31 lines
1023 B
Diff
31 lines
1023 B
Diff
From 190ba58c0a1d995d4da8b017054d4b74d138291c Mon Sep 17 00:00:00 2001
|
|
From: Igor Ustinov <igus68@gmail.com>
|
|
Date: Mon, 12 Jan 2026 12:13:35 +0100
|
|
Subject: [PATCH] Correct handling of AEAD-encrypted CMS with inadmissibly long
|
|
IV
|
|
|
|
Fixes CVE-2025-15467
|
|
---
|
|
crypto/evp/evp_lib.c | 5 ++---
|
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
|
|
index 9eae1d421c..58fa7ce43b 100644
|
|
--- a/crypto/evp/evp_lib.c
|
|
+++ b/crypto/evp/evp_lib.c
|
|
@@ -228,10 +228,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
|
|
if (type == NULL || asn1_params == NULL)
|
|
return 0;
|
|
|
|
- i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
|
|
- if (i <= 0)
|
|
+ i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH);
|
|
+ if (i <= 0 || i > EVP_MAX_IV_LENGTH)
|
|
return -1;
|
|
- ossl_asn1_type_get_octetstring_int(type, &tl, iv, i);
|
|
|
|
memcpy(asn1_params->iv, iv, i);
|
|
asn1_params->iv_len = i;
|
|
--
|
|
2.51.0
|