Fix for a SACK crash caused by a bug in tcp_reass(). tcp_reass()
does not clear tlen and frees the mbuf (leaving th pointing at freed memory), if the data segment is a complete duplicate. This change works around that bug. A fix for the tcp_reass() bug will appear later (that bug is benign for now, as neither th nor tlen is referenced in tcp_input() after the call to tcp_reass()). Found by: Pawel Jakub Dawidek. Submitted by: Raja Mukerji, Noritoshi Demizu. Approved by: re
This commit is contained in:
parent
0b830ea12b
commit
513734e2fa
@ -2311,6 +2311,8 @@ tcp_input(m, off0)
|
||||
*/
|
||||
if ((tlen || (thflags & TH_FIN)) &&
|
||||
TCPS_HAVERCVDFIN(tp->t_state) == 0) {
|
||||
tcp_seq save_start = th->th_seq;
|
||||
tcp_seq save_end = th->th_seq + tlen;
|
||||
m_adj(m, drop_hdrlen); /* delayed header drop */
|
||||
/*
|
||||
* Insert segment which includes th into TCP reassembly queue
|
||||
@ -2347,7 +2349,7 @@ tcp_input(m, off0)
|
||||
tp->t_flags |= TF_ACKNOW;
|
||||
}
|
||||
if (tlen > 0 && tp->sack_enable)
|
||||
tcp_update_sack_list(tp, th->th_seq, th->th_seq + tlen);
|
||||
tcp_update_sack_list(tp, save_start, save_end);
|
||||
/*
|
||||
* Note the amount of data that peer has sent into
|
||||
* our window, in order to estimate the sender's
|
||||
|
@ -2311,6 +2311,8 @@ tcp_input(m, off0)
|
||||
*/
|
||||
if ((tlen || (thflags & TH_FIN)) &&
|
||||
TCPS_HAVERCVDFIN(tp->t_state) == 0) {
|
||||
tcp_seq save_start = th->th_seq;
|
||||
tcp_seq save_end = th->th_seq + tlen;
|
||||
m_adj(m, drop_hdrlen); /* delayed header drop */
|
||||
/*
|
||||
* Insert segment which includes th into TCP reassembly queue
|
||||
@ -2347,7 +2349,7 @@ tcp_input(m, off0)
|
||||
tp->t_flags |= TF_ACKNOW;
|
||||
}
|
||||
if (tlen > 0 && tp->sack_enable)
|
||||
tcp_update_sack_list(tp, th->th_seq, th->th_seq + tlen);
|
||||
tcp_update_sack_list(tp, save_start, save_end);
|
||||
/*
|
||||
* Note the amount of data that peer has sent into
|
||||
* our window, in order to estimate the sender's
|
||||
|
Loading…
Reference in New Issue
Block a user