From: tb <tb@openbsd.org>
Date: Wed, 5 Jan 2022 07:28:41 +0000 (+0000)
Subject: Fix a bug in addr_contains() introduced in OpenSSL commit be71c372
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=e5e14cfc2866cfac67696e1a98f0cc55d2327596;p=openbsd

Fix a bug in addr_contains() introduced in OpenSSL commit be71c372
by returning 0 instead of -1 on extract_min_max() failure. Callers
would interpret -1 as success of addr_contains().

ok inoguchi jsing
---

diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c
index edb85f34939..92d540dbe56 100644
--- a/lib/libcrypto/x509/x509_addr.c
+++ b/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_addr.c,v 1.58 2022/01/04 20:52:34 tb Exp $ */
+/*	$OpenBSD: x509_addr.c,v 1.59 2022/01/05 07:28:41 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -1648,7 +1648,7 @@ addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length)
 	for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
 		if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
 		    c_min, c_max, length))
-			return -1;
+			return 0;
 		for (;; p++) {
 			if (p >= sk_IPAddressOrRange_num(parent))
 				return 0;