ip4_frag/ip6_frag: fix potential NULL-pointer access on memory errors

CHANGELOG

@@ -6,6 +6,11 @@ HISTORY
 
   * [Enter new changes just after this line - do not remove this line]
 
+  ++ Bugfixes:
+
+  2025-06-03: Simon Goldschmidt
+  * ip4_frag/ip6_frag: fix potential NULL-pointer access on memory errors
+
 (STABLE-2.2.1):
 
   ++ New features:

src/core/ipv4/ip4_frag.c

@@ -175,6 +175,7 @@ ip_reass_free_complete_datagram(struct ip_reassdata *ipr, struct ip_reassdata *p
 
   MIB2_STATS_INC(mib2.ipreasmfails);
 #if LWIP_ICMP
+  if (ipr->p != NULL) {
     iprh = (struct ip_reass_helper *)ipr->p->payload;
     if (iprh->start == 0) {
       /* The first fragment was received, send ICMP time exceeded. */
@@ -189,6 +190,7 @@ ip_reass_free_complete_datagram(struct ip_reassdata *ipr, struct ip_reassdata *p
       pbufs_freed = (u16_t)(pbufs_freed + clen);
       pbuf_free(p);
     }
+  }
 #endif /* LWIP_ICMP */
 
   /* First, free all received pbufs.  The individual pbufs need to be released

src/core/ipv6/ip6_frag.c

@@ -154,6 +154,7 @@ ip6_reass_free_complete_datagram(struct ip6_reassdata *ipr)
   struct ip6_reass_helper *iprh;
 
 #if LWIP_ICMP6
+  if (ipr->p != NULL) {
     iprh = (struct ip6_reass_helper *)ipr->p->payload;
     if (iprh->start == 0) {
       /* The first fragment was received, send ICMP time exceeded. */
@@ -184,6 +185,7 @@ ip6_reass_free_complete_datagram(struct ip6_reassdata *ipr)
       pbufs_freed = (u16_t)(pbufs_freed + clen);
       pbuf_free(p);
     }
+  }
 #endif /* LWIP_ICMP6 */
 
   /* First, free all received pbufs.  The individual pbufs need to be released