From: Harry Betts Date: Sat, 9 May 2026 06:54:52 +0000 (+1000) Subject: Fix OOB read in EC_GROUP_new_from_params() with zero-length generator X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f3704f3b68485daaba5e9243bb8b13791ea023b;p=thirdparty%2Fopenssl.git Fix OOB read in EC_GROUP_new_from_params() with zero-length generator When OSSL_PKEY_PARAM_EC_GENERATOR is provided as an octet string of length 0, buf[0] is read before validating data_size, causing a heap-buffer-overflow detectable under ASan. Reject zero-length generator octet strings before the dereference. CLA: trivial Resolves: https://github.com/openssl/openssl/issues/31125 Fixes: c0f39ded68ba "Add Explicit EC parameter support to providers." Reviewed-by: Eugene Syromiatnikov Reviewed-by: Frederik Wedel-Heinen MergeDate: Mon May 11 08:34:15 2026 (Merged from https://github.com/openssl/openssl/pull/31128) --- diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 87cd558e323..51f0457f65a 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -1731,7 +1731,8 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], /* generator base point */ ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_GENERATOR); if (ptmp == NULL - || ptmp->data_type != OSSL_PARAM_OCTET_STRING) { + || ptmp->data_type != OSSL_PARAM_OCTET_STRING + || ptmp->data_size == 0) { ERR_raise(ERR_LIB_EC, EC_R_INVALID_GENERATOR); goto err; }
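Review bot: the new `|| ptmp->data_size == 0` condition in the generator check of EC_GROUP_new_from_params() arrives without a regression test, since this diff touches only crypto/ec/ec_lib.c. A test that passes OSSL_PKEY_PARAM_EC_GENERATOR as a zero-length octet string and expects the call to fail with EC_R_INVALID_GENERATOR would keep the buf[0] read described in the commit message from coming back unnoticed. A one-line comment beside the condition noting that the first byte of the octet string is read afterwards would also tell the next reader why an empty value is rejected at this point.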