On Fri, Mar 31, 2023 at 09:53:32AM +0200, Theo Buehler wrote:
> group_get() can fail and return NULL. dh_getlen() accesses ie->group,
> so this will crash. Not sure if this is actually reachable, but it seems
> wrong. I've done what's done nearby. I don't want to look too closely...

phessler pointed out I sent the version of the diff that doesn't
compile... This is the one I wanted to send:

Index: ike_quick_mode.c
===================================================================
RCS file: /cvs/src/sbin/isakmpd/ike_quick_mode.c,v
retrieving revision 1.114
diff -u -p -r1.114 ike_quick_mode.c
--- ike_quick_mode.c    15 Jan 2018 09:54:48 -0000      1.114
+++ ike_quick_mode.c    31 Mar 2023 08:22:22 -0000
@@ -893,6 +893,8 @@ initiator_send_HASH_SA_NONCE(struct mess
        /* Generate optional KEY_EXCH payload.  */
        if (group_desc > 0) {
                ie->group = group_get(group_desc);
+               if (!ie->group)
+                       return -1;
                ie->g_x_len = dh_getlen(ie->group);
 
                if (ipsec_gen_g_x(msg)) {
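Review bot: the new `if (!ie->group) return -1;` after the `group_get(group_desc)` assignment correctly stops `dh_getlen(ie->group)` from dereferencing NULL, but the early return is silent: if the other failure paths in `initiator_send_HASH_SA_NONCE()` log a message before returning -1 (the `ipsec_gen_g_x(msg)` check in the following context line is the obvious one to compare against), this path should do the same so an unsupported or failed group lookup is visible in the logs rather than surfacing only as a failed exchange. Also worth confirming that nothing allocated earlier in the function (e.g. payload buffers built before the optional KEY_EXCH step) needs freeing on this new path, since the hunk shows only the bare return.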
