From d1bc776958b2d4297bbdf92531d092c3bb0f093f Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Tue, 14 Mar 2023 10:09:53 +0100 Subject: [PATCH] strongswan: add fix for CVE-2021-41991 Full details of the CVE can be found at the following link: https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41991).html Signed-off-by: Florian Eckert --- ...ngswan-4.4.1-5.9.3_cert-cache-random.patch | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 net/strongswan/patches/700-strongswan-4.4.1-5.9.3_cert-cache-random.patch diff --git a/net/strongswan/patches/700-strongswan-4.4.1-5.9.3_cert-cache-random.patch b/net/strongswan/patches/700-strongswan-4.4.1-5.9.3_cert-cache-random.patch new file mode 100644 index 0000000000..075ba5e3b5 --- /dev/null +++ b/net/strongswan/patches/700-strongswan-4.4.1-5.9.3_cert-cache-random.patch @@ -0,0 +1,30 @@ +From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Tue, 28 Sep 2021 19:38:22 +0200 +Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change + +random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually +equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added +directly to that offset before applying`% CACHE_SIZE` to get an index into +the cache array. If the random value was very high, this resulted in an +integer overflow and a negative index value and, therefore, an out-of-bounds +access of the array and in turn dereferencing invalid pointers when trying +to acquire the read lock. This most likely results in a segmentation fault. + +Fixes: 764e8b2211ce ("reimplemented certificate cache") +Fixes: CVE-2021-41991 +--- + src/libstrongswan/credentials/sets/cert_cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/libstrongswan/credentials/sets/cert_cache.c ++++ b/src/libstrongswan/credentials/sets/cert_cache.c +@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t * + for (try = 0; try < REPLACE_TRIES; try++) + { + /* replace a random relation */ +- offset = random(); ++ offset = random() % CACHE_SIZE; + for (i = 0; i < CACHE_SIZE; i++) + { + rel = &this->relations[(i + offset) % CACHE_SIZE]; -- 2.30.2