From ce9bd2eccc20a62f4c8b24c28aa4ccf98639b0a0 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Mon, 13 Dec 2021 14:30:16 +0000
Subject: [PATCH] nd6_dad_ns_input() could trigger a NULL deref in nd6_dad_duplicated(). It checks dp in two of three places. One check got lost in revision 1.83. Do a dp == NULL once at the beginning. OK jsg@
Reported-by: syzbot+88c0ce914a0b10b7e1c8@syzkaller.appspotmail.com
---
 sys/netinet6/nd6_nbr.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/sys/netinet6/nd6_nbr.c b/sys/netinet6/nd6_nbr.c
index b4ffd7a009d..8d6bf3841b8 100644
--- a/sys/netinet6/nd6_nbr.c
+++ b/sys/netinet6/nd6_nbr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nd6_nbr.c,v 1.129 2019/11/29 16:41:02 nayden Exp $ */
+/* $OpenBSD: nd6_nbr.c,v 1.130 2021/12/13 14:30:16 bluhm Exp $ */
 /* $KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $ */
 
 /*
@@ -1327,12 +1327,16 @@ nd6_dad_ns_input(struct ifaddr *ifa)
 duplicate = 0;
 
 dp = nd6_dad_find(ifa);
+ if (dp == NULL) {
+ log(LOG_ERR, "%s: DAD structure not found\n", __func__);
+ return;
+ }
 
 /*
 * if I'm yet to start DAD, someone else started using this address
 * first. I have a duplicate and you win.
 */
- if (!dp || dp->dad_ns_ocount == 0)
+ if (dp->dad_ns_ocount == 0)
 duplicate++;
 
 /* XXX more checks for loopback situation - see nd6_dad_timer too */
@@ -1345,8 +1349,7 @@ nd6_dad_ns_input(struct ifaddr *ifa)
 * not sure if I got a duplicate.
 * increment ns count and see what happens.
 */
- if (dp)
- dp->dad_ns_icount++;
+ dp->dad_ns_icount++;
 }
 }
 
-- 
2.20.1
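Review bot: The early return in the hunk at line 1327 silently changes the outcome for a missing DAD entry: the removed `!dp` disjunct in `if (!dp || dp->dad_ns_ocount == 0)` counted that case as a duplicate, whereas the new `if (dp == NULL)` block logs and returns without changing any state, and neither the code nor the commit message says this is intended rather than incidental to the NULL-dereference fix. A short comment above the new check would keep the next reader from re-adding `!dp` to the duplicate test, e.g. `/* No dadq entry for this address: cannot judge a duplicate, so leave things as they are. */`. Whether a NULL here can only come from an internal inconsistency (such as a failed allocation in the DAD start path) is not visible in the hunk, so the LOG_ERR on a packet-driven path is presumably fine but worth stating in that comment. nd6_dad_ns_input's signature and declarations lie above the hunk; the hunk at line 1345 closes the function.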