From 193a7dce9c8194cd5ca7f1f2a645cefc68d03c35 Mon Sep 17 00:00:00 2001
From: Sepherosa Ziehau
Date: Mon, 26 Mar 2012 11:36:53 +0800
Subject: [PATCH] tcp/sack: Prevent invalid SACK option from being processed

If the received SACK blocks contain one invalid SACK block, discard the whole SACK blocks.
---
 sys/netinet/tcp_input.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 2edd2ae951..eb066cfd92 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -2725,6 +2725,17 @@ tcp_dooptions(struct tcpopt *to, u_char *cp, int cnt, boolean_t is_syn)
 r->rblk_start = ntohl(r->rblk_start);
 r->rblk_end = ntohl(r->rblk_end);
+
+ if (SEQ_LEQ(r->rblk_end, r->rblk_start)) {
+ /*
+ * Invalid SACK block; discard all
+ * SACK blocks
+ */
+ to->to_nsackblocks = 0;
+ to->to_sackblocks = NULL;
+ to->to_flags &= ~TOF_SACK;
+ break;
+ }
 }
 break;
 #ifdef TCP_SIGNATURE
--
2.41.0
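Review bot: The added `SEQ_LEQ(r->rblk_end, r->rblk_start)` guard rejects only empty or reversed blocks, so a block that is correctly ordered but lies outside the sequence range this connection has sent still leaves `tcp_dooptions` with `TOF_SACK` set. The function takes no tcpcb (per the hunk header), so that range check has to live in whatever consumes `to_sackblocks`. Whether it bounds each block against `snd_una`/`snd_max` is not visible here and should be confirmed, since these bytes come straight from the peer. I would extend the new comment to say so, e.g. `/* ordering only; range vs. snd_una/snd_max is the SACK consumer's job */`. The discard is also silent, so bumping a statistics counter in the same branch (placeholder: `tcpstat.<bad_sack_counter>++;`) would make malformed SACK options visible to operators. The enclosing loop and the rest of `tcp_dooptions` start and end outside the hunk.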