In article <20180407090627.20058f...@cvs.netbsd.org>, Maxime Villard <source-changes-d@NetBSD.org> wrote: >-=-=-=-=-=- > >Module Name: src >Committed By: maxv >Date: Sat Apr 7 09:06:27 UTC 2018 > >Modified Files: > src/sys/net/npf: npf_inet.c > >Log Message: >Rewrite npf_fetch_tcpopts: > > * Instead of doing several nbuf_advance/nbuf_ensure_contig and > playing with gotos, fetch the TCP options only once, and iterate over > the (safe) area. The code is similar to tcp_dooptions. > > * When handling TCPOPT_MAXSEG and TCPOPT_WINDOW, ensure the length is > the one we're expecting. If it isn't, then skip the option. This > wasn't done before, and not doing it allowed a packet to bypass the > max-mss clamping procedure. Discussed on tech-net@. >
This seems to break cvs -d cvs.netbsd.org:/cvsroot diff, with write via ssh returning ENETUNREACH. christos
