Module Name:    src
Committed By:   maxv
Date:           Sun Apr 1 12:58:47 UTC 2018

Modified Files:
        src/sys/netinet: tcp_output.c

Log Message:
Change the check to be <= instead of <. This fixes one occurrence of an
apparently widespread division-by-zero bug in our TCP code: if a user adds
huge IPv6 options with setsockopt, and if the total size of the options
happens to be equal to the available space calculated for the TCP payload,
t_segsz gets set to zero, and given that we then divide several things by
it, the kernel crashes.

To generate a diff of this commit:
cvs rdiff -u -r1.203 -r1.204 src/sys/netinet/tcp_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/sys/netinet/tcp_output.c diff -u src/sys/netinet/tcp_output.c:1.203 src/sys/netinet/tcp_output.c:1.204 --- src/sys/netinet/tcp_output.c:1.203 Sun Apr 1 12:46:50 2018 +++ src/sys/netinet/tcp_output.c Sun Apr 1 12:58:47 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: tcp_output.c,v 1.203 2018/04/01 12:46:50 maxv Exp $ */ +/* $NetBSD: tcp_output.c,v 1.204 2018/04/01 12:58:47 maxv Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -135,7 +135,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: tcp_output.c,v 1.203 2018/04/01 12:46:50 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: tcp_output.c,v 1.204 2018/04/01 12:58:47 maxv Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -358,9 +358,13 @@ tcp_segsize(struct tcpcb *tp, int *txseg #endif size -= optlen; - /* there may not be any room for data if mtu is too small */ - if (size < 0) + /* + * There may not be any room for data if mtu is too small. This + * includes zero-sized. + */ + if (size <= 0) { return EMSGSIZE; + } /* * *rxsegsizep holds *estimated* inbound segment size (estimation
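Review bot: In the tcp_segsize() hunk, the new comment above `if (size <= 0)` says the zero-sized case is included but not why it matters. The log message gives the reason (a zero result ends up in t_segsz, which is then used as a divisor), and a short mention of that in the comment would keep a later cleanup from relaxing the test back to `<`. The log also describes this as one occurrence of a widespread bug, so this check only covers sizes computed through tcp_segsize(); an assertion that t_segsz is non-zero at the places that divide by it would help catch the remaining paths.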