ASN1_STRING_set() has never promised to call strlen() for other
negative values. Other values here likely indicate an error,
such as an integer overflow. Call strlen() only if the length
provided is -1.
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Mon May 11 00:34:25 2026
(Merged from https://github.com/openssl/openssl/pull/31113)
const char *data = _data;
size_t len;
- if (len_in < 0) {
+ if (len_in < -1) {
+ ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_SMALL);
+ return 0;
+ }
+ if (len_in == -1) {
if (data == NULL)
return 0;
len = strlen(data);
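Review bot: In the `len_in == -1` branch, the `data == NULL` case still returns 0 without queuing an error, while the new `len_in < -1` branch calls `ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_SMALL)`, so the two failure paths are now inconsistent for callers that inspect the error queue. Consider raising an error on the NULL path as well, for example `ERR_raise(ERR_LIB_ASN1, ERR_R_PASSED_NULL_PARAMETER)`. `ASN1_R_TOO_SMALL` is also a loose fit for a negative length that, per the commit message, likely comes from an integer overflow in the caller; a reason code that names an invalid length would make such bugs easier to diagnose. A regression test that passes a length such as -2 and checks for a 0 return would pin down the new behaviour.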