From: Claudio Jeker
Subject: bgpd: fix possible use-after-free in up_generate_addpath()
To: tech@openbsd.org
Date: Wed, 3 Dec 2025 10:44:14 +0100

The code around adjout_prefix_withdraw() is a bit too complex to be sure that there is never a case where the prefix is removed and freed. So use the safe idiom to fetch the next element before calling adjout_prefix_withdraw().

Fix for CID 500335
--
:wq Claudio

Index: rde_update.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/rde_update.c,v
diff -u -p -r1.186 rde_update.c
--- rde_update.c	2 Dec 2025 13:03:35 -0000	1.186
+++ rde_update.c	3 Dec 2025 09:40:42 -0000
@@ -258,7 +258,7 @@ void
 up_generate_addpath(struct rde_peer *peer, struct rib_entry *re)
 {
 	struct prefix		*new;
-	struct adjout_prefix	*head, *p;
+	struct adjout_prefix	*head, *p, *np;
 	int			 maxpaths = 0, extrapaths = 0, extra;
 	int			 checkmode = 1;
@@ -332,7 +332,8 @@ up_generate_addpath(struct rde_peer *pee
 	}
 	/* withdraw stale paths */
-	for (p = head; p != NULL; p = adjout_prefix_next(peer, p)) {
+	for (p = head; p != NULL; p = np) {
+		np = adjout_prefix_next(peer, p);
 		if (p->flags & PREFIX_ADJOUT_FLAG_STALE)
 			adjout_prefix_withdraw(peer, p);
 	}
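Review bot: The fetch-next-first loop in the second hunk only protects against adjout_prefix_withdraw() freeing p itself; if that call can also unlink or free the element np already points to (the commit message says the surrounding code is too complex to be sure), `p = np` still hands a stale pointer to the next iteration. That assumption is worth recording at the site so a later change to adjout_prefix_withdraw() is checked against it, e.g. `/* fetch np first: adjout_prefix_withdraw() may free p, and must not free any other member of this list */`. The first hunk declares np next to head and p without an initializer, which is fine here because it is assigned before every read; up_generate_addpath's body continues between and after the two hunks.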