From d0e8fba3a104dd0038b38ac2f622f9ffd4c69bf0 Mon Sep 17 00:00:00 2001
From: Ankur Tyagi <ankur.tyagi85@gmail.com>
Date: Mon, 6 Apr 2026 00:49:06 +1200
Subject: [PATCH] wolfssl: ptach CVE-2026-3229

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3229

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
---
 .../wolfssl/files/CVE-2026-3229-1.patch       | 104 ++++++++++++++++++
 .../wolfssl/files/CVE-2026-3229-2.patch       |  42 +++++++
 .../wolfssl/files/CVE-2026-3229-3.patch       |  28 +++++
 .../wolfssl/wolfssl_5.8.0.bb                  |   3 +
 4 files changed, 177 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-1.patch
 create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-2.patch
 create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-3.patch

diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-1.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-1.patch
new file mode 100644
index 0000000000..e442028146
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-1.patch
@@ -0,0 +1,104 @@
+From 136f9cd0250a6f5d24cdda95118ae4e8eed23dd7 Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Tue, 24 Feb 2026 09:27:42 -0600
+Subject: [PATCH] Fix cert chain size issue
+
+(cherry picked from commit 2ae3164c6f2db5fdd9f7a6be344e068cd3264bde)
+
+CVE: CVE-2026-3229
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/2ae3164c6f2db5fdd9f7a6be344e068cd3264bde]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/ssl_load.c |  8 +++++++-
+ tests/api.c    | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+), 1 deletion(-)
+
+diff --git a/src/ssl_load.c b/src/ssl_load.c
+index d803b4093..54e1a3095 100644
+--- a/src/ssl_load.c
++++ b/src/ssl_load.c
+@@ -4773,7 +4773,13 @@ static int wolfssl_add_to_chain(DerBuffer** chain, int weOwn, const byte* cert,
+         /* Get length of previous chain. */
+         len = oldChain->length;
+     }
+-    /* Allocate DER buffer bug enough to hold old and new certificates. */
++    /* Check for integer overflow in size calculation. */
++    if ((len > WOLFSSL_MAX_32BIT - CERT_HEADER_SZ) ||
++            (certSz > WOLFSSL_MAX_32BIT - CERT_HEADER_SZ - len)) {
++        WOLFSSL_MSG("wolfssl_add_to_chain overflow");
++        return 0;
++    }
++    /* Allocate DER buffer big enough to hold old and new certificates. */
+     ret = AllocDer(&newChain, len + CERT_HEADER_SZ + certSz, CERT_TYPE, heap);
+     if (ret != 0) {
+         WOLFSSL_MSG("AllocDer error");
+diff --git a/tests/api.c b/tests/api.c
+index a8449cc71..02da904f2 100644
+--- a/tests/api.c
++++ b/tests/api.c
+@@ -5262,6 +5262,57 @@ static int test_wolfSSL_CTX_add1_chain_cert(void)
+     return EXPECT_RESULT();
+ }
+ 
++/* Test that wolfssl_add_to_chain rejects sizes that would overflow word32.
++ * ZD #21241 */
++static int test_wolfSSL_add_to_chain_overflow(void)
++{
++    EXPECT_DECLS;
++#if !defined(NO_CERTS) && defined(OPENSSL_EXTRA) && \
++    defined(KEEP_OUR_CERT) && !defined(NO_RSA) && !defined(NO_TLS) && \
++    !defined(NO_WOLFSSL_CLIENT) && !defined(NO_FILESYSTEM)
++    WOLFSSL_CTX* ctx = NULL;
++    WOLFSSL_X509* x509 = NULL;
++    DerBuffer* fakeChain = NULL;
++
++    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
++
++    /* Load a real cert so ctx->certificate is set (first add goes there). */
++    ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(
++        "./certs/intermediate/client-int-cert.pem", WOLFSSL_FILETYPE_PEM));
++    ExpectIntEQ(SSL_CTX_add1_chain_cert(ctx, x509), 1);
++    wolfSSL_X509_free(x509);
++    x509 = NULL;
++
++    /* Now ctx->certificate is set, next add goes to certChain via
++     * wolfssl_add_to_chain.  Fake a chain whose length is near UINT32_MAX
++     * so the size calculation (len + CERT_HEADER_SZ + certSz) overflows. */
++    fakeChain = (DerBuffer*)XMALLOC(sizeof(DerBuffer) + 16, ctx->heap,
++        DYNAMIC_TYPE_CERT);
++    ExpectNotNull(fakeChain);
++    if (EXPECT_SUCCESS()) {
++        XMEMSET(fakeChain, 0, sizeof(DerBuffer) + 16);
++        fakeChain->buffer = (byte*)(fakeChain + 1);
++        fakeChain->length = WOLFSSL_MAX_32BIT - 2; /* will overflow with any cert */
++        fakeChain->type = CERT_TYPE;
++        fakeChain->dynType = DYNAMIC_TYPE_CERT;
++        /* Replace the real chain with our fake one. */
++        if (ctx->certChain != NULL) {
++            XFREE(ctx->certChain, ctx->heap, DYNAMIC_TYPE_CERT);
++        }
++        ctx->certChain = fakeChain;
++    }
++
++    /* Try to add another cert - this MUST fail due to overflow guard. */
++    ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(
++        "./certs/intermediate/ca-int2-cert.pem", WOLFSSL_FILETYPE_PEM));
++    ExpectIntEQ(SSL_CTX_add1_chain_cert(ctx, x509), 0);
++    wolfSSL_X509_free(x509);
++
++    wolfSSL_CTX_free(ctx);
++#endif
++    return EXPECT_RESULT();
++}
++
+ static int test_wolfSSL_CTX_use_certificate_chain_buffer_format(void)
+ {
+     EXPECT_DECLS;
+@@ -67594,6 +67645,7 @@ TEST_CASE testCases[] = {
+     TEST_DECL(test_wolfSSL_CTX_load_verify_buffer_ex),
+     TEST_DECL(test_wolfSSL_CTX_load_verify_chain_buffer_format),
+     TEST_DECL(test_wolfSSL_CTX_add1_chain_cert),
++    TEST_DECL(test_wolfSSL_add_to_chain_overflow),
+     TEST_DECL(test_wolfSSL_CTX_use_certificate_chain_buffer_format),
+     TEST_DECL(test_wolfSSL_CTX_use_certificate_chain_file_format),
+     TEST_DECL(test_wolfSSL_use_certificate_chain_file),
diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-2.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-2.patch
new file mode 100644
index 0000000000..e382dd5542
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-2.patch
@@ -0,0 +1,42 @@
+From 62ab2c90ac6ad82a7586224096a73f84beac64c3 Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Tue, 24 Feb 2026 11:17:42 -0600
+Subject: [PATCH] Fix from review
+
+(cherry picked from commit 8f787909da890e5830a9a6f73d3c4ff0d9bd7da9)
+
+CVE: CVE-2026-3229
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/8f787909da890e5830a9a6f73d3c4ff0d9bd7da9]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/ssl_load.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/ssl_load.c b/src/ssl_load.c
+index 54e1a3095..8533d9a12 100644
+--- a/src/ssl_load.c
++++ b/src/ssl_load.c
+@@ -4777,14 +4777,17 @@ static int wolfssl_add_to_chain(DerBuffer** chain, int weOwn, const byte* cert,
+     if ((len > WOLFSSL_MAX_32BIT - CERT_HEADER_SZ) ||
+             (certSz > WOLFSSL_MAX_32BIT - CERT_HEADER_SZ - len)) {
+         WOLFSSL_MSG("wolfssl_add_to_chain overflow");
+-        return 0;
+-    }
+-    /* Allocate DER buffer big enough to hold old and new certificates. */
+-    ret = AllocDer(&newChain, len + CERT_HEADER_SZ + certSz, CERT_TYPE, heap);
+-    if (ret != 0) {
+-        WOLFSSL_MSG("AllocDer error");
+         res = 0;
+     }
++    if (res == 1) {
++        /* Allocate DER buffer big enough to hold old and new certificates. */
++        ret = AllocDer(&newChain, len + CERT_HEADER_SZ + certSz, CERT_TYPE,
++            heap);
++        if (ret != 0) {
++            WOLFSSL_MSG("AllocDer error");
++            res = 0;
++        }
++    }
+ 
+     if (res == 1) {
+         if (oldChain != NULL) {
diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-3.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-3.patch
new file mode 100644
index 0000000000..44c7960d35
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-3.patch
@@ -0,0 +1,28 @@
+From a64133c8e0ec3463d9fffc9a2f95c48f3e7be24a Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Tue, 24 Feb 2026 12:43:46 -0600
+Subject: [PATCH] Fix issue from review
+
+(cherry picked from commit 5536ecf026151f1cdc80f6908fe8820e798dcd58)
+
+CVE: CVE-2026-3229
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/5536ecf026151f1cdc80f6908fe8820e798dcd58]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ tests/api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/api.c b/tests/api.c
+index 02da904f2..9dc92e84a 100644
+--- a/tests/api.c
++++ b/tests/api.c
+@@ -5301,6 +5301,9 @@ static int test_wolfSSL_add_to_chain_overflow(void)
+         }
+         ctx->certChain = fakeChain;
+     }
++    else {
++        XFREE(fakeChain, ctx ? ctx->heap : NULL, DYNAMIC_TYPE_CERT);
++    }
+ 
+     /* Try to add another cert - this MUST fail due to overflow guard. */
+     ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
index 5db019c9cb..7c46c01ff0 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
@@ -30,6 +30,9 @@ SRC_URI = " \
     file://CVE-2026-0819.patch \
     file://CVE-2026-2646-1.patch \
     file://CVE-2026-2646-2.patch \
+    file://CVE-2026-3229-1.patch \
+    file://CVE-2026-3229-2.patch \
+    file://CVE-2026-3229-3.patch \
 "
 
 SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"