Commit d53d793771 for openssl.org
commit d53d79377100b63378ab08e9006843a4fad10a09
Author: Bob Beck <beck@openssl.org>
Date: Fri Mar 27 16:14:10 2026 -0600
EVP_CIPHER_CTX_get_iv_length can not return a negative value
but it can return 0. Remove dead code and handle this
correctly - memcpy of 0 bytes from NULL is UB.
Reviewed-by: Saša NedvÄ›dický <sashan@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri May 8 12:15:17 2026
(Merged from https://github.com/openssl/openssl/pull/30609)
diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c
index 2b0ccd62a1..01907a8d77 100644
--- a/crypto/cms/cms_enc.c
+++ b/crypto/cms/cms_enc.c
@@ -88,10 +88,6 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
}
/* Generate a random IV if we need one */
ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
- if (ivlen < 0) {
- ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB);
- goto err;
- }
if (ivlen > 0) {
if (RAND_bytes_ex(libctx, iv, ivlen, 0) <= 0)
@@ -174,7 +170,12 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
goto err;
}
if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
- memcpy(aparams.iv, piv, ivlen);
+ if (ivlen > EVP_MAX_IV_LENGTH || ivlen < 0) {
+ ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB);
+ goto err;
+ }
+ if (ivlen != 0)
+ memcpy(aparams.iv, piv, ivlen);
aparams.iv_len = ivlen;
aparams.tag_len = EVP_CIPHER_CTX_get_tag_length(ctx);
if (aparams.tag_len <= 0) {