On Fri, Mar 31, 2023 at 09:53:32AM +0200, Theo Buehler wrote:
> group_get() can fail and return NULL. dh_getlen() accesses ie->group,
> so this will crash. Not sure if this is actually reachable, but it seems
> wrong. I've done what's done nearby. I don't want to look too closely...
phessler pointed out I sent the version of the diff that doesn't compile... This is the one I wanted to send:

Index: ike_quick_mode.c
===================================================================
RCS file: /cvs/src/sbin/isakmpd/ike_quick_mode.c,v
retrieving revision 1.114
diff -u -p -r1.114 ike_quick_mode.c
--- ike_quick_mode.c 15 Jan 2018 09:54:48 -0000 1.114
+++ ike_quick_mode.c 31 Mar 2023 08:22:22 -0000
@@ -893,6 +893,8 @@ initiator_send_HASH_SA_NONCE(struct mess /* Generate optional KEY_EXCH payload. */ if (group_desc > 0) { ie->group = group_get(group_desc); + if (!ie->group) + return -1; ie->g_x_len = dh_getlen(ie->group); if (ipsec_gen_g_x(msg)) {
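Review bot: the new `return -1;` after `ie->group = group_get(group_desc);` leaves initiator_send_HASH_SA_NONCE without any cleanup or diagnostic, and the hunk shows only the group lookup, so confirm that whatever the function allocated before this point (the SA payload it has already built for the message) is released by the caller or by the message's own teardown rather than leaked on this path; it would also be consistent to mirror what the `if (ipsec_gen_g_x(msg))` failure branch immediately below does for cleanup and logging, so that the two adjacent error exits behave the same way. The check itself is the right fix: without it, `dh_getlen(ie->group)` on the next line dereferences a NULL pointer whenever group_get() fails.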