From 07e4740f85bb7e37ebff07421a133561825b178f Mon Sep 17 00:00:00 2001
From: claudio
Date: Wed, 3 Aug 2022 08:11:18 +0000
Subject: [PATCH] Fix possible NULL dereference in knexthop_validate(). kroute_match() may return NULL so setting kn->ifindex should only be done if the kroute is valid. Also set the ifindex to 0 in kroute_detach_nexthop(). Based on a bigger diff which is OK tb@ and sthen@
---
 usr.sbin/bgpd/kroute.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/usr.sbin/bgpd/kroute.c b/usr.sbin/bgpd/kroute.c
index d50aab12afe..ed9c523afe4 100644
--- a/usr.sbin/bgpd/kroute.c
+++ b/usr.sbin/bgpd/kroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kroute.c,v 1.285 2022/07/28 14:05:13 claudio Exp $ */
+/* $OpenBSD: kroute.c,v 1.286 2022/08/03 08:11:18 claudio Exp $ */
 /*
 * Copyright (c) 2022 Claudio Jeker
@@ -2131,8 +2131,9 @@ knexthop_validate(struct ktable *kt, struct knexthop *kn)
 case AID_INET:
 kr = kroute_match(kt, &kn->nexthop, 0);
- if (kr) {
+ if (kr != NULL) {
 kn->kroute = kr;
+ kn->ifindex = kr->ifindex;
 kr->flags |= F_NEXTHOP;
 }
@@ -2141,23 +2142,20 @@ knexthop_validate(struct ktable *kt, struct knexthop *kn)
 * the route remains the same then the NH state has not
 * changed. State changes are tracked by knexthop_track().
 */
- if (kr != oldk) {
- kn->ifindex = kr->ifindex;
+ if (kr != oldk)
 knexthop_send_update(kn);
- }
 break;
 case AID_INET6:
 kr6 = kroute6_match(kt, &kn->nexthop, 0);
- if (kr6) {
+ if (kr6 != NULL) {
 kn->kroute = kr6;
+ kn->ifindex = kr6->ifindex;
 kr6->flags |= F_NEXTHOP;
 }
- if (kr6 != oldk) {
- kn->ifindex = kr6->ifindex;
+ if (kr6 != oldk)
 knexthop_send_update(kn);
- }
 break;
 }
 }
@@ -2292,6 +2290,7 @@ kroute_detach_nexthop(struct ktable *kt, struct knexthop *kn)
 }
 kn->kroute = NULL;
+ kn->ifindex = 0;
 }
 /*
--
2.20.1
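Review bot: The no-match path in knexthop_validate() is not self-evident from the new code: when kroute_match() or kroute6_match() returns NULL, neither branch writes kn->kroute or kn->ifindex, yet `if (kr != oldk)` and `if (kr6 != oldk)` in the following hunk still call knexthop_send_update(kn) whenever the old route was non-NULL. What that update carries then depends on state set outside these hunks, presumably a kroute_detach_nexthop() call earlier in the function, which this commit extends to zero the ifindex; the function starts before the hunk, so this needs confirming against the full body. I would add a comment above each update check, e.g. `/* on no match kn->kroute is NULL and kn->ifindex is 0, see kroute_detach_nexthop() */`, so that a later refactor does not reintroduce a stale ifindex or the NULL dereference.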
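Review bot: `kn->ifindex = 0;` in kroute_detach_nexthop() relies on 0 meaning "no interface" without saying so. A one-line comment such as `/* 0 = no interface; nexthop is unresolved until revalidated */` would document the sentinel for whoever reads the update path, which presumably consumes kn->ifindex elsewhere. The function body begins outside the hunk, so how the previous kn->kroute is released before this point is not visible here.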