
[meta-networking,whinlatter,17/24] wolfssl: patch CVE-2026-1005

Message ID 20260430114649.4184890-17-ankur.tyagi85@gmail.com
State Under Review
Delegated to: Anuj Mittal
Series [meta-oe,whinlatter,1/24] libgpiod: update to v2.2.3 | expand

Commit Message

Ankur Tyagi April 30, 2026, 11:46 a.m. UTC
From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Backport the commit from the PR [1] referenced in the NVD entry [2].

[1]https://github.com/wolfSSL/wolfssl/pull/9571
[2]https://nvd.nist.gov/vuln/detail/CVE-2026-1005

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../wolfssl/files/CVE-2026-1005.patch         | 83 +++++++++++++++++++
 .../wolfssl/wolfssl_5.8.0.bb                  |  1 +
 2 files changed, 84 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-1005.patch

Patch

diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-1005.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-1005.patch
new file mode 100644
index 0000000000..10f2092b26
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-1005.patch
@@ -0,0 +1,83 @@ 
+From dfd0c1c7e151e8995b037cd3a56c9ee6e5e44b1c Mon Sep 17 00:00:00 2001
+From: Mattia Moffa <mattia@moffa.xyz>
+Date: Mon, 22 Dec 2025 16:13:27 +0100
+Subject: [PATCH] Add missing length check in sniffer for
+ AES-GCM/AES-CCM/ARIA-GCM
+
+(cherry picked from commit ca7899429844e8bd3824fe92a709978b51f750c4)
+
+CVE: CVE-2026-1005
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/ca7899429844e8bd3824fe92a709978b51f750c4]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/sniffer.c | 49 +++++++++++++++++++++++++++++++------------------
+ 1 file changed, 31 insertions(+), 18 deletions(-)
+
+diff --git a/src/sniffer.c b/src/sniffer.c
+index 4d0c8e1ca..a9bf12035 100644
+--- a/src/sniffer.c
++++ b/src/sniffer.c
+@@ -4810,18 +4810,25 @@ static int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
+             XMEMCPY(ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
+             XMEMCPY(ssl->decrypt.nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
+ 
+-            if ((ret = aes_auth_fn(ssl->decrypt.aes,
+-                        plain,
+-                        input + AESGCM_EXP_IV_SZ,
+-                          sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
+-                        ssl->decrypt.nonce, AESGCM_NONCE_SZ,
+-                        ssl->decrypt.additional, AEAD_AUTH_DATA_SZ,
+-                        NULL, 0)) < 0) {
+-            #ifdef WOLFSSL_ASYNC_CRYPT
+-                if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
+-                    ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev);
++            if (sz < AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size) {
++                ret = BUFFER_ERROR;
++            }
++
++            if (ret == 0) {
++                ret = aes_auth_fn(ssl->decrypt.aes,
++                       plain,
++                       input + AESGCM_EXP_IV_SZ,
++                       sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
++                       ssl->decrypt.nonce, AESGCM_NONCE_SZ,
++                       ssl->decrypt.additional, AEAD_AUTH_DATA_SZ,
++                       NULL, 0);
++                if (ret < 0) {
++                #ifdef WOLFSSL_ASYNC_CRYPT
++                    if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
++                        ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev);
++                    }
++                #endif
+                 }
+-            #endif
+             }
+         }
+         break;
+@@ -4829,13 +4836,19 @@ static int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
+ 
+     #ifdef HAVE_ARIA
+         case wolfssl_aria_gcm:
+-            ret = wc_AriaDecrypt(ssl->decrypt.aria,
+-                        plain,
+-                        (byte *)input + AESGCM_EXP_IV_SZ,
+-                          sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
+-                        ssl->decrypt.nonce, AESGCM_NONCE_SZ,
+-                        ssl->decrypt.additional, ssl->specs.aead_mac_size,
+-                        NULL, 0);
++            if (sz < AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size) {
++                ret = BUFFER_ERROR;
++            }
++
++            if (ret == 0) {
++                ret = wc_AriaDecrypt(ssl->decrypt.aria,
++                            plain,
++                            (byte *)input + AESGCM_EXP_IV_SZ,
++                            sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
++                            ssl->decrypt.nonce, AESGCM_NONCE_SZ,
++                            ssl->decrypt.additional, ssl->specs.aead_mac_size,
++                            NULL, 0);
++            }
+             break;
+     #endif
+ 
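Review bot: In the AES-GCM/CCM branch of the embedded src/sniffer.c change, the new length check comes after the two nonce copies, so `XMEMCPY(ssl->decrypt.nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ)` still reads AESGCM_EXP_IV_SZ bytes from `input` even when `sz` is smaller than that. Whether that read can run past the record data depends on how the caller sizes `input`, which is not visible here. Placing `if (sz < AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size) { ret = BUFFER_ERROR; }` ahead of the copies, and guarding them with `ret == 0`, would make the branch safe regardless. Both added guards (this one and the ARIA-GCM one) also assume `ret` is 0 on entry to the case; DecryptDo starts and ends outside the hunk, so that initialisation should be confirmed against the 5.8.0 source this backport applies to. Since this is a cherry-pick, any reordering is best raised upstream rather than carried as a local deviation.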
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
index 78d17630c7..cb3184a40e 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
@@ -27,6 +27,7 @@  SRC_URI = " \
     file://CVE-2025-7394-4.patch \
     file://CVE-2025-7394-5.patch \
     file://CVE-2025-7394-6.patch \
+    file://CVE-2026-1005.patch \
 "
 
 SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"