DragonFlyBSD Kernel Audit
← dashboard
DF-0416

TCP_MAXSEG minmss floor can raise t_maxseg above current negotiated value on small-MTU paths

Summary

tcp_ctloutput TCP_MAXSEG(:1613-1619): guard optval<=t_maxseg intends only decrease. But minmss floor: if(optval+40<tcp_minmss) optval=tcp_minmss-40 can RAISE optval above t_maxseg when t_maxseg<176 (constrained PMTU). User requests 50, guard passes (50<=100), minmss bumps to 176 > 100 -> MSS raised beyond path MTU. Logic inconsistency violates "only reduce MSS" contract. No memory safety.