add ret checks for WS_SUCCESS to prevent dereference after null check

NULL check before dereferencing authData

additional checks

Author: rlm2002

src/internal.c

@@ -13377,7 +13377,7 @@ int SendUserAuthKeyboardRequest(WOLFSSH* ssh, WS_UserAuthData* authData)
         ret = WS_BAD_ARGUMENT;
     }
 
-    if (ssh->ctx->keyboardAuthCb == NULL) {
+    if (ssh->ctx && ssh->ctx->keyboardAuthCb == NULL) {
         WLOG(WS_LOG_DEBUG, "SendUserAuthKeyboardRequest called with no Cb set");
         ret = WS_BAD_USAGE;
     }
@@ -13387,19 +13387,21 @@ int SendUserAuthKeyboardRequest(WOLFSSH* ssh, WS_UserAuthData* authData)
                                        ssh->keyboardAuthCtx);
     }
 
-    if (authData->sf.keyboard.promptCount > 0 &&
+    if ((ret == WS_SUCCESS) && authData->sf.keyboard.promptCount > 0 &&
         (authData->sf.keyboard.prompts == NULL ||
          authData->sf.keyboard.promptLengths == NULL ||
          authData->sf.keyboard.promptEcho == NULL)) {
 
         ret = WS_BAD_USAGE;
     }
 
-    if (authData->sf.keyboard.promptCount > WOLFSSH_MAX_PROMPTS) {
+    if ((ret == WS_SUCCESS) &&
+         authData->sf.keyboard.promptCount > WOLFSSH_MAX_PROMPTS) {
         ret = WS_BAD_USAGE;
     }
 
-    ssh->kbAuth.promptCount = authData->sf.keyboard.promptCount;
+    if (ret == WS_SUCCESS)
+        ssh->kbAuth.promptCount = authData->sf.keyboard.promptCount;
 
     payloadSz = MSG_ID_SZ;
     if (ret == WS_SUCCESS) {
@@ -13410,12 +13412,12 @@ int SendUserAuthKeyboardRequest(WOLFSSH* ssh, WS_UserAuthData* authData)
         ret = PreparePacket(ssh, payloadSz);
     }
 
-    output = ssh->outputBuffer.buffer;
-    idx = ssh->outputBuffer.length;
+    if (ret == WS_SUCCESS) {
+        output = ssh->outputBuffer.buffer;
+        idx = ssh->outputBuffer.length;
 
-    output[idx++] = MSGID_USERAUTH_INFO_REQUEST;
+        output[idx++] = MSGID_USERAUTH_INFO_REQUEST;
 
-    if (ret == WS_SUCCESS) {
         ret = BuildUserAuthRequestKeyboard(ssh, output, &idx, authData);
     }