strongswan: Fix CVE-2026-35332

Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/1e0643bef105704337efc141a37dfcfbaa53cb1f]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Nitin Wankhade
2026-06-09 14:54:06 +05:30
committed by Anuj Mittal
parent fca99be2d5
commit a7dc4178c9
2 changed files with 52 additions and 0 deletions
@@ -0,0 +1,51 @@
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 20 Mar 2026 17:38:07 +0100
Subject: tls-server: Only accept non-empty ECDH public keys with TLS < 1.3
This prevents a crash due to a null-pointer dereference when processing
an empty ECDH public key.
The previous length check only applied in the `!ec` case, so in the `ec`
case, the access to `pub.ptr[0]` was unguarded. If a crafted TLS
record ends with an empty ClientKeyExchange, then `read_data8` sets
`pub` to `chunk_empty`, causing a null-pointer dereference.
Note that if some data follows the empty ClientKeyExchange, this just
causes a 1-byte out-of-bounds read that has no further effect as the
TLS session is aborted immediately. Either because the read value
doesn't equal TLS_ANSI_UNCOMPRESSED or because the empty public key
is rejected by `set_public_key()`.
The referenced commit that introduced the pointer access, added the
check for `pub.len` specifically to the `!ec` case, while the pointer
access was initially unconditional (probably because the code was just
copied from `tls_peer.c` which processes ECDH public keys in a separate
function, so there was no `ec` flag). The latter was fixed a couple of
days later with 7b3c01845f63 ("Read the compression type byte for EC
groups, only"). However, that commit didn't change the length check.
Anyway, it's possible that the original intention was to add the check
to the `ec` case on the previous line, or that there was some confusion
with the parenthesis and something like the current code was intended to
begin with.
Fixes: e6cce7ff0d1b ("Prepend point format to ECDH public key")
Fixes: CVE-2026-35332
CVE: CVE-2026-35332
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/1e0643bef105704337efc141a37dfcfbaa53cb1f]
Patch is refreshed as per the source code version 5.9.14
Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
===
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 7b2238e..bffc01c 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -857,7 +857,7 @@ static status_t process_key_exchange_dhe(private_tls_server_t *this,
group = this->dh->get_method(this->dh);
ec = key_exchange_is_ecdh(group);
if ((ec && !reader->read_data8(reader, &pub)) ||
- (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0)))
+ (!ec && !reader->read_data16(reader, &pub)) || pub.len == 0)
{
DBG1(DBG_TLS, "received invalid Client Key Exchange");
this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
@@ -16,6 +16,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \
file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
file://constraints-Case-insensitive-matching-and-reject-exc.patch \
file://tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch \
"
SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"