OpenSSL 1.0.0f: merge

author: djm <> 2012-01-05 23:01:39 +0000
committer: djm <> 2012-01-05 23:01:39 +0000
commit: f48d9d4a955d7e4c1c692099ab67e1dbfeb51137 (patch)
tree: 866512933d8f0c1ea5465d0169915b36c1ca3cae /src/lib/libcrypto/x509v3/v3_addr.c
parent: 35dadfe897866818c3fd0350efefc5caae349fb6 (diff)
download: openbsd-f48d9d4a955d7e4c1c692099ab67e1dbfeb51137.tar.gz
openbsd-f48d9d4a955d7e4c1c692099ab67e1dbfeb51137.tar.bz2
openbsd-f48d9d4a955d7e4c1c692099ab67e1dbfeb51137.zip
1 files changed, 85 insertions, 40 deletions
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
index 0d70e8696d..df46a4983b 100644
--- a/src/lib/libcrypto/x509v3/v3_addr.c
+++ b/src/lib/libcrypto/x509v3/v3_addr.c
@@ -142,12 +142,13 @@ unsigned int v3_addr_get_afi(const IPAddressFamily *f)
 * Expand the bitstring form of an address into a raw byte array.
 * At the moment this is coded for simplicity, not speed.
 */
-static void addr_expand(unsigned char *addr,
+static int addr_expand(unsigned char *addr,
                        const ASN1_BIT_STRING *bs,
                        const int length,
                        const unsigned char fill)
 {
-  OPENSSL_assert(bs->length >= 0 && bs->length <= length);
+  if (bs->length < 0 || bs->length > length)
+    return 0;
  if (bs->length > 0) {
    memcpy(addr, bs->data, bs->length);
    if ((bs->flags & 7) != 0) {
@@ -159,6 +160,7 @@ static void addr_expand(unsigned char *addr,
    }
  }
  memset(addr + bs->length, fill, length - bs->length);
+  return 1;
 }
 /*
@@ -181,15 +183,13 @@ static int i2r_address(BIO *out,
    return 0;
  switch (afi) {
  case IANA_AFI_IPV4:
-    if (bs->length > 4)
+    if (!addr_expand(addr, bs, 4, fill))
      return 0;
-    addr_expand(addr, bs, 4, fill);
    BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
    break;
  case IANA_AFI_IPV6:
-    if (bs->length > 16)
+    if (!addr_expand(addr, bs, 16, fill))
      return 0;
-    addr_expand(addr, bs, 16, fill);
    for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
      ;
    for (i = 0; i < n; i += 2)
@@ -315,6 +315,12 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
 /*
 * Sort comparison function for a sequence of IPAddressOrRange
 * elements.
+ *
+ * There's no sane answer we can give if addr_expand() fails, and an
+ * assertion failure on externally supplied data is seriously uncool,
+ * so we just arbitrarily declare that if given invalid inputs this
+ * function returns -1.  If this messes up your preferred sort order
+ * for garbage input, tough noogies.
 */
 static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
                                const IPAddressOrRange *b,
@@ -326,22 +332,26 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
  switch (a->type) {
  case IPAddressOrRange_addressPrefix:
-    addr_expand(addr_a, a->u.addressPrefix, length, 0x00);
+    if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
+      return -1;
    prefixlen_a = addr_prefixlen(a->u.addressPrefix);
    break;
  case IPAddressOrRange_addressRange:
-    addr_expand(addr_a, a->u.addressRange->min, length, 0x00);
+    if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
+      return -1;
    prefixlen_a = length * 8;
    break;
  }
  switch (b->type) {
  case IPAddressOrRange_addressPrefix:
-    addr_expand(addr_b, b->u.addressPrefix, length, 0x00);
+    if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
+      return -1;
    prefixlen_b = addr_prefixlen(b->u.addressPrefix);
    break;
  case IPAddressOrRange_addressRange:
-    addr_expand(addr_b, b->u.addressRange->min, length, 0x00);
+    if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
+      return -1;
    prefixlen_b = length * 8;
    break;
  }
@@ -383,6 +393,7 @@ static int range_should_be_prefix(const unsigned char *min,
  unsigned char mask;
  int i, j;
+  OPENSSL_assert(memcmp(min, max, length) <= 0);
  for (i = 0; i < length && min[i] == max[i]; i++)
    ;
  for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
@@ -601,10 +612,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
    return NULL;
  switch (afi) {
  case IANA_AFI_IPV4:
-    sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
+    (void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
    break;
  case IANA_AFI_IPV6:
-    sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
+    (void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
    break;
  }
  f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
@@ -656,22 +667,22 @@ int v3_addr_add_range(IPAddrBlocks *addr,
 /*
 * Extract min and max values from an IPAddressOrRange.
 */
-static void extract_min_max(IPAddressOrRange *aor,
+static int extract_min_max(IPAddressOrRange *aor,
                            unsigned char *min,
                            unsigned char *max,
                            int length)
 {
-  OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
+  if (aor == NULL || min == NULL || max == NULL)
+    return 0;
  switch (aor->type) {
  case IPAddressOrRange_addressPrefix:
-    addr_expand(min, aor->u.addressPrefix, length, 0x00);
+    return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
-    addr_expand(max, aor->u.addressPrefix, length, 0xFF);
+            addr_expand(max, aor->u.addressPrefix, length, 0xFF));
-    return;
  case IPAddressOrRange_addressRange:
-    addr_expand(min, aor->u.addressRange->min, length, 0x00);
+    return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
-    addr_expand(max, aor->u.addressRange->max, length, 0xFF);
+            addr_expand(max, aor->u.addressRange->max, length, 0xFF));
-    return;
  }
+  return 0;
 }
 /*
@@ -687,9 +698,10 @@ int v3_addr_get_range(IPAddressOrRange *aor,
  if (aor == NULL || min == NULL || max == NULL ||
      afi_length == 0 || length < afi_length ||
      (aor->type != IPAddressOrRange_addressPrefix &&
-       aor->type != IPAddressOrRange_addressRange))
+       aor->type != IPAddressOrRange_addressRange) ||
+      !extract_min_max(aor, min, max, afi_length))
    return 0;
-  extract_min_max(aor, min, max, afi_length);
  return afi_length;
 }
@@ -771,8 +783,9 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
      IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
      IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
-      extract_min_max(a, a_min, a_max, length);
+      if (!extract_min_max(a, a_min, a_max, length) ||
-      extract_min_max(b, b_min, b_max, length);
+          !extract_min_max(b, b_min, b_max, length))
+        return 0;
      /*
       * Punt misordered list, overlapping start, or inverted range.
@@ -800,14 +813,17 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
    }
    /*
-     * Check final range to see if it should be a prefix.
+     * Check range to see if it's inverted or should be a
+     * prefix.
     */
    j = sk_IPAddressOrRange_num(aors) - 1;
    {
      IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
-      if (a->type == IPAddressOrRange_addressRange) {
+      if (a != NULL && a->type == IPAddressOrRange_addressRange) {
-        extract_min_max(a, a_min, a_max, length);
+        if (!extract_min_max(a, a_min, a_max, length))
-        if (range_should_be_prefix(a_min, a_max, length) >= 0)
+          return 0;
+        if (memcmp(a_min, a_max, length) > 0 ||
+            range_should_be_prefix(a_min, a_max, length) >= 0)
          return 0;
      }
    }
@@ -841,8 +857,16 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
    unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
    unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
-    extract_min_max(a, a_min, a_max, length);
+    if (!extract_min_max(a, a_min, a_max, length) ||
-    extract_min_max(b, b_min, b_max, length);
+        !extract_min_max(b, b_min, b_max, length))
+      return 0;
+    /*
+     * Punt inverted ranges.
+     */
+    if (memcmp(a_min, a_max, length) > 0 ||
+        memcmp(b_min, b_max, length) > 0)
+      return 0;
    /*
     * Punt overlaps.
@@ -860,8 +884,8 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
      IPAddressOrRange *merged;
      if (!make_addressRange(&merged, a_min, b_max, length))
        return 0;
-      sk_IPAddressOrRange_set(aors, i, merged);
+      (void) sk_IPAddressOrRange_set(aors, i, merged);
-      sk_IPAddressOrRange_delete(aors, i + 1);
+      (void) sk_IPAddressOrRange_delete(aors, i + 1);
      IPAddressOrRange_free(a);
      IPAddressOrRange_free(b);
      --i;
@@ -869,6 +893,20 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
    }
  }
+  /*
+   * Check for inverted final range.
+   */
+  j = sk_IPAddressOrRange_num(aors) - 1;
+  {
+    IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
+    if (a != NULL && a->type == IPAddressOrRange_addressRange) {
+      unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
+      extract_min_max(a, a_min, a_max, length);
+      if (memcmp(a_min, a_max, length) > 0)
+        return 0;
+    }
+  }
  return 1;
 }
@@ -885,7 +923,7 @@ int v3_addr_canonize(IPAddrBlocks *addr)
                                    v3_addr_get_afi(f)))
      return 0;
  }
-  sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
+  (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
  sk_IPAddressFamily_sort(addr);
  OPENSSL_assert(v3_addr_is_canonical(addr));
  return 1;
@@ -1017,6 +1055,11 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
        X509V3_conf_err(val);
        goto err;
      }
+      if (memcmp(min, max, length_from_afi(afi)) > 0) {
+        X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
+        X509V3_conf_err(val);
+        goto err;
+      }
      if (!v3_addr_add_range(addr, afi, safi, min, max)) {
        X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
        goto err;
@@ -1102,13 +1145,15 @@ static int addr_contains(IPAddressOrRanges *parent,
  p = 0;
  for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
-    extract_min_max(sk_IPAddressOrRange_value(child, c),
+    if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
-                    c_min, c_max, length);
+                         c_min, c_max, length))
+      return -1;
    for (;; p++) {
      if (p >= sk_IPAddressOrRange_num(parent))
        return 0;
-      extract_min_max(sk_IPAddressOrRange_value(parent, p),
+      if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
-                      p_min, p_max, length);
+                           p_min, p_max, length))
+        return 0;
      if (memcmp(p_max, c_max, length) < 0)
        continue;
      if (memcmp(p_min, c_min, length) > 0)
@@ -1130,7 +1175,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
    return 1;
  if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
    return 0;
-  sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
+  (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
  for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
    IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
    int j = sk_IPAddressFamily_find(b, fa);
@@ -1195,7 +1240,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
  }
  if (!v3_addr_is_canonical(ext))
    validation_err(X509_V_ERR_INVALID_EXTENSION);
-  sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
+  (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
  if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
    X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
    ret = 0;
@@ -1221,7 +1266,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
      }
      continue;
    }
-    sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
+    (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
    for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
      IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
      int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
author	djm <>	2012-01-05 23:01:39 +0000
committer	djm <>	2012-01-05 23:01:39 +0000
commit	f48d9d4a955d7e4c1c692099ab67e1dbfeb51137 (patch)
tree	866512933d8f0c1ea5465d0169915b36c1ca3cae /src/lib/libcrypto/x509v3/v3_addr.c
parent	35dadfe897866818c3fd0350efefc5caae349fb6 (diff)
download	openbsd-f48d9d4a955d7e4c1c692099ab67e1dbfeb51137.tar.gz openbsd-f48d9d4a955d7e4c1c692099ab67e1dbfeb51137.tar.bz2 openbsd-f48d9d4a955d7e4c1c692099ab67e1dbfeb51137.zip

diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c index 0d70e8696d..df46a4983b 100644 --- a/src/lib/libcrypto/x509v3/v3_addr.c +++ b/src/lib/libcrypto/x509v3/v3_addr.c
@@ -142,12 +142,13 @@ unsigned int v3_addr_get_afi(const IPAddressFamily *f)
142	* Expand the bitstring form of an address into a raw byte array.	142	* Expand the bitstring form of an address into a raw byte array.
143	* At the moment this is coded for simplicity, not speed.	143	* At the moment this is coded for simplicity, not speed.
144	*/	144	*/
145	static void addr_expand(unsigned char *addr,	145	static int addr_expand(unsigned char *addr,
146	const ASN1_BIT_STRING *bs,	146	const ASN1_BIT_STRING *bs,
147	const int length,	147	const int length,
148	const unsigned char fill)	148	const unsigned char fill)
149	{	149	{
150	OPENSSL_assert(bs->length >= 0 && bs->length <= length);	150	if (bs->length < 0 \|\| bs->length > length)
		151	return 0;
151	if (bs->length > 0) {	152	if (bs->length > 0) {
152	memcpy(addr, bs->data, bs->length);	153	memcpy(addr, bs->data, bs->length);
153	if ((bs->flags & 7) != 0) {	154	if ((bs->flags & 7) != 0) {
@@ -159,6 +160,7 @@ static void addr_expand(unsigned char *addr,
159	}	160	}
160	}	161	}
161	memset(addr + bs->length, fill, length - bs->length);	162	memset(addr + bs->length, fill, length - bs->length);
		163	return 1;
162	}	164	}
163		165
164	/*	166	/*
@@ -181,15 +183,13 @@ static int i2r_address(BIO *out,
181	return 0;	183	return 0;
182	switch (afi) {	184	switch (afi) {
183	case IANA_AFI_IPV4:	185	case IANA_AFI_IPV4:
184	if (bs->length > 4)	186	if (!addr_expand(addr, bs, 4, fill))
185	return 0;	187	return 0;
186	addr_expand(addr, bs, 4, fill);
187	BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);	188	BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
188	break;	189	break;
189	case IANA_AFI_IPV6:	190	case IANA_AFI_IPV6:
190	if (bs->length > 16)	191	if (!addr_expand(addr, bs, 16, fill))
191	return 0;	192	return 0;
192	addr_expand(addr, bs, 16, fill);
193	for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)	193	for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
194	;	194	;
195	for (i = 0; i < n; i += 2)	195	for (i = 0; i < n; i += 2)
@@ -315,6 +315,12 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
315	/*	315	/*
316	* Sort comparison function for a sequence of IPAddressOrRange	316	* Sort comparison function for a sequence of IPAddressOrRange
317	* elements.	317	* elements.
		318	*
		319	* There's no sane answer we can give if addr_expand() fails, and an
		320	* assertion failure on externally supplied data is seriously uncool,
		321	* so we just arbitrarily declare that if given invalid inputs this
		322	* function returns -1. If this messes up your preferred sort order
		323	* for garbage input, tough noogies.
318	*/	324	*/
319	static int IPAddressOrRange_cmp(const IPAddressOrRange *a,	325	static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
320	const IPAddressOrRange *b,	326	const IPAddressOrRange *b,
@@ -326,22 +332,26 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
326		332
327	switch (a->type) {	333	switch (a->type) {
328	case IPAddressOrRange_addressPrefix:	334	case IPAddressOrRange_addressPrefix:
329	addr_expand(addr_a, a->u.addressPrefix, length, 0x00);	335	if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
		336	return -1;
330	prefixlen_a = addr_prefixlen(a->u.addressPrefix);	337	prefixlen_a = addr_prefixlen(a->u.addressPrefix);
331	break;	338	break;
332	case IPAddressOrRange_addressRange:	339	case IPAddressOrRange_addressRange:
333	addr_expand(addr_a, a->u.addressRange->min, length, 0x00);	340	if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
		341	return -1;
334	prefixlen_a = length * 8;	342	prefixlen_a = length * 8;
335	break;	343	break;
336	}	344	}
337		345
338	switch (b->type) {	346	switch (b->type) {
339	case IPAddressOrRange_addressPrefix:	347	case IPAddressOrRange_addressPrefix:
340	addr_expand(addr_b, b->u.addressPrefix, length, 0x00);	348	if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
		349	return -1;
341	prefixlen_b = addr_prefixlen(b->u.addressPrefix);	350	prefixlen_b = addr_prefixlen(b->u.addressPrefix);
342	break;	351	break;
343	case IPAddressOrRange_addressRange:	352	case IPAddressOrRange_addressRange:
344	addr_expand(addr_b, b->u.addressRange->min, length, 0x00);	353	if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
		354	return -1;
345	prefixlen_b = length * 8;	355	prefixlen_b = length * 8;
346	break;	356	break;
347	}	357	}
@@ -383,6 +393,7 @@ static int range_should_be_prefix(const unsigned char *min,
383	unsigned char mask;	393	unsigned char mask;
384	int i, j;	394	int i, j;
385		395
		396	OPENSSL_assert(memcmp(min, max, length) <= 0);
386	for (i = 0; i < length && min[i] == max[i]; i++)	397	for (i = 0; i < length && min[i] == max[i]; i++)
387	;	398	;
388	for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)	399	for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
@@ -601,10 +612,10 @@ static IPAddressOrRanges make_prefix_or_range(IPAddrBlocks addr,
601	return NULL;	612	return NULL;
602	switch (afi) {	613	switch (afi) {
603	case IANA_AFI_IPV4:	614	case IANA_AFI_IPV4:
604	sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);	615	(void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
605	break;	616	break;
606	case IANA_AFI_IPV6:	617	case IANA_AFI_IPV6:
607	sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);	618	(void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
608	break;	619	break;
609	}	620	}
610	f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;	621	f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
@@ -656,22 +667,22 @@ int v3_addr_add_range(IPAddrBlocks *addr,
656	/*	667	/*
657	* Extract min and max values from an IPAddressOrRange.	668	* Extract min and max values from an IPAddressOrRange.
658	*/	669	*/
659	static void extract_min_max(IPAddressOrRange *aor,	670	static int extract_min_max(IPAddressOrRange *aor,
660	unsigned char *min,	671	unsigned char *min,
661	unsigned char *max,	672	unsigned char *max,
662	int length)	673	int length)
663	{	674	{
664	OPENSSL_assert(aor != NULL && min != NULL && max != NULL);	675	if (aor == NULL \|\| min == NULL \|\| max == NULL)
		676	return 0;
665	switch (aor->type) {	677	switch (aor->type) {
666	case IPAddressOrRange_addressPrefix:	678	case IPAddressOrRange_addressPrefix:
667	addr_expand(min, aor->u.addressPrefix, length, 0x00);	679	return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
668	addr_expand(max, aor->u.addressPrefix, length, 0xFF);	680	addr_expand(max, aor->u.addressPrefix, length, 0xFF));
669	return;
670	case IPAddressOrRange_addressRange:	681	case IPAddressOrRange_addressRange:
671	addr_expand(min, aor->u.addressRange->min, length, 0x00);	682	return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
672	addr_expand(max, aor->u.addressRange->max, length, 0xFF);	683	addr_expand(max, aor->u.addressRange->max, length, 0xFF));
673	return;
674	}	684	}
		685	return 0;
675	}	686	}
676		687
677	/*	688	/*
@@ -687,9 +698,10 @@ int v3_addr_get_range(IPAddressOrRange *aor,
687	if (aor == NULL \|\| min == NULL \|\| max == NULL \|\|	698	if (aor == NULL \|\| min == NULL \|\| max == NULL \|\|
688	afi_length == 0 \|\| length < afi_length \|\|	699	afi_length == 0 \|\| length < afi_length \|\|
689	(aor->type != IPAddressOrRange_addressPrefix &&	700	(aor->type != IPAddressOrRange_addressPrefix &&
690	aor->type != IPAddressOrRange_addressRange))	701	aor->type != IPAddressOrRange_addressRange) \|\|
		702	!extract_min_max(aor, min, max, afi_length))
691	return 0;	703	return 0;
692	extract_min_max(aor, min, max, afi_length);	704
693	return afi_length;	705	return afi_length;
694	}	706	}
695		707
@@ -771,8 +783,9 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
771	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);	783	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
772	IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);	784	IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
773		785
774	extract_min_max(a, a_min, a_max, length);	786	if (!extract_min_max(a, a_min, a_max, length) \|\|
775	extract_min_max(b, b_min, b_max, length);	787	!extract_min_max(b, b_min, b_max, length))
		788	return 0;
776		789
777	/*	790	/*
778	* Punt misordered list, overlapping start, or inverted range.	791	* Punt misordered list, overlapping start, or inverted range.
@@ -800,14 +813,17 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
800	}	813	}
801		814
802	/*	815	/*
803	* Check final range to see if it should be a prefix.	816	* Check range to see if it's inverted or should be a
		817	* prefix.
804	*/	818	*/
805	j = sk_IPAddressOrRange_num(aors) - 1;	819	j = sk_IPAddressOrRange_num(aors) - 1;
806	{	820	{
807	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);	821	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
808	if (a->type == IPAddressOrRange_addressRange) {	822	if (a != NULL && a->type == IPAddressOrRange_addressRange) {
809	extract_min_max(a, a_min, a_max, length);	823	if (!extract_min_max(a, a_min, a_max, length))
810	if (range_should_be_prefix(a_min, a_max, length) >= 0)	824	return 0;
		825	if (memcmp(a_min, a_max, length) > 0 \|\|
		826	range_should_be_prefix(a_min, a_max, length) >= 0)
811	return 0;	827	return 0;
812	}	828	}
813	}	829	}
@@ -841,8 +857,16 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
841	unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];	857	unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
842	unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];	858	unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
843		859
844	extract_min_max(a, a_min, a_max, length);	860	if (!extract_min_max(a, a_min, a_max, length) \|\|
845	extract_min_max(b, b_min, b_max, length);	861	!extract_min_max(b, b_min, b_max, length))
		862	return 0;
		863
		864	/*
		865	* Punt inverted ranges.
		866	*/
		867	if (memcmp(a_min, a_max, length) > 0 \|\|
		868	memcmp(b_min, b_max, length) > 0)
		869	return 0;
846		870
847	/*	871	/*
848	* Punt overlaps.	872	* Punt overlaps.
@@ -860,8 +884,8 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
860	IPAddressOrRange *merged;	884	IPAddressOrRange *merged;
861	if (!make_addressRange(&merged, a_min, b_max, length))	885	if (!make_addressRange(&merged, a_min, b_max, length))
862	return 0;	886	return 0;
863	sk_IPAddressOrRange_set(aors, i, merged);	887	(void) sk_IPAddressOrRange_set(aors, i, merged);
864	sk_IPAddressOrRange_delete(aors, i + 1);	888	(void) sk_IPAddressOrRange_delete(aors, i + 1);
865	IPAddressOrRange_free(a);	889	IPAddressOrRange_free(a);
866	IPAddressOrRange_free(b);	890	IPAddressOrRange_free(b);
867	--i;	891	--i;
@@ -869,6 +893,20 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
869	}	893	}
870	}	894	}
871		895
		896	/*
		897	* Check for inverted final range.
		898	*/
		899	j = sk_IPAddressOrRange_num(aors) - 1;
		900	{
		901	IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
		902	if (a != NULL && a->type == IPAddressOrRange_addressRange) {
		903	unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
		904	extract_min_max(a, a_min, a_max, length);
		905	if (memcmp(a_min, a_max, length) > 0)
		906	return 0;
		907	}
		908	}
		909
872	return 1;	910	return 1;
873	}	911	}
874		912
@@ -885,7 +923,7 @@ int v3_addr_canonize(IPAddrBlocks *addr)
885	v3_addr_get_afi(f)))	923	v3_addr_get_afi(f)))
886	return 0;	924	return 0;
887	}	925	}
888	sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);	926	(void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
889	sk_IPAddressFamily_sort(addr);	927	sk_IPAddressFamily_sort(addr);
890	OPENSSL_assert(v3_addr_is_canonical(addr));	928	OPENSSL_assert(v3_addr_is_canonical(addr));
891	return 1;	929	return 1;
@@ -1017,6 +1055,11 @@ static void v2i_IPAddrBlocks(const struct v3_ext_method method,
1017	X509V3_conf_err(val);	1055	X509V3_conf_err(val);
1018	goto err;	1056	goto err;
1019	}	1057	}
		1058	if (memcmp(min, max, length_from_afi(afi)) > 0) {
		1059	X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
		1060	X509V3_conf_err(val);
		1061	goto err;
		1062	}
1020	if (!v3_addr_add_range(addr, afi, safi, min, max)) {	1063	if (!v3_addr_add_range(addr, afi, safi, min, max)) {
1021	X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);	1064	X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1022	goto err;	1065	goto err;
@@ -1102,13 +1145,15 @@ static int addr_contains(IPAddressOrRanges *parent,
1102		1145
1103	p = 0;	1146	p = 0;
1104	for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {	1147	for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1105	extract_min_max(sk_IPAddressOrRange_value(child, c),	1148	if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1106	c_min, c_max, length);	1149	c_min, c_max, length))
		1150	return -1;
1107	for (;; p++) {	1151	for (;; p++) {
1108	if (p >= sk_IPAddressOrRange_num(parent))	1152	if (p >= sk_IPAddressOrRange_num(parent))
1109	return 0;	1153	return 0;
1110	extract_min_max(sk_IPAddressOrRange_value(parent, p),	1154	if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
1111	p_min, p_max, length);	1155	p_min, p_max, length))
		1156	return 0;
1112	if (memcmp(p_max, c_max, length) < 0)	1157	if (memcmp(p_max, c_max, length) < 0)
1113	continue;	1158	continue;
1114	if (memcmp(p_min, c_min, length) > 0)	1159	if (memcmp(p_min, c_min, length) > 0)
@@ -1130,7 +1175,7 @@ int v3_addr_subset(IPAddrBlocks a, IPAddrBlocks b)
1130	return 1;	1175	return 1;
1131	if (b == NULL \|\| v3_addr_inherits(a) \|\| v3_addr_inherits(b))	1176	if (b == NULL \|\| v3_addr_inherits(a) \|\| v3_addr_inherits(b))
1132	return 0;	1177	return 0;
1133	sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);	1178	(void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1134	for (i = 0; i < sk_IPAddressFamily_num(a); i++) {	1179	for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1135	IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);	1180	IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1136	int j = sk_IPAddressFamily_find(b, fa);	1181	int j = sk_IPAddressFamily_find(b, fa);
@@ -1195,7 +1240,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
1195	}	1240	}
1196	if (!v3_addr_is_canonical(ext))	1241	if (!v3_addr_is_canonical(ext))
1197	validation_err(X509_V_ERR_INVALID_EXTENSION);	1242	validation_err(X509_V_ERR_INVALID_EXTENSION);
1198	sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);	1243	(void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1199	if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {	1244	if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1200	X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);	1245	X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
1201	ret = 0;	1246	ret = 0;
@@ -1221,7 +1266,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
1221	}	1266	}
1222	continue;	1267	continue;
1223	}	1268	}
1224	sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);	1269	(void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
1225	for (j = 0; j < sk_IPAddressFamily_num(child); j++) {	1270	for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1226	IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);	1271	IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1227	int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);	1272	int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);