Fix signed integer comparison in tcp mss.

In tcp_mss_adv() max(9) was used to guarantee that mss it not too small. Unfortunately max() uses u_int and mss could get negative in some error conditions. Rearrange the code to directly return in case of errors. Also read tcp_mssdflt only once to head towards atomic integer sysctl. OK mvs@
2024-12-22 07:27:59 -08:00 · 2024-12-20 19:20:34 +00:00 · 2024-12-20 19:20:34 +00:00 · 3458005deb
commit 3458005deb
parent ae80fb09d1
1 changed files with 16 additions and 12 deletions
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_input.c,v 1.409 2024/12/19 22:11:35 mvs Exp $	*/
+/*	$OpenBSD: tcp_input.c,v 1.410 2024/12/20 19:20:34 bluhm Exp $	*/
 /*	$NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $	*/

 /*
@ -3067,32 +3067,36 @@ tcp_newreno_partialack(struct tcpcb *tp, struct tcphdr *th)
 int
 tcp_mss_adv(struct mbuf *m, int af)
 {
-	int mss = 0;
-	int iphlen;
-	struct ifnet *ifp = NULL;
+	struct ifnet *ifp;
+	int iphlen, mss, mssdflt;

-	if (m && (m->m_flags & M_PKTHDR))
-		ifp = if_get(m->m_pkthdr.ph_ifidx);
+	mssdflt = atomic_load_int(&tcp_mssdflt);
+
+	if (m == NULL || (m->m_flags & M_PKTHDR) == 0)
+		return mssdflt;
+
+	ifp = if_get(m->m_pkthdr.ph_ifidx);
+	if (ifp == NULL)
+		return mssdflt;

 	switch (af) {
 	case AF_INET:
-		if (ifp != NULL)
-			mss = ifp->if_mtu;
 		iphlen = sizeof(struct ip);
 		break;
 #ifdef INET6
 	case AF_INET6:
-		if (ifp != NULL)
-			mss = ifp->if_mtu;
 		iphlen = sizeof(struct ip6_hdr);
 		break;
 #endif
 	default:
 		unhandled_af(af);
 	}
+	mss = ifp->if_mtu - iphlen - sizeof(struct tcphdr);
 	if_put(ifp);
-	mss = mss - iphlen - sizeof(struct tcphdr);
-	return (max(mss, tcp_mssdflt));
+
+	if (mss < mssdflt)
+		return mssdflt;
+	return mss;
 }

 /*