From: bluhm Date: Mon, 13 Dec 2021 14:30:16 +0000 (+0000) Subject: nd6_dad_ns_input() could trigger a NULL deref in nd6_dad_duplicated(). X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=ce9bd2eccc20a62f4c8b24c28aa4ccf98639b0a0;p=openbsd nd6_dad_ns_input() could trigger a NULL deref in nd6_dad_duplicated(). It checks dp in two of three places. One check got lost in revision 1.83. Do a dp == NULL once at the beginning. OK jsg@ Reported-by: syzbot+88c0ce914a0b10b7e1c8@syzkaller.appspotmail.com --- diff --git a/sys/netinet6/nd6_nbr.c b/sys/netinet6/nd6_nbr.c index b4ffd7a009d..8d6bf3841b8 100644 --- a/sys/netinet6/nd6_nbr.c +++ b/sys/netinet6/nd6_nbr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: nd6_nbr.c,v 1.129 2019/11/29 16:41:02 nayden Exp $ */ +/* $OpenBSD: nd6_nbr.c,v 1.130 2021/12/13 14:30:16 bluhm Exp $ */ /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */ /* @@ -1327,12 +1327,16 @@ nd6_dad_ns_input(struct ifaddr *ifa) duplicate = 0; dp = nd6_dad_find(ifa); + if (dp == NULL) { + log(LOG_ERR, "%s: DAD structure not found\n", __func__); + return; + } /* * if I'm yet to start DAD, someone else started using this address * first. I have a duplicate and you win. */ - if (!dp || dp->dad_ns_ocount == 0) + if (dp->dad_ns_ocount == 0) duplicate++; /* XXX more checks for loopback situation - see nd6_dad_timer too */ @@ -1345,8 +1349,7 @@ nd6_dad_ns_input(struct ifaddr *ifa) * not sure if I got a duplicate. * increment ns count and see what happens. */ - if (dp) - dp->dad_ns_icount++; + dp->dad_ns_icount++; } }
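Review bot: in the second hunk, the new `if (dp == NULL)` early return logs at LOG_ERR unconditionally from nd6_dad_ns_input(), which runs on the packet input path; if this state can be reached by incoming neighbor solicitations rather than only by a local logic error, an unthrottled `log(LOG_ERR, "%s: DAD structure not found\n", __func__)` can be noisy, so consider a rate-limited log or a silent return plus a counter. Otherwise the change is consistent: with the early return in place, dropping `!dp ||` from the ocount test in this hunk and the `if (dp)` guard in the third hunk removes the remaining dereference checks without changing behaviour, and the previously unchecked site in between is now covered by the single check at the top.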