Sanity check for TSO payload length in TCP chopper.

Although it should not happen, check that ph_mss is not 0 in
tcp_chopper().  This could catch errors in the LRO path of network
drivers.  Better count bad packet and drop it rather than ending
in an endless loop.  The new logic is analog to a recent change in
the hardware TSO path in the drivers.

OK jan@

diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index c695cb0..4016bd8 100644 (file)
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: tcp_output.c,v 1.144 2024/04/17 20:48:51 bluhm Exp $  */
+/*     $OpenBSD: tcp_output.c,v 1.145 2024/05/14 09:39:02 bluhm Exp $  */
 /*     $NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $      */
 
 /*
@@ -1207,6 +1207,11 @@ tcp_chopper(struct mbuf *m0, struct mbuf_list *ml, struct ifnet *ifp,
        ml_init(ml);
        ml_enqueue(ml, m0);
 
+       if (mss == 0) {
+               error = EINVAL;
+               goto bad;
+       }
+
        ip = mtod(m0, struct ip *);
        switch (ip->ip_v) {
        case 4: