Make IPAddressFamily_cmp safe for 0 length objects with NULL data.
authorBob Beck <beck@openssl.org>
Sat, 16 May 2026 16:34:52 +0000 (10:34 -0600)
committerEugene Syromiatnikov <esyr@openssl.org>
Tue, 26 May 2026 08:51:27 +0000 (10:51 +0200)
Found while adjusting the fuzzer to test for the requirement to
add NUL bytes on the end of ASN1 Strings. If we end up with a 0
length object here we can end up in a crash with memcmp.

This makes this cmp function perform its comparison the same way as
our others that are safe for 0 length objects.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue May 26 08:51:35 2026
(Merged from https://github.com/openssl/openssl/pull/31201)

crypto/x509/v3_addr.c

index 1871a221a28ee37819c34e5ca4aaa5e1e8e0bbea..1e0d94babf1390c4102d13858fad531ad64bc7f8 100644 (file)
@@ -680,10 +680,15 @@ static int IPAddressFamily_cmp(const IPAddressFamily *const *a_,
 {
     const ASN1_OCTET_STRING *a = (*a_)->addressFamily;
     const ASN1_OCTET_STRING *b = (*b_)->addressFamily;
-    int len = ((a->length <= b->length) ? a->length : b->length);
-    int cmp = memcmp(a->data, b->data, len);
+    int cmp, len = (a->length <= b->length) ? a->length : b->length;
 
-    return cmp ? cmp : a->length - b->length;
+    if (len > 0) {
+        cmp = memcmp(a->data, b->data, len);
+        if (cmp != 0)
+            return cmp;
+    }
+
+    return a->length - b->length;
 }
 
 static int IPAddressFamily_check_len(const IPAddressFamily *f)
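Review bot: The new `if (len > 0)` guard has no comment saying why it exists, so a later cleanup could fold the `memcmp()` call back into an unconditional one and reintroduce the crash. Passing a NULL pointer to `memcmp()` is undefined behaviour in C even when the count is 0, and the commit message indicates a 0 length ASN1_OCTET_STRING can reach this comparator with NULL `data`. I would add `/* memcmp() on a NULL pointer is undefined even for a count of 0; a 0 length string may have NULL data. */` directly above the guard. The guard only covers the case where the shorter length is 0: a string with a positive `length` and NULL `data` would still reach `memcmp()`. That presumably cannot happen for a decoded extension, but the invariant is not visible in this hunk. The function's signature starts outside the hunk.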