On multipath routes the check ended up checking the wrong route for the
nexthop update. This resulted in a use-after-free in kroute_detach_nexthop().
This only affects IPv6; in the IPv4 code path the right object was already used.
Thanks to sthen@ for providing the debug information to track this down.
OK sthen@ tb@
-/* $OpenBSD: kroute.c,v 1.304 2023/03/07 10:30:38 claudio Exp $ */
+/* $OpenBSD: kroute.c,v 1.305 2023/06/01 09:47:34 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
}
/* check whether a nexthop depends on this kroute */
- if (kr->flags & F_NEXTHOP) {
+ if (krm->flags & F_NEXTHOP) {
RB_FOREACH(n, knexthop_tree, KT2KNT(kt)) {
if (n->kroute == krm)
knexthop_validate(kt, n);
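Review bot: the comment above the changed test still reads "this kroute", which does not say whether kr or krm is meant, and that ambiguity is what let the flag test and the loop body disagree. The loop matches on n->kroute == krm, so the comment could name krm explicitly as the multipath entry whose nexthop dependencies are revalidated. Since the commit message says the IPv4 path already used the right object, it would also help to note in the comment that both address-family paths must test the same object they compare against, so the two copies do not drift apart again.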