Fix for a SACK crash caused by a bug in tcp_reass(). tcp_reass()
does not clear tlen and frees the mbuf (leaving th pointing at
freed memory), if the data segment is a complete duplicate.
This change works around that bug. A fix for the tcp_reass() bug
will appear later (that bug is benign for now, as neither th nor
tlen is referenced in tcp_input() after the call to tcp_reass()).

Found by:	Pawel Jakub Dawidek.
Submitted by:	Raja Mukerji, Noritoshi Demizu.
Approved by:	re
ps 2005-07-01 22:52:46 +00:00
parent 0b830ea12b
commit 513734e2fa
2 changed files with 6 additions and 2 deletions


@ -2311,6 +2311,8 @@ tcp_input(m, off0)
*/
if ((tlen || (thflags & TH_FIN)) &&
TCPS_HAVERCVDFIN(tp->t_state) == 0) {
tcp_seq save_start = th->th_seq;
tcp_seq save_end = th->th_seq + tlen;
m_adj(m, drop_hdrlen); /* delayed header drop */
/*
* Insert segment which includes th into TCP reassembly queue
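Review bot: The new save_start/save_end locals need a comment saying why they exist, because nothing in the hunk explains it: they snapshot th->th_seq and tlen before m_adj() and tcp_reass() because tcp_reass() can free the mbuf that th points into and, per the commit message, does not clear tlen on a complete duplicate. Without that note the next reader may simplify them back to th->th_seq + tlen. It is also worth stating in that comment that th must not be dereferenced after the tcp_reass() call at all; only th_seq and tlen are preserved, so any later use of another th field would reintroduce the use-after-free this change works around.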
@ -2347,7 +2349,7 @@ tcp_input(m, off0)
tp->t_flags |= TF_ACKNOW;
}
if (tlen > 0 && tp->sack_enable)
tcp_update_sack_list(tp, th->th_seq, th->th_seq + tlen);
tcp_update_sack_list(tp, save_start, save_end);
/*
* Note the amount of data that peer has sent into
* our window, in order to estimate the sender's
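Review bot: The guard `if (tlen > 0 && tp->sack_enable)` still reads tlen after the tcp_reass() call, and the commit message says tcp_reass() does not clear tlen for a complete duplicate, so a duplicate segment still passes this test and reaches tcp_update_sack_list() with the saved range. Using save_start/save_end makes that memory-safe, but the SACK list is then updated with a range that had already been received in full; if that is the intended behaviour until the tcp_reass() fix lands, a one-line comment here saying so would keep the workaround from being mistaken for the final logic.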


@ -2311,6 +2311,8 @@ tcp_input(m, off0)
*/
if ((tlen || (thflags & TH_FIN)) &&
TCPS_HAVERCVDFIN(tp->t_state) == 0) {
tcp_seq save_start = th->th_seq;
tcp_seq save_end = th->th_seq + tlen;
m_adj(m, drop_hdrlen); /* delayed header drop */
/*
* Insert segment which includes th into TCP reassembly queue
@ -2347,7 +2349,7 @@ tcp_input(m, off0)
tp->t_flags |= TF_ACKNOW;
}
if (tlen > 0 && tp->sack_enable)
tcp_update_sack_list(tp, th->th_seq, th->th_seq + tlen);
tcp_update_sack_list(tp, save_start, save_end);
/*
* Note the amount of data that peer has sent into
* our window, in order to estimate the sender's
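Review bot: These two hunks are the same change as in the first file, so the comments made there apply unchanged: the save_start/save_end locals need a comment explaining that th is invalid after tcp_reass() and that tlen is not cleared for a complete duplicate, and the `tlen > 0` guard still relies on that uncleared tlen. When the real tcp_reass() fix lands, both copies of tcp_input() need the follow-up together so they do not drift apart.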