On 2023/06/01 03:47, Claudio Jeker wrote:
> CVSROOT: /cvs
> Module name: src
> Changes by: clau...@cvs.openbsd.org 2023/06/01 03:47:35
>
> Modified files:
>     usr.sbin/bgpd : kroute.c
>
> Log message:
> Check the F_NEXTHOP flag on the right kroute6 object.
>
> On multipath routes the check ended up checking the wrong route for the
> nexthop update. This resulted in a use-after-free in kroute_detach_nexthop().
> This only affects IPv6; in the IPv4 code path the right object was already
> used.
>
> Thanks to sthen@ for providing the debug information to track this down.
> OK sthen@ tb@

I think this is one where we can definitely say "found the hard way", thank you Claudio for staring at the code..