From 7db6eebe2275424b4cc5d4a0e511766614000000 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 5 Jan 2022 07:28:41 +0000
Subject: Fix a bug in addr_contains() introduced in OpenSSL commit be71c372 by
 returning 0 instead of -1 on extract_min_max() failure. Callers would
 interpret -1 as success of addr_contains().

ok inoguchi jsing
---
 src/lib/libcrypto/x509/x509_addr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index edb85f3493..92d540dbe5 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_addr.c,v 1.58 2022/01/04 20:52:34 tb Exp $ */
+/*	$OpenBSD: x509_addr.c,v 1.59 2022/01/05 07:28:41 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -1648,7 +1648,7 @@ addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length)
 	for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
 		if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
 		    c_min, c_max, length))
-			return -1;
+			return 0;
 		for (;; p++) {
 			if (p >= sk_IPAddressOrRange_num(parent))
 				return 0;
-- 
cgit v1.2.3-55-g6feb