From 5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni
Date: Thu, 11 Sep 2025 18:10:12 +0200
Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
Fixes CVE-2025-9230
The check is off by 8 bytes so it is possible to overread by up to 8 bytes and overwrite up to 4 bytes.
Reviewed-by: Neil Horman
Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
(cherry picked from commit 9c462be2cea54ebfc62953224220b56f8ba22a0c)
---
 crypto/cms/cms_pwri.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index a7d609f8379..ee1b8aa6ed6 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -242,7 +242,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
 /* Check byte failure */
 goto err;
 }
- if (inlen < (size_t)(tmp[0] - 4)) {
+ if (inlen < 4 + (size_t)tmp[0]) {
 /* Invalid length value */
 goto err;
 }
--
2.47.3
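Review bot: The literal `4` in `if (inlen < 4 + (size_t)tmp[0])` is unexplained, and since this bound is the one that was wrong before, the comment should state the layout it relies on. I would replace `/* Invalid length value */` with `/* tmp[0] is the key length; the key follows a 4-byte header, so header + key must fit in inlen */`. The header size is presumably the length byte plus three check bytes, but that test sits above the hunk, so confirm it against the full body of kek_unwrap_key, which starts before and continues past these lines. The diffstat lists only cms_pwri.c, so no regression test pins the boundary. A test that accepts a length byte equal to `inlen - 4` and rejects `inlen - 3` would keep the check from drifting again.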