From 3cfdab8ab21b2cb7dbbdf7be7bc803fea8b5e2b6 Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 9 Jun 2026 12:12:34 +0000
Subject: [PATCH] Avoid NULL dereference in password-based CMS decryption
The keyDerivationAlgorithm field is OPTIONAL in the ASN.1 but required for password-based CMS. Check that the field is present before using it to avoid a crash. From Igor Ustinov via OpenSSL
---
 lib/libcrypto/cms/cms_pwri.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/libcrypto/cms/cms_pwri.c b/lib/libcrypto/cms/cms_pwri.c
index f64f4ab68c9..d282d1d42f7 100644
--- a/lib/libcrypto/cms/cms_pwri.c
+++ b/lib/libcrypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_pwri.c,v 1.35 2025/09/30 12:51:16 tb Exp $ */
+/* $OpenBSD: cms_pwri.c,v 1.36 2026/06/09 12:12:34 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -386,6 +386,10 @@ cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
 }
 algtmp = pwri->keyDerivationAlgorithm;
+ if (algtmp == NULL) {
+ CMSerror(CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER);
+ goto err;
+ }
 /* Finish password based key derivation to setup key in "ctx" */
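Review bot: The new `if (algtmp == NULL)` guard in cms_RecipientInfo_pwri_crypt() carries no comment saying why the pointer can be NULL, so the reason lives only in the commit message and the check could later be mistaken for dead code. I would put `/* keyDerivationAlgorithm is OPTIONAL in the ASN.1; a parsed message may omit it. */` directly above the check. The function body and its `err` label lie outside this hunk, so I am assuming `goto err` releases whatever was set up before this point; that is worth confirming against the full file. A regress case that feeds a password recipient info without the field would pin the error return, since this path is reached with parsed, possibly untrusted input.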