diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -3493,7 +3493,14 @@
 	if (tp != NULL) {
 		INP_LOCK_ASSERT(tptoinpcb(tp));
 	}
-
+	/*
+	 * If more than one TCP specific rstreason should be supported,
+	 * ensure that no side channel is opened. In particular, consider
+	 * possible interactions with tcp_send_challenge_ack().
+	 * XXXMT: should we remove support for BANDLIM_UNLIMITED?
+	 */
+	KASSERT(rstreason == BANDLIM_UNLIMITED || rstreason == BANDLIM_TCP_RST,
+	    ("%s: unexpected rstreason %d", __func__, rstreason));
 	/* Don't bother if destination was broadcast/multicast. */
 	if ((tcp_get_flags(th) & TH_RST) || m->m_flags & (M_BCAST|M_MCAST))
 		goto drop;