Commit 8dae5605a7 for strongswan.org

commit 8dae5605a79666c6def907efd8c872c91d93de5b
Author: Tobias Brunner <tobias@strongswan.org>
Date:   Wed Mar 25 10:35:03 2026 +0100

    pkcs7: Avoid NULL pointer dereference when verifying padding in enveloped content

    As with the previous issue, this can be triggered via IKEv1 CERT payloads.

    Fixes: d7aa09104f08 ("Implement PKCS#7 enveloped-data parsing and decryption")
    Fixes: CVE-2026-35329

diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
index 8b26bad3ac..795d979fd4 100644
--- a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
+++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c
@@ -182,9 +182,17 @@ static bool decrypt(private_key_t *private, chunk_t key, chunk_t iv, int oid,
  */
 static bool remove_padding(private_pkcs7_enveloped_data_t *this)
 {
-	u_char *pos = this->content.ptr + this->content.len - 1;
-	u_char pattern = *pos;
-	size_t padding = pattern;
+	u_char *pos, pattern;
+	size_t padding;
+
+	if (!this->content.len)
+	{
+		return FALSE;
+	}
+
+	pos = this->content.ptr + this->content.len - 1;
+	pattern = *pos;
+	padding = pattern;

 	if (padding > this->content.len)
 	{
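Review bot: A final byte of 0x00 still yields `padding = 0` in remove_padding(), which passes the following `if (padding > this->content.len)` test even though the new guard now rejects empty content. PKCS#7 padding is always at least one octet, so a zero pad value should presumably be rejected as well, for example `if (!padding || padding > this->content.len)`. The function body continues past the end of the hunk, so confirm whether later code already handles this case. The new early return is also silent; a short comment above it such as `/* empty content has no padding byte to read */` would record why the guard exists.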