Add missing NULL check for the protocol control block (pcb) pointer in

mrt{6,}_ioctl. Calling shutdown(2) on the socket prior to the ioctl
command can cause it to be NULL.

ok bluhm@ claudio@

Reported-by: syzbot+bdc489ecb509995a21ed@syzkaller.appspotmail.com
Reported-by: syzbot+156405fdea9f2ab15d40@syzkaller.appspotmail.com

2 files changed, 7 insertions, 1 deletions

diff --git a/sys/netinet/ip_mroute.c b/sys/netinet/ip_mroute.c
index 0862d377602..8df7b2aa3a5 100644
--- a/sys/netinet/ip_mroute.c
+++ b/sys/netinet/ip_mroute.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_mroute.c,v 1.125 2019/02/13 23:47:43 dlg Exp $	*/
+/*	$OpenBSD: ip_mroute.c,v 1.126 2019/06/04 16:11:13 anton Exp $	*/
 /*	$NetBSD: ip_mroute.c,v 1.85 2004/04/26 01:31:57 matt Exp $	*/
 
 /*
@@ -259,6 +259,9 @@ mrt_ioctl(struct socket *so, u_long cmd, caddr_t data)
 	struct inpcb *inp = sotoinpcb(so);
 	int error;
 
+	if (inp == NULL)
+		return (ENOTCONN);
+
 	if (so != ip_mrouter[inp->inp_rtableid])
 		error = EINVAL;
 	else
diff --git a/sys/netinet6/ip6_mroute.c b/sys/netinet6/ip6_mroute.c
index 37fb9e2f5d2..512353701b8 100644
--- a/sys/netinet6/ip6_mroute.c
+++ b/sys/netinet6/ip6_mroute.c
@@ -244,6 +244,9 @@ mrt6_ioctl(struct socket *so, u_long cmd, caddr_t data)
 	struct inpcb *inp = sotoinpcb(so);
 	int error;
 
+	if (inp == NULL)
+		return (ENOTCONN);
+
 	switch (cmd) {
 	case SIOCGETSGCNT_IN6:
 		NET_RLOCK();