mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
strongswan: patch CVE-2026-25075
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25075 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
@@ -0,0 +1,48 @@
|
|||||||
|
From 5ed074270e74a44cede84357ce791a58d22c4cd8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tobias Brunner <tobias@strongswan.org>
|
||||||
|
Date: Thu, 5 Mar 2026 12:43:12 +0100
|
||||||
|
Subject: [PATCH] eap-ttls: Prevent crash if AVP length header field is invalid
|
||||||
|
|
||||||
|
The length field in the AVP header includes the 8 bytes of the header
|
||||||
|
itself. Not checking for that and later subtracting it causes an
|
||||||
|
integer underflow that usually triggers a crash when accessing a
|
||||||
|
NULL pointer that resulted from the failing chunk_alloc() call because
|
||||||
|
of the high value.
|
||||||
|
|
||||||
|
The attempted allocations for invalid lengths (0-7) are 0xfffffff8,
|
||||||
|
0xfffffffc, or 0x100000000 (0 on 32-bit hosts), so this doesn't result
|
||||||
|
in a buffer overflow even if the allocation succeeds.
|
||||||
|
|
||||||
|
Fixes: 79f2102cb442 ("implemented server side support for EAP-TTLS")
|
||||||
|
Fixes: CVE-2026-25075
|
||||||
|
(cherry picked from commit 73aff21077d88de7544e989a9af1485128fc5d6d)
|
||||||
|
|
||||||
|
CVE: CVE-2026-25075
|
||||||
|
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/73aff21077d88de7544e989a9af1485128fc5d6d]
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
src/libcharon/plugins/eap_ttls/eap_ttls_avp.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
|
||||||
|
index 06389f7ca..2983bd021 100644
|
||||||
|
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
|
||||||
|
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
|
||||||
|
@@ -119,7 +119,7 @@ METHOD(eap_ttls_avp_t, process, status_t,
|
||||||
|
chunk_free(&this->input);
|
||||||
|
this->inpos = 0;
|
||||||
|
|
||||||
|
- if (!success)
|
||||||
|
+ if (!success || avp_len < AVP_HEADER_LEN)
|
||||||
|
{
|
||||||
|
DBG1(DBG_IKE, "received invalid AVP header");
|
||||||
|
return FAILED;
|
||||||
|
@@ -130,7 +130,7 @@ METHOD(eap_ttls_avp_t, process, status_t,
|
||||||
|
return FAILED;
|
||||||
|
}
|
||||||
|
this->process_header = FALSE;
|
||||||
|
- this->data_len = avp_len - 8;
|
||||||
|
+ this->data_len = avp_len - AVP_HEADER_LEN;
|
||||||
|
this->input = chunk_alloc(this->data_len + (4 - avp_len) % 4);
|
||||||
|
}
|
||||||
|
|
||||||
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
|
|||||||
DEPENDS = "flex-native flex bison-native"
|
DEPENDS = "flex-native flex bison-native"
|
||||||
DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}"
|
DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}"
|
||||||
|
|
||||||
SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2"
|
SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
|
||||||
|
file://CVE-2026-25075.patch \
|
||||||
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "288f2111f5c9f6ec85fc08fa835bf39232f5c4044969bb4de7b4335163b1efa9"
|
SRC_URI[sha256sum] = "288f2111f5c9f6ec85fc08fa835bf39232f5c4044969bb4de7b4335163b1efa9"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user