From dffbb40d0a99266e5ea853dd1356ea5711594841 Mon Sep 17 00:00:00 2001
From: gnn <gnn@FreeBSD.org>
Date: Fri, 15 Jul 2005 09:18:34 +0000
Subject: Fix for PR 82974.  We were not checking that the route looked up in
 the case of an RTM_CHANGE was specific, i.e. that it matched completely. 
 This led to a route change of a non-existent route changing the default route
 as the radix code would simply back track to that point and hand that route
 back to the routing socket code.

PR: 82974
Reviewed by: Tai-hwa Liang <avatar@mmlab.cse.yzu.edu.tw>
             Ben Kaduk <minimarmot@gmail.com>
             Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net>
Obtained from:	OpenBSD with modifications.
MFC after: 2 weeks
---
 sys/net/rtsock.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'sys/net/rtsock.c')

diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 9c13a07..a1e759b 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -434,6 +434,25 @@ route_output(struct mbuf *m, struct socket *so)
 		RT_LOCK(rt);
 		RT_ADDREF(rt);
 
+		/* 
+		 * Fix for PR: 82974
+		 *
+		 * RTM_CHANGE/LOCK need a perfect match, rn_lookup()
+		 * returns a perfect match in case a netmask is
+		 * specified.  For host routes only a longest prefix
+		 * match is returned so it is necessary to compare the
+		 * existence of the netmask.  If both have a netmask
+		 * rnh_lookup() did a perfect match and if none of them
+		 * have a netmask both are host routes which is also a
+		 * perfect match.
+		 */
+
+		if (rtm->rtm_type != RTM_GET && 
+		    (!rt_mask(rt) != !info.rti_info[RTAX_NETMASK])) {
+			RT_UNLOCK(rt);
+			senderr(ESRCH);
+		}
+
 		switch(rtm->rtm_type) {
 
 		case RTM_GET:
-- 
cgit v1.1