Although it is a dead store here, always reassign the tcpcb after

calling tcp_close(), tcp_drop(), and tcp_disconnect().  Then no
freed memory can be used after closing a TCP connection.
OK mikeb@ mpi@

diff --git a/sys/netinet/tcp_timer.c b/sys/netinet/tcp_timer.c
index 1260d14..acacbe7 100644 (file)
--- a/sys/netinet/tcp_timer.c
+++ b/sys/netinet/tcp_timer.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: tcp_timer.c,v 1.60 2017/10/29 14:56:36 florian Exp $  */
+/*     $OpenBSD: tcp_timer.c,v 1.61 2018/01/23 21:06:47 bluhm Exp $    */
 /*     $NetBSD: tcp_timer.c,v 1.14 1996/02/13 23:44:09 christos Exp $  */
 
 /*
@@ -218,7 +218,7 @@ tcp_timer_rexmt(void *arg)
        if (++tp->t_rxtshift > TCP_MAXRXTSHIFT) {
                tp->t_rxtshift = TCP_MAXRXTSHIFT;
                tcpstat_inc(tcps_timeoutdrop);
-               (void)tcp_drop(tp, tp->t_softerror ?
+               tp = tcp_drop(tp, tp->t_softerror ?
                    tp->t_softerror : ETIMEDOUT);
                goto out;
        }