1 files changed, 12 insertions, 1 deletions

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 08f2f74097..c6a01faa83 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.297 2022/07/20 13:57:49 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.298 2022/07/20 14:08:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -162,6 +162,7 @@
 #include "dtls_locl.h"
 #include "ssl_locl.h"
 #include "ssl_sigalgs.h"
+#include "ssl_tlsext.h"
 
 const char *SSL_version_str = OPENSSL_VERSION_TEXT;
 
@@ -1771,6 +1772,11 @@ SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
 
         CBS_init(&cbs, protos, protos_len);
 
+        if (protos_len > 0) {
+                if (!tlsext_alpn_check_format(&cbs))
+                        goto err;
+        }
+
         if (!CBS_stow(&cbs, &ctx->internal->alpn_client_proto_list,
             &ctx->internal->alpn_client_proto_list_len))
                 goto err;
@@ -1799,6 +1805,11 @@ SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
 
         CBS_init(&cbs, protos, protos_len);
 
+        if (protos_len > 0) {
+                if (!tlsext_alpn_check_format(&cbs))
+                        goto err;
+        }
+
         if (!CBS_stow(&cbs, &ssl->internal->alpn_client_proto_list,
             &ssl->internal->alpn_client_proto_list_len))
                 goto err;