Upstream-Status: Backport 
[https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]

Signed-off-by: Nitin Wankhade <[email protected]>
---
 ...nt-infinite-loop-if-supported-versio.patch | 42 +++++++++++++++++++
 .../strongswan/strongswan_5.9.14.bb           |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 
meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch

diff --git 
a/meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch
 
b/meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch
new file mode 100644
index 0000000000..32a23b3be1
--- /dev/null
+++ 
b/meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch
@@ -0,0 +1,42 @@
+From: Tobias Brunner <[email protected]>
+Date: Wed, 25 Mar 2026 10:17:46 +0100
+Subject: tls-server: Prevent infinite loop if supported versions are too
+ short
+
+If the extension doesn't contain a multiple of two bytes, the previous
+code would get stuck in an infinite loop as `remaining()` continued to
+return TRUE while `read_uint16()` failed to parse a value. Initiating
+several connections with such an extension allows a DoS attack as no
+threads would eventually be available to handle packets/events.
+
+Fixes: 7fbe2e27ecf6 ("tls-server: TLS 1.3 support for TLS server 
implementation")
+Fixes: CVE-2026-35328
+
+CVE: CVE-2026-35328
+Upstream-Status: Backport 
[https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]
+Signed-off-by: Nitin Wankhade <[email protected]>
+===
+diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
+index 3ad9fd2..7b2238e 100644
+--- a/src/libtls/tls_server.c
++++ b/src/libtls/tls_server.c
+@@ -471,15 +471,12 @@ static status_t 
process_client_hello(private_tls_server_t *this,
+               bio_reader_t *client_versions;
+ 
+               client_versions = bio_reader_create(versions);
+-              while (client_versions->remaining(client_versions))
++              while (client_versions->read_uint16(client_versions, &version))
+               {
+-                      if (client_versions->read_uint16(client_versions, 
&version))
++                      if (this->tls->set_version(this->tls, version, version))
+                       {
+-                              if (this->tls->set_version(this->tls, version, 
version))
+-                              {
+-                                      this->client_version = version;
+-                                      break;
+-                              }
++                              this->client_version = version;
++                              break;
+                       }
+               }
+               client_versions->destroy(client_versions);
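Review bot: The rewritten `while (client_versions->read_uint16(client_versions, &version))` loop ends the spin but still silently accepts a supported_versions list whose length is not a multiple of two — when `read_uint16()` fails on a trailing odd byte the loop simply exits and, unless a version matched earlier, processing presumably continues as if the extension were well-formed. A stricter fix would treat leftover bytes as a malformed ClientHello, e.g. testing `client_versions->remaining(client_versions)` after the loop when no version was accepted and failing the handshake instead of falling through; how that failure is reported depends on the error path of `process_client_hello`, which starts and ends outside this hunk. On the patch header, `Upstream-Status: Backport [...]` points at a Debian source tarball rather than the upstream strongswan fix commit (the `Fixes: 7fbe2e27ecf6` trailer names the commit that introduced the bug, not the fix), whereas OE convention expects the upstream commit URL there. The `===` separator before the embedded diff is also nonstandard; `---` is what git am and quilt expect, although `patch`/`git apply` will skip it.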
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb 
b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
index 7cc67e4d92..6fbc345923 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
@@ -12,6 +12,7 @@ SRC_URI = 
"https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://CVE-2025-62291.patch \
            file://CVE-2026-25075.patch \
            file://CVE-2026-35334.patch \
+           file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \
            "
 
 SRC_URI[sha256sum] = 
"728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
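Review bot: The added SRC_URI entry names the patch by its upstream subject while the three sibling entries (`CVE-2025-62291.patch`, `CVE-2026-25075.patch`, `CVE-2026-35334.patch`) are named by CVE id; for consistency and so the fix is greppable by its identifier, rename it to `CVE-2026-35328.patch` and list it as `file://CVE-2026-35328.patch \`. As far as I know cve-check also recognises the `CVE: CVE-2026-35328` tag inside the patch header, so the rename is cosmetic for tooling but keeps the recipe's naming uniform for reviewers.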
-- 
2.34.1
