Commit aa5aaebc33 for strongswan.org
commit aa5aaebc33e0f326d8a0dbe01b236f2bfa0e6ea1
Author: Lukas Johannes Möller <research@johannes-moeller.dev>
Date: Wed Mar 11 16:07:10 2026 +0000
libsimaka: Reject zero-length EAP-SIM/AKA attributes
parse_attributes() accepts hdr->length == 0 in the AT_ENCR_DATA,
AT_RAND, AT_PADDING, default branches. The code then subtracts the
fixed attribute header size from the encoded length, which underflows
and exposes a wrapped payload length to later code. In particular,
for the cases where add_attribute() is called, this causes a heap-based
buffer overflow (a buffer of 12 bytes is allocated to which the wrapped
length is written). For AT_PADDING, the underflow is irrelevant as
add_attribute() is not called. Instead, this results in an infinite loop.
Reject zero-length attributes before subtracting the attribute header.
Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA")
Fixes: CVE-2026-35330
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
index 52c6f83e22..9c5363e41f 100644
--- a/src/libsimaka/simaka_message.c
+++ b/src/libsimaka/simaka_message.c
@@ -416,7 +416,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
case AT_ENCR_DATA:
case AT_RAND:
{
- if (hdr->length * 4 > in.len || in.len < 4)
+ if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
{
return invalid_length(hdr->type);
}
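Review bot: The new `hdr->length == 0` test on the AT_ENCR_DATA/AT_RAND branch (and the identical one on the AT_PADDING/default branch in the next hunk) carries none of the reasoning given in the commit message, so a later cleanup could easily fold it back into the `* 4 > in.len` comparison; a comment above the `if` such as `/* length is in 4-byte units and includes the header: 0 would underflow the payload length (and never advance for AT_PADDING) */` would keep that rationale next to the check. The same three-term condition now appears verbatim in both branches, which suggests a small `static inline` predicate or a shared validation label rather than two copies that must be kept in sync. parse_attributes() and the remaining case labels of this switch lie outside the hunk, so whether any other branch still accepts a zero length cannot be confirmed from here and is worth a look.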
@@ -439,7 +439,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
case AT_PADDING:
default:
{
- if (hdr->length * 4 > in.len || in.len < 4)
+ if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
{
return invalid_length(hdr->type);
}
@@ -932,4 +932,3 @@ simaka_message_t *simaka_message_create(bool request, uint8_t identifier,
return simaka_message_create_data(chunk_create((char*)&hdr, sizeof(hdr)),
crypto);
}
-