group_get() can fail and return NULL. dh_getlen() accesses ie->group, so this will crash. Not sure if this is actually reachable, but it seems wrong. I've done what's done nearby. I don't want to look too closely...
Index: ike_quick_mode.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/ike_quick_mode.c,v retrieving revision 1.114 diff -u -p -U6 -r1.114 ike_quick_mode.c --- ike_quick_mode.c 15 Jan 2018 09:54:48 -0000 1.114 +++ ike_quick_mode.c 31 Mar 2023 07:31:44 -0000 @@ -890,12 +890,14 @@ initiator_send_HASH_SA_NONCE(struct mess if (exchange_gen_nonce(msg, 16)) return -1; /* Generate optional KEY_EXCH payload. */ if (group_desc > 0) { ie->group = group_get(group_desc); + if (!ie_group) + return -1; ie->g_x_len = dh_getlen(ie->group); if (ipsec_gen_g_x(msg)) { group_free(ie->group); ie->group = 0; return -1;
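Review bot: The added NULL check tests `ie_group`, but the pointer assigned on the line above it and passed to dh_getlen() on the line below is `ie->group`. No `ie_group` identifier appears anywhere in the visible context, so this looks like a typo that will either fail to compile or, if such a name exists elsewhere in the file, check the wrong variable and leave the NULL dereference in place. Suggest `if (!ie->group)` followed by `return -1;`. Returning directly without group_free() is consistent with the neighbouring ipsec_gen_g_x() failure path, since on this path group_get() has returned NULL and there is nothing to free.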