isakmpd: Fix NULL dereference in message_alloc_reply() callers
Hi,
As message_alloc() can return NULL, let the callers check and fail
gracefully.
ok?
Take care,
HJ.
----------------------------------------------------------------------------
isakmpd: Fix NULL dereference in message_alloc_reply() and callers
message_alloc_reply() dereferences the returned pointer of message_alloc()
without a NULL check. Add one so callers can handle the failure.
Also add NULL checks at both call sites in exchange.c.
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c
index 1aa8c519c74..b29c80d884d 100644
--- a/sbin/isakmpd/exchange.c
+++ b/sbin/isakmpd/exchange.c
@@ -279,8 +279,14 @@ exchange_run(struct message *msg)
*/
if (exchange->initiator ^ (exchange->step % 2)) {
done = 1;
- if (exchange->step)
+ if (exchange->step) {
msg = message_alloc_reply(msg);
+ if (!msg) {
+ log_error("exchange_run: "
+ "message_alloc_reply() failed");
+ return;
+ }
+ }
message_setup_header(msg, exchange->type, 0,
exchange->message_id);
if (handler(msg)) {
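Review bot: The new `if (!msg)` return in exchange_run abandons the exchange at its current step with nothing in this function scheduled to resume it, and the only rationale for that being acceptable is, as far as I recall, the comment on the existing `handler(msg)` failure path just past the hunk (peer retransmission is expected to kick-start the exchange); a one-line pointer on the new path would make the intent explicit, e.g. `/* Transient OOM: rely on the peer's retransmit to restart this step. */`. The check is reached only when `exchange->step` is non-zero; at step 0 `msg` is the caller-supplied message and nothing is allocated. The incoming `msg` that was passed in is not freed on this path; if ownership of received messages stays with the caller, as the existing failure path (which frees only the message it is holding) suggests, that is correct, but worth confirming. exchange_run begins before and continues past this hunk.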
@@ -939,6 +945,11 @@ exchange_establish_p2(struct sa *isakmp_sa, u_int8_t type, char *name,
}
}
msg = message_alloc(isakmp_sa->transport, 0, ISAKMP_HDR_SZ);
+ if (!msg) {
+ log_error("exchange_establish_p2: message_alloc() failed");
+ exchange_free(exchange);
+ return 0; /* exchange_free() runs finalize */
+ }
msg->isakmp_sa = isakmp_sa;
sa_reference(isakmp_sa);
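Review bot: The comment `/* exchange_free() runs finalize */` on the new error path states the fact callers care about but not with which status; if exchange_free() invokes the finalize callback with the fail flag set, say so, so the contrast with the earlier failure returns in this function (which, if I recall, call finalize themselves) is clear: `/* exchange_free() invokes finalize(..., 1) for us; do not call it here */`. The check is correctly placed before `sa_reference(isakmp_sa)`, so no reference is taken on the failed path. exchange_establish_p1 is not in this diff; if it allocates its first message with the same unchecked `message_alloc()` call, it needs the same treatment. exchange_establish_p2 starts before and continues past this hunk.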
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 598a25fc435..685326ffd65 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -162,6 +162,8 @@ message_alloc_reply(struct message *msg)
struct message *reply;
reply = message_alloc(msg->transport, 0, ISAKMP_HDR_SZ);
+ if (!reply)
+ return NULL;
reply->exchange = msg->exchange;
reply->isakmp_sa = msg->isakmp_sa;
reply->flags = msg->flags;
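Review bot: message_alloc_reply() now has a NULL return that its header comment above the hunk should document, since any caller that dereferences the result immediately will still crash; a line such as `Returns NULL when the underlying message_alloc() fails.` in that comment is enough. The commit patches the two exchange.c call sites; if message_alloc_reply() or message_alloc() has further direct callers in isakmpd, they need the same check. This function returns silently on failure, so the callers' log_error() calls are the only record of the event unless message_alloc() itself logs, which is not visible here. message_alloc_reply continues past the hunk.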