1 files changed, 26 insertions, 13 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index a0c73bdee5..244eea1f23 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.31 2021/12/28 16:05:23 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.32 2021/12/28 16:10:47 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -764,25 +764,32 @@ static IPAddressFamily *
 make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
    const unsigned *safi)
 {
-        IPAddressFamily *f;
+        IPAddressFamily *f = NULL;
-        unsigned char key[3];
+        CBB cbb;
-        int keylen;
+        CBS cbs;
+        uint8_t *key = NULL;
+        size_t keylen;
        int i;
-        key[0] = (afi >> 8) & 0xFF;
+        if (!CBB_init(&cbb, 0))
-        key[1] = afi & 0xFF;
+                goto err;
+        if (!CBB_add_u16(&cbb, afi))
+                goto err;
        if (safi != NULL) {
-                key[2] = *safi & 0xFF;
+                if (!CBB_add_u8(&cbb, *safi))
-                keylen = 3;
+                        goto err;
-        } else {
-                keylen = 2;
        }
+        if (!CBB_finish(&cbb, &key, &keylen))
+                goto err;
        for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
                f = sk_IPAddressFamily_value(addr, i);
-                if (f->addressFamily->length == keylen &&
-                    !memcmp(f->addressFamily->data, key, keylen))
+                CBS_init(&cbs, f->addressFamily->data, f->addressFamily->length);
-                        return f;
+                if (CBS_mem_equal(&cbs, key, keylen))
+                        goto done;
        }
        if ((f = IPAddressFamily_new()) == NULL)
@@ -792,10 +799,16 @@ make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
        if (!sk_IPAddressFamily_push(addr, f))
                goto err;
+ done:
+        free(key);
        return f;
 err:
+        CBB_cleanup(&cbb);
+        free(key);
        IPAddressFamily_free(f);
        return NULL;
 }

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index a0c73bdee5..244eea1f23 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_addr.c,v 1.31 2021/12/28 16:05:23 tb Exp $ */	1	/* $OpenBSD: x509_addr.c,v 1.32 2021/12/28 16:10:47 tb Exp $ */
2	/*	2	/*
3	* Contributed to the OpenSSL Project by the American Registry for	3	* Contributed to the OpenSSL Project by the American Registry for
4	* Internet Numbers ("ARIN").	4	* Internet Numbers ("ARIN").
@@ -764,25 +764,32 @@ static IPAddressFamily *
764	make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,	764	make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
765	const unsigned *safi)	765	const unsigned *safi)
766	{	766	{
767	IPAddressFamily *f;	767	IPAddressFamily *f = NULL;
768	unsigned char key[3];	768	CBB cbb;
769	int keylen;	769	CBS cbs;
		770	uint8_t *key = NULL;
		771	size_t keylen;
770	int i;	772	int i;
771		773
772	key[0] = (afi >> 8) & 0xFF;	774	if (!CBB_init(&cbb, 0))
773	key[1] = afi & 0xFF;	775	goto err;
		776
		777	if (!CBB_add_u16(&cbb, afi))
		778	goto err;
774	if (safi != NULL) {	779	if (safi != NULL) {
775	key[2] = *safi & 0xFF;	780	if (!CBB_add_u8(&cbb, *safi))
776	keylen = 3;	781	goto err;
777	} else {
778	keylen = 2;
779	}	782	}
780		783
		784	if (!CBB_finish(&cbb, &key, &keylen))
		785	goto err;
		786
781	for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {	787	for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
782	f = sk_IPAddressFamily_value(addr, i);	788	f = sk_IPAddressFamily_value(addr, i);
783	if (f->addressFamily->length == keylen &&	789
784	!memcmp(f->addressFamily->data, key, keylen))	790	CBS_init(&cbs, f->addressFamily->data, f->addressFamily->length);
785	return f;	791	if (CBS_mem_equal(&cbs, key, keylen))
		792	goto done;
786	}	793	}
787		794
788	if ((f = IPAddressFamily_new()) == NULL)	795	if ((f = IPAddressFamily_new()) == NULL)
@@ -792,10 +799,16 @@ make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
792	if (!sk_IPAddressFamily_push(addr, f))	799	if (!sk_IPAddressFamily_push(addr, f))
793	goto err;	800	goto err;
794		801
		802	done:
		803	free(key);
		804
795	return f;	805	return f;
796		806
797	err:	807	err:
		808	CBB_cleanup(&cbb);
		809	free(key);
798	IPAddressFamily_free(f);	810	IPAddressFamily_free(f);
		811
799	return NULL;	812	return NULL;
800	}	813	}
801		814