From 9c462be2cea54ebfc62953224220b56f8ba22a0c Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <openssl-users@dukhovni.org>
Date: Thu, 11 Sep 2025 18:10:12 +0200
Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
Fixes CVE-2025-9230
The check is off by 8 bytes so it is possible to overread by
up to 8 bytes and overwrite up to 4 bytes.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
---
crypto/cms/cms_pwri.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index 106bd98dc7..ba8646f93c 100644
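--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -243,7 +243,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
 /* Check byte failure */
 goto err;
 }
- if (inlen < (size_t)(tmp[0] - 4)) {
+ if (inlen < 4 + (size_t)tmp[0]) {
 /* Invalid length value */
 goto err;
 }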
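Review bot: The literal `4` in the new bound `inlen < 4 + (size_t)tmp[0]` is unexplained, and per the commit message this comparison is what prevents the over-read and over-write, so the layout it assumes should be written down next to it. A comment above the `if` such as `/* tmp[0] is the key length; the key follows 1 length byte + 3 check bytes */` would do, assuming the RFC 3211 layout that the preceding "Check byte failure" branch suggests. The diffstat shows only cms_pwri.c changing, so a regression test for the boundary lengths (`tmp[0] == inlen - 4` accepted, `tmp[0] == inlen - 3` rejected) is still missing. kek_unwrap_key's body begins and ends outside the hunk, so the code that consumes `tmp[0]` after this check is not visible here.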
--
2.51.0