git: kernel - Fix sack NULL pointer dereference
Matthew Dillon
dillon at crater.dragonflybsd.org
Tue Nov 13 11:17:58 PST 2018
commit 63f17add1cf6119ec8f692990df2892d86244f2f
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date: Tue Nov 13 11:12:36 2018 -0800
kernel - Fix sack NULL pointer dereference
* sack_block_lookup() can get confused when the passed-in sequence
number appears to be less than sblk_start and greater than sblk_end.
This situation can occur when the signed integer delta test has an
overflow due to (sblk_end - seq) overflowing the sign bit verses
(sblk_start - seq).
The result is that sack_block_lookup() can crash on a NULL pointer
indirection.
* Check for the case, complain, and try to allow it. Though I suspect
if the case occurs at all SACK will wind up with a broken list anyway.
* I don't think this case can occur under normal conditions since TCP
buffers do not grow to 2GB+ in size, so the crash we got was triggered
by either an accidently malformed packet or an intentional one.
Summary of changes:
sys/netinet/tcp_sack.c | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/63f17add1cf6119ec8f692990df2892d86244f2f
--
DragonFly BSD source repository
More information about the Commits
mailing list