diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3547.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3547.patch
new file mode 100644
index 0000000000..e7e4f5de53
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3547.patch
@@ -0,0 +1,30 @@
+From 2539e3b925481db1da9791ac2a75c98cf8a7c989 Mon Sep 17 00:00:00 2001
+From: Anthony Hu
+Date: Wed, 4 Mar 2026 07:00:26 -0500
+Subject: [PATCH] Fix for loop exit condition.
+
+size should be length. s includes offset, so it must be compared against
+length, not size because size is only what is after offset.
+
+(cherry picked from commit 9d3cc6e30c778b124002cc45b7974d718b6649fd)
+
+CVE: CVE-2026-3547
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9d3cc6e30c778b124002cc45b7974d718b6649fd]
+Signed-off-by: Ankur Tyagi
+---
+ src/tls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tls.c b/src/tls.c
+index 8552e8daf..290d4b49d 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -1923,7 +1923,7 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, const byte *input, word16 length,
+ return BUFFER_ERROR;
+
+ /* validating length of entries before accepting */
+- for (s = input + offset; (s - input) < size; s += wlen) {
++ for (s = input + offset; (s - input) < length; s += wlen) {
+ wlen = *s++;
+ if (wlen == 0 || (s + wlen - input) > length)
+ return BUFFER_ERROR;
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
index bec2764ad1..1f5b051d16 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
@@ -34,6 +34,7 @@ SRC_URI = " \
 file://CVE-2026-3229-2.patch \
 file://CVE-2026-3229-3.patch \
 file://CVE-2026-3230.patch \
+ file://CVE-2026-3547.patch \
 "

 SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"
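Review bot: In the src/tls.c hunk carried by CVE-2026-3547.patch, the corrected `for` loop is still documented only by `/* validating length of entries before accepting */`, which does not record why the bound must be `length` rather than `size`. A comment above the loop such as `/* s - input is measured from the start of input (offset included), so bound it by length, not size */` would keep the invariant visible, ideally proposed upstream so the backport stays identical to the cherry-picked commit. With the new bound the loop condition and the inner `(s + wlen - input) > length` check use the same limit, so every length byte read by `wlen = *s++` lies inside the extension. TLSX_ALPN_ParseAndSet begins and ends outside the hunk, so the relation between `length`, `offset` and `size` that the commit message relies on is presumably validated earlier in the function and cannot be confirmed from these lines.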