Use explicit check for X509 path length (#3080)

nhatnghiho · justsmth · web-flow · commit a9e26fecfd2b · 2026-03-18T12:06:15.000-04:00
### Description of changes: 
Add an explicit bounds check for X509 path length

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

---------

Co-authored-by: Justin W Smith &lt;103147162+justsmth@users.noreply.github.com&gt;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
@@ -676,7 +676,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) {
     }
     // Check pathlen if not self issued
     if (i > 1 && !(x->ex_flags & EXFLAG_SI) && x->ex_pathlen != -1 &&
-        plen > x->ex_pathlen + 1) {
+        plen - 1 > x->ex_pathlen) {
       ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
       ctx->error_depth = i;
       ctx->current_cert = x;

Original file line number	Diff line number	Diff line change
`@@ -676,7 +676,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) {`
`676`	`676`	`}`
`677`	`677`	`// Check pathlen if not self issued`
`678`	`678`	`if (i > 1 && !(x->ex_flags & EXFLAG_SI) && x->ex_pathlen != -1 &&`
`679`		`- plen > x->ex_pathlen + 1) {`
	`679`	`+ plen - 1 > x->ex_pathlen) {`
`680`	`680`	`ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;`
`681`	`681`	`ctx->error_depth = i;`
`682`	`682`	`ctx->current_cert = x;`