test: remove the just added, but now unrealistic, shake128 OAEP tests

[openssl.git] / crypto / x509 / pcy_node.c

diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c
index c69ccd7b23a6f588338d9ef86405d5ba7cbd112a..c6e7af5ab1985b749bdab3fc0c91d17a108db8ca 100644 (file)
--- a/crypto/x509/pcy_node.c
+++ b/crypto/x509/pcy_node.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -59,18 +59,21 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level,
 X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
                                              X509_POLICY_DATA *data,
                                              X509_POLICY_NODE *parent,
-                                             X509_POLICY_TREE *tree)
+                                             X509_POLICY_TREE *tree,
+                                             int extra_data)
 {
     X509_POLICY_NODE *node;
 
+    /* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
+    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
+        return NULL;
+
     node = OPENSSL_zalloc(sizeof(*node));
-    if (node == NULL) {
-        ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
+    if (node == NULL)
         return NULL;
-    }
     node->data = data;
     node->parent = parent;
-    if (level) {
+    if (level != NULL) {
         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
             if (level->anyPolicy)
                 goto node_error;
@@ -80,34 +83,43 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
             if (level->nodes == NULL)
                 level->nodes = ossl_policy_node_cmp_new();
             if (level->nodes == NULL) {
-                ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
+                ERR_raise(ERR_LIB_X509V3, ERR_R_X509_LIB);
                 goto node_error;
             }
             if (!sk_X509_POLICY_NODE_push(level->nodes, node)) {
-                ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
+                ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
                 goto node_error;
             }
         }
     }
 
-    if (tree) {
+    if (extra_data) {
         if (tree->extra_data == NULL)
             tree->extra_data = sk_X509_POLICY_DATA_new_null();
-        if (tree->extra_data == NULL){
-            ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
-            goto node_error;
+        if (tree->extra_data == NULL) {
+            ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
+            goto extra_data_error;
         }
         if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) {
-            ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
-            goto node_error;
+            ERR_raise(ERR_LIB_X509V3, ERR_R_CRYPTO_LIB);
+            goto extra_data_error;
         }
     }
 
+    tree->node_count++;
     if (parent)
         parent->nchild++;
 
     return node;
 
+ extra_data_error:
+    if (level != NULL) {
+        if (level->anyPolicy == node)
+            level->anyPolicy = NULL;
+        else
+            (void) sk_X509_POLICY_NODE_pop(level->nodes);
+    }
+
  node_error:
     ossl_policy_node_free(node);
     return NULL;