Commit fce540139a for openssl.org
commit fce540139a7cf4de64d9ce8e17b9180778e12f4e
Author: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date: Wed Jul 1 23:43:18 2026 +0900
x509: avoid NULL memcmp argument in nc_dn()
An empty directoryName constraint has canon_enc == NULL and
canon_enclen == 0. nc_dn() must not pass that pointer to
memcmp(), even with a zero length.
Return X509_V_OK before comparing an empty base Name. This preserves
current match semantics and avoids UBSan-visible undefined behaviour.
Fixes #31687
Fixes #31688
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
MergeDate: Fri Jul 10 15:51:01 2026
(Merged from https://github.com/openssl/openssl/pull/31814)
diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
index 8217bedc7b..5f2710e9f5 100644
--- a/crypto/x509/v3_ncons.c
+++ b/crypto/x509/v3_ncons.c
@@ -615,6 +615,12 @@ static int nc_dn(const X509_NAME *nm, const X509_NAME *base)
return X509_V_ERR_OUT_OF_MEM;
if (base->canon_enclen > nm->canon_enclen)
return X509_V_ERR_PERMITTED_VIOLATION;
+ /*
+ * An empty base Name has no canonical encoding (canon_enc == NULL) and is
+ * a prefix of every Name, so it matches unconditionally.
+ */
+ if (base->canon_enclen == 0)
+ return X509_V_OK;
if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
return X509_V_ERR_PERMITTED_VIOLATION;
return X509_V_OK;