authorTheo Buehler <tb@cvs.openbsd.org>2021-12-28 20:58:06 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2021-12-28 20:58:06 +0000
commite967f861796845a43e93af41843457fcd991979e (patch)
tree454f5a4259da9557b1251213cf109a336afe07fd /lib/libcrypto/x509/x509_addr.c
parent5c180b16466e080da1ef00843b1b93f0635cdaf2 (diff)
Validate AFIs before sorting in X509v3_adr_canonize()
Again, we're dealing with necessarily not fully validated data here, so a check up front seems prudent. ok jsing
Diffstat (limited to 'lib/libcrypto/x509/x509_addr.c')
-rw-r--r--lib/libcrypto/x509/x509_addr.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c
index 3686d6a8236..225f9610020 100644
--- a/lib/libcrypto/x509/x509_addr.c
+++ b/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_addr.c,v 1.43 2021/12/28 20:50:37 tb Exp $ */
+/* $OpenBSD: x509_addr.c,v 1.44 2021/12/28 20:58:05 tb Exp $ */
/*
* Contributed to the OpenSSL Project by the American Registry for
* Internet Numbers ("ARIN").
@@ -1274,10 +1274,16 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
int
X509v3_addr_canonize(IPAddrBlocks *addr)
{
+ unsigned int afi;
int i;
for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
+
+ /* Check AFI/SAFI here - IPAddressFamily_cmp() can't error. */
+ if ((afi = X509v3_addr_get_afi(f)) == 0)
+ return 0;
+
if (f->ipAddressChoice->type ==
IPAddressChoice_addressesOrRanges &&
!IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,