mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
wolfssl: patch CVE-2026-1005
Backport commit from the PR[1] mentioned in the nvd[2] [1]https://github.com/wolfSSL/wolfssl/pull/9571 [2]https://nvd.nist.gov/vuln/detail/CVE-2026-1005 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
@@ -0,0 +1,83 @@
|
|||||||
|
From dfd0c1c7e151e8995b037cd3a56c9ee6e5e44b1c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mattia Moffa <mattia@moffa.xyz>
|
||||||
|
Date: Mon, 22 Dec 2025 16:13:27 +0100
|
||||||
|
Subject: [PATCH] Add missing length check in sniffer for
|
||||||
|
AES-GCM/AES-CCM/ARIA-GCM
|
||||||
|
|
||||||
|
(cherry picked from commit ca7899429844e8bd3824fe92a709978b51f750c4)
|
||||||
|
|
||||||
|
CVE: CVE-2026-1005
|
||||||
|
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/ca7899429844e8bd3824fe92a709978b51f750c4]
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
src/sniffer.c | 49 +++++++++++++++++++++++++++++++------------------
|
||||||
|
1 file changed, 31 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/sniffer.c b/src/sniffer.c
|
||||||
|
index 4d0c8e1ca..a9bf12035 100644
|
||||||
|
--- a/src/sniffer.c
|
||||||
|
+++ b/src/sniffer.c
|
||||||
|
@@ -4810,18 +4810,25 @@ static int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||||
|
XMEMCPY(ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
|
||||||
|
XMEMCPY(ssl->decrypt.nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
|
||||||
|
|
||||||
|
- if ((ret = aes_auth_fn(ssl->decrypt.aes,
|
||||||
|
- plain,
|
||||||
|
- input + AESGCM_EXP_IV_SZ,
|
||||||
|
- sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||||
|
- ssl->decrypt.nonce, AESGCM_NONCE_SZ,
|
||||||
|
- ssl->decrypt.additional, AEAD_AUTH_DATA_SZ,
|
||||||
|
- NULL, 0)) < 0) {
|
||||||
|
- #ifdef WOLFSSL_ASYNC_CRYPT
|
||||||
|
- if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
|
||||||
|
- ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev);
|
||||||
|
+ if (sz < AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size) {
|
||||||
|
+ ret = BUFFER_ERROR;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (ret == 0) {
|
||||||
|
+ ret = aes_auth_fn(ssl->decrypt.aes,
|
||||||
|
+ plain,
|
||||||
|
+ input + AESGCM_EXP_IV_SZ,
|
||||||
|
+ sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||||
|
+ ssl->decrypt.nonce, AESGCM_NONCE_SZ,
|
||||||
|
+ ssl->decrypt.additional, AEAD_AUTH_DATA_SZ,
|
||||||
|
+ NULL, 0);
|
||||||
|
+ if (ret < 0) {
|
||||||
|
+ #ifdef WOLFSSL_ASYNC_CRYPT
|
||||||
|
+ if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
|
||||||
|
+ ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev);
|
||||||
|
+ }
|
||||||
|
+ #endif
|
||||||
|
}
|
||||||
|
- #endif
|
||||||
|
}
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
@@ -4829,13 +4836,19 @@ static int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||||
|
|
||||||
|
#ifdef HAVE_ARIA
|
||||||
|
case wolfssl_aria_gcm:
|
||||||
|
- ret = wc_AriaDecrypt(ssl->decrypt.aria,
|
||||||
|
- plain,
|
||||||
|
- (byte *)input + AESGCM_EXP_IV_SZ,
|
||||||
|
- sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||||
|
- ssl->decrypt.nonce, AESGCM_NONCE_SZ,
|
||||||
|
- ssl->decrypt.additional, ssl->specs.aead_mac_size,
|
||||||
|
- NULL, 0);
|
||||||
|
+ if (sz < AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size) {
|
||||||
|
+ ret = BUFFER_ERROR;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (ret == 0) {
|
||||||
|
+ ret = wc_AriaDecrypt(ssl->decrypt.aria,
|
||||||
|
+ plain,
|
||||||
|
+ (byte *)input + AESGCM_EXP_IV_SZ,
|
||||||
|
+ sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
|
||||||
|
+ ssl->decrypt.nonce, AESGCM_NONCE_SZ,
|
||||||
|
+ ssl->decrypt.additional, ssl->specs.aead_mac_size,
|
||||||
|
+ NULL, 0);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
|
||||||
@@ -37,6 +37,7 @@ SRC_URI = " \
|
|||||||
file://CVE-2026-3547.patch \
|
file://CVE-2026-3547.patch \
|
||||||
file://CVE-2026-4159.patch \
|
file://CVE-2026-4159.patch \
|
||||||
file://CVE-2026-4395.patch \
|
file://CVE-2026-4395.patch \
|
||||||
|
file://CVE-2026-1005.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"
|
SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"
|
||||||
|
|||||||
Reference in New Issue
Block a user