]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 192fd36)
Correct handling of AEAD-encrypted CMS with inadmissibly long IV
authorIgor Ustinov <igus68@gmail.com>
Mon, 12 Jan 2026 11:13:35 +0000 (12:13 +0100)
committerTomas Mraz <tomas@openssl.org>
Mon, 26 Jan 2026 19:31:24 +0000 (20:31 +0100)
Fixes CVE-2025-15467

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 26 19:31:45 2026

crypto/evp/evp_lib.c patch | blob | blame | history

diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index f5a4d24e300ac486d9c660a66b7cdfd7679c4c44..6c9421110b47293d8714d899ee186be5fb682593 100644 (file)
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -214,10 +214,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
     if (type == NULL || asn1_params == NULL)
         return 0;
 
-    i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
-    if (i <= 0)
+    i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH);
+    if (i <= 0 || i > EVP_MAX_IV_LENGTH)
         return -1;
-    ossl_asn1_type_get_octetstring_int(type, &tl, iv, i);
 
     memcpy(asn1_params->iv, iv, i);
     asn1_params->iv_len = i;
Mirror of https://github.com/openssl/openssl.git