From 76710a0821d7e117b562a41c1835966483d8acf4 Mon Sep 17 00:00:00 2001
From: claudio
Date: Thu, 1 Jun 2023 09:47:34 +0000
Subject: [PATCH] Check the F_NEXTHOP flag on the right kroute6 object. On multipath routes the check ended up checking the wrong route for the nexthop update. This resulted in a use-after-free in kroute_detach_nexthop(). This only affects IPv6 in the IPv4 code path the right object was already used. Thanks to sthen@ for providing the debug information to track this down. OK sthen@ tb@
---
 usr.sbin/bgpd/kroute.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr.sbin/bgpd/kroute.c b/usr.sbin/bgpd/kroute.c
index 126c348ae1a..ac55f1033da 100644
--- a/usr.sbin/bgpd/kroute.c
+++ b/usr.sbin/bgpd/kroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kroute.c,v 1.304 2023/03/07 10:30:38 claudio Exp $ */
+/* $OpenBSD: kroute.c,v 1.305 2023/06/01 09:47:34 claudio Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
@@ -1864,7 +1864,7 @@ kroute6_remove(struct ktable *kt, struct kroute_full *kf, int any)
 }
 /* check whether a nexthop depends on this kroute */
- if (kr->flags & F_NEXTHOP) {
+ if (krm->flags & F_NEXTHOP) {
 RB_FOREACH(n, knexthop_tree, KT2KNT(kt)) {
 if (n->kroute == krm)
 knexthop_validate(kt, n);
-- 
2.20.1
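Review bot: The comment above the corrected test in the second hunk, `/* check whether a nexthop depends on this kroute */`, does not say which of `kr` and `krm` is "this kroute", and the loop body compares against `krm` while the old test read `kr`, so the two could drift apart again unnoticed. I would name the object in the comment, for example `/* krm is the entry being removed: test its F_NEXTHOP flag, not kr's, so every knexthop still pointing at krm is revalidated */`. The commit message ties the mismatch to a use-after-free in kroute_detach_nexthop(), so the reason for using `krm` is worth keeping next to the code. kroute6_remove() starts and ends outside this hunk, so how `kr` relates to `krm` and where `krm` is released is inferred from the message rather than visible here.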