From 8f89bdfa9aabe95f91e32318296bc60eb8d614f8 Mon Sep 17 00:00:00 2001
From: tb
Date: Fri, 28 Apr 2023 15:27:15 +0000
Subject: [PATCH] Deassert X509_policy_check()
Instead of asserting that i == num_certs - 2, simply make that an error check. with beck ok jsing
---
 lib/libcrypto/x509/x509_policy.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/libcrypto/x509/x509_policy.c b/lib/libcrypto/x509/x509_policy.c
index 0f60a11c77d..c2ef47aa0f5 100644
--- a/lib/libcrypto/x509/x509_policy.c
+++ b/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_policy.c,v 1.18 2023/04/28 15:21:22 tb Exp $ */
+/* $OpenBSD: x509_policy.c,v 1.19 2023/04/28 15:27:15 tb Exp $ */
 /*
 * Copyright (c) 2022, Google Inc.
 *
@@ -899,7 +899,8 @@ X509_policy_check(const STACK_OF(X509) *certs,
 is_self_issued = (cert->ex_flags & EXFLAG_SI) != 0;
 if (level == NULL) {
- assert(i == num_certs - 2);
+ if (i != num_certs - 2)
+ goto err;
 level = x509_policy_level_new();
 if (level == NULL)
 goto err;
--
2.20.1
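Review bot: The new `goto err` in the `level == NULL` branch leaves through the same label as the allocation failure two lines below it, so a broken loop invariant and an out-of-memory condition are indistinguishable to the caller unless a distinct result code is already set when `err` is reached; that assignment is outside the hunk. Failing closed is the right direction for certificate policy validation, but it is worth confirming which verification error the caller sees here and setting an explicit one before the jump if it would otherwise be the allocation-failure code. The check also lost the documentation value the assert had; if, as the removed assert implies, `level` can only be NULL on the first iteration, a comment such as `/* level is only NULL on the first iteration (i == num_certs - 2); anything else is an internal error */` above the `if` would keep the intent. The body of X509_policy_check() starts and ends outside this hunk.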