From: Tomas Mraz
Date: Wed, 12 Nov 2025 15:49:04 +0000 (+0100)
Subject: Add safety checks to PKCS12_SAFEBAG_get0_bag*() functions
X-Git-Tag: 3.6-PRE-CLANG-FORMAT-WEBKIT~60
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3f8e83069ea6ec59a21fa209c108f58a6f557d8;p=thirdparty%2Fopenssl.git

Add safety checks to PKCS12_SAFEBAG_get0_bag*() functions
Fixes #26655
Reviewed-by: Paul Dale
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/29128)
(cherry picked from commit 7776744a5912ac9346bf04bf60570b149243eb33)
---
diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c
index 04ef0b74ede..c7ecfb24391 100644
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@@ -74,11 +74,20 @@ int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag)
 
 const ASN1_OBJECT *PKCS12_SAFEBAG_get0_bag_type(const PKCS12_SAFEBAG *bag)
 {
+ int btype = PKCS12_SAFEBAG_get_nid(bag);
+
+ if (btype != NID_certBag && btype != NID_crlBag && btype != NID_secretBag)
+ return NULL;
 return bag->value.bag->type;
 }
 
 const ASN1_TYPE *PKCS12_SAFEBAG_get0_bag_obj(const PKCS12_SAFEBAG *bag)
 {
+ int vtype = PKCS12_SAFEBAG_get_bag_nid(bag);
+
+ if (vtype == -1 || vtype == NID_x509Certificate || vtype == NID_x509Crl
+ || vtype == NID_sdsiCertificate)
+ return NULL;
 return bag->value.bag->value.other;
 }
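Review bot: Both accessors now return NULL for a bag of the wrong kind, but nothing in the new code says so, and a caller written against the old behaviour will dereference the result unchecked. Each function should carry a short contract comment, for example `/* Returns NULL unless bag is a certBag, crlBag or secretBag */` on `PKCS12_SAFEBAG_get0_bag_type`, and the public documentation should state the same if it does not already (no documentation or test change is visible in this patch). In `PKCS12_SAFEBAG_get0_bag_obj` the `vtype == -1` test depends on `PKCS12_SAFEBAG_get_bag_nid` returning -1 for every bag whose `value.bag` member is not valid; that function's body is outside the hunk, so the dependency deserves a one-line comment beside the check, such as `/* -1: not a cert/crl/secret bag, value.bag must not be read */`. The three excluded NIDs are presumably the value types held in a typed union member rather than in `other`; stating that in the comment keeps the exclusion list maintainable if another typed member is added later.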