strongswan: Fix CVE-2026-35330

Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/aa5aaebc33e0f326d8a0dbe01b236f2bfa0e6ea1]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Nitin Wankhade
2026-06-09 14:54:04 +05:30
committed by Anuj Mittal
parent 2150ad1cbf
commit 0d3124974e
2 changed files with 55 additions and 0 deletions
@@ -0,0 +1,54 @@
From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= <research@johannes-moeller.dev>
Date: Wed, 11 Mar 2026 16:07:10 +0000
Subject: libsimaka: Reject zero-length EAP-SIM/AKA attributes
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
parse_attributes() accepts hdr->length == 0 in the AT_ENCR_DATA,
AT_RAND, AT_PADDING, default branches. The code then subtracts the
fixed attribute header size from the encoded length, which underflows
and exposes a wrapped payload length to later code. In particular,
for the cases where add_attribute() is called, this causes a heap-based
buffer overflow (a buffer of 12 bytes is allocated to which the wrapped
length is written). For AT_PADDING, the underflow is irrelevant as
add_attribute() is not called. Instead, this results in an infinite loop.
Reject zero-length attributes before subtracting the attribute header.
Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA")
Fixes: CVE-2026-35330
CVE: CVE-2026-35330
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/aa5aaebc33e0f326d8a0dbe01b236f2bfa0e6ea1]
Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
===
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
index 6706568..4862048 100644
--- a/src/libsimaka/simaka_message.c
+++ b/src/libsimaka/simaka_message.c
@@ -416,7 +416,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
case AT_ENCR_DATA:
case AT_RAND:
{
- if (hdr->length * 4 > in.len || in.len < 4)
+ if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
{
return invalid_length(hdr->type);
}
@@ -439,7 +439,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
case AT_PADDING:
default:
{
- if (hdr->length * 4 > in.len || in.len < 4)
+ if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
{
return invalid_length(hdr->type);
}
@@ -932,4 +932,3 @@ simaka_message_t *simaka_message_create(bool request, uint8_t identifier,
return simaka_message_create_data(chunk_create((char*)&hdr, sizeof(hdr)),
crypto);
}
-
@@ -14,6 +14,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
file://CVE-2026-35334.patch \
file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \
file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \
file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
"
SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"