Don't write to memory outside of the allocated array for SACK blocks.

Obtained from: rrs@ MFC after: 3 days Sponsored by: Netflix, Inc.
svn path=/head/; revision=352386
2019-09-16 08:18:05 +00:00 · 2019-09-16 08:18:05 +00:00 · 5b66b7f11b · 2020-12-20 02:59:44 +00:00
commit 5b66b7f11b
parent f370355791
1 changed files with 1 additions and 1 deletions
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@ -235,7 +235,7 @@ tcp_update_dsack_list(struct tcpcb *tp, tcp_seq rcv_start, tcp_seq rcv_end)
 		saved_blks[n].start = mid_blk.start;
 		saved_blks[n++].end = mid_blk.end;
 	}
-	for (j = 0; (j < tp->rcv_numsacks) && (j < MAX_SACK_BLKS-1); j++) {
+	for (j = 0; (j < tp->rcv_numsacks) && (n < MAX_SACK_BLKS); j++) {
 		if (((SEQ_LT(tp->sackblks[j].end, mid_blk.start) ||
 		      SEQ_GT(tp->sackblks[j].start, mid_blk.end)) &&
 		    (SEQ_GT(tp->sackblks[j].start, tp->rcv_nxt))))