From 1f65c2cd31a09f3a91158a4b0c2201e8c70f51de Mon Sep 17 00:00:00 2001
From: Mohan Srinivasan <mohans@FreeBSD.org>
Date: Wed, 5 Apr 2006 00:11:04 +0000
Subject: [PATCH] Certain (bad) values of sack blocks can end up corrupting the
 sack scoreboard. Make the checks in tcp_sack_doack() more robust to prevent
 this.

Submitted by: Raja Mukerji (raja@mukerji.com)
Reviewed by:  Mohan Srinivasan
---
 sys/netinet/tcp_sack.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c
index aa096fae831e..2d0a2c1ea129 100644
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@@ -392,6 +392,8 @@ tcp_sack_doack(struct tcpcb *tp, struct tcpopt *to, tcp_seq th_ack)
 		if (SEQ_GT(sack.end, sack.start) &&
 		    SEQ_GT(sack.start, tp->snd_una) &&
 		    SEQ_GT(sack.start, th_ack) &&
+		    SEQ_LT(sack.start, tp->snd_max) &&
+		    SEQ_GT(sack.end, tp->snd_una) &&
 		    SEQ_LEQ(sack.end, tp->snd_max))
 			sack_blocks[num_sack_blks++] = sack;
 	}