From 0e99290a277d63a8358a221e9ab15b6adc2bc55b Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 4 Jan 2022 20:33:02 +0000
Subject: Only check the parent to be canonical once we know it is non-NULL.

suggested by jsing during review
---
 src/lib/libcrypto/x509/x509_addr.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
(limited to 'src/lib')

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index e80ba35661..0b735c3bc5 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_addr.c,v 1.55 2022/01/04 20:30:30 tb Exp $ */
+/* $OpenBSD: x509_addr.c,v 1.56 2022/01/04 20:33:02 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -1763,12 +1763,8 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 */
 for (i++; i < sk_X509_num(chain); i++) {
 x = sk_X509_value(chain, i);
- parent = x->rfc3779_addr;
- if (!X509v3_addr_is_canonical(parent))
- validation_err(X509_V_ERR_INVALID_EXTENSION);
-
- if (parent == NULL) {
+ if ((parent = x->rfc3779_addr) == NULL) {
 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
 fc = sk_IPAddressFamily_value(child, j);
@@ -1780,6 +1776,9 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 continue;
 }
+ if (!X509v3_addr_is_canonical(parent))
+ validation_err(X509_V_ERR_INVALID_EXTENSION);
+ sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp);
 /*
--
cgit v1.2.3-55-g6feb
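Review bot: The relocated canonical check in the last hunk reports failure through `validation_err`, whose definition is outside the hunk, so the diff does not show whether control leaves the loop at that point. If the macro lets a verify callback override the error and continue (worth confirming against its definition), the code falls through to `sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp)` and whatever follows it with a parent already known not to be canonical. A comment above the check would make that explicit, for example `/* If the callback overrides this error, parent is not canonical below. */`. The loop body of addr_validate_path_internal continues past the end of the hunk, so what the later code requires of parent cannot be judged from here.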