From af6e43bb465f4fb403bfca61edcb731f5fc56935 Mon Sep 17 00:00:00 2001
From: Rahul Jain <rahul.jain@suse.com>
Date: Tue, 14 Apr 2026 18:33:06 +0530
Subject: [PATCH] FIX CVE-2026-35333: libradius RADIUS attribute processing

---
 src/libradius/radius_message.c | 5 +++++
 1 file changed, 5 insertions(+)
 
diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c
index 3905a06..10b3205 100644
--- a/src/libradius/radius_message.c
+++ b/src/libradius/radius_message.c
@@ -249,6 +249,11 @@ METHOD(enumerator_t, attribute_enumerate, bool,
 		DBG1(DBG_IKE, "RADIUS message truncated");
 		return FALSE;
 	}
+	if (this->next->length < sizeof(rattr_t))
+	{
+		DBG1(DBG_IKE, "RADIUS attribute has invalid length");
+		return FALSE;
+	}
 	*type = this->next->type;
 	data->ptr = this->next->value;
 	data->len = this->next->length - sizeof(rattr_t);
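Review bot: The added guard before `*type = this->next->type;` has no comment saying what it protects, and the reason only shows two lines below it: `this->next->length - sizeof(rattr_t)` is evaluated as an unsigned size, so a length field smaller than the attribute header would wrap `data->len` to a very large value and give callers a chunk extending far beyond the received packet. I would add above the check `/* length includes the attribute header; anything shorter would wrap data->len below */`. For triage it would also help to log the rejected value, e.g. `DBG1(DBG_IKE, "RADIUS attribute has invalid length %d", this->next->length);` (assuming `length` is a narrow integer field; match the format to its real type), so a malformed attribute can be told apart from the "truncated" case in logs. The body of attribute_enumerate starts and ends outside this hunk, so it cannot be confirmed from here that the early return also covers whatever advances `this->next` after these lines.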
-- 
2.50.0

