Check AFI/SAFI before comparing them in X509v3_addr_is_canonical()

As mentioned in a previous commit, IPAddressFamily_cmp() can't really
check for trailing garbage in addressFamily->data. Since the path
validation and hence the X.509 validator call X509v3_addr_is_canonical(),
this deals with only partially validated data.

ok jsing

1 files changed, 8 insertions, 1 deletions

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 5f31d7307f..242d1b4982 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.41 2021/12/28 20:07:17 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.42 2021/12/28 20:44:56 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -1092,6 +1092,13 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr)
         for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) {
                 const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i);
                 const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1);
+
+                /* Check that both have valid AFIs before comparing them. */
+                if (X509v3_addr_get_afi(a) == 0)
+                        return 0;
+                if (X509v3_addr_get_afi(b) == 0)
+                        return 0;
+
                 if (IPAddressFamily_cmp(&a, &b) >= 0)
                         return 0;
         }