From: Dmitry Belyavskiy Date: Wed, 14 Aug 2024 12:40:39 +0000 (+0200) Subject: We can't check policy if we got an empty stack of certs X-Git-Tag: openssl-3.4.0-alpha1~111 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d28402ce38842e8aca9e0ce26ae44fa10c7b62e;p=thirdparty%2Fopenssl.git We can't check policy if we got an empty stack of certs Reviewed-by: Tom Cosgrove Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25186) --- diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c index d7307b12dab..86e3afc8814 100644 --- a/crypto/x509/pcy_tree.c +++ b/crypto/x509/pcy_tree.c @@ -110,6 +110,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, *ptree = NULL; + if (n < 0) + return X509_PCY_TREE_INTERNAL; /* Can't do anything with just a trust anchor */ if (n == 0) return X509_PCY_TREE_EMPTY;
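Review bot: The added `if (n < 0)` guard in tree_init() has no comment, while the `n == 0` case directly below it is explained ("Can't do anything with just a trust anchor"). A one-line comment such as `/* Empty cert stack: no chain to build a policy tree from */` would tie the check to the case named in the subject line. The hunk does not show how `n` is derived from `certs`, and the commit message has no body, so it is worth stating there why this case returns X509_PCY_TREE_INTERNAL rather than X509_PCY_TREE_EMPTY. It is also worth confirming that callers treat that return value as a hard failure. The diff touches only crypto/x509/pcy_tree.c, so no regression test for the empty-stack input accompanies the change.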