From a6fab821267fe676e51e07ea2517c98f1ea34ed9 Mon Sep 17 00:00:00 2001
From: kefren
Date: Sat, 16 May 2015 01:15:34 +0000
Subject: [PATCH] Don't put segment on the wire if security request can't be fulfilled
---
 sys/netinet/tcp_output.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index 29f62c5947dd..ff4d4ae02082 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_output.c,v 1.182 2015/04/27 16:50:17 christos Exp $ */
+/* $NetBSD: tcp_output.c,v 1.183 2015/05/16 01:15:34 kefren Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -135,7 +135,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: tcp_output.c,v 1.182 2015/04/27 16:50:17 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_output.c,v 1.183 2015/05/16 01:15:34 kefren Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -1238,7 +1238,10 @@ send:
 *bp++ = TCPOPT_NOP;
 *bp++ = TCPOPT_EOL;
 optlen += 2;
- }
+ } else if ((tp->t_flags & TF_SIGNATURE) != 0) {
+ error = ECONNABORTED;
+ goto out;
+ }
 #endif /* TCP_SIGNATURE */
 hdrlen += optlen;
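Review bot: The new `else if ((tp->t_flags & TF_SIGNATURE) != 0)` branch in the last hunk fails closed without saying when it can be reached. The matching `if` opens above the hunk, so it is not visible here which extra condition must fail for a connection with TF_SIGNATURE set to land in this branch. A comment on the branch would make the intent auditable, e.g. `/* TF_SIGNATURE is set but the signature option was not added: drop rather than send unsigned */`. It is also worth confirming that callers of tcp_output() treat ECONNABORTED from this path as fatal for the connection. The code at `out:` lies outside the hunk and nothing visible here tears the connection down or records the event, so timers may presumably keep retrying a segment that can never be sent.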