Fix potential NULL dereference in OSSL_CRMF_ENCRYPTEDVALUE_decrypt()

author Igor Ustinov <igus@openssl.foundation>

Mon, 11 May 2026 14:29:47 +0000 (16:29 +0200)

committer Tomas Mraz <tomas@openssl.foundation>

Thu, 11 Jun 2026 15:08:41 +0000 (17:08 +0200)
author Igor Ustinov <igus@openssl.foundation>
Mon, 11 May 2026 14:29:47 +0000 (16:29 +0200)
committer Tomas Mraz <tomas@openssl.foundation>
Thu, 11 Jun 2026 15:08:41 +0000 (17:08 +0200)
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c

index d5ad51e4503d6f498d39b50b06c06b979b5865c6..5747ab185697ec2ce93d1d36281abe4703372ae4 100644 (file)
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -762,6 +762,7 @@ unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE *
      EVP_CIPHER *cipher = NULL; /* used cipher */
      int cikeysize = 0; /* key size from cipher */
      unsigned char *iv = NULL; /* initial vector for symmetric encryption */
+    int iv_len; /* iv length */
      unsigned char *out = NULL; /* decryption output buffer */
      int n, ret = 0;
      EVP_PKEY_CTX *pkctx = NULL; /* private key context */
@@ -811,11 +812,12 @@ unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE *
      } else {
          goto end;
      }
-    if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL)
+    iv_len = EVP_CIPHER_get_iv_length(cipher);
+    if ((iv = OPENSSL_malloc(iv_len)) == NULL)
          goto end;
-    if (ASN1_TYPE_get_octetstring(enc->symmAlg->parameter, iv,
-            EVP_CIPHER_get_iv_length(cipher))
-        != EVP_CIPHER_get_iv_length(cipher)) {
+    if (enc->symmAlg->parameter == NULL
+        || ASN1_TYPE_get_octetstring(enc->symmAlg->parameter, iv, iv_len)
+            != iv_len) {
          ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV);
          goto end;
      }
author	Igor Ustinov <igus@openssl.foundation>
	Mon, 11 May 2026 14:29:47 +0000 (16:29 +0200)
committer	Tomas Mraz <tomas@openssl.foundation>
	Thu, 11 Jun 2026 15:08:41 +0000 (17:08 +0200)