strongswan: add fix for CVE-2021-41991

Full details of the CVE can be found at the following link:
https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41991).html

Signed-off-by: Florian Eckert <fe@dev.tdt.de>

diff --git a/net/strongswan/patches/700-strongswan-4.4.1-5.9.3_cert-cache-random.patch b/net/strongswan/patches/700-strongswan-4.4.1-5.9.3_cert-cache-random.patch
new file mode 100644 (file)
index 0000000..075ba5e
--- /dev/null
+++ b/net/strongswan/patches/700-strongswan-4.4.1-5.9.3_cert-cache-random.patch
@@ -0,0 +1,30 @@
+From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 28 Sep 2021 19:38:22 +0200
+Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change
+
+random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
+equaling INT_MAX = 2^31-1.  Previously, values between 0 and 31 were added
+directly to that offset before applying`% CACHE_SIZE` to get an index into
+the cache array.  If the random value was very high, this resulted in an
+integer overflow and a negative index value and, therefore, an out-of-bounds
+access of the array and in turn dereferencing invalid pointers when trying
+to acquire the read lock.  This most likely results in a segmentation fault.
+
+Fixes: 764e8b2211ce ("reimplemented certificate cache")
+Fixes: CVE-2021-41991
+---
+ src/libstrongswan/credentials/sets/cert_cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/libstrongswan/credentials/sets/cert_cache.c
++++ b/src/libstrongswan/credentials/sets/cert_cache.c
+@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *
+       for (try = 0; try < REPLACE_TRIES; try++)
+       {
+               /* replace a random relation */
+-              offset = random();
++              offset = random() % CACHE_SIZE;
+               for (i = 0; i < CACHE_SIZE; i++)
+               {
+                       rel = &this->relations[(i + offset) % CACHE_SIZE];