From 3a5c085c10a0a22d49b7feb82ffc906f8c48a2e1 Mon Sep 17 00:00:00 2001
From: liwei3013 <liwei455@huawei.com>
Date: Wed, 8 Oct 2025 10:40:12 +0800
Subject: [PATCH] [Backport] kek_unwrap_key(): fix incorrent check of unwrapped
 key size

CVE: CVE-2025-9230

The check is off by 8 bytes so it is possible to overread by
up to 8 bytes and overwrite up to 4 bytes.

Signed-off-by: liwei3013 <liwei455@huawei.com>
---
 crypto/cms/cms_pwri.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index d741488339..9f98840244 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -215,7 +215,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
         /* Check byte failure */
         goto err;
     }
-    if (inlen < (size_t)(tmp[0] - 4)) {
+    if (inlen < 4 + (size_t)tmp[0]) {
         /* Invalid length value */
         goto err;
     }
-- 
Gitee