From d06fd3068d2b8bb4dc68ed93f43de63065b4a558 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 28 Dec 2021 20:58:05 +0000
Subject: Validate AFIs before sorting in X509v3_adr_canonize()

Again, we're dealing with necessarily not fully validated data here, so a check up front seems prudent.

ok jsing
---
 src/lib/libcrypto/x509/x509_addr.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 3686d6a823..225f961002 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_addr.c,v 1.43 2021/12/28 20:50:37 tb Exp $ */
+/* $OpenBSD: x509_addr.c,v 1.44 2021/12/28 20:58:05 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -1274,10 +1274,16 @@ IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
 int
 X509v3_addr_canonize(IPAddrBlocks *addr)
 {
+ unsigned int afi;
 int i;
 
 for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
 IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
+
+ /* Check AFI/SAFI here - IPAddressFamily_cmp() can't error. */
+ if ((afi = X509v3_addr_get_afi(f)) == 0)
+ return 0;
+
 if (f->ipAddressChoice->type ==
 IPAddressChoice_addressesOrRanges &&
 !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,
--
cgit v1.2.3-55-g6feb
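Review bot: The `afi` value validated by the new check in `X509v3_addr_canonize()` has no visible use after `if ((afi = X509v3_addr_get_afi(f)) == 0)`; the second argument of the `IPAddressOrRanges_canonize()` call lies past the end of the hunk and, since the diffstat records only the RCS-id deletion, is unchanged by this commit. If that argument still re-derives the AFI from `f`, passing `afi` there would make the checked value the one actually used and drop the duplicate call. The comment says "AFI/SAFI" while the visible check only fetches the AFI, so it would be more accurate as `/* Reject families whose AFI cannot be extracted - IPAddressFamily_cmp() can't error. */`. The loop also dereferences `f->ipAddressChoice` right after the check; whether the helper guarantees that pointer is non-NULL is not visible here and is worth confirming, given the commit message's point about not fully validated data. The function body continues outside the hunk.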