wolfssl: ptach CVE-2026-3229

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3229 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-13 17:39:57 +00:00 · 2026-04-06 00:49:06 +12:00
parent 40f7bfd054
commit d0e8fba3a1
4 changed files with 177 additions and 0 deletions
@@ -0,0 +1,104 @@
+From 136f9cd0250a6f5d24cdda95118ae4e8eed23dd7 Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Tue, 24 Feb 2026 09:27:42 -0600
+Subject: [PATCH] Fix cert chain size issue
+
+(cherry picked from commit 2ae3164c6f2db5fdd9f7a6be344e068cd3264bde)
+
+CVE: CVE-2026-3229
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/2ae3164c6f2db5fdd9f7a6be344e068cd3264bde]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/ssl_load.c |  8 +++++++-
+ tests/api.c    | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+), 1 deletion(-)
+
+diff --git a/src/ssl_load.c b/src/ssl_load.c
+index d803b4093..54e1a3095 100644
+--- a/src/ssl_load.c
+++ b/src/ssl_load.c
+@@ -4773,7 +4773,13 @@ static int wolfssl_add_to_chain(DerBuffer** chain, int weOwn, const byte* cert,
+         /* Get length of previous chain. */
+         len = oldChain->length;
+     }
+-    /* Allocate DER buffer bug enough to hold old and new certificates. */
+    /* Check for integer overflow in size calculation. */
+    if ((len > WOLFSSL_MAX_32BIT - CERT_HEADER_SZ) ||
+            (certSz > WOLFSSL_MAX_32BIT - CERT_HEADER_SZ - len)) {
+        WOLFSSL_MSG("wolfssl_add_to_chain overflow");
+        return 0;
+    }
+    /* Allocate DER buffer big enough to hold old and new certificates. */
+     ret = AllocDer(&newChain, len + CERT_HEADER_SZ + certSz, CERT_TYPE, heap);
+     if (ret != 0) {
+         WOLFSSL_MSG("AllocDer error");
+diff --git a/tests/api.c b/tests/api.c
+index a8449cc71..02da904f2 100644
+--- a/tests/api.c
+++ b/tests/api.c
+@@ -5262,6 +5262,57 @@ static int test_wolfSSL_CTX_add1_chain_cert(void)
+     return EXPECT_RESULT();
+ }
+ 
+/* Test that wolfssl_add_to_chain rejects sizes that would overflow word32.
+ * ZD #21241 */
+static int test_wolfSSL_add_to_chain_overflow(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_CERTS) && defined(OPENSSL_EXTRA) && \
+    defined(KEEP_OUR_CERT) && !defined(NO_RSA) && !defined(NO_TLS) && \
+    !defined(NO_WOLFSSL_CLIENT) && !defined(NO_FILESYSTEM)
+    WOLFSSL_CTX* ctx = NULL;
+    WOLFSSL_X509* x509 = NULL;
+    DerBuffer* fakeChain = NULL;
+
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+
+    /* Load a real cert so ctx->certificate is set (first add goes there). */
+    ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(
+        "./certs/intermediate/client-int-cert.pem", WOLFSSL_FILETYPE_PEM));
+    ExpectIntEQ(SSL_CTX_add1_chain_cert(ctx, x509), 1);
+    wolfSSL_X509_free(x509);
+    x509 = NULL;
+
+    /* Now ctx->certificate is set, next add goes to certChain via
+     * wolfssl_add_to_chain.  Fake a chain whose length is near UINT32_MAX
+     * so the size calculation (len + CERT_HEADER_SZ + certSz) overflows. */
+    fakeChain = (DerBuffer*)XMALLOC(sizeof(DerBuffer) + 16, ctx->heap,
+        DYNAMIC_TYPE_CERT);
+    ExpectNotNull(fakeChain);
+    if (EXPECT_SUCCESS()) {
+        XMEMSET(fakeChain, 0, sizeof(DerBuffer) + 16);
+        fakeChain->buffer = (byte*)(fakeChain + 1);
+        fakeChain->length = WOLFSSL_MAX_32BIT - 2; /* will overflow with any cert */
+        fakeChain->type = CERT_TYPE;
+        fakeChain->dynType = DYNAMIC_TYPE_CERT;
+        /* Replace the real chain with our fake one. */
+        if (ctx->certChain != NULL) {
+            XFREE(ctx->certChain, ctx->heap, DYNAMIC_TYPE_CERT);
+        }
+        ctx->certChain = fakeChain;
+    }
+
+    /* Try to add another cert - this MUST fail due to overflow guard. */
+    ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(
+        "./certs/intermediate/ca-int2-cert.pem", WOLFSSL_FILETYPE_PEM));
+    ExpectIntEQ(SSL_CTX_add1_chain_cert(ctx, x509), 0);
+    wolfSSL_X509_free(x509);
+
+    wolfSSL_CTX_free(ctx);
+#endif
+    return EXPECT_RESULT();
+}
+
+ static int test_wolfSSL_CTX_use_certificate_chain_buffer_format(void)
+ {
+     EXPECT_DECLS;
+@@ -67594,6 +67645,7 @@ TEST_CASE testCases[] = {
+     TEST_DECL(test_wolfSSL_CTX_load_verify_buffer_ex),
+     TEST_DECL(test_wolfSSL_CTX_load_verify_chain_buffer_format),
+     TEST_DECL(test_wolfSSL_CTX_add1_chain_cert),
+    TEST_DECL(test_wolfSSL_add_to_chain_overflow),
+     TEST_DECL(test_wolfSSL_CTX_use_certificate_chain_buffer_format),
+     TEST_DECL(test_wolfSSL_CTX_use_certificate_chain_file_format),
+     TEST_DECL(test_wolfSSL_use_certificate_chain_file),
@@ -0,0 +1,42 @@
+From 62ab2c90ac6ad82a7586224096a73f84beac64c3 Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Tue, 24 Feb 2026 11:17:42 -0600
+Subject: [PATCH] Fix from review
+
+(cherry picked from commit 8f787909da890e5830a9a6f73d3c4ff0d9bd7da9)
+
+CVE: CVE-2026-3229
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/8f787909da890e5830a9a6f73d3c4ff0d9bd7da9]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/ssl_load.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/ssl_load.c b/src/ssl_load.c
+index 54e1a3095..8533d9a12 100644
+--- a/src/ssl_load.c
+++ b/src/ssl_load.c
+@@ -4777,14 +4777,17 @@ static int wolfssl_add_to_chain(DerBuffer** chain, int weOwn, const byte* cert,
+     if ((len > WOLFSSL_MAX_32BIT - CERT_HEADER_SZ) ||
+             (certSz > WOLFSSL_MAX_32BIT - CERT_HEADER_SZ - len)) {
+         WOLFSSL_MSG("wolfssl_add_to_chain overflow");
+-        return 0;
+-    }
+-    /* Allocate DER buffer big enough to hold old and new certificates. */
+-    ret = AllocDer(&newChain, len + CERT_HEADER_SZ + certSz, CERT_TYPE, heap);
+-    if (ret != 0) {
+-        WOLFSSL_MSG("AllocDer error");
+         res = 0;
+     }
+    if (res == 1) {
+        /* Allocate DER buffer big enough to hold old and new certificates. */
+        ret = AllocDer(&newChain, len + CERT_HEADER_SZ + certSz, CERT_TYPE,
+            heap);
+        if (ret != 0) {
+            WOLFSSL_MSG("AllocDer error");
+            res = 0;
+        }
+    }
+ 
+     if (res == 1) {
+         if (oldChain != NULL) {
@@ -0,0 +1,28 @@
+From a64133c8e0ec3463d9fffc9a2f95c48f3e7be24a Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Tue, 24 Feb 2026 12:43:46 -0600
+Subject: [PATCH] Fix issue from review
+
+(cherry picked from commit 5536ecf026151f1cdc80f6908fe8820e798dcd58)
+
+CVE: CVE-2026-3229
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/5536ecf026151f1cdc80f6908fe8820e798dcd58]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ tests/api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/api.c b/tests/api.c
+index 02da904f2..9dc92e84a 100644
+--- a/tests/api.c
+++ b/tests/api.c
+@@ -5301,6 +5301,9 @@ static int test_wolfSSL_add_to_chain_overflow(void)
+         }
+         ctx->certChain = fakeChain;
+     }
+    else {
+        XFREE(fakeChain, ctx ? ctx->heap : NULL, DYNAMIC_TYPE_CERT);
+    }
+ 
+     /* Try to add another cert - this MUST fail due to overflow guard. */
+     ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(
@@ -30,6 +30,9 @@ SRC_URI = " \
    file://CVE-2026-0819.patch \
    file://CVE-2026-2646-1.patch \
    file://CVE-2026-2646-2.patch \
+    file://CVE-2026-3229-1.patch \
+    file://CVE-2026-3229-2.patch \
+    file://CVE-2026-3229-3.patch \
 "

 SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"