From 5949b2fdc919932754a233f1f579334b30bcde1f Mon Sep 17 00:00:00 2001 From: "R. Elliott Childre" Date: Mon, 18 May 2026 00:53:24 -0400 Subject: [PATCH] identification: Fix double-free when cloning empty IDs The clone() method was missing a branch when there is an encoded chunk of length 0 that still needed to be cloned. Otherwise, the destruction of the clone frees the same pointer that the original owns. This double free was found with an improved `fuzz_ids` fuzz harness and a two byte input to create an identification from "@#" or [0x40, 0x23]. It can also be triggered with `:#` e.g. `dns:#`. One of the problematic constructors is used to parse EAP-Identities, which are cloned before storing them in the auth-cfg. So this can be triggered by an unauthenticated attacker. Note that while the length check was already added with 418dbd624363 ("cloning %any ID without zero-byte memleak") and identities that trigger this can be created since 86ab5636c2c9 ("support for @#hex ID_KEY_ID identification_t"), it was the referenced commit that made the length check problematic. Fixes: 2147da40a5d7 ("simplified identification_t.clone() using memcpy") Fixes: CVE-2026-47895 --- src/libstrongswan/utils/identification.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 9c43ad5708d8..cb44a2104764 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -855,10 +855,7 @@ METHOD(identification_t, clone_, identification_t*, private_identification_t *clone = malloc_thing(private_identification_t); memcpy(clone, this, sizeof(private_identification_t)); - if (this->encoded.len) - { - clone->encoded = chunk_clone(this->encoded); - } + clone->encoded = chunk_clone(this->encoded); return &clone->public; } -- 2.43.0
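Review bot: dropping the `if (this->encoded.len)` guard around `chunk_clone()` in `clone_` fixes the aliasing, but only if `chunk_clone()` itself tolerates a zero-length chunk without allocating; the commit message notes the guard was added by 418dbd624363 precisely to avoid a zero-byte memleak, so please confirm in the description (or a comment at the call site) that `chunk_clone()` now returns a NULL-pointer chunk for `len == 0` rather than reintroducing that leak. The root cause is that the preceding `memcpy(clone, this, sizeof(private_identification_t));` copies `encoded.ptr` verbatim, so any branch that skips re-cloning leaves both objects owning the same pointer; a regression test that creates the `@#` and `dns:#` identities from the message, clones them, and destroys both copies under ASan would pin this down and keep the `fuzz_ids` finding from regressing.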