Sendmsg could crash in tcp_output due to a missing check after the

introduction of tcp_send.
OK mvs@, bluhm@, gnezdo@
Reported-by: syzbot+e859fd353c90eeac26f8@syzkaller.appspotmail.com

diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index 889acc2..44722fd 100644 (file)
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: tcp_usrreq.c,v 1.199 2022/08/29 08:08:17 mvs Exp $    */
+/*     $OpenBSD: tcp_usrreq.c,v 1.200 2022/08/29 09:50:38 mbuhl Exp $  */
 /*     $NetBSD: tcp_usrreq.c,v 1.20 1996/02/13 23:44:16 christos Exp $ */
 
 /*
@@ -915,6 +915,11 @@ tcp_send(struct socket *so, struct mbuf *m, struct mbuf *nam,
 
        soassertlocked(so);
 
+       if (control && control->m_len) {
+               error = EINVAL;
+               goto out;
+       }
+
        if ((error = tcp_sogetpcb(so, &inp, &tp)))
                goto out;