add ret checks for WS_SUCCESS to prevent dereference after null check

rlm2002 · rlm2002 · commit cf5b35977c49 · 2025-07-21T11:13:26.000-06:00
NULL check before dereferencing authData
diff --git a/src/internal.c b/src/internal.c
@@ -13387,7 +13387,7 @@ int SendUserAuthKeyboardRequest(WOLFSSH* ssh, WS_UserAuthData* authData)
                                        ssh->keyboardAuthCtx);
     }
 
-    if (authData->sf.keyboard.promptCount > 0 &&
+    if (authData && authData->sf.keyboard.promptCount > 0 &&
         (authData->sf.keyboard.prompts == NULL ||
          authData->sf.keyboard.promptLengths == NULL ||
          authData->sf.keyboard.promptEcho == NULL)) {
@@ -13399,7 +13399,8 @@ int SendUserAuthKeyboardRequest(WOLFSSH* ssh, WS_UserAuthData* authData)
         ret = WS_BAD_USAGE;
     }
 
-    ssh->kbAuth.promptCount = authData->sf.keyboard.promptCount;
+    if (ret == WS_SUCCESS)
+        ssh->kbAuth.promptCount = authData->sf.keyboard.promptCount;
 
     payloadSz = MSG_ID_SZ;
     if (ret == WS_SUCCESS) {
@@ -13410,12 +13411,12 @@ int SendUserAuthKeyboardRequest(WOLFSSH* ssh, WS_UserAuthData* authData)
         ret = PreparePacket(ssh, payloadSz);
     }
 
-    output = ssh->outputBuffer.buffer;
-    idx = ssh->outputBuffer.length;
+    if (ret == WS_SUCCESS) {
+        output = ssh->outputBuffer.buffer;
+        idx = ssh->outputBuffer.length;
 
-    output[idx++] = MSGID_USERAUTH_INFO_REQUEST;
+        output[idx++] = MSGID_USERAUTH_INFO_REQUEST;
 
-    if (ret == WS_SUCCESS) {
         ret = BuildUserAuthRequestKeyboard(ssh, output, &idx, authData);
     }
 
