Commit e067d24293 for strongswan.org

commit e067d24293953cff56011a1ea6989872bdd98fcd
Author: Lukas Johannes Möller <research@johannes-moeller.dev>
Date:   Thu Mar 12 10:24:45 2026 +0000

    libradius: Reject undersized attributes in enumerator

    attribute_enumerate() accepts RADIUS attributes whose length byte is
    smaller than sizeof(rattr_t) (2).  For length == 0, the iterator never
    advances and traps callers — including verify() — in a non-advancing
    loop.  For length == 1, misaligned packed-struct reads occur.

    Add a separate check for this->next->length < sizeof(rattr_t) after
    the existing truncation guard.  This mirrors radius_message_parse(),
    which already distinguishes invalid length from truncation.

    Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>

    Fixes: 4a6b84a93461 ("reintegrated eap-radius branch into trunk")
    Fixes: CVE-2026-35333

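To see the failure modes the commit message describes, here is an added, self-contained model of the enumerator (it is not strongSwan's code). The `rattr_t` layout, `enumerate_step()`, `walk_attributes()`, the result codes and the sample attribute lists are all assumptions made for the illustration; only the shape of the two guards mirrors the hunk below. Non-strict mode applies just the truncation guard, strict mode adds the `length < sizeof(rattr_t)` guard, and a length-0 attribute is caught by checking that the cursor actually moved:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 2-byte attribute header modelled on the rattr_t the commit
 * names: type, length (counts the header itself), then the value bytes. */
typedef struct __attribute__((packed)) {
	uint8_t type;
	uint8_t length;
	uint8_t value[];
} rattr_t;

enum walk_result {
	WALK_OK,             /* reached the end of the buffer cleanly */
	WALK_TRUNCATED,      /* attribute runs past the end of the buffer */
	WALK_INVALID_LENGTH, /* length byte smaller than the header (new guard) */
	WALK_STUCK           /* cursor did not advance (length == 0, no new guard) */
};

typedef struct {
	const rattr_t *next; /* attribute returned by the next step */
	size_t left;         /* bytes remaining from next to the end */
} attr_enum_t;

/* One enumerator step.  strict == false: only the truncation guard, as before
 * the patch.  strict == true: also reject length < sizeof(rattr_t). */
static bool enumerate_step(attr_enum_t *e, bool strict, uint8_t *type,
                           const uint8_t **data, size_t *dlen,
                           enum walk_result *why)
{
	if (e->left == 0) { *why = WALK_OK; return false; }
	if (e->left < sizeof(rattr_t) || e->left < e->next->length) {
		*why = WALK_TRUNCATED; return false;
	}
	if (strict && e->next->length < sizeof(rattr_t)) {
		*why = WALK_INVALID_LENGTH; return false;
	}
	*type = e->next->type;
	*data = e->next->value;
	*dlen = e->next->length - sizeof(rattr_t); /* wraps to SIZE_MAX for 0 or 1 */
	e->left -= e->next->length;               /* unchanged when length == 0 */
	e->next = (const rattr_t *)((const uint8_t *)e->next + e->next->length);
	return true;
}

/* Walk all attributes; report WALK_STUCK instead of looping forever when a
 * step returns the same attribute again. */
static enum walk_result walk_attributes(const uint8_t *buf, size_t len,
                                        bool strict, size_t *count)
{
	attr_enum_t e = { (const rattr_t *)buf, len };
	enum walk_result why = WALK_OK;
	uint8_t type; const uint8_t *data; size_t dlen;

	*count = 0;
	for (;;) {
		const rattr_t *before = e.next;
		if (!enumerate_step(&e, strict, &type, &data, &dlen, &why)) return why;
		(*count)++;
		if (e.next == before) return WALK_STUCK;
	}
}

/* Plain-expression wrappers for checking results. */
static enum walk_result walk_result_of(const uint8_t *b, size_t n, bool strict)
{ size_t c; return walk_attributes(b, n, strict, &c); }
static size_t walk_count_of(const uint8_t *b, size_t n, bool strict)
{ size_t c; walk_attributes(b, n, strict, &c); return c; }

/* Constructed attribute lists, not captured traffic. */
static const uint8_t PKT_GOOD[] = {
	0x01, 0x06, 'a', 'l', 'i', 'c', /* type 1, length 6, value "alic" */
	0x1f, 0x03, 'x',                /* type 31, length 3, value "x" */
};
static const uint8_t PKT_ZERO_LEN[] = {
	0x01, 0x06, 'a', 'l', 'i', 'c',
	0x20, 0x00, 0x00,               /* length 0: cursor never advances */
};
static const uint8_t PKT_ONE_LEN[] = { 0x20, 0x01, 0x00, 0x00 }; /* length 1 */
static const uint8_t PKT_TRUNC[]   = { 0x01, 0x09, 'a', 'l' };   /* 9 > 4 */

int main(void)
{
	static const char *names[] = { "ok", "truncated", "invalid length", "stuck" };
	for (int strict = 0; strict < 2; strict++) {
		printf("strict=%d zero-len: %s  one-len: %s\n", strict,
		       names[walk_result_of(PKT_ZERO_LEN, sizeof(PKT_ZERO_LEN), strict)],
		       names[walk_result_of(PKT_ONE_LEN, sizeof(PKT_ONE_LEN), strict)]);
	}
	return 0;
}
```

The stuck-cursor detector in `walk_attributes()` exists only so the pre-patch behaviour can be observed without hanging; a caller such as the `verify()` loop the commit mentions has no such protection, which is why the check belongs inside the enumerator itself.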
diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
index 8e2db0ca2c..5679e47679 100644
--- a/src/libradius/radius_message.c
+++ b/src/libradius/radius_message.c
@@ -261,6 +261,11 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 		DBG1(DBG_IKE, "RADIUS message truncated");
 		return FALSE;
 	}
+	if (this->next->length < sizeof(rattr_t))
+	{
+		DBG1(DBG_IKE, "RADIUS attribute has invalid length");
+		return FALSE;
+	}
 	*type = this->next->type;
 	data->ptr = this->next->value;
 	data->len = this->next->length - sizeof(rattr_t);
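Review bot: the hunk carries no test, yet the commit message names two concrete inputs (an attribute with length 0 and one with length 1) that the old enumerator mishandled and the new guard must reject; a unit test that feeds both through the enumerator and expects it to stop with FALSE would pin the fix. The placement is right, since the truncation guard above it already ensures `this->left >= sizeof(rattr_t)` before `this->next->length` is read. Consider logging the offending values in the new DBG1, e.g. `"RADIUS attribute %d has invalid length %d", this->next->type, this->next->length`, so a rejected message can be diagnosed from the log alone, as the "truncated" branch gives no such detail either.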