mirror of https://github.com/openbsd/src.git synced 2026-06-18 15:23:33 +02:00

Avoid out-of-bounds read in CMS password-based decryption

The RFC 3211 PWRI integrity check when unwrapping the password-derived key
accesses seven bytes from a heap-allocated buffer. If an (invalid) block
cipher with short blocks is in use, 2 * blocksize may not be sufficient room
for 7 bytes. In that silly case, the function performs an OOB read. Add
length check to avoid this situation.

From Igor Ustinov via OpenSSL.
tb
2026-06-09 12:20:34 +00:00
parent 3cfdab8ab2
commit 06bb1433e0
+5 -1
@@ -1,4 +1,4 @@
/* $OpenBSD: cms_pwri.c,v 1.36 2026/06/09 12:12:34 tb Exp $ */
/* $OpenBSD: cms_pwri.c,v 1.37 2026/06/09 12:20:34 tb Exp $ */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
@@ -232,6 +232,10 @@ kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in,
unsigned char *tmp;
int outl, rv = 0;
/* Ensure inlen is large enough that tmp[6] is in bounds. */
if (blocklen < 4)
return 0;
if (inlen < 2 * blocklen) {
/* too small */
return 0;
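Review bot: The comment above the new "if (blocklen < 4)" test names inlen, but the test is on blocklen, and tmp[6] is only guaranteed to be in bounds once the "inlen < 2 * blocklen" check that follows has also passed. Consider rewording the comment to state that dependency, for example that blocklen >= 4 together with inlen >= 2 * blocklen gives inlen >= 8, so that a later change to either check does not silently drop the guarantee.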