From cc1cc8b8990b2eb474575cb454c93d98d9f468c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lukas=20Johannes=20M=C3=B6ller?= Date: Thu, 12 Mar 2026 10:24:45 +0000 Subject: [PATCH] libradius: Reject undersized attributes in enumerator MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit attribute_enumerate() accepts RADIUS attributes whose length byte is smaller than sizeof(rattr_t) (2). For length == 0, the iterator never advances and traps callers — including verify() — in a non-advancing loop. For length == 1, misaligned packed-struct reads occur. Add a separate check for this->next->length < sizeof(rattr_t) after the existing truncation guard. This mirrors radius_message_parse(), which already distinguishes invalid length from truncation. Signed-off-by: Lukas Johannes Möller Fixes: 4a6b84a93461 ("reintegrated eap-radius branch into trunk") Fixes: CVE-2026-35333
---
 src/libradius/radius_message.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
index 8e2db0ca2c95..5679e476794d 100644
--- a/src/libradius/radius_message.c
+++ b/src/libradius/radius_message.c
@@ -261,6 +261,11 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 DBG1(DBG_IKE, "RADIUS message truncated");
 return FALSE;
 }
+ if (this->next->length < sizeof(rattr_t))
+ {
+ DBG1(DBG_IKE, "RADIUS attribute has invalid length");
+ return FALSE;
+ }
 *type = this->next->type;
 data->ptr = this->next->value;
 data->len = this->next->length - sizeof(rattr_t);
-- 
2.43.0
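Review bot: The added `return FALSE` for an undersized attribute is the same value the truncation branch above it returns and, presumably, the same one a normal end of enumeration returns, so a caller cannot tell a malformed message from one that simply ran out of attributes. The callers are outside this hunk (the description names verify()), so it is worth confirming that each of them rejects the whole message in this case rather than acting on the attributes enumerated so far. The check is also what keeps `data->len = this->next->length - sizeof(rattr_t)` from wrapping in size_t arithmetic, which deserves a comment above the `if`, e.g. `/* length includes the 2-byte header; a smaller value cannot advance the iterator and would wrap data->len */`. For triage the log line could carry the offending values, e.g. `DBG1(DBG_IKE, "RADIUS attribute %d has invalid length %d", this->next->type, this->next->length);`. The body of attribute_enumerate starts and ends outside the hunk.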