group_get() can fail and return NULL. dh_getlen() accesses ie->group,
so this will crash. Not sure if this is actually reachable, but it seems
wrong. I've done what's done nearby. I don't want to look too closely...
Index: ike_quick_mode.c
===================================================================
RCS file: /cvs/src/sbin/isakmpd/ike_quick_mode.c,v
retrieving revision 1.114
diff -u -p -U6 -r1.114 ike_quick_mode.c
--- ike_quick_mode.c 15 Jan 2018 09:54:48 -0000 1.114
+++ ike_quick_mode.c 31 Mar 2023 07:31:44 -0000
@@ -890,12 +890,14 @@ initiator_send_HASH_SA_NONCE(struct mess
if (exchange_gen_nonce(msg, 16))
return -1;
/* Generate optional KEY_EXCH payload. */
if (group_desc > 0) {
ie->group = group_get(group_desc);
+ if (!ie_group)
+ return -1;
ie->g_x_len = dh_getlen(ie->group);
if (ipsec_gen_g_x(msg)) {
group_free(ie->group);
ie->group = 0;
return -1;
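Review bot: the added check tests `ie_group`, but the value assigned on the line just above it is `ie->group`, and `ie_group` does not appear anywhere else in the hunk, so this will not compile as written; the check should read `if (!ie->group)`. With that fix the early return is correct: when group_get() returns NULL there is nothing to group_free(), so bailing out before dh_getlen() touches ie->group is the right move, matching the cleanup pattern used in the ipsec_gen_g_x() failure path below it.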