git: kernel - Fix sack NULL pointer dereference

Matthew Dillon dillon at
Tue Nov 13 11:17:58 PST 2018

commit 63f17add1cf6119ec8f692990df2892d86244f2f
Author: Matthew Dillon <dillon at>
Date:   Tue Nov 13 11:12:36 2018 -0800

    kernel - Fix sack NULL pointer dereference
    * sack_block_lookup() can get confused when the passed-in sequence
      number appears to be less than sblk_start and greater than sblk_end.
      This situation can occur when the signed integer delta test has an
      overflow due to (sblk_end - seq) overflowing the sign bit verses
      (sblk_start - seq).
      The result is that sack_block_lookup() can crash on a NULL pointer
    * Check for the case, complain, and try to allow it.  Though I suspect
      if the case occurs at all SACK will wind up with a broken list anyway.
    * I don't think this case can occur under normal conditions since TCP
      buffers do not grow to 2GB+ in size, so the crash we got was triggered
      by either an accidently malformed packet or an intentional one.

Summary of changes:
 sys/netinet/tcp_sack.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

DragonFly BSD source repository

More information about the Commits mailing list