From 27915097139478ec4738bc593e79601d71a18898 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lukas=20Johannes=20M=C3=B6ller?= Date: Wed, 11 Mar 2026 16:07:10 +0000 Subject: [PATCH] libsimaka: Reject zero-length EAP-SIM/AKA attributes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit parse_attributes() accepts hdr->length == 0 in the AT_ENCR_DATA, AT_RAND, AT_PADDING, default branches. The code then subtracts the fixed attribute header size from the encoded length, which underflows and exposes a wrapped payload length to later code. In particular, for the cases where add_attribute() is called, this causes a heap-based buffer overflow (a buffer of 12 bytes is allocated to which the wrapped length is written). For AT_PADDING, the underflow is irrelevant as add_attribute() is not called. Instead, this results in an infinite loop. Reject zero-length attributes before subtracting the attribute header. Signed-off-by: Lukas Johannes Möller Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA") Fixes: CVE-2026-35330
---
 src/libsimaka/simaka_message.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
index 670656811e33..4862048da9d6 100644
--- a/src/libsimaka/simaka_message.c
+++ b/src/libsimaka/simaka_message.c
@@ -416,7 +416,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
 case AT_ENCR_DATA:
 case AT_RAND:
 {
- if (hdr->length * 4 > in.len || in.len < 4)
+ if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
 {
 return invalid_length(hdr->type);
 }
@@ -439,7 +439,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in)
 case AT_PADDING:
 default:
 {
- if (hdr->length * 4 > in.len || in.len < 4)
+ if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4)
 {
 return invalid_length(hdr->type);
 }
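Review bot: The new `hdr->length == 0` guard at lines 419 and 442 carries no comment, so the reason it exists (the length field counts 4-octet units and includes the 4-octet header, and the code that follows subtracts that header size, which wraps for 0) lives only in the commit message; add `/* length is in 4-octet units and includes the 4-octet header, so 0 would wrap below */` above the check in both the AT_ENCR_DATA/AT_RAND branch and the AT_PADDING/default branch. The identical condition now appears verbatim in both hunks; a small `static bool attr_length_valid(uint8_t length, size_t avail)` helper called from both would keep the two branches from drifting when the next bound is added. The commit message names only these branches, so it is worth confirming that no other case in this switch performs the same header subtraction on an unchecked `hdr->length`. A unit test feeding an attribute with a zero length octet to simaka_message_create_data() and asserting that parsing fails would pin the fix. parse_attributes() begins before the first hunk and continues past the second.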
@@ -932,4 +932,3 @@ simaka_message_t *simaka_message_create(bool request, uint8_t identifier,
 return simaka_message_create_data(chunk_create((char*)&hdr, sizeof(hdr)),
 crypto);
 }
-
-- 2.43.0