Commit 4df53109a5 for strongswan.org

commit 4df53109a5f18c56743dcf18f8bd5336352c8775
Author: Tobias Brunner <tobias@strongswan.org>
Date:   Thu Jun 4 11:31:11 2026 +0200

    eap-aka: Make sure AT_RAND has the correct length in AKA-Challenge

    This prevents an OOB read if the AT_RAND data is shorter than the
    expected 16 bytes.

    The check for AT_AUTN is changed for consistency even though its length
    is already enforced by the parser (for AT_RAND it isn't because EAP-SIM
    expects a length of either 32 or 48 bytes).

    Fixes: aea334ec1cbf ("Splitted EAP-AKA in peer and server implementations, use libsimaka helper library")

diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.c b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
index 3bdbafc5d9..ab8494b17a 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_peer.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
@@ -244,7 +244,7 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 	}
 	enumerator->destroy(enumerator);

-	if (!rand.len || !autn.len)
+	if (rand.len != AKA_RAND_LEN || autn.len != AKA_AUTN_LEN)
 	{
 		DBG1(DBG_IKE, "received invalid EAP-AKA challenge message");
 		if (!create_client_error(this, out))