From: tb Date: Tue, 28 Dec 2021 20:44:56 +0000 (+0000) Subject: Check AFI/SAFI before comparing them in X509v3_addr_is_canonical() X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f8fec339cdfda39838207e997e4a3383198ae858;p=openbsd Check AFI/SAFI before comparing them in X509v3_addr_is_canonical() As mentioned in a previous commit, IPAddressFamily_cmp() can't really check for trailing garbage in addressFamily->data. Since the path validation and hence the X.509 validator call X509v3_addr_is_canonical(), this deals with only partially validated data. ok jsing --- diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c index 5f31d7307f6..242d1b49821 100644 --- a/lib/libcrypto/x509/x509_addr.c +++ b/lib/libcrypto/x509/x509_addr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_addr.c,v 1.41 2021/12/28 20:07:17 tb Exp $ */ +/* $OpenBSD: x509_addr.c,v 1.42 2021/12/28 20:44:56 tb Exp $ */ /* * Contributed to the OpenSSL Project by the American Registry for * Internet Numbers ("ARIN"). @@ -1092,6 +1092,13 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr) for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); + + /* Check that both have valid AFIs before comparing them. */ + if (X509v3_addr_get_afi(a) == 0) + return 0; + if (X509v3_addr_get_afi(b) == 0) + return 0; + if (IPAddressFamily_cmp(&a, &b) >= 0) return 0; }