authorYoshinobu Inoue <shin@FreeBSD.org>2000-02-09 00:34:40 +0000
committerYoshinobu Inoue <shin@FreeBSD.org>2000-02-09 00:34:40 +0000
commita683a7dd4f600574a9e62a1c8b11d6e03e612906 (patch)
treedeed6856329885e6240edb635949a0cb62af515e /sys/netinet/tcp_output.c
parentd98d74772fefc1efcdf18d459e9e7a25ac9d5559 (diff)
Avoid kernel panic when tcp rfc1323 and rfc1644 options are enabled
at the same time. When the rfc1323 and rfc1644 options are enabled by sysctl and tcp over IPv6 is tried, a kernel panic is triggered by the following check in tcp_output(), because hdrlen is now bigger in that case than before. /*#ifdef DIAGNOSTIC*/ if (max_linkhdr + hdrlen > MHLEN) panic("tcphdr too big"); /*#endif*/ So change the above check to compare with MCLBYTES in the #ifdef INET6 case. Also, allocate an mbuf cluster for the header mbuf in that case. Bug reported at KAME environment. Approved by: jkh Reviewed by: sumikawa Obtained from: KAME project
Notes
Notes: svn path=/head/; revision=57068
Diffstat (limited to 'sys/netinet/tcp_output.c')
-rw-r--r--sys/netinet/tcp_output.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index bbae03fdc494..ae85e84ef327 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -530,8 +530,13 @@ send:
}
/*#ifdef DIAGNOSTIC*/
+#ifdef INET6
+ if (max_linkhdr + hdrlen > MCLBYTES)
+ panic("tcphdr too big");
+#else
if (max_linkhdr + hdrlen > MHLEN)
panic("tcphdr too big");
+#endif
/*#endif*/
/*
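Review bot: With INET6 compiled in, the size check now accepts any header up to MCLBYTES, so on its own it no longer stops a header larger than MHLEN from being written into a plain header mbuf. Safety then depends on every place in tcp_output() that allocates the header mbuf upgrading to a cluster when `MHLEN < hdrlen + max_linkhdr`. The second hunk does this at one allocation site; if the function has another site outside these hunks (not visible here), it needs the same `MCLGET` block, otherwise `m->m_len = hdrlen` would describe more bytes than the mbuf holds. Because the `#ifdef` is compile-time, the relaxed bound also applies to IPv4 connections on an INET6 kernel. tcp_output()'s body begins and ends outside the hunk.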
@@ -567,10 +572,14 @@ send:
goto out;
}
#ifdef INET6
- if (isipv6 && (MHLEN < hdrlen + max_linkhdr) &&
- MHLEN >= hdrlen) {
- MH_ALIGN(m, hdrlen);
- } else
+ if (MHLEN < hdrlen + max_linkhdr) {
+ MCLGET(m, M_DONTWAIT);
+ if ((m->m_flags & M_EXT) == 0) {
+ m_freem(m);
+ error = ENOBUFS;
+ goto out;
+ }
+ }
#endif
m->m_data += max_linkhdr;
m->m_len = hdrlen;
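Review bot: The new cluster branch carries no comment explaining when `hdrlen + max_linkhdr` can exceed MHLEN, or that this branch is what makes the MCLBYTES bound in the earlier size check safe. I would add above the `if`: `/* header + link-layer space may exceed MHLEN (IPv6 with RFC 1323 and RFC 1644 options); use a cluster */`. Dropping the `isipv6` test means every segment on an INET6 kernel is evaluated here, which matches the `#ifdef`-based check in the first hunk and is worth stating in the same comment. The function body continues outside the hunk.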