mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
strongswan: Fix CVE-2026-35333
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/e067d24293953cff56011a1ea6989872bdd98fcd] Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
a7dc4178c9
commit
9f47f2e912
+41
@@ -0,0 +1,41 @@
|
|||||||
|
From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= <research@johannes-moeller.dev>
|
||||||
|
Date: Thu, 12 Mar 2026 10:24:45 +0000
|
||||||
|
Subject: libradius: Reject undersized attributes in enumerator
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset="utf-8"
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
attribute_enumerate() accepts RADIUS attributes whose length byte is
|
||||||
|
smaller than sizeof(rattr_t) (2). For length == 0, the iterator never
|
||||||
|
advances and traps callers — including verify() — in a non-advancing
|
||||||
|
loop. For length == 1, misaligned packed-struct reads occur.
|
||||||
|
|
||||||
|
Add a separate check for this->next->length < sizeof(rattr_t) after
|
||||||
|
the existing truncation guard. This mirrors radius_message_parse(),
|
||||||
|
which already distinguishes invalid length from truncation.
|
||||||
|
|
||||||
|
Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
|
||||||
|
|
||||||
|
Fixes: 4a6b84a93461 ("reintegrated eap-radius branch into trunk")
|
||||||
|
Fixes: CVE-2026-35333
|
||||||
|
|
||||||
|
CVE: CVE-2026-35333
|
||||||
|
Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/e067d24293953cff56011a1ea6989872bdd98fcd]
|
||||||
|
Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
|
||||||
|
===
|
||||||
|
diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
|
||||||
|
index 8e2db0c..2bbbb48 100644
|
||||||
|
--- a/src/libradius/radius_message.c
|
||||||
|
+++ b/src/libradius/radius_message.c
|
||||||
|
@@ -261,6 +261,11 @@ METHOD(enumerator_t, attribute_enumerate, bool,
|
||||||
|
DBG1(DBG_IKE, "RADIUS message truncated");
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
+ if (this->next->length < sizeof(rattr_t))
|
||||||
|
+ {
|
||||||
|
+ DBG1(DBG_IKE, "RADIUS attribute has invalid length");
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
*type = this->next->type;
|
||||||
|
data->ptr = this->next->value;
|
||||||
|
data->len = this->next->length - sizeof(rattr_t);
|
||||||
@@ -17,6 +17,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
|
|||||||
file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
|
file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
|
||||||
file://constraints-Case-insensitive-matching-and-reject-exc.patch \
|
file://constraints-Case-insensitive-matching-and-reject-exc.patch \
|
||||||
file://tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch \
|
file://tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch \
|
||||||
|
file://libradius-Reject-undersized-attributes-in-enumerator.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
|
SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
|
||||||
|
|||||||
Reference in New Issue
Block a user