libsimaka: Reject zero-length EAP-SIM/AKA attributes
authorLukas Johannes Möller <research@johannes-moeller.dev>
Wed, 11 Mar 2026 16:07:10 +0000 (16:07 +0000)
committerTobias Brunner <tobias@strongswan.org>
Tue, 21 Apr 2026 14:48:56 +0000 (16:48 +0200)
parse_attributes() accepts hdr->length == 0 in the AT_ENCR_DATA,
AT_RAND, AT_PADDING and default branches. The code then subtracts the
fixed attribute header size from the encoded length, which underflows
and exposes a wrapped payload length to later code.  In particular,
for the cases where add_attribute() is called, this causes a heap-based
buffer overflow (a buffer of 12 bytes is allocated to which the wrapped
length is written).  For AT_PADDING, the underflow is irrelevant as
add_attribute() is not called. Instead, this results in an infinite loop.

Reject zero-length attributes before subtracting the attribute header.

Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA")
Fixes: CVE-2026-35330
src/libsimaka/simaka_message.c

index 52c6f83e229ca9d5e2e5889deeb02ad6393d3ba9..9c5363e41fa9ddef9aee50689d4d1966e6749719 100644 (file)
@@ -416,7 +416,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
                        case AT_ENCR_DATA:
                        case AT_RAND:
                        {
-                               if (hdr->length * 4 > in.len || in.len < 4)
+                               if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
                                {
                                        return invalid_length(hdr->type);
                                }
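Review bot: The new `hdr->length == 0` test on the `if` line carries no comment saying why zero is invalid, and the identical three-part guard is now repeated verbatim here and in the AT_PADDING/default branch of the next hunk, so a future attribute case can easily omit it. Per the commit message the encoded length counts 4-byte units including the attribute header, so a comment at the check such as `/* length includes the 4-byte header; 0 would underflow when the header is subtracted below */` keeps that reasoning next to the code. Factoring the guard into one small static helper called from both branches would keep the two copies from drifting apart. parse_attributes() starts and ends outside the hunk, so whether any branch between these two hunks also subtracts the header from hdr->length without this check cannot be confirmed here.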
@@ -439,7 +439,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
                        case AT_PADDING:
                        default:
                        {
-                               if (hdr->length * 4 > in.len || in.len < 4)
+                               if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
                                {
                                        return invalid_length(hdr->type);
                                }
@@ -932,4 +932,3 @@ simaka_message_t *simaka_message_create(bool request, uint8_t identifier,
        return simaka_message_create_data(chunk_create((char*)&hdr, sizeof(hdr)),
                                                                          crypto);
 }
-