From e6481fd4c46a2294e892e19d72e6793ddc0a3ab6 Mon Sep 17 00:00:00 2001
From: Michael Tuexen <tuexen@FreeBSD.org>
Date: Sun, 14 Apr 2019 10:18:14 +0000
Subject: [PATCH] When sending a routing message, don't allow the user to set
 the RTF_RNH_LOCKED flag in rtm_flags, since this flag is used only
 internally.

Reported by:		syzbot+65c676f5248a13753ea0@syzkaller.appspotmail.com
Reviewed by:		ae@
MFC after:		1 week
Differential Revision:	https://reviews.freebsd.org/D19898
---
 sys/net/rtsock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 5d50da01c8ba..06a9c7d640c6 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -618,6 +618,8 @@ route_output(struct mbuf *m, struct socket *so, ...)
 	if (rt_xaddrs((caddr_t)(rtm + 1), len + (caddr_t)rtm, &info))
 		senderr(EINVAL);
 
+	if (rtm->rtm_flags & RTF_RNH_LOCKED)
+		senderr(EINVAL);
 	info.rti_flags = rtm->rtm_flags;
 	if (info.rti_info[RTAX_DST] == NULL ||
 	    info.rti_info[RTAX_DST]->sa_family >= AF_MAX ||
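Review bot: The added test `if (rtm->rtm_flags & RTF_RNH_LOCKED)` rejects exactly one kernel-internal bit, while the next line still copies every other bit of the user-supplied `rtm_flags` into `info.rti_flags` unfiltered. If other RTF_* bits are also meant to be set only by the kernel (not visible in this hunk), a one-flag deny-list needs a new patch for each; validating `rtm_flags` against a mask of user-settable flags would fail closed instead. Either way the check deserves a comment stating the trust boundary, e.g. `/* rtm_flags comes from userland; RTF_RNH_LOCKED is kernel-internal and must never be accepted from a routing socket. */`. route_output() begins and ends outside the hunk, so how `senderr` unwinds from this point is not shown.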