EVP_CIPHER_CTX_get_iv_length can not return a negative value

but it can return 0.  Remove dead code and handle this
correctly - memcpy of 0 bytes from NULL is UB.

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri May  8 12:15:17 2026
(Merged from https://github.com/openssl/openssl/pull/30609)

diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index 2b0ccd62a1cd028fcef3f2c28ca5081f37f5c343..01907a8d77e0e16b88a18ff190b5fcbcee286f51 100644 (file)
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -88,10 +88,6 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
         }
         /* Generate a random IV if we need one */
         ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
-        if (ivlen < 0) {
-            ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB);
-            goto err;
-        }
 
         if (ivlen > 0) {
             if (RAND_bytes_ex(libctx, iv, ivlen, 0) <= 0)
@@ -174,7 +170,12 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
             goto err;
         }
         if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
-            memcpy(aparams.iv, piv, ivlen);
+            if (ivlen > EVP_MAX_IV_LENGTH || ivlen < 0) {
+                ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB);
+                goto err;
+            }
+            if (ivlen != 0)
+                memcpy(aparams.iv, piv, ivlen);
             aparams.iv_len = ivlen;
             aparams.tag_len = EVP_CIPHER_CTX_get_tag_length(ctx);
             if (aparams.tag_len <= 0) {