Commit d0071a0

igus68t8m authored and committed
Correct handling of AEAD-encrypted CMS with inadmissibly long IV

Fixes CVE-2025-15467

Reviewed-by: Saša Nedvědický <[email protected]>
Reviewed-by: Norbert Pocs <[email protected]>
Reviewed-by: Eugene Syromiatnikov <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
MergeDate: Mon Jan 26 19:31:45 2026
(cherry picked from commit 0ddd6b6)

1 parent c716aca commit d0071a0

1 file changed

Lines changed: 2 additions & 3 deletions

crypto/evp/evp_lib.c

@@ -228,10 +228,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
228228
if (type == NULL || asn1_params == NULL)
229229
return 0;
230230

231-
i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
232-
if (i <= 0)
231+
i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH);
232+
if (i <= 0 || i > EVP_MAX_IV_LENGTH)
233233
return -1;
234-
ossl_asn1_type_get_octetstring_int(type, &tl, iv, i);
235234

236235
memcpy(asn1_params->iv, iv, i);
237236
asn1_params->iv_len = i;
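
Review bot: The new bound check `if (i <= 0 || i > EVP_MAX_IV_LENGTH)` is only meaningful if ossl_asn1_type_get_octetstring_int() returns the length of the encoded octet string rather than the number of bytes it copied into `iv`, and nothing at the call site says so. A one-line comment above the check stating that the return value can exceed the `max_len` argument would keep a later cleanup from dropping the `i > EVP_MAX_IV_LENGTH` half as apparently dead code, which would again let an over-long length reach `memcpy(asn1_params->iv, iv, i)`. The commit changes only crypto/evp/evp_lib.c, so a regression test that parses an AEAD-encrypted CMS structure whose IV is longer than EVP_MAX_IV_LENGTH and expects the -1 return would be worth adding alongside it.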
