nd6_dad_ns_input() could trigger a NULL deref in nd6_dad_duplicated().

It checks dp in two of three places.  One check got lost in revision
1.83.  Do a dp == NULL once at the beginning.
OK jsg@
Reported-by: syzbot+88c0ce914a0b10b7e1c8@syzkaller.appspotmail.com

diff --git a/sys/netinet6/nd6_nbr.c b/sys/netinet6/nd6_nbr.c
index b4ffd7a..8d6bf38 100644 (file)
--- a/sys/netinet6/nd6_nbr.c
+++ b/sys/netinet6/nd6_nbr.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: nd6_nbr.c,v 1.129 2019/11/29 16:41:02 nayden Exp $    */
+/*     $OpenBSD: nd6_nbr.c,v 1.130 2021/12/13 14:30:16 bluhm Exp $     */
 /*     $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $        */
 
 /*
@@ -1327,12 +1327,16 @@ nd6_dad_ns_input(struct ifaddr *ifa)
 
        duplicate = 0;
        dp = nd6_dad_find(ifa);
+       if (dp == NULL) {
+               log(LOG_ERR, "%s: DAD structure not found\n", __func__);
+               return;
+       }
 
        /*
         * if I'm yet to start DAD, someone else started using this address
         * first.  I have a duplicate and you win.
         */
-       if (!dp || dp->dad_ns_ocount == 0)
+       if (dp->dad_ns_ocount == 0)
                duplicate++;
 
        /* XXX more checks for loopback situation - see nd6_dad_timer too */
@@ -1345,8 +1349,7 @@ nd6_dad_ns_input(struct ifaddr *ifa)
                 * not sure if I got a duplicate.
                 * increment ns count and see what happens.
                 */
-               if (dp)
-                       dp->dad_ns_icount++;
+               dp->dad_ns_icount++;
        }
 }