From 190ba58c0a1d995d4da8b017054d4b74d138291c Mon Sep 17 00:00:00 2001 From: Igor Ustinov Date: Mon, 12 Jan 2026 12:13:35 +0100 Subject: [PATCH] Correct handling of AEAD-encrypted CMS with inadmissibly long IV Fixes CVE-2025-15467 --- crypto/evp/evp_lib.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 9eae1d421c..58fa7ce43b 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -228,10 +228,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type, if (type == NULL || asn1_params == NULL) return 0; - i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH); - if (i <= 0) + i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH); + if (i <= 0 || i > EVP_MAX_IV_LENGTH) return -1; - ossl_asn1_type_get_octetstring_int(type, &tl, iv, i); memcpy(asn1_params->iv, iv, i); asn1_params->iv_len = i; -- 2.51.0