diff options
author | andre <andre@FreeBSD.org> | 2007-03-01 13:12:09 +0000 |
---|---|---|
committer | andre <andre@FreeBSD.org> | 2007-03-01 13:12:09 +0000 |
commit | ccd57f97895c6b08bf86582931f854ab8e3a41fa (patch) | |
tree | d9d6b866374eea5766bc8ca79d4a06bf1dcd6c4c /sys/netinet/tcp_output.c | |
parent | 82f209d7c74dc2f9c83c1a1805c0b9ed75257e7c (diff) | |
download | FreeBSD-src-ccd57f97895c6b08bf86582931f854ab8e3a41fa.zip FreeBSD-src-ccd57f97895c6b08bf86582931f854ab8e3a41fa.tar.gz |
Prevent TSO mbuf chain from overflowing a few bytes by subtracting the
TCP options size before the TSO total length calculation.
Bug found by: kmacy
Diffstat (limited to 'sys/netinet/tcp_output.c')
-rw-r--r-- | sys/netinet/tcp_output.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index ca21267..586a5bd 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -801,13 +801,14 @@ send: * IP, TCP and Options length to keep ip->ip_len from * overflowing. Prevent the last segment from being * fractional thus making them all equal sized and set - * the flag to continue sending. + * the flag to continue sending. TSO is disabled when + * IP options or IPSEC are present. */ if (len + optlen + ipoptlen > tp->t_maxopd) { flags &= ~TH_FIN; if (tso) { if (len > TCP_MAXWIN - hdrlen) { - len = TCP_MAXWIN - hdrlen; + len = TCP_MAXWIN - hdrlen - optlen; len = len - (len % (tp->t_maxopd - optlen)); sendalot = 1; } else if (tp->t_flags & TF_NEEDFIN) |