Upstream-Status: Backport 
[https://github.com/strongswan/strongswan/commit/aa5aaebc33e0f326d8a0dbe01b236f2bfa0e6ea1]

Signed-off-by: Nitin Wankhade <[email protected]>
---
 ...-Reject-zero-length-EAP-SIM-AKA-attributes | 54 +++++++++++++++++++
 .../strongswan/strongswan_5.9.14.bb           |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 
meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes

diff --git 
a/meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes
 
b/meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes
new file mode 100644
index 0000000000..c9f647048f
--- /dev/null
+++ 
b/meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes
@@ -0,0 +1,54 @@
+From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= <[email protected]>
+Date: Wed, 11 Mar 2026 16:07:10 +0000
+Subject: libsimaka: Reject zero-length EAP-SIM/AKA attributes
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+parse_attributes() accepts hdr->length == 0 in the AT_ENCR_DATA,
+AT_RAND, AT_PADDING, default branches. The code then subtracts the
+fixed attribute header size from the encoded length, which underflows
+and exposes a wrapped payload length to later code.  In particular,
+for the cases where add_attribute() is called, this causes a heap-based
+buffer overflow (a buffer of 12 bytes is allocated to which the wrapped
+length is written).  For AT_PADDING, the underflow is irrelevant as
+add_attribute() is not called. Instead, this results in an infinite loop.
+
+Reject zero-length attributes before subtracting the attribute header.
+
+Signed-off-by: Lukas Johannes Möller <[email protected]>
+
+Fixes: f8330d03953b ("Added a libsimaka library with shared message handling 
code for EAP-SIM/AKA")
+Fixes: CVE-2026-35330
+
+CVE: CVE-2026-35330
+Upstream-Status: Backport 
[https://github.com/strongswan/strongswan/commit/aa5aaebc33e0f326d8a0dbe01b236f2bfa0e6ea1]
+Signed-off-by: Nitin Wankhade <[email protected]>
+===
+diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
+index 6706568..4862048 100644
+--- a/src/libsimaka/simaka_message.c
++++ b/src/libsimaka/simaka_message.c
+@@ -416,7 +416,7 @@ static bool parse_attributes(private_simaka_message_t 
*this, chunk_t in)
+                       case AT_ENCR_DATA:
+                       case AT_RAND:
+                       {
+-                              if (hdr->length * 4 > in.len || in.len < 4)
++                              if (hdr->length == 0 || hdr->length * 4 > 
in.len || in.len < 4)
+                               {
+                                       return invalid_length(hdr->type);
+                               }
+@@ -439,7 +439,7 @@ static bool parse_attributes(private_simaka_message_t 
*this, chunk_t in)
+                       case AT_PADDING:
+                       default:
+                       {
+-                              if (hdr->length * 4 > in.len || in.len < 4)
++                              if (hdr->length == 0 || hdr->length * 4 > 
in.len || in.len < 4)
+                               {
+                                       return invalid_length(hdr->type);
+                               }
+@@ -932,4 +932,3 @@ simaka_message_t *simaka_message_create(bool request, 
uint8_t identifier,
+       return simaka_message_create_data(chunk_create((char*)&hdr, 
sizeof(hdr)),
+                                                                         
crypto);
+ }
+-
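Review bot: With `hdr->length == 0` rejected first, the trailing `in.len < 4` clause in both changed conditions (the AT_ENCR_DATA/AT_RAND branch and the AT_PADDING/default branch) is now redundant, because a length of at least 1 that passes `hdr->length * 4 > in.len` already implies `in.len >= 4`. Keeping it is harmless, but the reason for the new clause is not obvious from the code alone, so a comment above each check would help, e.g. `/* length counts 4-byte words including the header; 0 would wrap the payload length computed below */`. The third hunk at line 932 only drops a trailing blank line and is unrelated to the CVE fix. parse_attributes() starts and ends outside these hunks, so the other switch branches could not be checked from here.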
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb 
b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
index ac4bc5380b..85fd95d6b8 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
@@ -14,6 +14,7 @@ SRC_URI = 
"https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://CVE-2026-35334.patch \
            file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \
            file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \
+           file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
            "
 
 SRC_URI[sha256sum] = 
"728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
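Review bot: The new `SRC_URI` entry names `libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch`, but the file this commit creates is shown without the `.patch` suffix in the `create mode` line, the `diff --git` header and the `+++` line. If that is the real file name and not an artefact of how the mail was wrapped, the fetch of this entry would fail, or the CVE-2026-35330 fix would not be applied; the added file and the `SRC_URI` entry should use the same name. The sibling entry `CVE-2026-35334.patch` is named after its CVE, so `CVE-2026-35330.patch` would keep the recipe consistent and easier to audit.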
-- 
2.34.1
