From d4b3c39776f06948d875614a0eddea9561159f2a Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Thu, 5 Mar 2026 12:43:12 +0100
Subject: [PATCH] eap-ttls: Prevent crash if AVP length header field is invalid

The length field in the AVP header includes the 8 bytes of the header itself. Not checking for that and later subtracting it causes an integer underflow that usually triggers a crash when accessing a NULL pointer that resulted from the failing chunk_alloc() call because of the high value. The attempted allocations for invalid lengths (0-7) are 0xfffffff8, 0xfffffffc, or 0x100000000 (0 on 32-bit hosts), so this doesn't result in a buffer overflow even if the allocation succeeds.

Fixes: 79f2102cb442 ("implemented server side support for EAP-TTLS")
Fixes: CVE-2026-25075
---
 src/libcharon/plugins/eap_ttls/eap_ttls_avp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
index 06389f7ca73e..2983bd021ded 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_avp.c
@@ -119,7 +119,7 @@ METHOD(eap_ttls_avp_t, process, status_t,
 chunk_free(&this->input);
 this->inpos = 0;
- if (!success)
+ if (!success || avp_len < AVP_HEADER_LEN)
 {
 DBG1(DBG_IKE, "received invalid AVP header");
 return FAILED;
@@ -130,7 +130,7 @@ METHOD(eap_ttls_avp_t, process, status_t,
 return FAILED;
 }
 this->process_header = FALSE;
- this->data_len = avp_len - 8;
+ this->data_len = avp_len - AVP_HEADER_LEN;
 this->input = chunk_alloc(this->data_len + (4 - avp_len) % 4);
 }
--
2.43.0
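Review bot: The new guard `avp_len < AVP_HEADER_LEN` in the first hunk carries no explanation of why a length below the header size is rejected, while the subtraction it protects (`this->data_len = avp_len - AVP_HEADER_LEN;`) lives in the second hunk, so a reader of either hunk alone cannot see the connection; a comment on the guard such as `/* the AVP length covers the header itself, so a smaller value cannot be a valid AVP and would underflow data_len below */` would tie the two together. AVP_HEADER_LEN is not defined in this patch (the diffstat shows only the two changed lines), so it presumably already exists in the file with the value 8 that the old code hard-coded; worth confirming the two agree. The padding term `(4 - avp_len) % 4` in the second hunk yields the correct 0–3 padding only if avp_len is an unsigned type, where the wrap-around is a multiple of 4; if it is signed, `%` can produce a negative value for avp_len > 4 — the declaration is not visible in these hunks, so this is an inference to verify. The enclosing process() method starts before the first hunk and continues after the second, and the lines between the two hunks are not shown, so any additional upper-bound check on avp_len there cannot be reviewed here.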