From 45d6875df658936696b22f7ad41755c163c49a03 Mon Sep 17 00:00:00 2001
From: Julian Elischer
Date: Fri, 19 Dec 1997 03:36:15 +0000
Subject: [PATCH] Fix an incredibly horrible bug in the ipfw code where if you are using the "reset tcp" firewall command, the kernel would write ethernet headers onto random kernel stack locations. Fought to the death by: terry, julian, archie. fix valid for 2.2 series as well.
---
 sys/netinet/ip_fw.c | 19 ++++++++++---------
 sys/netinet/tcp_subr.c | 4 +++-
 sys/netinet/tcp_timewait.c | 4 +++-
 3 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index c34323818443..dcc3bfe3fd41 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -12,7 +12,7 @@
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
- * $Id: ip_fw.c,v 1.64 1997/10/12 20:25:25 phk Exp $
+ * $Id: ip_fw.c,v 1.65 1997/11/05 20:17:19 joerg Exp $
 */
 
 /*
@@ -577,23 +577,24 @@ got_match:
 {
 struct tcphdr *const tcp =
 (struct tcphdr *) ((u_long *)ip + ip->ip_hl);
- struct tcpiphdr ti;
+ struct tcpiphdr ti, *const tip = (struct tcpiphdr *) ip;
 
 if (offset != 0 || (tcp->th_flags & TH_RST))
 break;
 ti.ti_i = *((struct ipovly *) ip);
 ti.ti_t = *tcp;
- NTOHL(ti.ti_seq);
- NTOHL(ti.ti_ack);
- ti.ti_len = ip->ip_len - hlen - (ti.ti_off << 2);
+ bcopy(&ti, ip, sizeof(ti));
+ NTOHL(tip->ti_seq);
+ NTOHL(tip->ti_ack);
+ tip->ti_len = ip->ip_len - hlen - (tip->ti_off << 2);
 if (tcp->th_flags & TH_ACK) {
- tcp_respond(NULL, &ti, *m,
+ tcp_respond(NULL, tip, *m,
 (tcp_seq)0, ntohl(tcp->th_ack), TH_RST);
 } else {
 if (tcp->th_flags & TH_SYN)
- ti.ti_len++;
- tcp_respond(NULL, &ti, *m, ti.ti_seq
- + ti.ti_len, (tcp_seq)0, TH_RST|TH_ACK);
+ tip->ti_len++;
+ tcp_respond(NULL, tip, *m, tip->ti_seq
+ + tip->ti_len, (tcp_seq)0, TH_RST|TH_ACK);
 }
 *m = NULL;
 break;
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 23d8a0b7dddc..97b2a54252cb 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
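Review bot: After the added `bcopy(&ti, ip, sizeof(ti))`, the three remaining reads through `tcp` (`tcp->th_flags & TH_ACK`, `ntohl(tcp->th_ack)`, `tcp->th_flags & TH_SYN`) still dereference the original TCP header at `ip + hlen`, and whenever the IP header carries options that location lies inside the 40 bytes the copy has just rewritten (for hlen between 24 and 36 the old header overlaps the relocated one), so the flag test and the ack value can be taken from shifted bytes of the relocated header. Unless a check outside the hunk already rejects packets with IP options, these should read the relocated copy instead: `if (tip->ti_flags & TH_ACK) {`, `(tcp_seq)0, tip->ti_ack, TH_RST);` (ti_ack is already host order after the NTOHL above) and `if (tip->ti_flags & TH_SYN)`. The reason for the in-place rewrite also deserves a line before the bcopy, e.g. `/* Rebuild the tcpiphdr inside the mbuf: tcp_respond() requires ti to live in the packet, not on the stack. */`. The enclosing function and the switch this case belongs to both start and end outside the hunk.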
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
- * $Id: tcp_subr.c,v 1.38 1997/09/16 18:36:06 joerg Exp $
+ * $Id: tcp_subr.c,v 1.39 1997/10/28 15:58:53 bde Exp $
 */
 
 #include "opt_tcpdebug.h"
@@ -164,6 +164,8 @@ tcp_template(tp)
 *
 * In any case the ack and sequence number of the transmitted
 * segment are as specified by the parameters.
+ *
+ * NOTE: If m != NULL, then ti must point to *inside* the mbuf.
 */
 void
 tcp_respond(tp, ti, m, ack, seq, flags)
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 23d8a0b7dddc..97b2a54252cb 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -31,7 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
- * $Id: tcp_subr.c,v 1.38 1997/09/16 18:36:06 joerg Exp $
+ * $Id: tcp_subr.c,v 1.39 1997/10/28 15:58:53 bde Exp $
 */
 
 #include "opt_tcpdebug.h"
@@ -164,6 +164,8 @@ tcp_template(tp)
 *
 * In any case the ack and sequence number of the transmitted
 * segment are as specified by the parameters.
+ *
+ * NOTE: If m != NULL, then ti must point to *inside* the mbuf.
 */
 void
 tcp_respond(tp, ti, m, ack, seq, flags)
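Review bot: The NOTE added above tcp_respond() states the constraint on `ti` but not why it exists, so a future caller cannot tell whether it is a convention or a memory-safety requirement; the commit message shows it is the latter (a stack-resident ti had the kernel writing ethernet headers onto the stack). Suggest extending it to `* NOTE: If m != NULL, then ti must point to *inside* the mbuf: the reply is built in the mbuf relative to ti, so a ti on the caller's stack gets the link-layer header written over that stack (the ipfw "reset" bug).` The identical hunk in sys/netinet/tcp_timewait.c has the same gap. tcp_respond's body lies outside the hunk, so whether the constraint can also be asserted at runtime there cannot be judged from this diff.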