From 61a86a8cd73546c9fea916f3d304c1293e05c046 Mon Sep 17 00:00:00 2001
From: Igor Ustinov <igus@openssl.foundation>
Date: Mon, 11 May 2026 16:29:47 +0200
Subject: [PATCH] Fix potential NULL dereference in
 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert()

Check that 'parameter' != NULL before dereferencing in
OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert().

Fixes CVE-2026-42767

Co-authored-by: Tomas Mraz <tomas@openssl.foundation>

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Milan Broz <mbroz@openssl.org>
MergeDate: Mon Jun  8 20:40:47 2026
(cherry picked from commit 665d5254083affde9982efca7c41dd01cacc8774)
---
 crypto/crmf/crmf_lib.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index 2b57f9956f9f3..9e24092fdb246 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -617,6 +617,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecer
     EVP_CIPHER *cipher = NULL; /* used cipher */
     int cikeysize = 0; /* key size from cipher */
     unsigned char *iv = NULL; /* initial vector for symmetric encryption */
+    int iv_len; /* iv length */
     unsigned char *outbuf = NULL; /* decryption output buffer */
     const unsigned char *p = NULL; /* needed for decoding ASN1 */
     int n, outlen = 0;
@@ -670,11 +671,13 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecer
     } else {
         goto end;
     }
-    if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL)
+
+    iv_len = EVP_CIPHER_get_iv_length(cipher);
+    if ((iv = OPENSSL_malloc(iv_len)) == NULL)
         goto end;
-    if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv,
-                                  EVP_CIPHER_get_iv_length(cipher))
-        != EVP_CIPHER_get_iv_length(cipher)) {
+    if (ecert->symmAlg->parameter == NULL
+        || ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv, iv_len)
+            != iv_len) {
         ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV);
         goto end;
     }
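Review bot: `iv_len` is used both as the allocation size and as the expected octet-string length without a range check, at `iv_len = EVP_CIPHER_get_iv_length(cipher);`. EVP_CIPHER_get_iv_length() returns an int that is documented as 0 for a cipher without an IV and negative on error. A negative value would be converted to a very large size when passed to `OPENSSL_malloc(iv_len)`, and a zero presumably makes the allocation return NULL, so both cases leave through `goto end` without putting an error on the queue. I would add an explicit guard before the allocation, `if (iv_len <= 0) goto end;`, preceded by an `ERR_raise(ERR_LIB_CRMF, ...)` with a suitable reason code, so the peer-selected algorithm is rejected deliberately rather than as a side effect of the allocator. The function body starts and ends outside this hunk, and the diffstat shows no test change; a regression case with an EncryptedValue whose symmAlg carries no parameters would pin the NULL check.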