From d8a5ee8e621c63f99eecdbaa663caea2aca756ac Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 31 Aug 2022 07:15:31 +0000
Subject: [PATCH] Switch loop bounds from size_t to int in check_hosts()

sk_num() can return a negative value, in which case the upper bound is SIZE_MAX, which results in a very long for loop. CID 153997 ok jsing
---
 lib/libcrypto/x509/x509_vfy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 18cf08a07c4..fb87877e72c 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.102 2022/06/27 14:10:22 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.103 2022/08/31 07:15:31 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -186,7 +186,7 @@ check_id_error(X509_STORE_CTX *ctx, int errcode)
 static int
 check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
 {
- size_t i, n;
+ int i, n;
 char *name;
 
 n = sk_OPENSSL_STRING_num(id->hosts);
-- 
2.20.1
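Review bot: Nothing at the `int i, n;` declaration in check_hosts() records why the counters are signed, so a later cleanup could switch them back to `size_t` and reintroduce the SIZE_MAX loop bound the commit message describes. A one-line comment above the assignment would pin it, e.g. `/* sk_OPENSSL_STRING_num() can return a negative value; i and n must stay signed. */`. The loop and the return statement lie outside this hunk, so it is worth confirming there that a negative `n` ends in a failed host check rather than being treated like an empty host list, since this function decides hostname verification.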