Date: Mon, 16 Sep 2019 08:18:05 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r352386 - head/sys/netinet Message-ID: <201909160818.x8G8I5KO067145@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Mon Sep 16 08:18:05 2019 New Revision: 352386 URL: https://svnweb.freebsd.org/changeset/base/352386 Log: Don't write to memory outside of the allocated array for SACK blocks. Obtained from: rrs@ MFC after: 3 days Sponsored by: Netflix, Inc. Modified: head/sys/netinet/tcp_sack.c Modified: head/sys/netinet/tcp_sack.c ============================================================================== --- head/sys/netinet/tcp_sack.c Mon Sep 16 07:31:59 2019 (r352385) +++ head/sys/netinet/tcp_sack.c Mon Sep 16 08:18:05 2019 (r352386) @@ -235,7 +235,7 @@ tcp_update_dsack_list(struct tcpcb *tp, tcp_seq rcv_st saved_blks[n].start = mid_blk.start; saved_blks[n++].end = mid_blk.end; } - for (j = 0; (j < tp->rcv_numsacks) && (j < MAX_SACK_BLKS-1); j++) { + for (j = 0; (j < tp->rcv_numsacks) && (n < MAX_SACK_BLKS); j++) { if (((SEQ_LT(tp->sackblks[j].end, mid_blk.start) || SEQ_GT(tp->sackblks[j].start, mid_blk.end)) && (SEQ_GT(tp->sackblks[j].start, tp->rcv_nxt))))
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201909160818.x8G8I5KO067145>