On 21/11/15(Sat) 12:55, Martin Pieuchot wrote:
> David reported a possible use of uninitialized ``ifp'' in tcp_mss().
> This cannot currently happen but I think the diff below should prevent
> a bad dereference later.
>
> Ok?
Anyone?
>
> Index: netinet/tcp_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/tcp_input.c,v
> retrieving revision 1.309
> diff -u -p -r1.309 tcp_input.c
> --- netinet/tcp_input.c 20 Nov 2015 10:45:29 -0000 1.309
> +++ netinet/tcp_input.c 21 Nov 2015 11:51:53 -0000
> @@ -2988,6 +2988,10 @@ tcp_mss(struct tcpcb *tp, int offer)
> if (rt == NULL)
> goto out;
>
> + ifp = if_get(rt->rt_ifidx);
> + if (ifp == NULL)
> + goto out;
> +
> switch (tp->pf) {
> #ifdef INET6
> case AF_INET6:
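Review bot: Hoisting `if_get()` above the `switch` means the `goto out` for an unsupported family (second hunk) now reaches `out:` while `ifp` holds the interface returned by `if_get()`, and the `rt == NULL` jump just above the new lines still reaches `out:` with `ifp` unassigned; whatever `out:` does with `ifp` (the uninitialized-use report suggests it is released there) is outside all three hunks, so `ifp` should be initialized to NULL at its declaration, e.g. `struct ifnet *ifp = NULL;`, and every path past `if_get()` must release it. The third hunk also changes behaviour rather than only moving the check: a route with `rt_rmx.rmx_mtu` set but no resolvable interface previously used the route MTU, whereas the new `if (ifp == NULL) goto out;` bails out before that branch — worth stating in the commit message if intended. The body of `tcp_mss()` starts before and ends after the hunks, so the `out:` label and the declaration of `ifp` cannot be checked here.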
> @@ -3002,7 +3006,6 @@ tcp_mss(struct tcpcb *tp, int offer)
> goto out;
> }
>
> - ifp = if_get(rt->rt_ifidx);
> /*
> * if there's an mtu associated with the route and we support
> * path MTU discovery for the underlying protocol family, use it.
> @@ -3024,13 +3027,6 @@ tcp_mss(struct tcpcb *tp, int offer)
> mss = rt->rt_rmx.rmx_mtu - iphlen -
> sizeof(struct tcphdr);
> }
> - } else if (ifp == NULL) {
> - /*
> - * ifp may be null and rmx_mtu may be zero in certain
> - * v6 cases (e.g., if ND wasn't able to resolve the
> - * destination host.
> - */
> - goto out;
> } else if (ifp->if_flags & IFF_LOOPBACK) {
> mss = ifp->if_mtu - iphlen - sizeof(struct tcphdr);
> } else if (tp->pf == AF_INET) {
>