Make sure curve OID lengths match

LinuxJedi · LinuxJedi · commit 59bd7e3dffa8 · 2026-03-21T11:03:14.000Z
Could match with a weaker curve without full length matching (although
mostly mitigated anyway).

F-315
diff --git a/src/internal.c b/src/internal.c
@@ -8476,7 +8476,8 @@ static int ecc_lookup_curve(const byte* oid, word32 len)
 
     for (curve = DefinedCurves; curve->curve_id < ECC_CURVE_MAX; curve++)
     {
-        if (XMEMCMP(oid, curve->curve_oid, MIN(len, curve->curve_size)) == 0) {
+        if (len == curve->curve_size &&
+                XMEMCMP(oid, curve->curve_oid, len) == 0) {
             return curve->curve_id;
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -8476,7 +8476,8 @@ static int ecc_lookup_curve(const byte* oid, word32 len)`
`8476`	`8476`
`8477`	`8477`	`for (curve = DefinedCurves; curve->curve_id < ECC_CURVE_MAX; curve++)`
`8478`	`8478`	`{`
`8479`		`- if (XMEMCMP(oid, curve->curve_oid, MIN(len, curve->curve_size)) == 0) {`
	`8479`	`+ if (len == curve->curve_size &&`
	`8480`	`+ XMEMCMP(oid, curve->curve_oid, len) == 0) {`
`8480`	`8481`	`return curve->curve_id;`
`8481`	`8482`	`}`
`8482`	`8483`	`}`