kek_unwrap_key(): Fix incorrect check of unwrapped key size

Viktor Dukhovni · zvonand · commit 5dfb0a79cf5c · 2025-10-18T15:03:26.000+02:00
Fixes CVE-2025-9230

The check is off by 8 bytes so it is possible to overread by
up to 8 bytes and overwrite up to 4 bytes.

Reviewed-by: Neil Horman &lt;nhorman@openssl.org&gt;
Reviewed-by: Matt Caswell &lt;matt@openssl.org&gt;
Reviewed-by: Tomas Mraz &lt;tomas@openssl.org&gt;
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
@@ -237,7 +237,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
         /* Check byte failure */
         goto err;
     }
-    if (inlen < (size_t)(tmp[0] - 4)) {
+    if (inlen < 4 + (size_t)tmp[0]) {
         /* Invalid length value */
         goto err;
     }

Original file line number	Diff line number	Diff line change
`@@ -237,7 +237,7 @@ static int kek_unwrap_key(unsigned char out, size_t outlen,`
`237`	`237`	`/* Check byte failure */`
`238`	`238`	`goto err;`
`239`	`239`	`}`
`240`		`- if (inlen < (size_t)(tmp[0] - 4)) {`
	`240`	`+ if (inlen < 4 + (size_t)tmp[0]) {`
`241`	`241`	`/* Invalid length value */`
`242`	`242`	`goto err;`
`243`	`243`	`}`