When sending a routing message, don't allow the user to set the

RTF_RNH_LOCKED flag in rtm_flags, since this flag is used only internally. Reported by: syzbot+65c676f5248a13753ea0@syzkaller.appspotmail.com Reviewed by: ae@ MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D19898
2019-04-14 10:18:14 +00:00 · 2019-04-14 10:18:14 +00:00 · e6481fd4c4
commit e6481fd4c4
parent b3d01a2ad7
1 changed files with 2 additions and 0 deletions
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@ -618,6 +618,8 @@ route_output(struct mbuf *m, struct socket *so, ...)
 	if (rt_xaddrs((caddr_t)(rtm + 1), len + (caddr_t)rtm, &info))
 		senderr(EINVAL);

+	if (rtm->rtm_flags & RTF_RNH_LOCKED)
+		senderr(EINVAL);
 	info.rti_flags = rtm->rtm_flags;
 	if (info.rti_info[RTAX_DST] == NULL ||
 	    info.rti_info[RTAX_DST]->sa_family >= AF_MAX ||