o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp]

o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux]
o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux]
o Fix TCP MD5 signature denial of service. [SA-16:05.tcp]
o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd]

Security:	FreeBSD-SA-16:01.sctp, CVE-2016-1879
Security:	FreeBSD-SA-16:03.linux, CVE-2016-1880
Security:	FreeBSD-SA-16:04.linux, CVE-2016-1881
Security:	FreeBSD-SA-16:05.tcp, CVE-2016-1882
Security:	FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677

1 files changed, 4 insertions, 2 deletions

diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index c7dc547..2ca0fb5 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -745,8 +745,8 @@ send:
 	 * segments.  Options for SYN-ACK segments are handled in TCP
 	 * syncache.
 	 */
+	to.to_flags = 0;
 	if ((tp->t_flags & TF_NOOPT) == 0) {
-		to.to_flags = 0;
 		/* Maximum segment size. */
 		if (flags & TH_SYN) {
 			tp->snd_nxt = tp->iss;
@@ -1226,7 +1226,7 @@ send:
 		tp->snd_up = tp->snd_una;		/* drag it along */
 
 #ifdef TCP_SIGNATURE
-	if (tp->t_flags & TF_SIGNATURE) {
+	if (to.to_flags & TOF_SIGNATURE) {
 		int sigoff = to.to_signature - opt;
 		tcp_signature_compute(m, 0, len, optlen,
 		    (u_char *)(th + 1) + sigoff, IPSEC_DIR_OUTBOUND);
@@ -1696,6 +1696,7 @@ tcp_addoptions(struct tcpopt *to, u_char *optp)
 			bcopy((u_char *)&to->to_tsecr, optp, sizeof(to->to_tsecr));
 			optp += sizeof(to->to_tsecr);
 			break;
+#ifdef TCP_SIGNATURE
 		case TOF_SIGNATURE:
 			{
 			int siglen = TCPOLEN_SIGNATURE - 2;
@@ -1714,6 +1715,7 @@ tcp_addoptions(struct tcpopt *to, u_char *optp)
 				 *optp++ = 0;
 			break;
 			}
+#endif
 		case TOF_SACK:
 			{
 			int sackblks = 0;