From 2f229140c828d0601a77c5ef0b140fd77ea8f13b Mon Sep 17 00:00:00 2001
From: hshoexer
Date: Tue, 16 Jun 2026 11:50:53 +0000
Subject: [PATCH] isakmpd: Fix NULL dereference in message_validate_sa()

When the responder cookie is non-zero but sa_lookup_by_header() finds no matching SA, msg->isakmp_sa is NULL. Thus check before dereferencing.
---
 sbin/isakmpd/message.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index 7ba2386935b..9499e43e0e5 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.133 2026/06/11 09:55:17 hshoexer Exp $ */
+/* $OpenBSD: message.c,v 1.134 2026/06/16 11:50:53 hshoexer Exp $ */
 /* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
 
 /*
@@ -1053,7 +1053,8 @@ message_validate_sa(struct message *msg, struct payload *p)
 if (zero_test(pkt + ISAKMP_HDR_RCOOKIE_OFF, ISAKMP_HDR_RCOOKIE_LEN))
 exchange = exchange_setup_p1(msg, doi_id);
- else if (msg->isakmp_sa->flags & SA_FLAG_READY)
+ else if (msg->isakmp_sa &&
+ (msg->isakmp_sa->flags & SA_FLAG_READY))
 exchange = exchange_setup_p2(msg, doi_id);
 else {
 /* XXX What to do here? */