Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/aa5aaebc33e0f326d8a0dbe01b236f2bfa0e6ea1]
Signed-off-by: Nitin Wankhade <[email protected]>
---
 ...-Reject-zero-length-EAP-SIM-AKA-attributes | 54 +++++++++++++++++++
 .../strongswan/strongswan_5.9.14.bb | 1 +
 2 files changed, 55 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes
diff --git a/meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes b/meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes
new file mode 100644
index 0000000000..c9f647048f
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes
@@ -0,0 +1,54 @@
+From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= <[email protected]>
+Date: Wed, 11 Mar 2026 16:07:10 +0000
+Subject: libsimaka: Reject zero-length EAP-SIM/AKA attributes
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+parse_attributes() accepts hdr->length == 0 in the AT_ENCR_DATA,
+AT_RAND, AT_PADDING, default branches. The code then subtracts the
+fixed attribute header size from the encoded length, which underflows
+and exposes a wrapped payload length to later code. In particular,
+for the cases where add_attribute() is called, this causes a heap-based
+buffer overflow (a buffer of 12 bytes is allocated to which the wrapped
+length is written). For AT_PADDING, the underflow is irrelevant as
+add_attribute() is not called. Instead, this results in an infinite loop.
+
+Reject zero-length attributes before subtracting the attribute header.
+
+Signed-off-by: Lukas Johannes Möller <[email protected]>
+
+Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA")
+Fixes: CVE-2026-35330
+
+CVE: CVE-2026-35330
+Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/aa5aaebc33e0f326d8a0dbe01b236f2bfa0e6ea1]
+Signed-off-by: Nitin Wankhade <[email protected]>
+===
+diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
+index 6706568..4862048 100644
+--- a/src/libsimaka/simaka_message.c
++++ b/src/libsimaka/simaka_message.c
+@@ -416,7 +416,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
+ case AT_ENCR_DATA:
+ case AT_RAND:
+ {
+- if (hdr->length * 4 > in.len || in.len < 4)
++ if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
+ {
+ return invalid_length(hdr->type);
+ }
+@@ -439,7 +439,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
+ case AT_PADDING:
+ default:
+ {
+- if (hdr->length * 4 > in.len || in.len < 4)
++ if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
+ {
+ return invalid_length(hdr->type);
+ }
+@@ -932,4 +932,3 @@ simaka_message_t *simaka_message_create(bool request, uint8_t identifier,
+ return simaka_message_create_data(chunk_create((char*)&hdr, sizeof(hdr)),
+ crypto);
+ }
+-
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
index ac4bc5380b..85fd95d6b8 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
 file://CVE-2026-35334.patch \
 file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \
 file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \
+ file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
 "
 SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
-- 
2.34.1
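Review bot: The added patch file's name and its SRC_URI entry do not match. The `create mode` and `diff --git` lines add `strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes` with no extension, while the strongswan_5.9.14.bb hunk adds `file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \`. As posted, the fetcher would presumably fail to find the file, so the CVE-2026-35330 length check would never reach the built libsimaka. Rename the added file to end in `.patch` so it matches the recipe entry and its neighbours. Separately, the third inner hunk (`@@ -932,4 +932,3 @@`) only drops a trailing blank line in simaka_message.c and is unrelated to the zero-length check; if it is not in the upstream commit, leaving it out keeps the backport minimal and easier to audit.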
