From 323fff434ba47aecfe4fa3bdfd1fed9c8b8dfe1f Mon Sep 17 00:00:00 2001
From: Rahul Jain <rahul.jain@suse.com>
Date: Thu, 16 Apr 2026 21:54:32 +0530
Subject: [PATCH] Fix CVE-2026-35329: pkcs7 encrypted container processing

---
 src/libstrongswan/crypto/pkcs5.c                   |  5 +++++
 .../plugins/pkcs7/pkcs7_enveloped_data.c           | 14 +++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)
 
diff --git a/src/libstrongswan/crypto/pkcs5.c b/src/libstrongswan/crypto/pkcs5.c
index 3b4df0e..fa2ed52 100644
--- a/src/libstrongswan/crypto/pkcs5.c
+++ b/src/libstrongswan/crypto/pkcs5.c
@@ -112,6 +112,11 @@ static bool verify_padding(chunk_t *blob)
 {
 	u_int8_t padding, count;
 
+	if (!blob->len)
+	{
+		return FALSE;
+	}
+
 	padding = count = blob->ptr[blob->len - 1];
 
 	if (padding > 8)
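Review bot: The visible range check in verify_padding, `if (padding > 8)`, still accepts a pad byte of 0 after the new empty-blob guard, and 0 is not a valid PKCS#5 pad length. The function continues outside the hunk, so if nothing further down rejects it, consider `if (!padding || padding > 8)`. The same question applies to remove_padding in pkcs7_enveloped_data.c, where the only visible test is `if (padding > this->content.len)`. A comment on the new guard, such as `/* an empty blob would make blob->len - 1 index outside the buffer */`, would record why it exists.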
diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
index 5cd0d8f..74a939b 100644
--- a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
@@ -182,9 +182,17 @@ static bool decrypt(private_key_t *private, chunk_t key, chunk_t iv, int oid,
  */
 static bool remove_padding(private_pkcs7_enveloped_data_t *this)
 {
-	u_char *pos = this->content.ptr + this->content.len - 1;
-	u_char pattern = *pos;
-	size_t padding = pattern;
+	u_char *pos, pattern;
+	size_t padding;
+
+	if (!this->content.len)
+	{
+		return FALSE;
+	}
+
+	pos = this->content.ptr + this->content.len - 1;
+	pattern = *pos;
+	padding = pattern;
 
 	if (padding > this->content.len)
 	{
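Review bot: The new early `return FALSE;` in remove_padding emits no diagnostic, so the zero-length content case this patch closes cannot be told apart in logs from any other decryption failure. If the later failure paths in this function log (they fall outside the hunk), a matching line before the return, such as `DBG1(DBG_LIB, "no content to remove padding from");`, would keep that consistent and give operators something to alert on. The diffstat also lists only the two source files, so a regression test covering the zero-length case for both guards would be worth adding.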
-- 
2.50
