From: hshoexer Subject: isakmpd: Fix NULL dereference in message_alloc_reply() callers To: tech@openbsd.org Date: Mon, 8 Jun 2026 18:37:37 +0200 Hi, as message_alloc() can return NULL let the callers check and fail gracefully. ok? Take care, HJ. ---------------------------------------------------------------------------- isakmpd: Fix NULL dereference in message_alloc_reply() and callers message_alloc_reply() dereferences the returned pointer of message_alloc() without a NULL check. Add one so callers can handle the failure. Also add NULL checks at both call sites in exchange.c.
diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c
index 1aa8c519c74..b29c80d884d 100644
--- a/sbin/isakmpd/exchange.c
+++ b/sbin/isakmpd/exchange.c
@@ -279,8 +279,14 @@ exchange_run(struct message *msg)
 */
 if (exchange->initiator ^ (exchange->step % 2)) {
 done = 1;
- if (exchange->step)
+ if (exchange->step) {
 msg = message_alloc_reply(msg);
+ if (!msg) {
+ log_error("exchange_run: "
+ "message_alloc_reply() failed");
+ return;
+ }
+ }
 message_setup_header(msg, exchange->type, 0,
 exchange->message_id);
 if (handler(msg)) {
@@ -939,6 +945,11 @@ exchange_establish_p2(struct sa *isakmp_sa, u_int8_t type, char *name,
 }
 }
 msg = message_alloc(isakmp_sa->transport, 0, ISAKMP_HDR_SZ);
+ if (!msg) {
+ log_error("exchange_establish_p2: message_alloc() failed");
+ exchange_free(exchange);
+ return 0; /* exchange_free() runs finalize */
+ }
 msg->isakmp_sa = isakmp_sa;
 sa_reference(isakmp_sa);
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 598a25fc435..685326ffd65 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -162,6 +162,8 @@ message_alloc_reply(struct message *msg)
 struct message *reply;
 reply = message_alloc(msg->transport, 0, ISAKMP_HDR_SZ);
+ if (!reply)
+ return NULL;
 reply->exchange = msg->exchange;
 reply->isakmp_sa = msg->isakmp_sa;
 reply->flags = msg->flags;
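Review bot: After `msg = message_alloc_reply(msg);` fails, the new `if (!msg)` branch returns with the local `msg` already overwritten by NULL, so the message received for this step is no longer reachable from exchange_run; whether that is a leak depends on who owns the received message at this point, which is decided outside the hunk (exchange_run continues past it). If the intended recovery is that the peer retransmits (the `if (handler(msg))` failure path just below is the place to compare, but its body is outside the hunk), say so on the bail-out: `/* Out of memory; exchange left as is, the peer will have to retransmit. */`. Also, if message_alloc() already logs its own allocation failure, the call-site `log_error()` here and in the exchange_establish_p2 hunk will emit a second line for the same event; worth checking message_alloc() before keeping both.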
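Review bot: `return 0; /* exchange_free() runs finalize */` on the new failure path must agree with the function's declared return type and with the value the other early exits of exchange_establish_p2 use; the return type is above the hunk, so I could not confirm it. The placement is right in that the check sits before `sa_reference(isakmp_sa)`, so no SA reference is taken on the failed path, but exchange_free(exchange) presumably also has to undo whatever registration the exchange received earlier in this function, which is outside the hunk; confirm nothing set up between exchange creation and this point is left dangling.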
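Review bot: message_alloc_reply() now has a NULL return that callers must handle, but the function's leading comment (above the hunk) is not updated to say so; add `Returns NULL when the reply message cannot be allocated.` there so future callers do not repeat the assumption this commit fixes. The description covers the two call sites in exchange.c; if message_alloc_reply() has callers in other files they need the same check, which is worth confirming with a grep.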