Hello, file openbsd-compat/port-tun.c, function sys_tun_outfilter(). This moves the "*dlen < sizeof(*af)" check inside the if-block above it, thus avoiding a potential NULL dereference. Found with clang's scan-build. --- a/openbsd-compat/port-tun.c +++ b/openbsd-compat/port-tun.c @@ -260,10 +260,11 @@ sys_tun_outfilter(struct Channel *c, u_char **data, u_int *dlen) /* XXX new API is incompatible with this signature. */ if ((r = sshbuf_get_string(&c->output, data, &xxx_dlen)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); - if (dlen != NULL) + if (dlen != NULL) { *dlen = xxx_dlen; - if (*dlen < sizeof(*af)) - return (NULL); + if (*dlen < sizeof(*af)) + return (NULL); + } buf = *data; #if defined(SSH_TUN_PREPEND_AF) Best regards, Albert _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev