1 files changed, 34 insertions, 3 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index f628009eaa..266562fd9a 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.21 2021/12/23 23:41:26 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.22 2021/12/23 23:48:38 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -60,6 +60,7 @@
 * Implementation of RFC 3779 section 2.2.
 */
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -1216,14 +1217,44 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
                 * the other input values.
                 */
                if (safi != NULL) {
-                        *safi = strtoul(val->value, &t, 0);
+                        unsigned long parsed_safi;
+                        int saved_errno = errno;
+                        errno = 0;
+                        parsed_safi = strtoul(val->value, &t, 0);
+                        /* Value must be present, then a tab, space or colon. */
+                        if (val->value[0] == '\0' ||
+                            (*t != '\t' && *t != ' ' && *t != ':')) {
+                                X509V3error(X509V3_R_INVALID_SAFI);
+                                X509V3_conf_err(val);
+                                goto err;
+                        }
+                        /* Range and overflow check. */
+                        if ((errno == ERANGE && parsed_safi == ULONG_MAX) ||
+                            parsed_safi > 0xFF) {
+                                X509V3error(X509V3_R_INVALID_SAFI);
+                                X509V3_conf_err(val);
+                                goto err;
+                        }
+                        errno = saved_errno;
+                        *safi = parsed_safi;
+                        /* Check possible whitespace is followed by a colon. */
                        t += strspn(t, " \t");
-                        if (*safi > 0xFF || *t++ != ':') {
+                        if (*t != ':') {
                                X509V3error(X509V3_R_INVALID_SAFI);
                                X509V3_conf_err(val);
                                goto err;
                        }
+                        /* Skip over colon. */
+                        t++;
+                        /* Then over any trailing whitespace. */
                        t += strspn(t, " \t");
                        s = strdup(t);
                } else {
                        s = strdup(val->value);

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index f628009eaa..266562fd9a 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_addr.c,v 1.21 2021/12/23 23:41:26 tb Exp $ */	1	/* $OpenBSD: x509_addr.c,v 1.22 2021/12/23 23:48:38 tb Exp $ */
2	/*	2	/*
3	* Contributed to the OpenSSL Project by the American Registry for	3	* Contributed to the OpenSSL Project by the American Registry for
4	* Internet Numbers ("ARIN").	4	* Internet Numbers ("ARIN").
@@ -60,6 +60,7 @@
60	* Implementation of RFC 3779 section 2.2.	60	* Implementation of RFC 3779 section 2.2.
61	*/	61	*/
62		62
		63	#include <limits.h>
63	#include <stdio.h>	64	#include <stdio.h>
64	#include <stdlib.h>	65	#include <stdlib.h>
65	#include <string.h>	66	#include <string.h>
@@ -1216,14 +1217,44 @@ v2i_IPAddrBlocks(const struct v3_ext_method method, struct v3_ext_ctx ctx,
1216	* the other input values.	1217	* the other input values.
1217	*/	1218	*/
1218	if (safi != NULL) {	1219	if (safi != NULL) {
1219	*safi = strtoul(val->value, &t, 0);	1220	unsigned long parsed_safi;
		1221	int saved_errno = errno;
		1222
		1223	errno = 0;
		1224	parsed_safi = strtoul(val->value, &t, 0);
		1225
		1226	/* Value must be present, then a tab, space or colon. */
		1227	if (val->value[0] == '\0' \|\|
		1228	(t != '\t' && t != ' ' && *t != ':')) {
		1229	X509V3error(X509V3_R_INVALID_SAFI);
		1230	X509V3_conf_err(val);
		1231	goto err;
		1232	}
		1233	/* Range and overflow check. */
		1234	if ((errno == ERANGE && parsed_safi == ULONG_MAX) \|\|
		1235	parsed_safi > 0xFF) {
		1236	X509V3error(X509V3_R_INVALID_SAFI);
		1237	X509V3_conf_err(val);
		1238	goto err;
		1239	}
		1240	errno = saved_errno;
		1241
		1242	*safi = parsed_safi;
		1243
		1244	/* Check possible whitespace is followed by a colon. */
1220	t += strspn(t, " \t");	1245	t += strspn(t, " \t");
1221	if (safi > 0xFF \|\| t++ != ':') {	1246	if (*t != ':') {
1222	X509V3error(X509V3_R_INVALID_SAFI);	1247	X509V3error(X509V3_R_INVALID_SAFI);
1223	X509V3_conf_err(val);	1248	X509V3_conf_err(val);
1224	goto err;	1249	goto err;
1225	}	1250	}
		1251
		1252	/* Skip over colon. */
		1253	t++;
		1254
		1255	/* Then over any trailing whitespace. */
1226	t += strspn(t, " \t");	1256	t += strspn(t, " \t");
		1257
1227	s = strdup(t);	1258	s = strdup(t);
1228	} else {	1259	} else {
1229	s = strdup(val->value);	1260	s = strdup(val->value);