel; channel = wolfSSH_ChannelFind(ssh, lastChannel, WS_CHANNEL_ID_SELF);
- if (channel == NULL)
+ if (channel == NULL) {
ret = WS_INVALID_CHANID;
- if (wolfSSH_ChannelGetEof(channel)) {
+ }
+ else if (wolfSSH_ChannelGetEof(channel)) {
return WS_EOF; } }
From d6e1b043169c4d33ed546ea2a585dd831793c621 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Tue, 24 Feb 2026 16:30:39 -0800
Subject: [PATCH 4/5] Check correct pointer for null After creating a new SSH context, the pointer returned wasn't checked; the pointer to the pointer was checked. Changed to the correct pointer. Affected function: SetupCTX.
---
apps/wolfsshd/wolfsshd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/wolfsshd/wolfsshd.c b/apps/wolfsshd/wolfsshd.c
index 182beffb6..f3f9251b8 100644
--- a/apps/wolfsshd/wolfsshd.c
+++ b/apps/wolfsshd/wolfsshd.c
@@ -316,7 +316,7 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx, /* create a new WOLFSSH_CTX */ *ctx = wolfSSH_CTX_new(WOLFSSH_ENDPOINT_SERVER, NULL);
- if (ctx == NULL) {
+ if (*ctx == NULL) {
wolfSSH_Log(WS_LOG_ERROR, "[SSHD] Couldn't allocate SSH CTX data."); ret = WS_MEMORY_E; }
From 961810b99308539e0f502d84ed8aa06890977611 Mon Sep 17 00:00:00 2001
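Review bot: In the ReceiveScpMessage hunk of PATCH 3/5 the failed-lookup branch only assigns `ret = WS_INVALID_CHANID;` while the EOF branch beside it returns at once, so the error reaches the caller only if the code after this `if (err == 0)` block tests ret before continuing or overwriting it. That code is outside the hunk; if it does not, `return WS_INVALID_CHANID;` in the NULL branch would match the EOF path and make the early exit described in the commit message explicit.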
From: John Safranek
Date: Tue, 24 Feb 2026 16:33:03 -0800
Subject: [PATCH 5/5] Fix wrong bitwise operator for testing attribute Was using OR to check if a bit was set in the read-only file attribute. This was always succeeding. Needed to change to an AND to see if it is set. Affected function: GetFileStats.
---
src/wolfscp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wolfscp.c b/src/wolfscp.c
index 9e61bd207..f170444f4 100644
--- a/src/wolfscp.c
+++ b/src/wolfscp.c
@@ -2218,7 +2218,7 @@ static int GetFileStats(void *fs, ScpSendCtx* ctx, const char* fileName, (word64)ctx->s.ftLastWriteTime.dwLowDateTime; *fileMode = 0555 |
- (ctx->s.dwFileAttributes | FILE_ATTRIBUTE_READONLY ? 0 : 0200);
+ (ctx->s.dwFileAttributes & FILE_ATTRIBUTE_READONLY ? 0 : 0200);
*fileMode |= (ctx->s.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) ? 0x4000 : 0; #else if (WSTAT(fs, fileName, &ctx->s) < 0) {
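Review bot: The corrected read-only test in GetFileStats still relies on `&` binding tighter than `?:`, the same unparenthesized form that let the `|` mistake read as plausible; writing it as `((ctx->s.dwFileAttributes & FILE_ATTRIBUTE_READONLY) ? 0 : 0200);` would match the FILE_ATTRIBUTE_DIRECTORY line just below. With the test now working, files that are not read-only are reported as 0755 rather than 0555, so a short comment on the intended mode mapping (base 0555, owner write unless read-only, 0x4000 for directories) would help the next reader. The function starts and ends outside the hunk.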