v3_addr_canonize() mistakenly assumes that the comparison function
has already been set. IPAddrBlocks objects constructed by the decoder
do have the comparison function set, but it's possible for a program
to construct IPAddrBlocks for which the assumption is incorrect, which
can trigger a core dump.


--- crypto/x509v3/v3_addr.c.~1~ 2007-01-21 09:00:24.000000000 -0500
+++ crypto/x509v3/v3_addr.c 2008-10-06 12:19:08.000000000 -0400
@@ -869,22 +869,23 @@
*/
int v3_addr_canonize(IPAddrBlocks *addr)
{
int i;
for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {
IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);
if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges &&
!IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges,
v3_addr_get_afi(f)))
return 0;
}
+ sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
sk_IPAddressFamily_sort(addr);
assert(v3_addr_is_canonical(addr));
return 1;
}

/*
* v2i handler for the IPAddrBlocks extension.
*/
static void *v2i_IPAddrBlocks(struct v3_ext_method *method,
struct v3_ext_ctx *ctx,
STACK_OF(CONF_VALUE) *values)
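Review bot: The `assert(v3_addr_is_canonical(addr));` that follows the added `sk_IPAddressFamily_set_cmp_func` call is still the only check on the sorted result. It is compiled out under NDEBUG, and otherwise a caller-built block that is not canonical aborts the process instead of failing the call. Since the description says programs can construct IPAddrBlocks that never went through the decoder, returning an error fits the function's existing 0/1 contract better: `if (!v3_addr_is_canonical(addr)) return 0;`. The loop above also dereferences `f->ipAddressChoice` without a NULL check, which presumably holds for decoded objects but may not for hand-built ones, so it is worth confirming. The `v2i_IPAddrBlocks` definition at the end of the hunk continues outside it.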
