Commit febe474926 for strongswan.org
commit febe474926b85dc341cbbd5a46b1684bca20aed3
Author: Markus Theil <markus.theil@secunet.com>
Date: Thu Apr 9 12:17:33 2026 +0200
encrypted-payload: Check for non-zero payload size
Signed-off-by: Markus Theil <markus.theil@secunet.com>
diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c
index 4821c6108e..4ac7aba94e 100644
--- a/src/libcharon/encoding/payloads/encrypted_payload.c
+++ b/src/libcharon/encoding/payloads/encrypted_payload.c
@@ -637,7 +637,7 @@ static status_t decrypt_content(char *label, aead_t *aead, chunk_t encrypted,
crypt.ptr = iv.ptr + iv.len;
crypt.len = encrypted.len - iv.len;
- if (iv.len + icv.len > encrypted.len ||
+ if (iv.len + icv.len >= encrypted.len ||
(crypt.len - icv.len) % bs)
{
DBG1(DBG_ENC, "decrypting %s payload failed, invalid length", label);
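Review bot: The tightened comparison `iv.len + icv.len >= encrypted.len` has no comment, and the commit message does not say why an empty ciphertext must be rejected. A one-line comment above the `if` would record the reason, e.g. `/* ciphertext between IV and ICV must hold at least the Pad Length octet (RFC 7296, 3.14) */`; presumably the code after decryption reads that trailing octet, but that part of decrypt_content lies outside the hunk. Separately, `crypt.len = encrypted.len - iv.len` is computed before the bound is verified, so it can wrap for input shorter than the IV, and only the short-circuit `||` keeps the wrapped value out of the `% bs` test. That ordering dependency is worth stating in the same comment, or the assignment could move below the check. A unit test feeding a payload of exactly IV plus ICV length would pin the new boundary.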