Can someone give this diff for ospf6d a try? This fixes the same issue that I just committed for ospfd:
revision 1.48 date: 2020/05/06 14:40:54; author: claudio; state: Exp; lines: +5 -5; commitid: 1nh8JCAv0Kmqd1jV; Do not use the pointer returned by ibuf_reserve() after calling another ibuf function. After the call the internal buffer may have moved by realloc() and so the pointer is invalid. Instead use ibuf_size() to get the current offset in the buffer and use ibuf_seek() later on to write back the updated lsa age into the buffer at the right spot. This fixes an issue seen by Richard Chivers on routers with many passive interfaces. OK stsp@ deraadt@ Thanks -- :wq Claudio Index: lsupdate.c =================================================================== RCS file: /cvs/src/usr.sbin/ospf6d/lsupdate.c,v retrieving revision 1.16 diff -u -p -r1.16 lsupdate.c --- lsupdate.c 4 May 2020 14:36:51 -0000 1.16 +++ lsupdate.c 6 May 2020 14:33:40 -0000 @@ -194,13 +194,13 @@ int add_ls_update(struct ibuf *buf, struct iface *iface, void *data, u_int16_t len, u_int16_t older) { - void *lsage; - u_int16_t age; + size_t ageoff; + u_int16_t age; if (buf->wpos + len >= buf->max) return (0); - lsage = ibuf_reserve(buf, 0); + ageoff = ibuf_size(buf); if (ibuf_add(buf, data, len)) { log_warn("add_ls_update"); return (0); @@ -212,7 +212,7 @@ add_ls_update(struct ibuf *buf, struct i if ((age += older + iface->transmit_delay) >= MAX_AGE) age = MAX_AGE; age = htons(age); - memcpy(lsage, &age, sizeof(age)); + memcpy(ibuf_seek(buf, ageoff, sizeof(age)), &age, sizeof(age)); return (1); }
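Review bot: In the first hunk (@@ -194,13 +194,13 @@), `ageoff = ibuf_size(buf);` deserves a one-line comment saying it records the offset at which this LSA starts, because the age is written back at that offset after `ibuf_add()` may have moved the buffer. Without that hint a later cleanup could easily go back to caching a pointer. A smaller style point in the same hunk: the new line reads the write position through `ibuf_size()`, while the bounds check just above it still reads `buf->wpos` and `buf->max` directly. Using one form for both would make it clearer that the check and the saved offset refer to the same position.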
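Review bot: In the second hunk (@@ -212,7 +212,7 @@), the result of `ibuf_seek(buf, ageoff, sizeof(age))` goes straight into `memcpy()` as the destination without a NULL check. `ibuf_seek()` returns NULL when the requested range extends past the data already written, which here would mean `len` was smaller than `sizeof(age)`. Callers presumably always pass a full LSA, but nothing in the visible function enforces that, so a short `len` would turn into a write through a NULL pointer. Consider storing the result in a local, and on NULL calling `log_warn("add_ls_update")` and returning 0 as the `ibuf_add()` failure path does, or rejecting `len < sizeof(age)` next to the existing size check at the top of the function.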