From 2f40354d9dcc3c0e59061d890e0d4696c61b9c1a Mon Sep 17 00:00:00 2001 From: Michael Tuexen Date: Mon, 30 Sep 2019 04:54:02 +0000 Subject: [PATCH] MFS r352508: Don't write to memory outside of the allocated array for SACK blocks. PR: 240837 Approved by: re (delphij@) Obtained from: rrs@ Sponsored by: Netflix, Inc. --- sys/netinet/tcp_sack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c index 999fb4f5890..311a84b989a 100644 --- a/sys/netinet/tcp_sack.c +++ b/sys/netinet/tcp_sack.c @@ -235,7 +235,7 @@ tcp_update_dsack_list(struct tcpcb *tp, tcp_seq rcv_start, tcp_seq rcv_end) saved_blks[n].start = mid_blk.start; saved_blks[n++].end = mid_blk.end; } - for (j = 0; (j < tp->rcv_numsacks) && (j < MAX_SACK_BLKS-1); j++) { + for (j = 0; (j < tp->rcv_numsacks) && (n < MAX_SACK_BLKS); j++) { if (((SEQ_LT(tp->sackblks[j].end, mid_blk.start) || SEQ_GT(tp->sackblks[j].start, mid_blk.end)) && (SEQ_GT(tp->sackblks[j].start, tp->rcv_nxt)))) -- 2.45.0