wolfSSH 1.4.22 is now available, featuring important security hardening and stability improvements driven by valuable feedback from our users. This release demonstrates our commitment to continuous improvement and responsive support, with key bug fixes that also led to expanded test coverage, making wolfSSH more robust than ever for embedded SSH, SFTP, and SCP deployments.
User-Reported Issues Drive Better Testing
Two significant improvements in this release came directly from user reports and third-party security analysis, and both resulted in not just fixes but also comprehensive new regression tests that strengthen wolfSSH’s quality assurance.
SSH Agent Hardening and SCP Path Traversal Protection (PR 845)
Thanks to some new static analysis tools, we identified and addressed several potential issues in wolfSSH’s SSH agent handling and SCP path processing:
Security Improvements:
- Hardened SSH agent handling logic by validating response types, tracking message IDs, and enforcing strict buffer size limits
- Improved SCP path handling by canonicalizing client-supplied base paths before filesystem access
- Fixed SCP receive handling to reject traversal filenames containing path separators or “dot” components
New Test Coverage: These fixes led us to introduce regression tests covering SSH agent signing operations, including error paths and successful operation scenarios. This expanded test coverage ensures these code paths remain protected in future releases.
SFTP Stall Prevention for Small-Window Clients (PR 856)
A user-reported issue revealed that SFTP transfers could stall when working with clients that use small SSH channel windows. The root cause was a worker-thread deadlock where blocked sends prevented window-adjust packet processing.
The Fix: We improved worker thread behavior under window backpressure by prioritizing receive handling. This ensures window-adjust packets are processed even when the send path is congested, preventing stalls with small-window SFTP clients.
New Test Coverage: As part of this fix, we added regression tests that explicitly exercise the WANT_READ and WANT_WRITE code paths without relying on a TTY. This guards against similar deadlock scenarios and ensures reliable non-blocking I/O handling across diverse client configurations.
Why This Matters for Embedded SSH and IoT Security
wolfSSH is designed for resource-constrained embedded systems, IoT devices, and safety-critical applications. These environments often involve diverse client implementations with varying SSH window sizes and connection behaviors. The improvements in version 1.4.22 ensure:
- Reliable SFTP file transfers across different client implementations
- Secure SCP operations protected against path traversal attacks
- Robust SSH agent integration with proper validation and bounds checking
- Comprehensive test coverage that catches regressions before they reach production
Our Commitment to Continuous Improvement
At wolfSSL, we value the feedback we receive from our users and the security research community. Reports like these help us not only fix immediate issues but also improve our testing infrastructure to prevent similar problems in the future.
Every bug fix is an opportunity to strengthen our test suite. The regression tests added in this release will continue to validate these code paths across all future development, ensuring wolfSSH remains a secure and reliable choice for embedded SSH implementations.
Get wolfSSH 1.4.22
wolfSSH 1.4.22 is available for download now. For the complete list of changes, including other security fixes, new features, and improvements, please see the ChangeLog bundled with wolfSSH.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now