From 7bc8ee17c0758449a29fcdc9585f8ec59e141fd5 Mon Sep 17 00:00:00 2001
From: bluhm <bluhm@openbsd.org>
Date: Mon, 27 Nov 2023 20:37:15 +0000
Subject: [PATCH] Add NULL check before dereferencing inp_seclevel.

In some cases inp may be NULL, so check that before passing
inp->inp_seclevel to ipsp_spd_lookup() or ip_output().

Missed in previous commit.
---
 sys/netinet/tcp_input.c  | 7 ++++---
 sys/netinet/udp_usrreq.c | 4 ++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 0b36decfdda..2a4aec3e8d8 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_input.c,v 1.393 2023/11/26 22:08:10 bluhm Exp $	*/
+/*	$OpenBSD: tcp_input.c,v 1.394 2023/11/27 20:37:15 bluhm Exp $	*/
 /*	$NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $	*/
 
 /*
@@ -586,7 +586,7 @@ findpcb:
 			    &tdbi->dst, tdbi->proto);
 		}
 		error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
-		    tdb, inp->inp_seclevel, NULL, NULL);
+		    tdb, inp ? inp->inp_seclevel : NULL, NULL, NULL);
 		tdb_unref(tdb);
 		if (error) {
 			tcpstat_inc(tcps_rcvnosec);
@@ -4162,7 +4162,8 @@ syn_cache_respond(struct syn_cache *sc, struct mbuf *m, uint64_t now)
 			ip->ip_tos = inp->inp_ip.ip_tos;
 
 		error = ip_output(m, sc->sc_ipopts, &sc->sc_route4,
-		    (ip_mtudisc ? IP_MTUDISC : 0),  NULL, inp->inp_seclevel, 0);
+		    (ip_mtudisc ? IP_MTUDISC : 0),  NULL,
+		    inp ? inp->inp_seclevel : NULL, 0);
 		break;
 #ifdef INET6
 	case AF_INET6:
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index c9b4c51ea09..0ab353d8f28 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: udp_usrreq.c,v 1.307 2023/11/26 22:08:10 bluhm Exp $	*/
+/*	$OpenBSD: udp_usrreq.c,v 1.308 2023/11/27 20:37:15 bluhm Exp $	*/
 /*	$NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $	*/
 
 /*
@@ -543,7 +543,7 @@ udp_input(struct mbuf **mp, int *offp, int proto, int af)
 		} else
 			tdb = NULL;
 		error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
-		    tdb, inp->inp_seclevel, NULL, NULL);
+		    tdb, inp ? inp->inp_seclevel : NULL, NULL, NULL);
 		if (error) {
 			udpstat_inc(udps_nosec);
 			tdb_unref(tdb);
-- 
2.20.1