From b95f1ee0701f658fbbbe497f535564717fbe604e Mon Sep 17 00:00:00 2001 From: Shawn Routhier Date: Tue, 22 Nov 2011 23:56:50 +0000 Subject: [PATCH] Add a check for a null pointer before calling the regexec function. Without out this check we could, under some circumstances, pass a null pointer to the regexec function causing it to segfault. [ISC-Bugs #26704]. --- RELNOTES | 8 ++++++++ common/tree.c | 1 + 2 files changed, 9 insertions(+) diff --git a/RELNOTES b/RELNOTES index beeabf308..09becd0f1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -39,6 +39,14 @@ The system has only been tested on Linux, FreeBSD, and Solaris, and may not work on other platforms. Please report any problems and suggested fixes to . + Changes since 4.2.3 + +! Add a check for a null pointer before calling the regexec function. + Without out this check we could, under some circumstances, pass + a null pointer to the regexec function causing it to segfault. + [ISC-Bugs #26704]. + CVE: + Changes since 4.2.2 - Fix the code that checks for an existing DDNS transaction to cancel diff --git a/common/tree.c b/common/tree.c index d09107b8b..20b2bc644 100644 --- a/common/tree.c +++ b/common/tree.c @@ -1120,6 +1120,7 @@ int evaluate_boolean_expression (result, packet, lease, client_state, *result = 0; memset(&re, 0, sizeof(re)); if (bleft && bright && + (left.data != NULL) && (regcomp(&re, (char *)right.data, regflags) == 0) && (regexec(&re, (char *)left.data, (size_t)0, NULL, 0) == 0)) *result = 1; -- 2.47.2
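Review bot: In the RELNOTES hunk the added "CVE:" line carries no identifier, and the entry text reads "Without out this check", which is a doubled word. Either fill in the CVE once one is assigned or drop the line before release so the notes do not ship with an empty field, and change the sentence to "Without this check". The "!" marker on the entry suggests it is being flagged as security-relevant, so it would help readers if the entry also said which configuration construct reaches this code path (a regex match in a boolean expression, going by the common/tree.c change).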
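Review bot: In the common/tree.c hunk the new guard covers only left.data, while right.data is still cast and passed to regcomp() in the very next condition with no equivalent check. If bright being non-zero does not guarantee that right.data is non-NULL, the same class of crash remains on the pattern side; consider adding "(right.data != NULL) &&" alongside the new line, or add a comment stating why the right operand can never be empty here. A short comment on the new line explaining when left.data can be NULL even though bleft is set would also make clear why the check is needed, since that is not obvious from the surrounding condition. Note that with the guard in place a NULL left operand leaves *result at 0, that is, it is treated as "no match"; if that is the intended semantics it is worth stating in the comment.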