diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-1005.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-1005.patch
new file mode 100644
index 0000000000..10f2092b26
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-1005.patch
@@ -0,0 +1,83 @@
+From dfd0c1c7e151e8995b037cd3a56c9ee6e5e44b1c Mon Sep 17 00:00:00 2001
+From: Mattia Moffa
+Date: Mon, 22 Dec 2025 16:13:27 +0100
+Subject: [PATCH] Add missing length check in sniffer for
+ AES-GCM/AES-CCM/ARIA-GCM
+
+(cherry picked from commit ca7899429844e8bd3824fe92a709978b51f750c4)
+
+CVE: CVE-2026-1005
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/ca7899429844e8bd3824fe92a709978b51f750c4]
+Signed-off-by: Ankur Tyagi
+---
+ src/sniffer.c | 49 +++++++++++++++++++++++++++++++------------------
+ 1 file changed, 31 insertions(+), 18 deletions(-)
+
+diff --git a/src/sniffer.c b/src/sniffer.c
+index 4d0c8e1ca..a9bf12035 100644
+--- a/src/sniffer.c
++++ b/src/sniffer.c
+@@ -4810,18 +4810,25 @@ static int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
+ XMEMCPY(ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
+ XMEMCPY(ssl->decrypt.nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
+ 
+- if ((ret = aes_auth_fn(ssl->decrypt.aes,
+- plain,
+- input + AESGCM_EXP_IV_SZ,
+- sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
+- ssl->decrypt.nonce, AESGCM_NONCE_SZ,
+- ssl->decrypt.additional, AEAD_AUTH_DATA_SZ,
+- NULL, 0)) < 0) {
+- #ifdef WOLFSSL_ASYNC_CRYPT
+- if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
+- ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev);
++ if (sz < AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size) {
++ ret = BUFFER_ERROR;
++ }
++
++ if (ret == 0) {
++ ret = aes_auth_fn(ssl->decrypt.aes,
++ plain,
++ input + AESGCM_EXP_IV_SZ,
++ sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
++ ssl->decrypt.nonce, AESGCM_NONCE_SZ,
++ ssl->decrypt.additional, AEAD_AUTH_DATA_SZ,
++ NULL, 0);
++ if (ret < 0) {
++ #ifdef WOLFSSL_ASYNC_CRYPT
++ if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
++ ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev);
++ }
++ #endif
+ }
+- #endif
+ }
+ }
+ break;
+@@ -4829,13 +4836,19 @@ static int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
+ 
+ #ifdef HAVE_ARIA
+ case wolfssl_aria_gcm:
+- ret = wc_AriaDecrypt(ssl->decrypt.aria,
+- plain,
+- (byte *)input + AESGCM_EXP_IV_SZ,
+- sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
+- ssl->decrypt.nonce, AESGCM_NONCE_SZ,
+- ssl->decrypt.additional, ssl->specs.aead_mac_size,
+- NULL, 0);
++ if (sz < AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size) {
++ ret = BUFFER_ERROR;
++ }
++
++ if (ret == 0) {
++ ret = wc_AriaDecrypt(ssl->decrypt.aria,
++ plain,
++ (byte *)input + AESGCM_EXP_IV_SZ,
++ sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
++ ssl->decrypt.nonce, AESGCM_NONCE_SZ,
++ ssl->decrypt.additional, ssl->specs.aead_mac_size,
++ NULL, 0);
++ }
+ break;
+ #endif
+ 
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
index a700e8a820..e1147a8028 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
@@ -37,6 +37,7 @@ SRC_URI = " \
 file://CVE-2026-3547.patch \
 file://CVE-2026-4159.patch \
 file://CVE-2026-4395.patch \
+ file://CVE-2026-1005.patch \
 "
 
 SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"
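Review bot: The new `if (ret == 0)` gate in front of `aes_auth_fn` and again in front of `wc_AriaDecrypt` only runs the decryption when `ret` is still zero on entry to the case, and nothing in either hunk shows where `ret` is initialised or whether an earlier statement in DecryptDo can leave it non-zero; if it can, the cipher call is silently skipped with `plain` left unwritten, so the value of `ret` at the top of the `switch` should be confirmed. The two new length checks would read better with a one-line comment stating why that sum is the floor, e.g. `/* record must hold the explicit IV plus the AEAD tag, otherwise the length passed below underflows */`, placed above each `if (sz < AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size)`. The patch subject names AES-CCM, yet only the `aes_auth_fn` path and the ARIA case are touched, so presumably CCM is dispatched through `aes_auth_fn`; any other AEAD case in this switch that computes `sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size` would need the same guard, which is not visible from here. DecryptDo begins and ends outside both inner hunks.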