From 811b750fb6c93bc0816060746e3e5ef17930f675 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 25 Mar 2026 10:28:45 +0100
Subject: [PATCH] pkcs7: Avoid NULL pointer dereference when verifying padding

Can be triggered via empty PKCS#7 enveloped-data content in IKEv1 CERT payload.

Fixes: d7aa09104f08 ("Implement PKCS#7 enveloped-data parsing and decryption")
Fixes: CVE-2026-35329
---
 .../plugins/pkcs7/pkcs7_enveloped_data.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
index 8b26bad3ac43..795d979fd49b 100644
--- a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
@@ -182,9 +182,17 @@ static bool decrypt(private_key_t *private, chunk_t key, chunk_t iv, int oid,
 */
 static bool remove_padding(private_pkcs7_enveloped_data_t *this)
 {
- u_char *pos = this->content.ptr + this->content.len - 1;
- u_char pattern = *pos;
- size_t padding = pattern;
+ u_char *pos, pattern;
+ size_t padding;
+
+ if (!this->content.len)
+ {
+ return FALSE;
+ }
+
+ pos = this->content.ptr + this->content.len - 1;
+ pattern = *pos;
+ padding = pattern;
 
 if (padding > this->content.len)
 {
-- 
2.43.0
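Review bot: The unchanged check at the end of the hunk, `if (padding > this->content.len)`, still accepts a final byte of 0 as a pad length, even though the new guard in remove_padding() now rejects empty content. PKCS#7 padding (RFC 5652, section 6.3) always adds at least one pad byte, so a zero value marks malformed plaintext. Unless the part of the body outside this hunk already rejects it, consider `if (!padding || padding > this->content.len)` so that case fails here too. The new early `return FALSE;` is also silent; a short debug message there, for instance `DBG1(DBG_LIB, "empty content, no padding to remove");`, would make rejected empty enveloped-data visible in logs. The function body continues past the last line shown.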