From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject: bgpd: fix chash ch_table_resize error handling
To: tech@openbsd.org
Date: Tue, 12 May 2026 11:46:03 +0200

Doing a double reallocarray call is tricky.
If the first reallocarray succeeds and the 2nd one fails then the pointer
for the first reallocarray needs to be updated and not freed.

Simply update the t->ch_tables pointer to the new location and return an
error here. That way the ch_table remains consistent and can still be used.

-- 
:wq Claudio

Index: chash.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/chash.c,v
diff -u -p -r1.10 chash.c
--- chash.c	7 May 2026 09:22:10 -0000	1.10
+++ chash.c	12 May 2026 09:32:07 -0000
@@ -548,7 +548,13 @@ ch_table_resize(const struct ch_type *ty
 		return -1;
 	metas = reallocarray(t->ch_metas, newsize, sizeof(*metas));
 	if (metas == NULL) {
-		free(tables);
+		/*
+		 * tables was correctly reallocated, so update that
+		 * pointer before failing hard. If the caller recovers
+		 * somehow the next reallocarray of ch_tables will simply
+		 * do nothing.
+		 */
+		t->ch_tables = tables;
 		return -1;
 	}
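
Review bot: The new comment in the metas == NULL branch says "before failing hard" and then goes on to describe the caller recovering, so pick one wording to make the intended contract of the -1 return clear. Nothing in this branch records a new size, so after this return ch_tables is already sized for newsize while ch_metas still has its old size, and the extra ch_tables slots are uninitialized. It would help if the comment stated that this mismatch is intentional and that the added slots must not be touched until a later resize succeeds.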