From fd2a580db248502b5fd46867992e346a95298efe Mon Sep 17 00:00:00 2001
From: Michael Tuexen <tuexen@FreeBSD.org>
Date: Fri, 22 Mar 2024 11:12:56 +0100
Subject: [PATCH] tcp: no data on SYN segments unless doing TFO

Ensure that there is no data on SYN segments unless doing TFO.
This check is already in RACK and BBR.

Reported by:		glebius
Reviewed by:		rscheff
Sponsored by:		Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D44384

(cherry picked from commit af700f430fd86ba3eae63e587985a12436db8f69)
---
 sys/netinet/tcp_output.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index 0d9fd813655..9269ba443bd 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -475,6 +475,12 @@ after_sack_rexmit:
 	      (tp->t_tfo_client_cookie_len == 0)) ||
 	     (flags & TH_RST)))
 		len = 0;
+
+	/* Without fast-open there should never be data sent on a SYN. */
+	if ((flags & TH_SYN) && !(tp->t_flags & TF_FASTOPEN)) {
+		len = 0;
+	}
+
 	if (len <= 0) {
 		/*
 		 * If FIN has been sent but not acked,