Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/e067d24293953cff56011a1ea6989872bdd98fcd]
Signed-off-by: Nitin Wankhade <[email protected]> --- ...-undersized-attributes-in-enumerator.patch | 41 +++++++++++++++++++ .../strongswan/strongswan_5.9.14.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch diff --git a/meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch b/meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch new file mode 100644 index 0000000000..27cdb485e7 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch @@ -0,0 +1,41 @@ +From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= <[email protected]> +Date: Thu, 12 Mar 2026 10:24:45 +0000 +Subject: libradius: Reject undersized attributes in enumerator +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +attribute_enumerate() accepts RADIUS attributes whose length byte is +smaller than sizeof(rattr_t) (2). For length == 0, the iterator never +advances and traps callers — including verify() — in a non-advancing +loop. For length == 1, misaligned packed-struct reads occur. + +Add a separate check for this->next->length < sizeof(rattr_t) after +the existing truncation guard. This mirrors radius_message_parse(), +which already distinguishes invalid length from truncation. + +Signed-off-by: Lukas Johannes Möller <[email protected]> + +Fixes: 4a6b84a93461 ("reintegrated eap-radius branch into trunk") +Fixes: CVE-2026-35333 + +CVE: CVE-2026-35333 +Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/e067d24293953cff56011a1ea6989872bdd98fcd] +Signed-off-by: Nitin Wankhade <[email protected]> +=== +diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c +index 8e2db0c..2bbbb48 100644 +--- a/src/libradius/radius_message.c ++++ b/src/libradius/radius_message.c +@@ -261,6 +261,11 @@ METHOD(enumerator_t, attribute_enumerate, bool, + DBG1(DBG_IKE, "RADIUS message truncated"); + return FALSE; + } ++ if (this->next->length < sizeof(rattr_t)) ++ { ++ DBG1(DBG_IKE, "RADIUS attribute has invalid length"); ++ return FALSE; ++ } + *type = this->next->type; + data->ptr = this->next->value; + data->len = this->next->length - sizeof(rattr_t); diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb index f65a94dd73..661727e501 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb @@ -17,6 +17,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \ file://constraints-Case-insensitive-matching-and-reject-exc.patch \ file://tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch \ + file://libradius-Reject-undersized-attributes-in-enumerator.patch \ " SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#127451): https://lists.openembedded.org/g/openembedded-devel/message/127451 Mute This Topic: https://lists.openembedded.org/mt/119720013/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
