kernel - Fix sack NULL pointer dereference
* sack_block_lookup() can get confused when the passed-in sequence
number appears to be less than sblk_start and greater than sblk_end.
This situation can occur when the signed integer delta test has an
overflow due to (sblk_end - seq) overflowing the sign bit verses
(sblk_start - seq).
The result is that sack_block_lookup() can crash on a NULL pointer
indirection.
* Check for the case, complain, and try to allow it. Though I suspect
if the case occurs at all SACK will wind up with a broken list anyway.
* I don't think this case can occur under normal conditions since TCP
buffers do not grow to 2GB+ in size, so the crash we got was triggered
by either an accidently malformed packet or an intentional one.
ftigeot's projects / dragonfly.git / commit