authorMarkus Friedl <markus@cvs.openbsd.org>2006-03-12 18:42:41 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2006-03-12 18:42:41 +0000
commit70e0f6a0ad3dd8cc4ae402879a0290cadd5916f3 (patch)
treeaf533464fdea6c72b09b529b2b091ccae230c349 /sys
parent9794eaeabc5d2738b14f469fae0b886e873f2855 (diff)
mbuf use-after-free; ok henning, djm, brad
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/tcp_input.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 3cceaacfa10..431ebdf1eed 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.195 2006/02/26 17:50:45 markus Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.196 2006/03/12 18:42:40 markus Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -2025,6 +2025,10 @@ dodata: /* XXX */
*/
if ((tlen || (tiflags & TH_FIN)) &&
TCPS_HAVERCVDFIN(tp->t_state) == 0) {
+#ifdef TCP_SACK
+ tcp_seq laststart = th->th_seq;
+ tcp_seq lastend = th->th_seq + tlen;
+#endif
tcp_reass_lock(tp);
if (th->th_seq == tp->rcv_nxt && TAILQ_EMPTY(&tp->t_segq) &&
tp->t_state == TCPS_ESTABLISHED) {
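Review bot: The new locals `laststart` and `lastend` have no comment explaining why the range is captured before `tcp_reass_lock(tp)`, and the declarations alone do not show the reason. Going by the commit message, `th` presumably points into the mbuf, which can be freed before the `tcp_update_sack_list()` call changed in the hunk at line 2054. A comment above the declarations, such as `/* th may point into an mbuf that is freed below; snapshot the SACK range now */`, would keep a later cleanup from reverting to `th->th_seq`. The code between the two hunks is not shown, so confirm that no other read through `th` or the mbuf remains after the point where it can be released. The enclosing `if` block starts and ends outside these hunks.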
@@ -2050,7 +2054,7 @@ dodata: /* XXX */
}
#ifdef TCP_SACK
if (tp->sack_enable)
- tcp_update_sack_list(tp, th->th_seq, th->th_seq + tlen);
+ tcp_update_sack_list(tp, laststart, lastend);
#endif
/*