DF-0415
Signed integer overflow in keepalive t_maxidle: t_keepintvl*t_keepcnt exceeds INT_MAX at high hz
Summary
tcp_ctloutput TCP_KEEPINTVL(:1644) and TCP_KEEPCNT(:1655): product tp->t_keepintvl*tp->t_keepcnt computed as int*int assigned to t_maxidle(int). Bounds MAXKEEPALIVE=32767 and MAXKEEPCNT=127. At hz=1000: 32767*1000*127=4.16e9 > INT_MAX(2.1e9) -> signed overflow -> negative t_maxidle. Corrupts keepalive/2MSL drop timer semantics. Self-inflicted local DoS on own connection.