From e41d07dbde6bf8553514fb2798c0e94170e1e50f Mon Sep 17 00:00:00 2001
From: claudio
Date: Wed, 27 May 2026 12:38:54 +0000
Subject: [PATCH] Sync the nexthop comperators in rde_rib.c and kroute.c

While nexthop_cmp() already looked for the scope_id for link-local IPv6 nexthops, knexthop_compare() did not. Reported by 7Asecurity OK tb@
---
 usr.sbin/bgpd/kroute.c | 26 +++++++++++++++-----------
 usr.sbin/bgpd/rde_rib.c | 12 ++++++------
 2 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/usr.sbin/bgpd/kroute.c b/usr.sbin/bgpd/kroute.c
index fe0e26001cf..c8a9c6ac18d 100644
--- a/usr.sbin/bgpd/kroute.c
+++ b/usr.sbin/bgpd/kroute.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kroute.c,v 1.313 2025/02/04 16:07:46 claudio Exp $ */
+/* $OpenBSD: kroute.c,v 1.314 2026/05/27 12:38:54 claudio Exp $ */
 
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
@@ -1506,30 +1506,34 @@ kroute6_compare(struct kroute6 *a, struct kroute6 *b)
 int
 knexthop_compare(struct knexthop *a, struct knexthop *b)
 {
- int i;
+ int r;
 
 if (a->nexthop.aid != b->nexthop.aid)
- return (b->nexthop.aid - a->nexthop.aid);
+ return (a->nexthop.aid - b->nexthop.aid);
 
 switch (a->nexthop.aid) {
 case AID_INET:
- if (ntohl(a->nexthop.v4.s_addr) < ntohl(b->nexthop.v4.s_addr))
- return (-1);
 if (ntohl(a->nexthop.v4.s_addr) > ntohl(b->nexthop.v4.s_addr))
 return (1);
+ if (ntohl(a->nexthop.v4.s_addr) < ntohl(b->nexthop.v4.s_addr))
+ return (-1);
 break;
 case AID_INET6:
- for (i = 0; i < 16; i++) {
- if (a->nexthop.v6.s6_addr[i] < b->nexthop.v6.s6_addr[i])
- return (-1);
- if (a->nexthop.v6.s6_addr[i] > b->nexthop.v6.s6_addr[i])
+ r = memcmp(&a->nexthop.v6, &b->nexthop.v6,
+ sizeof(a->nexthop.v6));
+ if (r != 0)
+ return r;
+ if (IN6_IS_ADDR_LINKLOCAL(&a->nexthop.v6)) {
+ if (a->nexthop.scope_id > b->nexthop.scope_id)
 return (1);
+ if (a->nexthop.scope_id < b->nexthop.scope_id)
+ return (-1);
 }
 break;
 default:
- fatalx("%s: unknown AF", __func__);
+ fatalx("%s: %s is unsupported", __func__,
+ aid2str(a->nexthop.aid));
 }
-
 return (0);
 }
 
diff --git a/usr.sbin/bgpd/rde_rib.c b/usr.sbin/bgpd/rde_rib.c
index 4d205b6c94f..a0e67e67704 100644
--- a/usr.sbin/bgpd/rde_rib.c
+++ b/usr.sbin/bgpd/rde_rib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rde_rib.c,v 1.297 2026/05/27 08:28:35 claudio Exp $ */
+/* $OpenBSD: rde_rib.c,v 1.298 2026/05/27 12:38:54 claudio Exp $ */
 
 /*
 * Copyright (c) 2003, 2004 Claudio Jeker
@@ -1495,9 +1495,9 @@ nexthop_cmp(struct nexthop *na, struct nexthop *nb)
 return (1);
 if (ntohl(a->v4.s_addr) < ntohl(b->v4.s_addr))
 return (-1);
- return (0);
+ break;
 case AID_INET6:
- r = memcmp(&a->v6, &b->v6, sizeof(struct in6_addr));
+ r = memcmp(&a->v6, &b->v6, sizeof(a->v6));
 if (r != 0)
 return r;
 if (IN6_IS_ADDR_LINKLOCAL(&a->v6)) {
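Review bot: In knexthop_compare() the new link-local branch makes scope_id part of the tree key, so every struct knexthop used as a search key must now carry the scope_id of the nexthop being looked up. The code that builds those keys is outside this hunk and should be checked, because a key left at scope 0 would no longer match an existing fe80::/10 entry on a scoped interface. A short comment on the branch would record why the extra comparison exists, e.g. `/* same link-local address on another interface is a different nexthop */`. The flipped sign of the aid comparison also reverses how address families are ordered in the tree, which is harmless only if nothing depends on iteration order across families; that is not visible here.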
@@ -1506,11 +1506,11 @@ nexthop_cmp(struct nexthop *na, struct nexthop *nb)
 if (a->scope_id < b->scope_id)
 return (-1);
 }
- return (0);
+ break;
 default:
- fatalx("nexthop_cmp: %s is unsupported", aid2str(a->aid));
+ fatalx("%s: %s is unsupported", __func__, aid2str(a->aid));
 }
- return (-1);
+ return (0);
 }
 
 static struct nexthop *
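Review bot: nexthop_cmp() and knexthop_compare() in kroute.c are now meant to order nexthops identically, but nothing in either file says so, and the commit message shows the scope_id check had already drifted between them once. A comment above nexthop_cmp() (its header is outside this hunk) would make the coupling explicit, e.g. `/* Must order nexthops exactly like knexthop_compare() in kroute.c. */`, with the mirror comment in kroute.c. Separately, with the tail changed from `return (-1);` to `return (0);`, the default case relies on fatalx() never returning; it is presumably declared noreturn, but the declaration is not visible here. The @@ -1495 hunk touches the same function and falls under the same remarks.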