From 69e03620198499795cc0b0b7b0e18035376a9e23 Mon Sep 17 00:00:00 2001
From: Paul Saab
Date: Fri, 1 Jul 2005 22:52:46 +0000
Subject: [PATCH] Fix for a SACK crash caused by a bug in tcp_reass().

tcp_reass() does not clear tlen and frees the mbuf (leaving th pointing at freed memory), if the data segment is a complete duplicate. This change works around that bug. A fix for the tcp_reass() bug will appear later (that bug is benign for now, as neither th nor tlen is referenced in tcp_input() after the call to tcp_reass()).

Found by: Pawel Jakub Dawidek.
Submitted by: Raja Mukerji, Noritoshi Demizu.
Approved by: re
---
 sys/netinet/tcp_input.c | 4 +++-
 sys/netinet/tcp_reass.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index b6c2812db9ac..93cf27273367 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -2311,6 +2311,8 @@ tcp_input(m, off0)
 */
 if ((tlen || (thflags & TH_FIN)) &&
 TCPS_HAVERCVDFIN(tp->t_state) == 0) {
+ tcp_seq save_start = th->th_seq;
+ tcp_seq save_end = th->th_seq + tlen;
 m_adj(m, drop_hdrlen); /* delayed header drop */
 /*
 * Insert segment which includes th into TCP reassembly queue
@@ -2347,7 +2349,7 @@ tcp_input(m, off0)
 tp->t_flags |= TF_ACKNOW;
 }
 if (tlen > 0 && tp->sack_enable)
- tcp_update_sack_list(tp, th->th_seq, th->th_seq + tlen);
+ tcp_update_sack_list(tp, save_start, save_end);
 /*
 * Note the amount of data that peer has sent into
 * our window, in order to estimate the sender's
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index b6c2812db9ac..93cf27273367 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -2311,6 +2311,8 @@ tcp_input(m, off0)
 */
 if ((tlen || (thflags & TH_FIN)) &&
 TCPS_HAVERCVDFIN(tp->t_state) == 0) {
+ tcp_seq save_start = th->th_seq;
+ tcp_seq save_end = th->th_seq + tlen;
 m_adj(m, drop_hdrlen); /* delayed header drop */
 /*
 * Insert segment which includes th into TCP reassembly queue
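Review bot: The new `save_start`/`save_end` captures in the first hunk of sys/netinet/tcp_input.c exist only because `tcp_reass()` may free `m` (and with it the memory `th` points into), yet nothing in the code records that invariant, so any later use of `th` after the `tcp_reass()` call would silently reintroduce the use-after-free this commit works around; add a comment above the two declarations such as `/* tcp_reass() may free m, leaving th dangling: capture the sequence range now and never dereference th after the call. */`. The gate `if (tlen > 0 && tp->sack_enable)` in the second hunk still reads `tlen` after the call, which the commit message says `tcp_reass()` does not reset on the duplicate path, so it is correct only because the pre-call value is the one intended here — worth saying in the same comment. The same two hunks appear verbatim in sys/netinet/tcp_reass.c and need the same comment. The body of `tcp_input` starts and ends outside these hunks.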
@@ -2347,7 +2349,7 @@ tcp_input(m, off0)
 tp->t_flags |= TF_ACKNOW;
 }
 if (tlen > 0 && tp->sack_enable)
- tcp_update_sack_list(tp, th->th_seq, th->th_seq + tlen);
+ tcp_update_sack_list(tp, save_start, save_end);
 /*
 * Note the amount of data that peer has sent into
 * our window, in order to estimate the sender's