git: kernel - Fix sack NULL pointer dereference

Matthew Dillon dillon at crater.dragonflybsd.org
Tue Nov 13 11:17:58 PST 2018


commit 63f17add1cf6119ec8f692990df2892d86244f2f
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date:   Tue Nov 13 11:12:36 2018 -0800

    kernel - Fix sack NULL pointer dereference
    
    * sack_block_lookup() can get confused when the passed-in sequence
      number appears to be less than sblk_start and greater than sblk_end.
      This situation can occur when the signed integer delta test has an
      overflow due to (sblk_end - seq) overflowing the sign bit versus
      (sblk_start - seq).
    
      The result is that sack_block_lookup() can crash on a NULL pointer
      indirection.
    
    * Check for the case, complain, and try to allow it.  Though I suspect
      if the case occurs at all SACK will wind up with a broken list anyway.
    
    * I don't think this case can occur under normal conditions since TCP
      buffers do not grow to 2GB+ in size, so the crash we got was triggered
      by either an accidentally malformed packet or an intentional one.

Summary of changes:
 sys/netinet/tcp_sack.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/63f17add1cf6119ec8f692990df2892d86244f2f
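The comparison failure the commit describes, worked through as an added example (written for this page, not DragonFly's tcp_sack.c): `classify()`, `demo_lookup_index()`, the `sackblk` layout and the block list are assumed names and constructed values. It shows how a sequence number about 2^31 away from a block compares as both before its start and after its end under signed-delta arithmetic, and how a lookup can refuse that state instead of walking off the list.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP-style modular comparison: a signed 32-bit delta decides the order,
 * so the answer is only meaningful when the values are < 2^31 apart. */
static int seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static int seq_gt(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

struct sackblk { uint32_t start, end; };   /* hypothetical block layout */
enum seq_pos { SEQ_BEFORE, SEQ_INSIDE, SEQ_AFTER, SEQ_INCONSISTENT };

/* Where does seq sit relative to the closed block [start, end]? When seq
 * is about 2^31 away, (seq - start) and (seq - end) overflow differently,
 * so seq tests as both before start AND after end; report that case
 * instead of trusting either answer. */
enum seq_pos classify(uint32_t start, uint32_t end, uint32_t seq)
{
    int before = seq_lt(seq, start), after = seq_gt(seq, end);
    if (before && after) return SEQ_INCONSISTENT;
    return before ? SEQ_BEFORE : after ? SEQ_AFTER : SEQ_INSIDE;
}

/* Constructed ascending block list standing in for the SACK scoreboard. */
static const struct sackblk demo_blocks[] = { {100, 200}, {300, 400} };

/* Index of the block containing seq, -1 if none, -2 if the comparison is
 * inconsistent. A walk that trusts "before"/"after" in that state can
 * step off the end of the list and dereference a NULL pointer. */
int demo_lookup_index(uint32_t seq)
{
    size_t n = sizeof demo_blocks / sizeof demo_blocks[0];
    for (size_t i = 0; i < n; i++) {
        switch (classify(demo_blocks[i].start, demo_blocks[i].end, seq)) {
        case SEQ_INSIDE:       return (int)i;
        case SEQ_BEFORE:       return -1;  /* sorted: nothing later fits */
        case SEQ_AFTER:        break;
        case SEQ_INCONSISTENT: return -2;
        }
    }
    return -1;
}

int main(void)
{
    printf("350 -> %d, 50 -> %d, start+2^31 -> %d\n", demo_lookup_index(350),
           demo_lookup_index(50), demo_lookup_index(100u + 0x80000000u));
    return 0;
}
```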


-- 
DragonFly BSD source repository