From: Tomas Mraz Date: Thu, 31 Jul 2025 08:40:40 +0000 (+0200) Subject: cms_kemri.c: Fix Coverity issues X-Git-Tag: openssl-3.6.0-alpha1~193 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e729d7c7329200ab9152ad4817d09f0a65dec2d6;p=thirdparty%2Fopenssl.git cms_kemri.c: Fix Coverity issues Add return value check of ASN1_OCTET_STRING_set(). Do not call OPENSSL_cleanse() if keklen is greater than the cleaned buffer. Fixes Coverity 1660824, 1660825 Reviewed-by: Tim Hudson Reviewed-by: Dmitry Belyavskiy Reviewed-by: Saša Nedvědický Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/28132) --- diff --git a/crypto/cms/cms_kemri.c b/crypto/cms/cms_kemri.c index 55c3783479d..b3a07c19aeb 100644 --- a/crypto/cms/cms_kemri.c +++ b/crypto/cms/cms_kemri.c @@ -151,6 +151,7 @@ int CMS_RecipientInfo_kemri_set_ukm(CMS_RecipientInfo *ri, int ukmLength) { CMS_KEMRecipientInfo *kemri; + ASN1_OCTET_STRING *ukm_str; if (ri->type != CMS_RECIPINFO_KEM) { ERR_raise(ERR_LIB_CMS, CMS_R_NOT_KEM); @@ -164,11 +165,16 @@ int CMS_RecipientInfo_kemri_set_ukm(CMS_RecipientInfo *ri, kemri = ri->d.ori->d.kemri; - ASN1_OCTET_STRING_free(kemri->ukm); - kemri->ukm = ASN1_OCTET_STRING_new(); - if (kemri->ukm == NULL) + ukm_str = ASN1_OCTET_STRING_new(); + if (ukm_str == NULL) + return 0; + if (!ASN1_OCTET_STRING_set(ukm_str, ukm, ukmLength)) { + ASN1_OCTET_STRING_free(ukm_str); return 0; - return ASN1_OCTET_STRING_set(kemri->ukm, ukm, ukmLength); + } + ASN1_OCTET_STRING_free(kemri->ukm); + kemri->ukm = ukm_str; + return 1; } static EVP_KDF_CTX *create_kdf_ctx(CMS_KEMRecipientInfo *kemri) @@ -259,7 +265,7 @@ static int cms_kek_cipher(unsigned char **pout, size_t *poutlen, if (keklen > sizeof(kek)) { ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH); - goto err; + return 0; } if (!kdf_derive(kek, keklen, ss, sslen, kemri))