diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-1.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-1.patch new file mode 100644 index 0000000000..e442028146 --- /dev/null +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-1.patch @@ -0,0 +1,104 @@ +From 136f9cd0250a6f5d24cdda95118ae4e8eed23dd7 Mon Sep 17 00:00:00 2001 +From: Eric Blankenhorn +Date: Tue, 24 Feb 2026 09:27:42 -0600 +Subject: [PATCH] Fix cert chain size issue + +(cherry picked from commit 2ae3164c6f2db5fdd9f7a6be344e068cd3264bde) + +CVE: CVE-2026-3229 +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/2ae3164c6f2db5fdd9f7a6be344e068cd3264bde] +Signed-off-by: Ankur Tyagi +--- + src/ssl_load.c | 8 +++++++- + tests/api.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 59 insertions(+), 1 deletion(-) + +diff --git a/src/ssl_load.c b/src/ssl_load.c +index d803b4093..54e1a3095 100644 +--- a/src/ssl_load.c ++++ b/src/ssl_load.c +@@ -4773,7 +4773,13 @@ static int wolfssl_add_to_chain(DerBuffer** chain, int weOwn, const byte* cert, + /* Get length of previous chain. */ + len = oldChain->length; + } +- /* Allocate DER buffer bug enough to hold old and new certificates. */ ++ /* Check for integer overflow in size calculation. */ ++ if ((len > WOLFSSL_MAX_32BIT - CERT_HEADER_SZ) || ++ (certSz > WOLFSSL_MAX_32BIT - CERT_HEADER_SZ - len)) { ++ WOLFSSL_MSG("wolfssl_add_to_chain overflow"); ++ return 0; ++ } ++ /* Allocate DER buffer big enough to hold old and new certificates. */ + ret = AllocDer(&newChain, len + CERT_HEADER_SZ + certSz, CERT_TYPE, heap); + if (ret != 0) { + WOLFSSL_MSG("AllocDer error"); +diff --git a/tests/api.c b/tests/api.c +index a8449cc71..02da904f2 100644 +--- a/tests/api.c ++++ b/tests/api.c +@@ -5262,6 +5262,57 @@ static int test_wolfSSL_CTX_add1_chain_cert(void) + return EXPECT_RESULT(); + } + ++/* Test that wolfssl_add_to_chain rejects sizes that would overflow word32. ++ * ZD #21241 */ ++static int test_wolfSSL_add_to_chain_overflow(void) ++{ ++ EXPECT_DECLS; ++#if !defined(NO_CERTS) && defined(OPENSSL_EXTRA) && \ ++ defined(KEEP_OUR_CERT) && !defined(NO_RSA) && !defined(NO_TLS) && \ ++ !defined(NO_WOLFSSL_CLIENT) && !defined(NO_FILESYSTEM) ++ WOLFSSL_CTX* ctx = NULL; ++ WOLFSSL_X509* x509 = NULL; ++ DerBuffer* fakeChain = NULL; ++ ++ ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); ++ ++ /* Load a real cert so ctx->certificate is set (first add goes there). */ ++ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file( ++ "./certs/intermediate/client-int-cert.pem", WOLFSSL_FILETYPE_PEM)); ++ ExpectIntEQ(SSL_CTX_add1_chain_cert(ctx, x509), 1); ++ wolfSSL_X509_free(x509); ++ x509 = NULL; ++ ++ /* Now ctx->certificate is set, next add goes to certChain via ++ * wolfssl_add_to_chain. Fake a chain whose length is near UINT32_MAX ++ * so the size calculation (len + CERT_HEADER_SZ + certSz) overflows. */ ++ fakeChain = (DerBuffer*)XMALLOC(sizeof(DerBuffer) + 16, ctx->heap, ++ DYNAMIC_TYPE_CERT); ++ ExpectNotNull(fakeChain); ++ if (EXPECT_SUCCESS()) { ++ XMEMSET(fakeChain, 0, sizeof(DerBuffer) + 16); ++ fakeChain->buffer = (byte*)(fakeChain + 1); ++ fakeChain->length = WOLFSSL_MAX_32BIT - 2; /* will overflow with any cert */ ++ fakeChain->type = CERT_TYPE; ++ fakeChain->dynType = DYNAMIC_TYPE_CERT; ++ /* Replace the real chain with our fake one. */ ++ if (ctx->certChain != NULL) { ++ XFREE(ctx->certChain, ctx->heap, DYNAMIC_TYPE_CERT); ++ } ++ ctx->certChain = fakeChain; ++ } ++ ++ /* Try to add another cert - this MUST fail due to overflow guard. */ ++ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file( ++ "./certs/intermediate/ca-int2-cert.pem", WOLFSSL_FILETYPE_PEM)); ++ ExpectIntEQ(SSL_CTX_add1_chain_cert(ctx, x509), 0); ++ wolfSSL_X509_free(x509); ++ ++ wolfSSL_CTX_free(ctx); ++#endif ++ return EXPECT_RESULT(); ++} ++ + static int test_wolfSSL_CTX_use_certificate_chain_buffer_format(void) + { + EXPECT_DECLS; +@@ -67594,6 +67645,7 @@ TEST_CASE testCases[] = { + TEST_DECL(test_wolfSSL_CTX_load_verify_buffer_ex), + TEST_DECL(test_wolfSSL_CTX_load_verify_chain_buffer_format), + TEST_DECL(test_wolfSSL_CTX_add1_chain_cert), ++ TEST_DECL(test_wolfSSL_add_to_chain_overflow), + TEST_DECL(test_wolfSSL_CTX_use_certificate_chain_buffer_format), + TEST_DECL(test_wolfSSL_CTX_use_certificate_chain_file_format), + TEST_DECL(test_wolfSSL_use_certificate_chain_file), diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-2.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-2.patch new file mode 100644 index 0000000000..e382dd5542 --- /dev/null +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-2.patch @@ -0,0 +1,42 @@ +From 62ab2c90ac6ad82a7586224096a73f84beac64c3 Mon Sep 17 00:00:00 2001 +From: Eric Blankenhorn +Date: Tue, 24 Feb 2026 11:17:42 -0600 +Subject: [PATCH] Fix from review + +(cherry picked from commit 8f787909da890e5830a9a6f73d3c4ff0d9bd7da9) + +CVE: CVE-2026-3229 +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/8f787909da890e5830a9a6f73d3c4ff0d9bd7da9] +Signed-off-by: Ankur Tyagi +--- + src/ssl_load.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/src/ssl_load.c b/src/ssl_load.c +index 54e1a3095..8533d9a12 100644 +--- a/src/ssl_load.c ++++ b/src/ssl_load.c +@@ -4777,14 +4777,17 @@ static int wolfssl_add_to_chain(DerBuffer** chain, int weOwn, const byte* cert, + if ((len > WOLFSSL_MAX_32BIT - CERT_HEADER_SZ) || + (certSz > WOLFSSL_MAX_32BIT - CERT_HEADER_SZ - len)) { + WOLFSSL_MSG("wolfssl_add_to_chain overflow"); +- return 0; +- } +- /* Allocate DER buffer big enough to hold old and new certificates. */ +- ret = AllocDer(&newChain, len + CERT_HEADER_SZ + certSz, CERT_TYPE, heap); +- if (ret != 0) { +- WOLFSSL_MSG("AllocDer error"); + res = 0; + } ++ if (res == 1) { ++ /* Allocate DER buffer big enough to hold old and new certificates. */ ++ ret = AllocDer(&newChain, len + CERT_HEADER_SZ + certSz, CERT_TYPE, ++ heap); ++ if (ret != 0) { ++ WOLFSSL_MSG("AllocDer error"); ++ res = 0; ++ } ++ } + + if (res == 1) { + if (oldChain != NULL) { diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-3.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-3.patch new file mode 100644 index 0000000000..44c7960d35 --- /dev/null +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3229-3.patch @@ -0,0 +1,28 @@ +From a64133c8e0ec3463d9fffc9a2f95c48f3e7be24a Mon Sep 17 00:00:00 2001 +From: Eric Blankenhorn +Date: Tue, 24 Feb 2026 12:43:46 -0600 +Subject: [PATCH] Fix issue from review + +(cherry picked from commit 5536ecf026151f1cdc80f6908fe8820e798dcd58) + +CVE: CVE-2026-3229 +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/5536ecf026151f1cdc80f6908fe8820e798dcd58] +Signed-off-by: Ankur Tyagi +--- + tests/api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/api.c b/tests/api.c +index 02da904f2..9dc92e84a 100644 +--- a/tests/api.c ++++ b/tests/api.c +@@ -5301,6 +5301,9 @@ static int test_wolfSSL_add_to_chain_overflow(void) + } + ctx->certChain = fakeChain; + } ++ else { ++ XFREE(fakeChain, ctx ? ctx->heap : NULL, DYNAMIC_TYPE_CERT); ++ } + + /* Try to add another cert - this MUST fail due to overflow guard. */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file( diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb index 5db019c9cb..7c46c01ff0 100644 --- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb +++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb @@ -30,6 +30,9 @@ SRC_URI = " \ file://CVE-2026-0819.patch \ file://CVE-2026-2646-1.patch \ file://CVE-2026-2646-2.patch \ + file://CVE-2026-3229-1.patch \ + file://CVE-2026-3229-2.patch \ + file://CVE-2026-3229-3.patch \ " SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"