Refuse to set 0 or a negative value for net.inet.tcp.synbucketlimit.

Prevent a panic in syn_cache_insert() found by syzbot.

Reported-by: syzbot+aee24ad9b7bf5665912d@syzkaller.appspotmail.com

ok sashan@, anton@, millert@

1 files changed, 14 insertions, 1 deletions

diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index a2cf32f1f93..086fd603e19 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_usrreq.c,v 1.172 2019/07/12 19:43:51 bluhm Exp $	*/
+/*	$OpenBSD: tcp_usrreq.c,v 1.173 2020/06/18 14:52:51 mpi Exp $	*/
 /*	$NetBSD: tcp_usrreq.c,v 1.20 1996/02/13 23:44:16 christos Exp $	*/
 
 /*
@@ -1061,6 +1061,19 @@ tcp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
 	case TCPCTL_STATS:
 		return (tcp_sysctl_tcpstat(oldp, oldlenp, newp));
 
+	case TCPCTL_SYN_BUCKET_LIMIT:
+		NET_LOCK();
+		nval = tcp_syn_bucket_limit;
+		error = sysctl_int(oldp, oldlenp, newp, newlen, &nval);
+		if (!error && nval != tcp_syn_bucket_limit) {
+			if (nval > 0)
+				tcp_syn_bucket_limit = nval;
+			else
+				error = EINVAL;
+		}
+		NET_UNLOCK();
+		return (error);
+
 	case TCPCTL_SYN_USE_LIMIT:
 		NET_LOCK();
 		error = sysctl_int(oldp, oldlenp, newp, newlen,