/usr/src/lib/libcrypto/x509/x509

Bug Summary

File:	src/lib/libcrypto/x509/x509_addr.c
Warning:	line 1895, column 16 Access to field 'rfc3779_addr' results in a dereference of a null pointer (loaded from variable 'cert')
Annotated Source Code

Press '?' to see keyboard shortcuts
Show analyzer invocation
clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name x509_addr.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libcrypto/obj -resource-dir /usr/local/lib/clang/13.0.0 -D LIBRESSL_INTERNAL -D LIBRESSL_CRYPTO_INTERNAL -D DSO_DLFCN -D HAVE_DLFCN_H -D HAVE_FUNOPEN -D OPENSSL_NO_HW_PADLOCK -I /usr/src/lib/libcrypto -I /usr/src/lib/libcrypto/asn1 -I /usr/src/lib/libcrypto/bio -I /usr/src/lib/libcrypto/bn -I /usr/src/lib/libcrypto/bytestring -I /usr/src/lib/libcrypto/dh -I /usr/src/lib/libcrypto/dsa -I /usr/src/lib/libcrypto/ec -I /usr/src/lib/libcrypto/ecdh -I /usr/src/lib/libcrypto/ecdsa -I /usr/src/lib/libcrypto/evp -I /usr/src/lib/libcrypto/hmac -I /usr/src/lib/libcrypto/modes -I /usr/src/lib/libcrypto/ocsp -I /usr/src/lib/libcrypto/rsa -I /usr/src/lib/libcrypto/x509 -I /usr/src/lib/libcrypto/obj -D AES_ASM -D BSAES_ASM -D VPAES_ASM -D OPENSSL_IA32_SSE2 -D RSA_ASM -D OPENSSL_BN_ASM_MONT -D OPENSSL_BN_ASM_MONT5 -D OPENSSL_BN_ASM_GF2m -D MD5_ASM -D GHASH_ASM -D RC4_MD5_ASM -D SHA1_ASM -D SHA256_ASM -D SHA512_ASM -D WHIRLPOOL_ASM -D OPENSSL_CPUID_OBJ -D PIC -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libcrypto/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/lib/libcrypto/x509/x509_addr.c
1/*	$OpenBSD: x509_addr.c,v 1.76 2022/01/06 14:08:15 tb Exp $ */
2/*
* Contributed to the OpenSSL Project by the American Registry for
* Internet Numbers ("ARIN").
*/
6/* ====================================================================
* Copyright (c) 2006-2016 The OpenSSL Project.  All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
*    notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
*    notice, this list of conditions and the following disclaimer in
*    the documentation and/or other materials provided with the
*    distribution.
*
* 3. All advertising materials mentioning features or use of this
*    software must display the following acknowledgment:
*    "This product includes software developed by the OpenSSL Project
*    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
*    endorse or promote products derived from this software without
*    prior written permission. For written permission, please contact
*    licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
*    nor may "OpenSSL" appear in their names without prior written
*    permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
*    acknowledgment:
*    "This product includes software developed by the OpenSSL Project
*    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com).  This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*/

59/*
* Implementation of RFC 3779 section 2.2.
*/

63#include <limits.h>
64#include <stdio.h>
65#include <stdlib.h>
66#include <string.h>

68#include <openssl/asn1.h>
69#include <openssl/asn1t.h>
70#include <openssl/buffer.h>
71#include <openssl/conf.h>
72#include <openssl/err.h>
73#include <openssl/x509.h>
74#include <openssl/x509v3.h>

76#include "bytestring.h"
77#include "x509_lcl.h"

79#ifndef OPENSSL_NO_RFC3779

81/*
* OpenSSL ASN.1 template translation of RFC 3779 2.2.3.
*/

85static const ASN1_TEMPLATE IPAddressRange_seq_tt[] = {
{
.flags = 0,
.tag = 0,
.offset = offsetof(IPAddressRange, min)__builtin_offsetof(IPAddressRange, min),
.field_name = "min",
.item = &ASN1_BIT_STRING_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(IPAddressRange, max)__builtin_offsetof(IPAddressRange, max),
.field_name = "max",
.item = &ASN1_BIT_STRING_it,
},
100};

102const ASN1_ITEM IPAddressRange_it = {
.itype = ASN1_ITYPE_SEQUENCE0x1,
.utype = V_ASN1_SEQUENCE16,
.templates = IPAddressRange_seq_tt,
.tcount = sizeof(IPAddressRange_seq_tt) / sizeof(ASN1_TEMPLATE),
.funcs = NULL((void*)0),
.size = sizeof(IPAddressRange),
.sname = "IPAddressRange",
110};

112static const ASN1_TEMPLATE IPAddressOrRange_ch_tt[] = {
{
.flags = 0,
.tag = 0,
.offset = offsetof(IPAddressOrRange, u.addressPrefix)__builtin_offsetof(IPAddressOrRange, u.addressPrefix),
.field_name = "u.addressPrefix",
.item = &ASN1_BIT_STRING_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(IPAddressOrRange, u.addressRange)__builtin_offsetof(IPAddressOrRange, u.addressRange),
.field_name = "u.addressRange",
.item = &IPAddressRange_it,
},
127};

129const ASN1_ITEM IPAddressOrRange_it = {
.itype = ASN1_ITYPE_CHOICE0x2,
.utype = offsetof(IPAddressOrRange, type)__builtin_offsetof(IPAddressOrRange, type),
.templates = IPAddressOrRange_ch_tt,
.tcount = sizeof(IPAddressOrRange_ch_tt) / sizeof(ASN1_TEMPLATE),
.funcs = NULL((void*)0),
.size = sizeof(IPAddressOrRange),
.sname = "IPAddressOrRange",
137};

139static const ASN1_TEMPLATE IPAddressChoice_ch_tt[] = {
{
.flags = 0,
.tag = 0,
.offset = offsetof(IPAddressChoice, u.inherit)__builtin_offsetof(IPAddressChoice, u.inherit),
.field_name = "u.inherit",
.item = &ASN1_NULL_it,
},
{
.flags = ASN1_TFLG_SEQUENCE_OF(0x2 << 1),
.tag = 0,
.offset = offsetof(IPAddressChoice, u.addressesOrRanges)__builtin_offsetof(IPAddressChoice, u.addressesOrRanges),
.field_name = "u.addressesOrRanges",
.item = &IPAddressOrRange_it,
},
154};

156const ASN1_ITEM IPAddressChoice_it = {
.itype = ASN1_ITYPE_CHOICE0x2,
.utype = offsetof(IPAddressChoice, type)__builtin_offsetof(IPAddressChoice, type),
.templates = IPAddressChoice_ch_tt,
.tcount = sizeof(IPAddressChoice_ch_tt) / sizeof(ASN1_TEMPLATE),
.funcs = NULL((void*)0),
.size = sizeof(IPAddressChoice),
.sname = "IPAddressChoice",
164};

166static const ASN1_TEMPLATE IPAddressFamily_seq_tt[] = {
{
.flags = 0,
.tag = 0,
.offset = offsetof(IPAddressFamily, addressFamily)__builtin_offsetof(IPAddressFamily, addressFamily),
.field_name = "addressFamily",
.item = &ASN1_OCTET_STRING_it,
},
{
.flags = 0,
.tag = 0,
.offset = offsetof(IPAddressFamily, ipAddressChoice)__builtin_offsetof(IPAddressFamily, ipAddressChoice),
.field_name = "ipAddressChoice",
.item = &IPAddressChoice_it,
},
181};

183const ASN1_ITEM IPAddressFamily_it = {
.itype = ASN1_ITYPE_SEQUENCE0x1,
.utype = V_ASN1_SEQUENCE16,
.templates = IPAddressFamily_seq_tt,
.tcount = sizeof(IPAddressFamily_seq_tt) / sizeof(ASN1_TEMPLATE),
.funcs = NULL((void*)0),
.size = sizeof(IPAddressFamily),
.sname = "IPAddressFamily",
191};

193static const ASN1_TEMPLATE IPAddrBlocks_item_tt = {
.flags = ASN1_TFLG_SEQUENCE_OF(0x2 << 1),
.tag = 0,
.offset = 0,
.field_name = "IPAddrBlocks",
.item = &IPAddressFamily_it,
199};

201static const ASN1_ITEM IPAddrBlocks_it = {
.itype = ASN1_ITYPE_PRIMITIVE0x0,
.utype = -1,
.templates = &IPAddrBlocks_item_tt,
.tcount = 0,
.funcs = NULL((void*)0),
.size = 0,
.sname = "IPAddrBlocks",
209};

211IPAddressRange *
212d2i_IPAddressRange(IPAddressRange **a, const unsigned char **in, long len)
213{
return (IPAddressRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
   &IPAddressRange_it);
216}

218int
219i2d_IPAddressRange(IPAddressRange *a, unsigned char **out)
220{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressRange_it);
222}

224IPAddressRange *
225IPAddressRange_new(void)
226{
return (IPAddressRange *)ASN1_item_new(&IPAddressRange_it);
228}

230void
231IPAddressRange_free(IPAddressRange *a)
232{
ASN1_item_free((ASN1_VALUE *)a, &IPAddressRange_it);
234}

236IPAddressOrRange *
237d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len)
238{
return (IPAddressOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
   &IPAddressOrRange_it);
241}

243int
244i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out)
245{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressOrRange_it);
247}

249IPAddressOrRange *
250IPAddressOrRange_new(void)
251{
return (IPAddressOrRange *)ASN1_item_new(&IPAddressOrRange_it);
253}

255void
256IPAddressOrRange_free(IPAddressOrRange *a)
257{
ASN1_item_free((ASN1_VALUE *)a, &IPAddressOrRange_it);
259}

261IPAddressChoice *
262d2i_IPAddressChoice(IPAddressChoice **a, const unsigned char **in, long len)
263{
return (IPAddressChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
   &IPAddressChoice_it);
266}

268int
269i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out)
270{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressChoice_it);
272}

274IPAddressChoice *
275IPAddressChoice_new(void)
276{
return (IPAddressChoice *)ASN1_item_new(&IPAddressChoice_it);
278}

280void
281IPAddressChoice_free(IPAddressChoice *a)
282{
ASN1_item_free((ASN1_VALUE *)a, &IPAddressChoice_it);
284}

286IPAddressFamily *
287d2i_IPAddressFamily(IPAddressFamily **a, const unsigned char **in, long len)
288{
return (IPAddressFamily *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
   &IPAddressFamily_it);
291}

293int
294i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out)
295{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressFamily_it);
297}

299IPAddressFamily *
300IPAddressFamily_new(void)
301{
return (IPAddressFamily *)ASN1_item_new(&IPAddressFamily_it);
303}

305void
306IPAddressFamily_free(IPAddressFamily *a)
307{
ASN1_item_free((ASN1_VALUE *)a, &IPAddressFamily_it);
309}

311/*
* Convenience accessors for IPAddressFamily.
*/

315static int
316IPAddressFamily_type(IPAddressFamily *af)
317{
/* XXX - can af->ipAddressChoice == NULL actually happen? */
if (af == NULL((void*)0) || af->ipAddressChoice == NULL((void*)0))
return -1;

switch (af->ipAddressChoice->type) {
case IPAddressChoice_inherit0:
case IPAddressChoice_addressesOrRanges1:
return af->ipAddressChoice->type;
default:
return -1;
}
329}

331static IPAddressOrRanges *
332IPAddressFamily_addressesOrRanges(IPAddressFamily *af)
333{
if (IPAddressFamily_type(af) == IPAddressChoice_addressesOrRanges1)
return af->ipAddressChoice->u.addressesOrRanges;

return NULL((void*)0);
338}

340static ASN1_NULL *
341IPAddressFamily_inheritance(IPAddressFamily *af)
342{
if (IPAddressFamily_type(af) == IPAddressChoice_inherit0)
return af->ipAddressChoice->u.inherit;

return NULL((void*)0);
347}

349static int
350IPAddressFamily_set_inheritance(IPAddressFamily *af)
351{
if (IPAddressFamily_addressesOrRanges(af) != NULL((void*)0))
return 0;

if (IPAddressFamily_inheritance(af) != NULL((void*)0))
return 1;

if ((af->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL((void*)0))
return 0;
af->ipAddressChoice->type = IPAddressChoice_inherit0;

return 1;
363}

365/*
* How much buffer space do we need for a raw address?
*/
368#define ADDR_RAW_BUF_LEN16        16

370/*
* What's the address length associated with this AFI?
*/
373static int
374length_from_afi(const unsigned afi)
375{
switch (afi) {
case IANA_AFI_IPV41:
return 4;
case IANA_AFI_IPV62:
return 16;
default:
return 0;
}
384}

386/*
* Get AFI and optional SAFI from an IPAddressFamily. All three out arguments
* are optional; if |out_safi| is non-NULL, |safi_is_set| must be non-NULL.
*/
390static int
391IPAddressFamily_afi_safi(const IPAddressFamily *af, uint16_t *out_afi,
  uint8_t *out_safi, int *safi_is_set)
393{
CBS cbs;
uint16_t afi;
uint8_t safi = 0;
int got_safi = 0;

CBS_init(&cbs, af->addressFamily->data, af->addressFamily->length);

if (!CBS_get_u16(&cbs, &afi))
return 0;

/* Fetch the optional SAFI. */
if (CBS_len(&cbs) != 0) {
if (!CBS_get_u8(&cbs, &safi))
	return 0;
got_safi = 1;
}

/* If there's anything left, it's garbage. */
if (CBS_len(&cbs) != 0)
return 0;

/* XXX - error on reserved AFI/SAFI? */

if (out_afi != NULL((void*)0))
*out_afi = afi;

if (out_safi != NULL((void*)0)) {
*out_safi = safi;
*safi_is_set = got_safi;
}

return 1;
426}

428static int
429IPAddressFamily_afi(const IPAddressFamily *af, uint16_t *out_afi)
430{
return IPAddressFamily_afi_safi(af, out_afi, NULL((void*)0), NULL((void*)0));
432}

434static int
435IPAddressFamily_afi_is_valid(const IPAddressFamily *af)
436{
return IPAddressFamily_afi_safi(af, NULL((void*)0), NULL((void*)0), NULL((void*)0));
438}

440static int
441IPAddressFamily_afi_length(const IPAddressFamily *af, int *out_length)
442{
uint16_t afi;

*out_length = 0;

if (!IPAddressFamily_afi(af, &afi))
return 0;

*out_length = length_from_afi(afi);

return 1;
453}

455#define MINIMUM(a, b)(((a) < (b)) ? (a) : (b)) (((a) < (b)) ? (a) : (b))

457/*
* Sort comparison function for a sequence of IPAddressFamily.
*
* The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about
* the ordering: I can read it as meaning that IPv6 without a SAFI
* comes before IPv4 with a SAFI, which seems pretty weird.  The
* examples in appendix B suggest that the author intended the
* null-SAFI rule to apply only within a single AFI, which is what I
* would have expected and is what the following code implements.
*/
467static int
468IPAddressFamily_cmp(const IPAddressFamily *const *a_,
  const IPAddressFamily *const *b_)
470{
const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
int len, cmp;

len = MINIMUM(a->length, b->length)(((a->length) < (b->length)) ? (a->length) : (b->
length));

if ((cmp = memcmp(a->data, b->data, len)) != 0)
return cmp;

return a->length - b->length;
481}

483static IPAddressFamily *
484IPAddressFamily_find_in_parent(IPAddrBlocks *parent, IPAddressFamily *child_af)
485{
int index;

sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp)((int (*)(const IPAddressFamily * const *,const IPAddressFamily
 * const *)) sk_set_cmp_func(((_STACK*) (1 ? (parent) : (struct
 stack_st_IPAddressFamily*)0)), ((int (*)(const void *, const
 void *)) ((1 ? (IPAddressFamily_cmp) : (int (*)(const IPAddressFamily
 * const *, const IPAddressFamily * const *))0)))));

if ((index = sk_IPAddressFamily_find(parent, child_af)sk_find(((_STACK*) (1 ? (parent) : (struct stack_st_IPAddressFamily
*)0)), ((void*) (1 ? (child_af) : (IPAddressFamily*)0)))) < 0)
return NULL((void*)0);

return sk_IPAddressFamily_value(parent, index)((IPAddressFamily *)sk_value(((_STACK*) (1 ? (parent) : (struct
 stack_st_IPAddressFamily*)0)), (index)));
494}

496/*
* Extract the AFI from an IPAddressFamily.
*
* This is public API. It uses the reserved AFI 0 as an in-band error
* while it doesn't care about the reserved AFI 65535...
*/
502unsigned int
503X509v3_addr_get_afi(const IPAddressFamily *af)
504{
uint16_t afi;

/*
* XXX are these NULL checks really sensible? If af is non-NULL, it
* should have both addressFamily and ipAddressChoice...
*/
if (af == NULL((void*)0) || af->addressFamily == NULL((void*)0) ||
   af->addressFamily->data == NULL((void*)0))
return 0;

if (!IPAddressFamily_afi(af, &afi))
return 0;

return afi;
519}

521/*
* Expand the bitstring form (RFC 3779, section 2.1.2) of an address into
* a raw byte array.  At the moment this is coded for simplicity, not speed.
*
* Unused bits in the last octet of |bs| and all bits in subsequent bytes
* of |addr| are set to 0 or 1 depending on whether |fill| is 0 or not.
*/
528static int
529addr_expand(unsigned char *addr, const ASN1_BIT_STRING *bs, const int length,
  uint8_t fill)
531{
if (bs->length < 0 || bs->length > length)
return 0;

if (fill != 0)
fill = 0xff;

if (bs->length > 0) {
/* XXX - shouldn't this check ASN1_STRING_FLAG_BITS_LEFT? */
uint8_t unused_bits = bs->flags & 7;
uint8_t mask = (1 << unused_bits) - 1;

memcpy(addr, bs->data, bs->length);

if (fill == 0)
	addr[bs->length - 1] &= ~mask;
else
	addr[bs->length - 1] |= mask;
}

memset(addr + bs->length, fill, length - bs->length);

return 1;
554}

556/*
* Extract the prefix length from a bitstring: 8 * length - unused bits.
*/
559#define addr_prefix_len(bs)((int) ((bs)->length * 8 - ((bs)->flags & 7))) ((int) ((bs)->length * 8 - ((bs)->flags & 7)))

561/*
* i2r handler for one address bitstring.
*/
564static int
565i2r_address(BIO *out, const unsigned afi, const unsigned char fill,
  const ASN1_BIT_STRING *bs)
567{
unsigned char addr[ADDR_RAW_BUF_LEN16];
int i, n;

if (bs->length < 0)
return 0;
switch (afi) {
case IANA_AFI_IPV41:
if (!addr_expand(addr, bs, 4, fill))
	return 0;
BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2],
    addr[3]);
break;
case IANA_AFI_IPV62:
if (!addr_expand(addr, bs, 16, fill))
	return 0;
for (n = 16;
    n > 1 && addr[n - 1] == 0x00 && addr[n - 2] == 0x00; n -= 2)
	continue;
for (i = 0; i < n; i += 2)
	BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i + 1],
	    (i < 14 ? ":" : ""));
if (i < 16)
	BIO_puts(out, ":");
if (i == 0)
	BIO_puts(out, ":");
break;
default:
for (i = 0; i < bs->length; i++)
	BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""),
	    bs->data[i]);
BIO_printf(out, "[%d]", (int)(bs->flags & 7));
break;
}
return 1;
602}

604/*
* i2r handler for a sequence of addresses and ranges.
*/
607static int
608i2r_IPAddressOrRanges(BIO *out, const int indent,
  const IPAddressOrRanges *aors, const unsigned afi)
610{
const IPAddressOrRange *aor;
const ASN1_BIT_STRING *prefix;
const IPAddressRange *range;
int i;

for (i = 0; i < sk_IPAddressOrRange_num(aors)sk_num(((_STACK*) (1 ? (aors) : (struct stack_st_IPAddressOrRange
*)0))); i++) {
aor = sk_IPAddressOrRange_value(aors, i)((IPAddressOrRange *)sk_value(((_STACK*) (1 ? (aors) : (struct
 stack_st_IPAddressOrRange*)0)), (i)));

BIO_printf(out, "%*s", indent, "");

switch (aor->type) {
case IPAddressOrRange_addressPrefix0:
	prefix = aor->u.addressPrefix;

	if (!i2r_address(out, afi, 0x00, prefix))
		return 0;
	BIO_printf(out, "/%d\n", addr_prefix_len(prefix)((int) ((prefix)->length * 8 - ((prefix)->flags & 7
))));
	continue;
case IPAddressOrRange_addressRange1:
	range = aor->u.addressRange;

	if (!i2r_address(out, afi, 0x00, range->min))
		return 0;
	BIO_puts(out, "-");
	if (!i2r_address(out, afi, 0xff, range->max))
		return 0;
	BIO_puts(out, "\n");
	continue;
}
}

return 1;
643}

645/*
* i2r handler for an IPAddrBlocks extension.
*/
648static int
649i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
  int indent)
651{
const IPAddrBlocks *addr = ext;
IPAddressFamily *af;
uint16_t afi;
uint8_t safi;
int i, safi_is_set;

for (i = 0; i < sk_IPAddressFamily_num(addr)sk_num(((_STACK*) (1 ? (addr) : (struct stack_st_IPAddressFamily
*)0))); i++) {
af = sk_IPAddressFamily_value(addr, i)((IPAddressFamily *)sk_value(((_STACK*) (1 ? (addr) : (struct
 stack_st_IPAddressFamily*)0)), (i)));

if (!IPAddressFamily_afi_safi(af, &afi, &safi, &safi_is_set))
	goto print_addresses;

switch (afi) {
case IANA_AFI_IPV41:
	BIO_printf(out, "%*sIPv4", indent, "");
	break;
case IANA_AFI_IPV62:
	BIO_printf(out, "%*sIPv6", indent, "");
	break;
default:
	BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi);
	break;
}
if (safi_is_set) {
	switch (safi) {
	case 1:
		BIO_puts(out, " (Unicast)");
		break;
	case 2:
		BIO_puts(out, " (Multicast)");
		break;
	case 3:
		BIO_puts(out, " (Unicast/Multicast)");
		break;
	case 4:
		BIO_puts(out, " (MPLS)");
		break;
	case 64:
		BIO_puts(out, " (Tunnel)");
		break;
	case 65:
		BIO_puts(out, " (VPLS)");
		break;
	case 66:
		BIO_puts(out, " (BGP MDT)");
		break;
	case 128:
		BIO_puts(out, " (MPLS-labeled VPN)");
		break;
	default:
		BIO_printf(out, " (Unknown SAFI %u)", safi);
		break;
	}
}

print_addresses:
switch (IPAddressFamily_type(af)) {
case IPAddressChoice_inherit0:
	BIO_puts(out, ": inherit\n");
	break;
case IPAddressChoice_addressesOrRanges1:
	BIO_puts(out, ":\n");
	if (!i2r_IPAddressOrRanges(out, indent + 2,
	    IPAddressFamily_addressesOrRanges(af), afi))
		return 0;
	break;
/* XXX - how should we handle -1 here? */
}
}
return 1;
722}

724/*
* Sort comparison function for a sequence of IPAddressOrRange
* elements.
*
* There's no sane answer we can give if addr_expand() fails, and an
* assertion failure on externally supplied data is seriously uncool,
* so we just arbitrarily declare that if given invalid inputs this
* function returns -1.  If this messes up your preferred sort order
* for garbage input, tough noogies.
*/
734static int
735IPAddressOrRange_cmp(const IPAddressOrRange *a, const IPAddressOrRange *b,
  const int length)
737{
unsigned char addr_a[ADDR_RAW_BUF_LEN16], addr_b[ADDR_RAW_BUF_LEN16];
int prefix_len_a = 0, prefix_len_b = 0;
int r;

switch (a->type) {
case IPAddressOrRange_addressPrefix0:
if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
	return -1;
prefix_len_a = addr_prefix_len(a->u.addressPrefix)((int) ((a->u.addressPrefix)->length * 8 - ((a->u.addressPrefix
)->flags & 7)));
break;
case IPAddressOrRange_addressRange1:
if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
	return -1;
prefix_len_a = length * 8;
break;
}

switch (b->type) {
case IPAddressOrRange_addressPrefix0:
if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
	return -1;
prefix_len_b = addr_prefix_len(b->u.addressPrefix)((int) ((b->u.addressPrefix)->length * 8 - ((b->u.addressPrefix
)->flags & 7)));
break;
case IPAddressOrRange_addressRange1:
if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
	return -1;
prefix_len_b = length * 8;
break;
}

if ((r = memcmp(addr_a, addr_b, length)) != 0)
return r;
else
return prefix_len_a - prefix_len_b;
772}

774/*
* IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort()
* comparison routines are only allowed two arguments.
*/
778static int
779v4IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
  const IPAddressOrRange *const *b)
781{
return IPAddressOrRange_cmp(*a, *b, 4);
783}

785/*
* IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort()
* comparison routines are only allowed two arguments.
*/
789static int
790v6IPAddressOrRange_cmp(const IPAddressOrRange *const *a,
  const IPAddressOrRange *const *b)
792{
return IPAddressOrRange_cmp(*a, *b, 16);
794}

796/*
* Calculate whether a range collapses to a prefix.
* See last paragraph of RFC 3779 2.2.3.7.
*
* It's the caller's responsibility to ensure that min <= max.
*/
802static int
803range_should_be_prefix(const unsigned char *min, const unsigned char *max,
  const int length)
805{
unsigned char mask;
int i, j;

for (i = 0; i < length && min[i] == max[i]; i++)
continue;
for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xff; j--)
continue;
if (i < j)
return -1;
if (i > j)
return i * 8;
mask = min[i] ^ max[i];
switch (mask) {
case 0x01:
j = 7;
break;
case 0x03:
j = 6;
break;
case 0x07:
j = 5;
break;
case 0x0f:
j = 4;
break;
case 0x1f:
j = 3;
break;
case 0x3f:
j = 2;
break;
case 0x7f:
j = 1;
break;
default:
return -1;
}
if ((min[i] & mask) != 0 || (max[i] & mask) != mask)
return -1;
else
return i * 8 + j;
847}

849/*
* Construct a prefix.
*/
852static int
853make_addressPrefix(IPAddressOrRange **result, unsigned char *addr,
  unsigned int afi, int prefix_len)
855{
IPAddressOrRange *aor;
int afi_len, byte_len, bit_len, max_len;

if (prefix_len < 0)
return 0;

max_len = 16;
if ((afi_len = length_from_afi(afi)) > 0)
max_len = afi_len;
if (prefix_len > 8 * max_len)
return 0;

byte_len = (prefix_len + 7) / 8;
bit_len = prefix_len % 8;

if ((aor = IPAddressOrRange_new()) == NULL((void*)0))
return 0;
aor->type = IPAddressOrRange_addressPrefix0;
if ((aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL((void*)0))
goto err;

if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, byte_len))
goto err;

aor->u.addressPrefix->flags &= ~7;
aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT0x08;
if (bit_len > 0) {
aor->u.addressPrefix->data[byte_len - 1] &= ~(0xff >> bit_len);
aor->u.addressPrefix->flags |= 8 - bit_len;
}

*result = aor;
return 1;

err:
IPAddressOrRange_free(aor);
return 0;
893}

895/*
* Construct a range.  If it can be expressed as a prefix,
* return a prefix instead.  Doing this here simplifies
* the rest of the code considerably.
*/
900static int
901make_addressRange(IPAddressOrRange **result, unsigned char *min,
  unsigned char *max, unsigned int afi, int length)
903{
IPAddressOrRange *aor;
int i, prefix_len;

if (memcmp(min, max, length) > 0)
return 0;

if ((prefix_len = range_should_be_prefix(min, max, length)) >= 0)
return make_addressPrefix(result, min, afi, prefix_len);

if ((aor = IPAddressOrRange_new()) == NULL((void*)0))
return 0;
aor->type = IPAddressOrRange_addressRange1;
if ((aor->u.addressRange = IPAddressRange_new()) == NULL((void*)0))
goto err;

for (i = length; i > 0 && min[i - 1] == 0x00; --i)
continue;
if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i))
goto err;
aor->u.addressRange->min->flags &= ~7;
aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT0x08;
if (i > 0) {
unsigned char b = min[i - 1];
int j = 1;
while ((b & (0xffU >> j)) != 0)
	++j;
aor->u.addressRange->min->flags |= 8 - j;
}

for (i = length; i > 0 && max[i - 1] == 0xff; --i)
continue;
if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i))
goto err;
aor->u.addressRange->max->flags &= ~7;
aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT0x08;
if (i > 0) {
unsigned char b = max[i - 1];
int j = 1;
while ((b & (0xffU >> j)) != (0xffU >> j))
	++j;
aor->u.addressRange->max->flags |= 8 - j;
}

*result = aor;
return 1;

err:
IPAddressOrRange_free(aor);
return 0;
953}

955/*
* Construct a new address family or find an existing one.
*/
958static IPAddressFamily *
959make_IPAddressFamily(IPAddrBlocks *addr, const unsigned afi,
  const unsigned *safi)
961{
IPAddressFamily *af = NULL((void*)0);
CBB cbb;
CBS cbs;
uint8_t *key = NULL((void*)0);
size_t keylen;
int i;

if (!CBB_init(&cbb, 0))
goto err;

/* XXX - should afi <= 65535 and *safi <= 255 be checked here? */

if (!CBB_add_u16(&cbb, afi))
goto err;
if (safi != NULL((void*)0)) {
if (!CBB_add_u8(&cbb, *safi))
	goto err;
}

if (!CBB_finish(&cbb, &key, &keylen))
goto err;

for (i = 0; i < sk_IPAddressFamily_num(addr)sk_num(((_STACK*) (1 ? (addr) : (struct stack_st_IPAddressFamily
*)0))); i++) {
af = sk_IPAddressFamily_value(addr, i)((IPAddressFamily *)sk_value(((_STACK*) (1 ? (addr) : (struct
 stack_st_IPAddressFamily*)0)), (i)));

CBS_init(&cbs, af->addressFamily->data,
    af->addressFamily->length);
if (CBS_mem_equal(&cbs, key, keylen))
	goto done;
}

if ((af = IPAddressFamily_new()) == NULL((void*)0))
goto err;
if (!ASN1_OCTET_STRING_set(af->addressFamily, key, keylen))
goto err;
if (!sk_IPAddressFamily_push(addr, af)sk_push(((_STACK*) (1 ? (addr) : (struct stack_st_IPAddressFamily
*)0)), ((void*) (1 ? (af) : (IPAddressFamily*)0))))
goto err;

done:
free(key);

return af;

err:
CBB_cleanup(&cbb);
free(key);
IPAddressFamily_free(af);

return NULL((void*)0);
1011}

1013/*
* Add an inheritance element.
*/
1016int
1017X509v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi,
  const unsigned *safi)
1019{
IPAddressFamily *af;

if ((af = make_IPAddressFamily(addr, afi, safi)) == NULL((void*)0))
return 0;

return IPAddressFamily_set_inheritance(af);
1026}

1028/*
* Construct an IPAddressOrRange sequence, or return an existing one.
*/
1031static IPAddressOrRanges *
1032make_prefix_or_range(IPAddrBlocks *addr, const unsigned afi,
  const unsigned *safi)
1034{
IPAddressFamily *af;
IPAddressOrRanges *aors = NULL((void*)0);

if ((af = make_IPAddressFamily(addr, afi, safi)) == NULL((void*)0))
return NULL((void*)0);

if (IPAddressFamily_inheritance(af) != NULL((void*)0))
return NULL((void*)0);

if ((aors = IPAddressFamily_addressesOrRanges(af)) != NULL((void*)0))
return aors;

if ((aors = sk_IPAddressOrRange_new_null()((struct stack_st_IPAddressOrRange *)sk_new_null())) == NULL((void*)0))
return NULL((void*)0);

switch (afi) {
case IANA_AFI_IPV41:
sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp)((int (*)(const IPAddressOrRange * const *,const IPAddressOrRange
 * const *)) sk_set_cmp_func(((_STACK*) (1 ? (aors) : (struct
 stack_st_IPAddressOrRange*)0)), ((int (*)(const void *, const
 void *)) ((1 ? (v4IPAddressOrRange_cmp) : (int (*)(const IPAddressOrRange
 * const *, const IPAddressOrRange * const *))0)))));
break;
case IANA_AFI_IPV62:
sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp)((int (*)(const IPAddressOrRange * const *,const IPAddressOrRange
 * const *)) sk_set_cmp_func(((_STACK*) (1 ? (aors) : (struct
 stack_st_IPAddressOrRange*)0)), ((int (*)(const void *, const
 void *)) ((1 ? (v6IPAddressOrRange_cmp) : (int (*)(const IPAddressOrRange
 * const *, const IPAddressOrRange * const *))0)))));
break;
}

af->ipAddressChoice->type = IPAddressChoice_addressesOrRanges1;
af->ipAddressChoice->u.addressesOrRanges = aors;

return aors;
1063}

1065/*
* Add a prefix.
*/
1068int
1069X509v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi,
  const unsigned *safi, unsigned char *a, const int prefix_len)
1071{
IPAddressOrRanges *aors;
IPAddressOrRange *aor;

if ((aors = make_prefix_or_range(addr, afi, safi)) == NULL((void*)0))
return 0;

if (!make_addressPrefix(&aor, a, afi, prefix_len))
return 0;

if (sk_IPAddressOrRange_push(aors, aor)sk_push(((_STACK*) (1 ? (aors) : (struct stack_st_IPAddressOrRange
*)0)), ((void*) (1 ? (aor) : (IPAddressOrRange*)0))) <= 0) {
IPAddressOrRange_free(aor);
return 0;
}

return 1;
1087}

1089/*
* Add a range.
*/
1092int
1093X509v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi,
  const unsigned *safi, unsigned char *min, unsigned char *max)
1095{
IPAddressOrRanges *aors;
IPAddressOrRange *aor;
int length;

if ((aors = make_prefix_or_range(addr, afi, safi)) == NULL((void*)0))
return 0;

length = length_from_afi(afi);

if (!make_addressRange(&aor, min, max, afi, length))
return 0;

if (sk_IPAddressOrRange_push(aors, aor)sk_push(((_STACK*) (1 ? (aors) : (struct stack_st_IPAddressOrRange
*)0)), ((void*) (1 ? (aor) : (IPAddressOrRange*)0))) <= 0) {
IPAddressOrRange_free(aor);
return 0;
}

return 1;
1114}

1116static int
1117extract_min_max_bitstr(IPAddressOrRange *aor, ASN1_BIT_STRING **out_min,
  ASN1_BIT_STRING **out_max)
1119{
switch (aor->type) {
case IPAddressOrRange_addressPrefix0:
*out_min = *out_max = aor->u.addressPrefix;
return 1;
case IPAddressOrRange_addressRange1:
*out_min = aor->u.addressRange->min;
*out_max = aor->u.addressRange->max;
return 1;
default:
return 0;
}
1131}

1133/*
* Extract min and max values from an IPAddressOrRange.
*/
1136static int
1137extract_min_max(IPAddressOrRange *aor, unsigned char *min, unsigned char *max,
  int length)
1139{
ASN1_BIT_STRING *min_bitstr, *max_bitstr;

if (aor == NULL((void*)0) || min == NULL((void*)0) || max == NULL((void*)0))
return 0;

if (!extract_min_max_bitstr(aor, &min_bitstr, &max_bitstr))
return 0;

if (!addr_expand(min, min_bitstr, length, 0))
return 0;

return addr_expand(max, max_bitstr, length, 1);
1152}

1154/*
* Public wrapper for extract_min_max().
*/
1157int
1158X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
  unsigned char *min, unsigned char *max, const int length)
1160{
int afi_len;

if ((afi_len = length_from_afi(afi)) == 0)
return 0;

if (length < afi_len)
return 0;

if (!extract_min_max(aor, min, max, afi_len))
return 0;

return afi_len;
1173}

1175/*
* Check whether an IPAddrBLocks is in canonical form.
*/
1178int
1179X509v3_addr_is_canonical(IPAddrBlocks *addr)
1180{
unsigned char a_min[ADDR_RAW_BUF_LEN16], a_max[ADDR_RAW_BUF_LEN16];
unsigned char b_min[ADDR_RAW_BUF_LEN16], b_max[ADDR_RAW_BUF_LEN16];
IPAddressFamily *af;
IPAddressOrRanges *aors;
IPAddressOrRange *aor, *aor_a, *aor_b;
int i, j, k, length;

/*
* Empty extension is canonical.
*/
if (addr9.1
'addr' is not equal to NULL
 == NULL((void*)0))
10
←
Taking false branch→
return 1;

/*
* Check whether the top-level list is in order.
*/
for (i = 0; i < sk_IPAddressFamily_num(addr)sk_num(((_STACK*) (1 ? (addr) : (struct stack_st_IPAddressFamily
*)0))) - 1; i++) {
11
←
'?' condition is true→
12
←
Assuming the condition is false→
13
←
Loop condition is false. Execution continues on line 1214→
const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i)((IPAddressFamily *)sk_value(((_STACK*) (1 ? (addr) : (struct
 stack_st_IPAddressFamily*)0)), (i)));
const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1)((IPAddressFamily *)sk_value(((_STACK*) (1 ? (addr) : (struct
 stack_st_IPAddressFamily*)0)), (i + 1)));

/* Check that both have valid AFIs before comparing them. */
if (!IPAddressFamily_afi_is_valid(a))
	return 0;
if (!IPAddressFamily_afi_is_valid(b))
	return 0;

if (IPAddressFamily_cmp(&a, &b) >= 0)
	return 0;
}

/*
* Top level's ok, now check each address family.
*/
for (i = 0; i < sk_IPAddressFamily_num(addr)sk_num(((_STACK*) (1 ? (addr) : (struct stack_st_IPAddressFamily
*)0))); i++) {
14
←
'?' condition is true→
15
←
Assuming the condition is false→
16
←
Loop condition is false. Execution continues on line 1294→
af = sk_IPAddressFamily_value(addr, i)((IPAddressFamily *)sk_value(((_STACK*) (1 ? (addr) : (struct
 stack_st_IPAddressFamily*)0)), (i)));

if (!IPAddressFamily_afi_length(af, &length))
	return 0;

/*
 * If this family has an inheritance element, it is canonical.
 */
if (IPAddressFamily_inheritance(af) != NULL((void*)0))
	continue;

/*
 * If this family has neither an inheritance element nor an
 * addressesOrRanges, we don't know what this is.
 */
if ((aors = IPAddressFamily_addressesOrRanges(af)) == NULL((void*)0))
	return 0;

if (sk_IPAddressOrRange_num(aors)sk_num(((_STACK*) (1 ? (aors) : (struct stack_st_IPAddressOrRange
*)0))) == 0)
	return 0;

for (j = 0; j < sk_IPAddressOrRange_num(aors)sk_num(((_STACK*) (1 ? (aors) : (struct stack_st_IPAddressOrRange
*)0))) - 1; j++) {
	aor_a = sk_IPAddressOrRange_value(aors, j)((IPAddressOrRange *)sk_value(((_STACK*) (1 ? (aors) : (struct
 stack_st_IPAddressOrRange*)0)), (j)));
	aor_b = sk_IPAddressOrRange_value(aors, j + 1)((IPAddressOrRange *)sk_value(((_STACK*) (1 ? (aors) : (struct
 stack_st_IPAddressOrRange*)0)), (j + 1)));

	/*
	 * XXX - check that both are either a prefix or a range.
	 */

	if (!extract_min_max(aor_a, a_min, a_max, length) ||
	    !extract_min_max(aor_b, b_min, b_max, length))
		return 0;

	/*
	 * Punt misordered list, overlapping start, or inverted
	 * range.
	 */
	if (memcmp(a_min, b_min, length) >= 0 ||
	    memcmp(a_min, a_max, length) > 0 ||
	    memcmp(b_min, b_max, length) > 0)
		return 0;

	/*
	 * Punt if adjacent or overlapping.  Check for adjacency
	 * by subtracting one from b_min first.
	 */
	for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--)
		continue;
	if (memcmp(a_max, b_min, length) >= 0)
		return 0;

	/*
	 * Check for range that should be expressed as a prefix.
	 */
	if (aor_a->type == IPAddressOrRange_addressPrefix0)
		continue;

	if (range_should_be_prefix(a_min, a_max, length) >= 0)
		return 0;
}

/*
 * Check final range to see if it's inverted or should be a
 * prefix.
 */
aor = sk_IPAddressOrRange_value(aors, j)((IPAddressOrRange *)sk_value(((_STACK*) (1 ? (aors) : (struct
 stack_st_IPAddressOrRange*)0)), (j)));
if (aor->type == IPAddressOrRange_addressRange1) {
	if (!extract_min_max(aor, a_min, a_max, length))
		return 0;
	if (memcmp(a_min, a_max, length) > 0)
		return 0;
	if (range_should_be_prefix(a_min, a_max, length) >= 0)
		return 0;
}
}

/*
* If we made it through all that, we're happy.
*/
return 1;
17
←
Returning the value 1, which participates in a condition later→
1295}

1297/*
* Whack an IPAddressOrRanges into canonical form.
*/
1300static int
1301IPAddressOrRanges_canonize(IPAddressOrRanges *aors, const unsigned afi)
1302{
IPAddressOrRange *a, *b, *merged;
unsigned char a_min[ADDR_RAW_BUF_LEN16], a_max[ADDR_RAW_BUF_LEN16];
unsigned char b_min[ADDR_RAW_BUF_LEN16], b_max[ADDR_RAW_BUF_LEN16];
int i, j, length;

length = length_from_afi(afi);

/*
* Sort the IPAddressOrRanges sequence.
*/
sk_IPAddressOrRange_sort(aors)sk_sort(((_STACK*) (1 ? (aors) : (struct stack_st_IPAddressOrRange
*)0)));

/*
* Clean up representation issues, punt on duplicates or overlaps.
*/
for (i = 0; i < sk_IPAddressOrRange_num(aors)sk_num(((_STACK*) (1 ? (aors) : (struct stack_st_IPAddressOrRange
*)0))) - 1; i++) {
a = sk_IPAddressOrRange_value(aors, i)((IPAddressOrRange *)sk_value(((_STACK*) (1 ? (aors) : (struct
 stack_st_IPAddressOrRange*)0)), (i)));
b = sk_IPAddressOrRange_value(aors, i + 1)((IPAddressOrRange *)sk_value(((_STACK*) (1 ? (aors) : (struct
 stack_st_IPAddressOrRange*)0)), (i + 1)));

if (!extract_min_max(a, a_min, a_max, length) ||
    !extract_min_max(b, b_min, b_max, length))
	return 0;

/*
 * Punt inverted ranges.
 */
if (memcmp(a_min, a_max, length) > 0 ||
    memcmp(b_min, b_max, length) > 0)
	return 0;

/*
 * Punt overlaps.
 */
if (memcmp(a_max, b_min, length) >= 0)
	return 0;

/*
 * Merge if a and b are adjacent.  We check for
 * adjacency by subtracting one from b_min first.
 */
for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--)
	continue;

if (memcmp(a_max, b_min, length) != 0)
	continue;

if (!make_addressRange(&merged, a_min, b_max, afi, length))
	return 0;
sk_IPAddressOrRange_set(aors, i, merged)sk_set(((_STACK*) (1 ? (aors) : (struct stack_st_IPAddressOrRange
*)0)), (i), ((void*) (1 ? (merged) : (IPAddressOrRange*)0)));
sk_IPAddressOrRange_delete(aors, i + 1)(IPAddressOrRange *)sk_delete(((_STACK*) (1 ? (aors) : (struct
 stack_st_IPAddressOrRange*)0)), (i + 1));
IPAddressOrRange_free(a);
IPAddressOrRange_free(b);
i--;
}

/*
* Check for inverted final range.
*/
a = sk_IPAddressOrRange_value(aors, i)((IPAddressOrRange *)sk_value(((_STACK*) (1 ? (aors) : (struct
 stack_st_IPAddressOrRange*)0)), (i)));
if (a != NULL((void*)0) && a->type == IPAddressOrRange_addressRange1) {
if (!extract_min_max(a, a_min, a_max, length))
	return 0;
if (memcmp(a_min, a_max, length) > 0)
	return 0;
}

return 1;
1370}

1372/*
* Whack an IPAddrBlocks extension into canonical form.
*/
1375int
1376X509v3_addr_canonize(IPAddrBlocks *addr)
1377{
IPAddressFamily *af;
IPAddressOrRanges *aors;
uint16_t afi;
int i;

for (i = 0; i < sk_IPAddressFamily_num(addr)sk_num(((_STACK*) (1 ? (addr) : (struct stack_st_IPAddressFamily
*)0))); i++) {
af = sk_IPAddressFamily_value(addr, i)((IPAddressFamily *)sk_value(((_STACK*) (1 ? (addr) : (struct
 stack_st_IPAddressFamily*)0)), (i)));

/* Check AFI/SAFI here - IPAddressFamily_cmp() can't error. */
if (!IPAddressFamily_afi(af, &afi))
	return 0;

if ((aors = IPAddressFamily_addressesOrRanges(af)) == NULL((void*)0))
	continue;

if (!IPAddressOrRanges_canonize(aors, afi))
	return 0;
}

sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp)((int (*)(const IPAddressFamily * const *,const IPAddressFamily
 * const *)) sk_set_cmp_func(((_STACK*) (1 ? (addr) : (struct
 stack_st_IPAddressFamily*)0)), ((int (*)(const void *, const
 void *)) ((1 ? (IPAddressFamily_cmp) : (int (*)(const IPAddressFamily
 * const *, const IPAddressFamily * const *))0)))));
sk_IPAddressFamily_sort(addr)sk_sort(((_STACK*) (1 ? (addr) : (struct stack_st_IPAddressFamily
*)0)));

return X509v3_addr_is_canonical(addr);
1401}

1403/*
* v2i handler for the IPAddrBlocks extension.
*/
1406static void *
1407v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
  STACK_OF(CONF_VALUE)struct stack_st_CONF_VALUE*values)
1409{
static const char v4addr_chars[] = "0123456789.";
static const char v6addr_chars[] = "0123456789.:abcdefABCDEF";
IPAddrBlocks *addr = NULL((void*)0);
char *s = NULL((void*)0), *t;
int i;

if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)((struct stack_st_IPAddressFamily *)sk_new(((int (*)(const void
 *, const void *)) ((1 ? (IPAddressFamily_cmp) : (int (*)(const
 IPAddressFamily * const *, const IPAddressFamily * const *))
0)))))) == NULL((void*)0)) {
X509V3error(ERR_R_MALLOC_FAILURE)ERR_put_error(34,(0xfff),((1|64)),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1417);
return NULL((void*)0);
}

for (i = 0; i < sk_CONF_VALUE_num(values)sk_num(((_STACK*) (1 ? (values) : (struct stack_st_CONF_VALUE
*)0))); i++) {
CONF_VALUE *val = sk_CONF_VALUE_value(values, i)((CONF_VALUE *)sk_value(((_STACK*) (1 ? (values) : (struct stack_st_CONF_VALUE
*)0)), (i)));
unsigned char min[ADDR_RAW_BUF_LEN16], max[ADDR_RAW_BUF_LEN16];
unsigned afi, *safi = NULL((void*)0), safi_;
const char *addr_chars = NULL((void*)0);
const char *errstr;
int prefix_len, i1, i2, delim, length;

if (!name_cmp(val->name, "IPv4")) {
	afi = IANA_AFI_IPV41;
} else if (!name_cmp(val->name, "IPv6")) {
	afi = IANA_AFI_IPV62;
} else if (!name_cmp(val->name, "IPv4-SAFI")) {
	afi = IANA_AFI_IPV41;
	safi = &safi_;
} else if (!name_cmp(val->name, "IPv6-SAFI")) {
	afi = IANA_AFI_IPV62;
	safi = &safi_;
} else {
	X509V3error(X509V3_R_EXTENSION_NAME_ERROR)ERR_put_error(34,(0xfff),(115),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1440);
	X509V3_conf_err(val)ERR_asprintf_error_data( "section:%s,name:%s,value:%s", val->
section, val->name, val->value);;
	goto err;
}

switch (afi) {
case IANA_AFI_IPV41:
	addr_chars = v4addr_chars;
	break;
case IANA_AFI_IPV62:
	addr_chars = v6addr_chars;
	break;
}

length = length_from_afi(afi);

/*
 * Handle SAFI, if any, and strdup() so we can null-terminate
 * the other input values.
 */
if (safi != NULL((void*)0)) {
	unsigned long parsed_safi;
	int saved_errno = errno(*__errno());

	errno(*__errno()) = 0;
	parsed_safi = strtoul(val->value, &t, 0);

	/* Value must be present, then a tab, space or colon. */
	if (val->value[0] == '\0' ||
	    (*t != '\t' && *t != ' ' && *t != ':')) {
		X509V3error(X509V3_R_INVALID_SAFI)ERR_put_error(34,(0xfff),(164),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1470);
		X509V3_conf_err(val)ERR_asprintf_error_data( "section:%s,name:%s,value:%s", val->
section, val->name, val->value);;
		goto err;
	}
	/* Range and overflow check. */
	if ((errno(*__errno()) == ERANGE34 && parsed_safi == ULONG_MAX(9223372036854775807L *2UL+1UL)) ||
	    parsed_safi > 0xff) {
		X509V3error(X509V3_R_INVALID_SAFI)ERR_put_error(34,(0xfff),(164),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1477);
		X509V3_conf_err(val)ERR_asprintf_error_data( "section:%s,name:%s,value:%s", val->
section, val->name, val->value);;
		goto err;
	}
	errno(*__errno()) = saved_errno;

	*safi = parsed_safi;

	/* Check possible whitespace is followed by a colon. */
	t += strspn(t, " \t");
	if (*t != ':') {
		X509V3error(X509V3_R_INVALID_SAFI)ERR_put_error(34,(0xfff),(164),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1488);
		X509V3_conf_err(val)ERR_asprintf_error_data( "section:%s,name:%s,value:%s", val->
section, val->name, val->value);;
		goto err;
	}

	/* Skip over colon. */
	t++;

	/* Then over any trailing whitespace. */
	t += strspn(t, " \t");

	s = strdup(t);
} else {
	s = strdup(val->value);
}
if (s == NULL((void*)0)) {
	X509V3error(ERR_R_MALLOC_FAILURE)ERR_put_error(34,(0xfff),((1|64)),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1504);
	goto err;
}

/*
 * Check for inheritance. Not worth additional complexity to
 * optimize this (seldom-used) case.
 */
if (strcmp(s, "inherit") == 0) {
	if (!X509v3_addr_add_inherit(addr, afi, safi)) {
		X509V3error(X509V3_R_INVALID_INHERITANCE)ERR_put_error(34,(0xfff),(165),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1514);
		X509V3_conf_err(val)ERR_asprintf_error_data( "section:%s,name:%s,value:%s", val->
section, val->name, val->value);;
		goto err;
	}
	free(s);
	s = NULL((void*)0);
	continue;
}

i1 = strspn(s, addr_chars);
i2 = i1 + strspn(s + i1, " \t");
delim = s[i2++];
s[i1] = '\0';

if (a2i_ipadd(min, s) != length) {
	X509V3error(X509V3_R_INVALID_IPADDRESS)ERR_put_error(34,(0xfff),(166),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1529);
	X509V3_conf_err(val)ERR_asprintf_error_data( "section:%s,name:%s,value:%s", val->
section, val->name, val->value);;
	goto err;
}

switch (delim) {
case '/':
	/* length contains the size of the address in bytes. */
	if (length != 4 && length != 16)
		goto err;
	prefix_len = strtonum(s + i2, 0, 8 * length, &errstr);
	if (errstr != NULL((void*)0)) {
		X509V3error(X509V3_R_EXTENSION_VALUE_ERROR)ERR_put_error(34,(0xfff),(116),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1541);
		X509V3_conf_err(val)ERR_asprintf_error_data( "section:%s,name:%s,value:%s", val->
section, val->name, val->value);;
		goto err;
	}
	if (!X509v3_addr_add_prefix(addr, afi, safi, min,
	    prefix_len)) {
		X509V3error(ERR_R_MALLOC_FAILURE)ERR_put_error(34,(0xfff),((1|64)),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1547);
		goto err;
	}
	break;
case '-':
	i1 = i2 + strspn(s + i2, " \t");
	i2 = i1 + strspn(s + i1, addr_chars);
	if (i1 == i2 || s[i2] != '\0') {
		X509V3error(X509V3_R_EXTENSION_VALUE_ERROR)ERR_put_error(34,(0xfff),(116),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1555);
		X509V3_conf_err(val)ERR_asprintf_error_data( "section:%s,name:%s,value:%s", val->
section, val->name, val->value);;
		goto err;
	}
	if (a2i_ipadd(max, s + i1) != length) {
		X509V3error(X509V3_R_INVALID_IPADDRESS)ERR_put_error(34,(0xfff),(166),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1560);
		X509V3_conf_err(val)ERR_asprintf_error_data( "section:%s,name:%s,value:%s", val->
section, val->name, val->value);;
		goto err;
	}
	if (memcmp(min, max, length_from_afi(afi)) > 0) {
		X509V3error(X509V3_R_EXTENSION_VALUE_ERROR)ERR_put_error(34,(0xfff),(116),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1565);
		X509V3_conf_err(val)ERR_asprintf_error_data( "section:%s,name:%s,value:%s", val->
section, val->name, val->value);;
		goto err;
	}
	if (!X509v3_addr_add_range(addr, afi, safi, min, max)) {
		X509V3error(ERR_R_MALLOC_FAILURE)ERR_put_error(34,(0xfff),((1|64)),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1570);
		goto err;
	}
	break;
case '\0':
	if (!X509v3_addr_add_prefix(addr, afi, safi, min,
	    length * 8)) {
		X509V3error(ERR_R_MALLOC_FAILURE)ERR_put_error(34,(0xfff),((1|64)),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1577);
		goto err;
	}
	break;
default:
	X509V3error(X509V3_R_EXTENSION_VALUE_ERROR)ERR_put_error(34,(0xfff),(116),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1582);
	X509V3_conf_err(val)ERR_asprintf_error_data( "section:%s,name:%s,value:%s", val->
section, val->name, val->value);;
	goto err;
}

free(s);
s = NULL((void*)0);
}

/*
* Canonize the result, then we're done.
*/
if (!X509v3_addr_canonize(addr))
goto err;
return addr;

err:
free(s);
sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free)sk_pop_free(((_STACK*) (1 ? (addr) : (struct stack_st_IPAddressFamily
*)0)), ((void (*)(void *)) ((1 ? (IPAddressFamily_free) : (void
 (*)(IPAddressFamily *))0))));
return NULL((void*)0);
1602}

1604/*
* OpenSSL dispatch
*/
1607const X509V3_EXT_METHOD v3_addr = {
.ext_nid = NID_sbgp_ipAddrBlock290,
.ext_flags = 0,
.it = &IPAddrBlocks_it,
.ext_new = NULL((void*)0),
.ext_free = NULL((void*)0),
.d2i = NULL((void*)0),
.i2d = NULL((void*)0),
.i2s = NULL((void*)0),
.s2i = NULL((void*)0),
.i2v = NULL((void*)0),
.v2i = v2i_IPAddrBlocks,
.i2r = i2r_IPAddrBlocks,
.r2i = NULL((void*)0),
.usr_data = NULL((void*)0),
1622};

1624/*
* Figure out whether extension uses inheritance.
*/
1627int
1628X509v3_addr_inherits(IPAddrBlocks *addr)
1629{
IPAddressFamily *af;
int i;

if (addr == NULL((void*)0))
return 0;

for (i = 0; i < sk_IPAddressFamily_num(addr)sk_num(((_STACK*) (1 ? (addr) : (struct stack_st_IPAddressFamily
*)0))); i++) {
af = sk_IPAddressFamily_value(addr, i)((IPAddressFamily *)sk_value(((_STACK*) (1 ? (addr) : (struct
 stack_st_IPAddressFamily*)0)), (i)));

if (IPAddressFamily_inheritance(af) != NULL((void*)0))
	return 1;
}

return 0;
1644}

1646/*
* Figure out whether parent contains child.
*
* This only works correctly if both parent and child are in canonical form.
*/
1651static int
1652addr_contains(IPAddressOrRanges *parent, IPAddressOrRanges *child, int length)
1653{
IPAddressOrRange *child_aor, *parent_aor;
uint8_t parent_min[ADDR_RAW_BUF_LEN16], parent_max[ADDR_RAW_BUF_LEN16];
uint8_t child_min[ADDR_RAW_BUF_LEN16], child_max[ADDR_RAW_BUF_LEN16];
int p, c;

if (child == NULL((void*)0) || parent == child)
return 1;
if (parent == NULL((void*)0))
return 0;

p = 0;
for (c = 0; c < sk_IPAddressOrRange_num(child)sk_num(((_STACK*) (1 ? (child) : (struct stack_st_IPAddressOrRange
*)0))); c++) {
child_aor = sk_IPAddressOrRange_value(child, c)((IPAddressOrRange *)sk_value(((_STACK*) (1 ? (child) : (struct
 stack_st_IPAddressOrRange*)0)), (c)));

if (!extract_min_max(child_aor, child_min, child_max, length))
	return 0;

for (;; p++) {
	if (p >= sk_IPAddressOrRange_num(parent)sk_num(((_STACK*) (1 ? (parent) : (struct stack_st_IPAddressOrRange
*)0))))
		return 0;

	parent_aor = sk_IPAddressOrRange_value(parent, p)((IPAddressOrRange *)sk_value(((_STACK*) (1 ? (parent) : (struct
 stack_st_IPAddressOrRange*)0)), (p)));

	if (!extract_min_max(parent_aor, parent_min, parent_max,
	    length))
		return 0;

	if (memcmp(parent_max, child_max, length) < 0)
		continue;
	if (memcmp(parent_min, child_min, length) > 0)
		return 0;
	break;
}
}

return 1;
1690}

1692/*
* Test whether |child| is a subset of |parent|.
*/
1695int
1696X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent)
1697{
IPAddressFamily *child_af, *parent_af;
IPAddressOrRanges *child_aor, *parent_aor;
int i, length;

if (child == NULL((void*)0) || child == parent)
return 1;
if (parent == NULL((void*)0))
return 0;

if (X509v3_addr_inherits(child) || X509v3_addr_inherits(parent))
return 0;

for (i = 0; i < sk_IPAddressFamily_num(child)sk_num(((_STACK*) (1 ? (child) : (struct stack_st_IPAddressFamily
*)0))); i++) {
child_af = sk_IPAddressFamily_value(child, i)((IPAddressFamily *)sk_value(((_STACK*) (1 ? (child) : (struct
 stack_st_IPAddressFamily*)0)), (i)));

parent_af = IPAddressFamily_find_in_parent(parent, child_af);
if (parent_af == NULL((void*)0))
	return 0;

if (!IPAddressFamily_afi_length(parent_af, &length))
	return 0;

child_aor = IPAddressFamily_addressesOrRanges(child_af);
parent_aor = IPAddressFamily_addressesOrRanges(parent_af);

if (!addr_contains(parent_aor, child_aor, length))
	return 0;
}
return 1;
1727}

1729static int
1730verify_error(X509_STORE_CTX *ctx, X509 *cert, int error, int depth)
1731{
if (ctx == NULL((void*)0))
return 0;

ctx->current_cert = cert;
ctx->error = error;
ctx->error_depth = depth;

return ctx->verify_cb(0, ctx);
1740}

1742/*
* Core code for RFC 3779 2.3 path validation.
*
* Returns 1 for success, 0 on error.
*
* When returning 0, ctx->error MUST be set to an appropriate value other than
* X509_V_OK.
*/
1750static int
1751addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)struct stack_st_X509 *chain,
  IPAddrBlocks *ext)
1753{
IPAddrBlocks *child = NULL((void*)0), *parent = NULL((void*)0);
IPAddressFamily *child_af, *parent_af;
IPAddressOrRanges *child_aor, *parent_aor;
X509 *cert = NULL((void*)0);
1
'cert' initialized to a null pointer value→
int depth = -1;
int i;
unsigned int length;
int ret = 1;

/* We need a non-empty chain to test against. */
if (sk_X509_num(chain)sk_num(((_STACK*) (1 ? (chain) : (struct stack_st_X509*)0))) <= 0)
2
←
'?' condition is true→
3
←
Assuming the condition is false→
4
←
Taking false branch→
goto err;
/* We need either a store ctx or an extension to work with. */
if (ctx == NULL((void*)0) && ext == NULL((void*)0))
5
←
Assuming 'ctx' is equal to NULL→
6
←
Assuming 'ext' is not equal to NULL→
7
←
Taking false branch→
goto err;
/* If there is a store ctx, it needs a verify_cb. */
if (ctx7.1
'ctx' is equal to NULL
 != NULL((void*)0) && ctx->verify_cb == NULL((void*)0))
goto err;

/*
* Figure out where to start. If we don't have an extension to check,
* we're done.  Otherwise, check canonical form and set up for walking
* up the chain.
*/
if (ext7.2
'ext' is not equal to NULL
 == NULL((void*)0)) {
8
←
Taking false branch→
depth = 0;
cert = sk_X509_value(chain, depth)((X509 *)sk_value(((_STACK*) (1 ? (chain) : (struct stack_st_X509
*)0)), (depth)));
if ((ext = cert->rfc3779_addr) == NULL((void*)0))
	goto done;
}

if (!X509v3_addr_is_canonical(ext)) {
9
←
Calling 'X509v3_addr_is_canonical'→
18
←
Returning from 'X509v3_addr_is_canonical'→
19
←
Taking false branch→
if ((ret = verify_error(ctx, cert,
    X509_V_ERR_INVALID_EXTENSION41, depth)) == 0)
	goto done;
}

(void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp)((int (*)(const IPAddressFamily * const *,const IPAddressFamily
 * const *)) sk_set_cmp_func(((_STACK*) (1 ? (ext) : (struct stack_st_IPAddressFamily
*)0)), ((int (*)(const void *, const void *)) ((1 ? (IPAddressFamily_cmp
) : (int (*)(const IPAddressFamily * const *, const IPAddressFamily
 * const *))0)))));
20
←
'?' condition is true→
21
←
'?' condition is true→
if ((child = sk_IPAddressFamily_dup(ext)(struct stack_st_IPAddressFamily *)sk_dup(((_STACK*) (1 ? ext
 : (struct stack_st_IPAddressFamily*)0)))) == NULL((void*)0)) {
22
←
'?' condition is true→
23
←
Assuming the condition is false→
24
←
Taking false branch→
X509V3error(ERR_R_MALLOC_FAILURE)ERR_put_error(34,(0xfff),((1|64)),"/usr/src/lib/libcrypto/x509/x509_addr.c"
,1793);
if (ctx != NULL((void*)0))
	ctx->error = X509_V_ERR_OUT_OF_MEM17;
ret = 0;
goto done;
}

/*
* Now walk up the chain. No cert may list resources that its parent
* doesn't list.
*/
for (depth++; depth < sk_X509_num(chain)sk_num(((_STACK*) (1 ? (chain) : (struct stack_st_X509*)0))); depth++) {
25
←
'?' condition is true→
26
←
Assuming the condition is false→
27
←
Loop condition is false. Execution continues on line 1895→
cert = sk_X509_value(chain, depth)((X509 *)sk_value(((_STACK*) (1 ? (chain) : (struct stack_st_X509
*)0)), (depth)));

if ((parent = cert->rfc3779_addr) == NULL((void*)0)) {
	for (i = 0; i < sk_IPAddressFamily_num(child)sk_num(((_STACK*) (1 ? (child) : (struct stack_st_IPAddressFamily
*)0))); i++) {
		child_af = sk_IPAddressFamily_value(child, i)((IPAddressFamily *)sk_value(((_STACK*) (1 ? (child) : (struct
 stack_st_IPAddressFamily*)0)), (i)));

		if (IPAddressFamily_inheritance(child_af) !=
		    NULL((void*)0))
			continue;

		if ((ret = verify_error(ctx, cert,
		    X509_V_ERR_UNNESTED_RESOURCE46, depth)) == 0)
			goto done;
		break;
	}
	continue;
}

if (!X509v3_addr_is_canonical(parent)) {
	if ((ret = verify_error(ctx, cert,
	    X509_V_ERR_INVALID_EXTENSION41, depth)) == 0)
		goto done;
}

/*
 * Check that the child's resources are covered by the parent.
 * Each covered resource is replaced with the parent's resource
 * covering it, so the next iteration will check that the
 * parent's resources are covered by the grandparent.
 */
for (i = 0; i < sk_IPAddressFamily_num(child)sk_num(((_STACK*) (1 ? (child) : (struct stack_st_IPAddressFamily
*)0))); i++) {
	child_af = sk_IPAddressFamily_value(child, i)((IPAddressFamily *)sk_value(((_STACK*) (1 ? (child) : (struct
 stack_st_IPAddressFamily*)0)), (i)));

	if ((parent_af = IPAddressFamily_find_in_parent(parent,
	    child_af)) == NULL((void*)0)) {
		/*
		 * If we have no match in the parent and the
		 * child inherits, that's fine.
		 */
		if (IPAddressFamily_inheritance(child_af) !=
		    NULL((void*)0))
			continue;

		/* Otherwise the child isn't covered. */
		if ((ret = verify_error(ctx, cert,
		    X509_V_ERR_UNNESTED_RESOURCE46, depth)) == 0)
			goto done;
		break;
	}

	/* Parent inherits, nothing to do. */
	if (IPAddressFamily_inheritance(parent_af) != NULL((void*)0))
		continue;

	/* Child inherits. Use parent's address family. */
	if (IPAddressFamily_inheritance(child_af) != NULL((void*)0)) {
		sk_IPAddressFamily_set(child, i, parent_af)sk_set(((_STACK*) (1 ? (child) : (struct stack_st_IPAddressFamily
*)0)), (i), ((void*) (1 ? (parent_af) : (IPAddressFamily*)0))
);
		continue;
	}

	child_aor = IPAddressFamily_addressesOrRanges(child_af);
	parent_aor =
	    IPAddressFamily_addressesOrRanges(parent_af);

	/*
	 * Child and parent are canonical and neither inherits.
	 * If either addressesOrRanges is NULL, something's
	 * very wrong.
	 */
	if (child_aor == NULL((void*)0) || parent_aor == NULL((void*)0))
		goto err;

	if (!IPAddressFamily_afi_length(child_af, &length))
		goto err;

	/* Now check containment and replace or error. */
	if (addr_contains(parent_aor, child_aor, length)) {
		sk_IPAddressFamily_set(child, i, parent_af)sk_set(((_STACK*) (1 ? (child) : (struct stack_st_IPAddressFamily
*)0)), (i), ((void*) (1 ? (parent_af) : (IPAddressFamily*)0))
);
		continue;
	}

	if ((ret = verify_error(ctx, cert,
	    X509_V_ERR_UNNESTED_RESOURCE46, depth)) == 0)
		goto done;
}
}

/*
* Trust anchor can't inherit.
*/
if ((parent = cert->rfc3779_addr) != NULL((void*)0)) {
28
←
Access to field 'rfc3779_addr' results in a dereference of a null pointer (loaded from variable 'cert')
for (i = 0; i < sk_IPAddressFamily_num(parent)sk_num(((_STACK*) (1 ? (parent) : (struct stack_st_IPAddressFamily
*)0))); i++) {
	parent_af = sk_IPAddressFamily_value(parent, i)((IPAddressFamily *)sk_value(((_STACK*) (1 ? (parent) : (struct
 stack_st_IPAddressFamily*)0)), (i)));

	if (IPAddressFamily_inheritance(parent_af) == NULL((void*)0))
		continue;

	if (sk_IPAddressFamily_find(child, parent_af)sk_find(((_STACK*) (1 ? (child) : (struct stack_st_IPAddressFamily
*)0)), ((void*) (1 ? (parent_af) : (IPAddressFamily*)0))) < 0)
		continue;

	if ((ret = verify_error(ctx, cert,
	    X509_V_ERR_UNNESTED_RESOURCE46, depth)) == 0)
		goto done;
}
}

done:
sk_IPAddressFamily_free(child)sk_free(((_STACK*) (1 ? (child) : (struct stack_st_IPAddressFamily
*)0)));
return ret;

err:
sk_IPAddressFamily_free(child)sk_free(((_STACK*) (1 ? (child) : (struct stack_st_IPAddressFamily
*)0)));

if (ctx != NULL((void*)0))
ctx->error = X509_V_ERR_UNSPECIFIED1;

return 0;
1922}

1924/*
* RFC 3779 2.3 path validation -- called from X509_verify_cert().
*/
1927int
1928X509v3_addr_validate_path(X509_STORE_CTX *ctx)
1929{
if (sk_X509_num(ctx->chain)sk_num(((_STACK*) (1 ? (ctx->chain) : (struct stack_st_X509
*)0))) <= 0 || ctx->verify_cb == NULL((void*)0)) {
ctx->error = X509_V_ERR_UNSPECIFIED1;
return 0;
}
return addr_validate_path_internal(ctx, ctx->chain, NULL((void*)0));
1935}

1937/*
* RFC 3779 2.3 path validation of an extension.
* Test whether chain covers extension.
*/
1941int
1942X509v3_addr_validate_resource_set(STACK_OF(X509)struct stack_st_X509 *chain, IPAddrBlocks *ext,
  int allow_inheritance)
1944{
if (ext == NULL((void*)0))
return 1;
if (sk_X509_num(chain)sk_num(((_STACK*) (1 ? (chain) : (struct stack_st_X509*)0))) <= 0)
return 0;
if (!allow_inheritance && X509v3_addr_inherits(ext))
return 0;
return addr_validate_path_internal(NULL((void*)0), chain, ext);
1952}

1954#endif /* OPENSSL_NO_RFC3779 */