Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/e067d24293953cff56011a1ea6989872bdd98fcd]

Signed-off-by: Nitin Wankhade <[email protected]>
---
 ...-undersized-attributes-in-enumerator.patch | 41 +++++++++++++++++++
 .../strongswan/strongswan_5.9.14.bb           |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch

diff --git a/meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch b/meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch
new file mode 100644
index 0000000000..27cdb485e7
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch
@@ -0,0 +1,41 @@
+From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= <[email protected]>
+Date: Thu, 12 Mar 2026 10:24:45 +0000
+Subject: libradius: Reject undersized attributes in enumerator
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+attribute_enumerate() accepts RADIUS attributes whose length byte is
+smaller than sizeof(rattr_t) (2).  For length == 0, the iterator never
+advances and traps callers — including verify() — in a non-advancing
+loop.  For length == 1, misaligned packed-struct reads occur.
+
+Add a separate check for this->next->length < sizeof(rattr_t) after
+the existing truncation guard.  This mirrors radius_message_parse(),
+which already distinguishes invalid length from truncation.
+
+Signed-off-by: Lukas Johannes Möller <[email protected]>
+
+Fixes: 4a6b84a93461 ("reintegrated eap-radius branch into trunk")
+Fixes: CVE-2026-35333
+
+CVE: CVE-2026-35333
+Upstream-Status: Backport 
[https://github.com/strongswan/strongswan/commit/e067d24293953cff56011a1ea6989872bdd98fcd]
+Signed-off-by: Nitin Wankhade <[email protected]>
+===
+diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
+index 8e2db0c..2bbbb48 100644
+--- a/src/libradius/radius_message.c
++++ b/src/libradius/radius_message.c
+@@ -261,6 +261,11 @@ METHOD(enumerator_t, attribute_enumerate, bool,
+               DBG1(DBG_IKE, "RADIUS message truncated");
+               return FALSE;
+       }
++      if (this->next->length < sizeof(rattr_t))
++      {
++                DBG1(DBG_IKE, "RADIUS attribute has invalid length");
++                return FALSE;
++       }
+       *type = this->next->type;
+       data->ptr = this->next->value;
+       data->len = this->next->length - sizeof(rattr_t);
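Review bot: the indentation of the three lines inside the new `if` block (`DBG1(DBG_IKE, "RADIUS attribute has invalid length");`, `return FALSE;` and the closing `}`) does not line up with the `if (this->next->length < sizeof(rattr_t))` line or with the surrounding context of radius_message.c, which is tab-indented in strongSwan; please check that the added lines use tabs like the rest of the file so the backport matches upstream whitespace. Also, the `Upstream-Status: Backport` tag in the patch header has its URL on a following line without a leading `+`; the hunk count (`+1,41`) only adds up if that is mail wrapping, so confirm the committed patch file keeps the tag and URL on one line.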
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
index f65a94dd73..661727e501 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb
@@ -17,6 +17,7 @@ SRC_URI = 
"https://download.strongswan.org/strongswan-${PV}.tar.bz2 \
            file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
            file://constraints-Case-insensitive-matching-and-reject-exc.patch \
            file://tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch \
+           file://libradius-Reject-undersized-attributes-in-enumerator.patch \
            "
 
 SRC_URI[sha256sum] = 
"728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"
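Review bot: no recipe-side CVE_STATUS entry is needed for CVE-2026-35333 here, since the `CVE:` tag in the header of the added patch is what cve-check reads to mark the CVE as patched; the new `file://libradius-Reject-undersized-attributes-in-enumerator.patch` entry follows the naming and ordering of the three sibling fix patches above it, so this hunk looks fine as is.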
-- 
2.34.1
