From 3aaf20a2dcca0a887b2d94dd65e9d7730fddae5b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 21 Nov 2023 14:33:07 +1100 Subject: [PATCH] Ineffective DbC protections Dereference before NULL checks. Thanks to Eric Sesterhenn from X41 D-Sec GmbH for reporting this. (cherry picked from commit decc17d3b0e0a30d9fdae6ed4b7efec46e30dd9b) --- lib/dns/stats.c | 10 ++++++---- lib/isc/netmgr/http.c | 1 + lib/isc/netmgr/udp.c | 4 +++- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/lib/dns/stats.c b/lib/dns/stats.c index 390a3978ea..238efacdda 100644 --- a/lib/dns/stats.c +++ b/lib/dns/stats.c @@ -367,11 +367,12 @@ void dns_dnssecsignstats_increment(dns_stats_t *stats, dns_keytag_t id, uint8_t alg, dnssecsignstats_type_t operation) { uint32_t kval; - int num_keys = isc_stats_ncounters(stats->counters) / - dnssecsign_block_size; REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_dnssec); + int num_keys = isc_stats_ncounters(stats->counters) / + dnssecsign_block_size; + /* Shift algorithm in front of key tag, which is 16 bits */ kval = (uint32_t)(alg << 16 | id); @@ -414,11 +415,12 @@ dns_dnssecsignstats_increment(dns_stats_t *stats, dns_keytag_t id, uint8_t alg, void dns_dnssecsignstats_clear(dns_stats_t *stats, dns_keytag_t id, uint8_t alg) { uint32_t kval; - int num_keys = isc_stats_ncounters(stats->counters) / - dnssecsign_block_size; REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_dnssec); + int num_keys = isc_stats_ncounters(stats->counters) / + dnssecsign_block_size; + /* Shift algorithm in front of key tag, which is 16 bits */ kval = (uint32_t)(alg << 16 | id); diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c index f2d3e2d558..d7a33d5abe 100644 --- a/lib/isc/netmgr/http.c +++ b/lib/isc/netmgr/http.c 
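Review bot: In dns_dnssecsignstats_increment the fix now rests entirely on statement order, and nothing on the moved `int num_keys = isc_stats_ncounters(stats->counters) / dnssecsign_block_size;` line records why it sits below the REQUIRE. A later cleanup that hoists declarations back to the top of the block, next to `uint32_t kval;`, would silently reintroduce the dereference-before-check. A one-line comment above the declaration would guard against that, for example `/* Must stay after REQUIRE(): reads stats->counters. */`. The same applies to the identical move in the dns_dnssecsignstats_clear hunk. Both function bodies continue outside their hunks.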
@@ -2493,6 +2493,7 @@ isc_nm_listenhttp(isc_nm_t *mgr, isc_sockaddr_t *iface, int backlog, isc_nmsocket_t *sock = NULL; isc_result_t result; + REQUIRE(VALID_NM(mgr)); REQUIRE(!ISC_LIST_EMPTY(eps->handlers)); REQUIRE(!ISC_LIST_EMPTY(eps->handler_cbargs)); REQUIRE(atomic_load(&eps->in_use) == false); diff --git a/lib/isc/netmgr/udp.c b/lib/isc/netmgr/udp.c index 1a0ee16831..476c7992f6 100644 --- a/lib/isc/netmgr/udp.c +++ b/lib/isc/netmgr/udp.c @@ -152,9 +152,10 @@ isc_nm_listenudp(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nm_recv_cb_t cb, isc_result_t result = ISC_R_SUCCESS; isc_nmsocket_t *sock = NULL; size_t children_size = 0; - REQUIRE(VALID_NM(mgr)); uv_os_sock_t fd = -1; + REQUIRE(VALID_NM(mgr)); + /* * We are creating mgr->nworkers duplicated sockets, one * socket for each worker thread. @@ -693,6 +694,7 @@ isc__nm_udp_send(isc_nmhandle_t *handle, const isc_region_t *region, uint32_t maxudp = atomic_load(&sock->mgr->maxudp); int ntid; + REQUIRE(VALID_NMSOCK(sock)); INSIST(sock->type == isc_nm_udpsocket); /*
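Review bot: In isc_nm_listenhttp the three existing REQUIREs below the added line dereference `eps` (`eps->handlers`, `eps->handler_cbargs`, `eps->in_use`), and nothing visible in the hunk validates `eps` itself. The dereference-before-check pattern this commit targets therefore still applies to that parameter: a NULL or stale `eps` faults inside the first assertion instead of being reported by one. Consider putting a validity check ahead of them, at minimum `REQUIRE(eps != NULL);`, or the project's magic-number validity macro for this type if one exists. The function's parameter list and the rest of its body are outside the hunk.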
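Review bot: The added `REQUIRE(VALID_NMSOCK(sock));` in isc__nm_udp_send still executes after `sock` has been dereferenced, because the context line `uint32_t maxudp = atomic_load(&sock->mgr->maxudp);` sits two lines above it. An invalid `sock` would fault in that initializer before the assertion can fire, so the new check is ineffective in the same way as the cases this commit fixes. Declare `uint32_t maxudp;` without an initializer and assign `maxudp = atomic_load(&sock->mgr->maxudp);` after the REQUIRE. How `sock` is obtained lies above the hunk; if it is initialized from `handle` in a declaration, that dereference probably needs a preceding handle check as well.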