strongswan: Fix CVE-2026-35333

Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/e067d24293953cff56011a1ea6989872bdd98fcd]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Nitin Wankhade
2026-06-09 14:54:07 +05:30
committed by Anuj Mittal
parent a7dc4178c9
commit 9f47f2e912
2 changed files with 42 additions and 0 deletions
@@ -0,0 +1,41 @@
From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= <research@johannes-moeller.dev>
Date: Thu, 12 Mar 2026 10:24:45 +0000
Subject: libradius: Reject undersized attributes in enumerator
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
attribute_enumerate() accepts RADIUS attributes whose length byte is
smaller than sizeof(rattr_t) (2). For length == 0, the iterator never
advances and traps callers — including verify() — in a non-advancing
loop. For length == 1, misaligned packed-struct reads occur.
Add a separate check for this->next->length < sizeof(rattr_t) after
the existing truncation guard. This mirrors radius_message_parse(),
which already distinguishes invalid length from truncation.
Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
Fixes: 4a6b84a93461 ("reintegrated eap-radius branch into trunk")
Fixes: CVE-2026-35333
CVE: CVE-2026-35333
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/e067d24293953cff56011a1ea6989872bdd98fcd]
Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
===
diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
index 8e2db0c..2bbbb48 100644
--- a/src/libradius/radius_message.c
+++ b/src/libradius/radius_message.c
@@ -261,6 +261,11 @@ METHOD(enumerator_t, attribute_enumerate, bool,
DBG1(DBG_IKE, "RADIUS message truncated");
return FALSE;
}
+ if (this->next->length < sizeof(rattr_t))
+ {
+ DBG1(DBG_IKE, "RADIUS attribute has invalid length");
+ return FALSE;
+ }
*type = this->next->type;
data->ptr = this->next->value;
data->len = this->next->length - sizeof(rattr_t);
@@ -17,6 +17,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
file://constraints-Case-insensitive-matching-and-reject-exc.patch \
file://tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch \
file://libradius-Reject-undersized-attributes-in-enumerator.patch \
"
SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"