David reported a possible use of an uninitialized ``ifp'' in tcp_mss().
This cannot currently happen but I think the diff below should prevent
a bad dereference later.
Ok?
Index: netinet/tcp_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.309
diff -u -p -r1.309 tcp_input.c
--- netinet/tcp_input.c 20 Nov 2015 10:45:29 -0000 1.309
+++ netinet/tcp_input.c 21 Nov 2015 11:51:53 -0000
@@ -2988,6 +2988,10 @@ tcp_mss(struct tcpcb *tp, int offer)
if (rt == NULL)
goto out;
+ ifp = if_get(rt->rt_ifidx);
+ if (ifp == NULL)
+ goto out;
+
switch (tp->pf) {
#ifdef INET6
case AF_INET6:
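Review bot: The rationale for the NULL check is lost in the move: the comment on the old `else if (ifp == NULL)` branch (deleted in the third hunk) explained that ifp may be NULL in certain v6 cases, e.g. when ND could not resolve the destination, and the new early check before the `switch (tp->pf)` carries no comment at all. Suggest carrying it over, e.g. `/* ifp may be NULL in certain v6 cases (e.g., ND failed to resolve the destination); bail out before anything dereferences it. */` above the added `if (ifp == NULL)`. The `out:` label and the remainder of tcp_mss() are outside the hunk, so I cannot tell whether if_get() hands back a reference in this tree; if it does, the added `goto out` path must drop it the same way the other exits do. The `rt == NULL` check just above already keeps `rt->rt_ifidx` safe at the new call site.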
@@ -3002,7 +3006,6 @@ tcp_mss(struct tcpcb *tp, int offer)
goto out;
}
- ifp = if_get(rt->rt_ifidx);
/*
* if there's an mtu associated with the route and we support
* path MTU discovery for the underlying protocol family, use it.
@@ -3024,13 +3027,6 @@ tcp_mss(struct tcpcb *tp, int offer)
mss = rt->rt_rmx.rmx_mtu - iphlen -
sizeof(struct tcphdr);
}
- } else if (ifp == NULL) {
- /*
- * ifp may be null and rmx_mtu may be zero in certain
- * v6 cases (e.g., if ND wasn't able to resolve the
- * destination host.
- */
- goto out;
} else if (ifp->if_flags & IFF_LOOPBACK) {
mss = ifp->if_mtu - iphlen - sizeof(struct tcphdr);
} else if (tp->pf == AF_INET) {