From: Lukas Johannes Möller Date: Wed, 11 Mar 2026 16:07:10 +0000 (+0000) Subject: libsimaka: Reject zero-length EAP-SIM/AKA attributes X-Git-Tag: 6.0.6~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa5aaebc33e0f326d8a0dbe01b236f2bfa0e6ea1;p=thirdparty%2Fstrongswan.git libsimaka: Reject zero-length EAP-SIM/AKA attributes parse_attributes() accepts hdr->length == 0 in the AT_ENCR_DATA, AT_RAND, AT_PADDING, default branches. The code then subtracts the fixed attribute header size from the encoded length, which underflows and exposes a wrapped payload length to later code. In particular, for the cases where add_attribute() is called, this causes a heap-based buffer overflow (a buffer of 12 bytes is allocated to which the wrapped length is written). For AT_PADDING, the underflow is irrelevant as add_attribute() is not called. Instead, this results in an infinite loop. Reject zero-length attributes before subtracting the attribute header. Signed-off-by: Lukas Johannes Möller Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA") Fixes: CVE-2026-35330 --- diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c index 52c6f83e22..9c5363e41f 100644 --- a/src/libsimaka/simaka_message.c +++ b/src/libsimaka/simaka_message.c @@ -416,7 +416,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in) case AT_ENCR_DATA: case AT_RAND: { - if (hdr->length * 4 > in.len || in.len < 4) + if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4) { return invalid_length(hdr->type); } @@ -439,7 +439,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in) case AT_PADDING: default: { - if (hdr->length * 4 > in.len || in.len < 4) + if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4) { return invalid_length(hdr->type); } 
@@ -932,4 +932,3 @@ simaka_message_t *simaka_message_create(bool request, uint8_t identifier, return simaka_message_create_data(chunk_create((char*)&hdr, sizeof(hdr)), crypto); } -
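Review bot: the new `hdr->length == 0` clause in the AT_ENCR_DATA/AT_RAND branch at line 416 is correct but carries no comment explaining why zero is rejected; a one-line comment noting that the EAP-SIM/AKA attribute length counts the 4-byte header itself (RFC 4186/4187, so the minimum legal value is 1) would make the intent of `if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)` clear to the next reader, and the same condition is repeated verbatim in the second hunk, which suggests hoisting it into a small helper or a single check before the `switch` so future branches cannot omit it. The commit message describes the consequence (underflow when the header size is subtracted, then a 12-byte allocation written with the wrapped length), so a regression test that feeds a message with a zero-length AT_RAND into `parse_attributes()` and asserts `invalid_length()` is returned would pin the fix.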
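Review bot: the AT_PADDING/default branch at line 439 receives the identical `hdr->length == 0 ||` guard, but the failure mode here differs from the first hunk (the commit message says no `add_attribute()` call happens, so the symptom was an infinite loop rather than a heap overflow); a test for this branch should run under a timeout, since a regression would hang rather than crash, and should cover both AT_PADDING and an unknown attribute type so the `default` path is exercised too. Duplicating the condition in two places is the point most worth fixing before merge: one shared check keeps the two branches from drifting apart again.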
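Review bot: the third hunk at line 932 only deletes a trailing empty line after `simaka_message_create()` and is unrelated to the CVE fix; bundling a whitespace change into a security commit makes the patch slightly harder to cherry-pick onto older branches, so consider dropping it or moving it to a separate cleanup commit.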