wolfssl: patch CVE-2026-1005

Backport the commit from the PR [1] referenced in the NVD entry [2].

[1]https://github.com/wolfSSL/wolfssl/pull/9571
[2]https://nvd.nist.gov/vuln/detail/CVE-2026-1005

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Ankur Tyagi
2026-04-30 23:46:40 +12:00
committed by Anuj Mittal
parent 8a69f13465
commit 657e8af9b5
2 changed files with 84 additions and 0 deletions
@@ -0,0 +1,83 @@
From dfd0c1c7e151e8995b037cd3a56c9ee6e5e44b1c Mon Sep 17 00:00:00 2001
From: Mattia Moffa <mattia@moffa.xyz>
Date: Mon, 22 Dec 2025 16:13:27 +0100
Subject: [PATCH] Add missing length check in sniffer for
AES-GCM/AES-CCM/ARIA-GCM
(cherry picked from commit ca7899429844e8bd3824fe92a709978b51f750c4)
CVE: CVE-2026-1005
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/ca7899429844e8bd3824fe92a709978b51f750c4]
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
src/sniffer.c | 49 +++++++++++++++++++++++++++++++------------------
1 file changed, 31 insertions(+), 18 deletions(-)
diff --git a/src/sniffer.c b/src/sniffer.c
index 4d0c8e1ca..a9bf12035 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -4810,18 +4810,25 @@ static int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
XMEMCPY(ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
XMEMCPY(ssl->decrypt.nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
- if ((ret = aes_auth_fn(ssl->decrypt.aes,
- plain,
- input + AESGCM_EXP_IV_SZ,
- sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
- ssl->decrypt.nonce, AESGCM_NONCE_SZ,
- ssl->decrypt.additional, AEAD_AUTH_DATA_SZ,
- NULL, 0)) < 0) {
- #ifdef WOLFSSL_ASYNC_CRYPT
- if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
- ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev);
+ if (sz < AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size) {
+ ret = BUFFER_ERROR;
+ }
+
+ if (ret == 0) {
+ ret = aes_auth_fn(ssl->decrypt.aes,
+ plain,
+ input + AESGCM_EXP_IV_SZ,
+ sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
+ ssl->decrypt.nonce, AESGCM_NONCE_SZ,
+ ssl->decrypt.additional, AEAD_AUTH_DATA_SZ,
+ NULL, 0);
+ if (ret < 0) {
+ #ifdef WOLFSSL_ASYNC_CRYPT
+ if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
+ ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev);
+ }
+ #endif
}
- #endif
}
}
break;
@@ -4829,13 +4836,19 @@ static int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
#ifdef HAVE_ARIA
case wolfssl_aria_gcm:
- ret = wc_AriaDecrypt(ssl->decrypt.aria,
- plain,
- (byte *)input + AESGCM_EXP_IV_SZ,
- sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
- ssl->decrypt.nonce, AESGCM_NONCE_SZ,
- ssl->decrypt.additional, ssl->specs.aead_mac_size,
- NULL, 0);
+ if (sz < AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size) {
+ ret = BUFFER_ERROR;
+ }
+
+ if (ret == 0) {
+ ret = wc_AriaDecrypt(ssl->decrypt.aria,
+ plain,
+ (byte *)input + AESGCM_EXP_IV_SZ,
+ sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
+ ssl->decrypt.nonce, AESGCM_NONCE_SZ,
+ ssl->decrypt.additional, ssl->specs.aead_mac_size,
+ NULL, 0);
+ }
break;
#endif
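Review bot: In the AES-GCM/AES-CCM case the new `sz < AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size` check sits after the two `XMEMCPY` calls, so `XMEMCPY(ssl->decrypt.nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ)` still reads the explicit IV from `input` for a record that the check then rejects. Whether a record shorter than AESGCM_EXP_IV_SZ can reach this point depends on DecryptDo's callers, which are outside the hunk. The guard would be easier to audit if it came first: move the `if (sz < ...) { ret = BUFFER_ERROR; }` block above the nonce copies and put both copies inside the `if (ret == 0)` branch. Both new checks also rely on `ret` being 0 on entry to the case, and its initialisation is not visible here, so a short comment such as `/* ret is still 0 here; reject records too short for explicit IV + tag */` would help. Since this is a verbatim backport, the reordering is best raised upstream and the patch refreshed from there.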
@@ -37,6 +37,7 @@ SRC_URI = " \
file://CVE-2026-3547.patch \
file://CVE-2026-4159.patch \
file://CVE-2026-4395.patch \
file://CVE-2026-1005.patch \
"
SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"