diff mbox series

[meta-lts-collab,kirkstone,6/7] strongswan: Fix CVE-2026-35333

Message ID 20260604080506.274123-6-nitin.wankhade@kpit.com
State New
Headers show
Series [meta-lts-collab,kirkstone,1/7] strongswan: Fix CVE-2026-35328 | expand

Commit Message

Nitin Wankhade June 4, 2026, 8:05 a.m. UTC 
From: Nitin Wankhade <nitin.wankhade333@gmail.com>

Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]

Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
---
 ...-undersized-attributes-in-enumerator.patch | 41 +++++++++++++++++++
 .../strongswan/strongswan_5.9.13.bbappend     |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/files/libradius-Reject-undersized-attributes-in-enumerator.patch
diff mbox series

Patch

diff --git a/meta-networking/recipes-support/strongswan/files/libradius-Reject-undersized-attributes-in-enumerator.patch b/meta-networking/recipes-support/strongswan/files/libradius-Reject-undersized-attributes-in-enumerator.patch
new file mode 100644
index 0000000..0233ebf
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/libradius-Reject-undersized-attributes-in-enumerator.patch
@@ -0,0 +1,41 @@ 
+From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= <research@johannes-moeller.dev>
+Date: Thu, 12 Mar 2026 10:24:45 +0000
+Subject: libradius: Reject undersized attributes in enumerator
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+attribute_enumerate() accepts RADIUS attributes whose length byte is
+smaller than sizeof(rattr_t) (2).  For length == 0, the iterator never
+advances and traps callers — including verify() — in a non-advancing
+loop.  For length == 1, misaligned packed-struct reads occur.
+
+Add a separate check for this->next->length < sizeof(rattr_t) after
+the existing truncation guard.  This mirrors radius_message_parse(),
+which already distinguishes invalid length from truncation.
+
+Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
+
+Fixes: 4a6b84a93461 ("reintegrated eap-radius branch into trunk")
+Fixes: CVE-2026-35333
+
+CVE: CVE-2026-35333
+Upstream-Status: Backport [https://snapshot.debian.org/archive/debian-security-debug/20260422T125423Z/pool/updates/main/s/strongswan/strongswan_6.0.1-6%2Bdeb13u5.debian.tar.xz]
+Signed-off-by: Nitin Wankhade <nitin.wankhade333@gmail.com>
+===
+diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
+index 8e2db0c..2bbbb48 100644
+--- a/src/libradius/radius_message.c
++++ b/src/libradius/radius_message.c
+@@ -261,6 +261,11 @@ METHOD(enumerator_t, attribute_enumerate, bool,
+ 		DBG1(DBG_IKE, "RADIUS message truncated");
+ 		return FALSE;
+ 	}
++	if (this->next->length < sizeof(rattr_t))
++	{
++                DBG1(DBG_IKE, "RADIUS attribute has invalid length");
++                return FALSE;
++       }
+ 	*type = this->next->type;
+ 	data->ptr = this->next->value;
+ 	data->len = this->next->length - sizeof(rattr_t);
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bbappend b/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bbappend
index 8ccb230..8d22b60 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bbappend
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.13.bbappend
@@ -4,4 +4,5 @@  SRC_URI += "\
     file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \
     file://constraints-Case-insensitive-matching-and-reject-exc.patch \
     file://tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch \
+    file://libradius-Reject-undersized-attributes-in-enumerator.patch \
 "