Discussion:
git: kernel - Fix sack NULL pointer dereference
Matthew Dillon
2018-11-13 19:17:58 UTC
commit 63f17add1cf6119ec8f692990df2892d86244f2f
Author: Matthew Dillon <***@apollo.backplane.com>
Date: Tue Nov 13 11:12:36 2018 -0800

kernel - Fix sack NULL pointer dereference

* sack_block_lookup() can get confused when the passed-in sequence
number appears to be less than sblk_start and greater than sblk_end.
This situation can occur when the signed integer delta test has an
overflow due to (sblk_end - seq) overflowing the sign bit versus
(sblk_start - seq).

The result is that sack_block_lookup() can crash on a NULL pointer
indirection.

* Check for the case, complain, and try to allow it. Though I suspect
if the case occurs at all SACK will wind up with a broken list anyway.

* I don't think this case can occur under normal conditions since TCP
buffers do not grow to 2GB+ in size, so the crash we got was triggered
by either an accidentally malformed packet or an intentional one.

Summary of changes:
sys/netinet/tcp_sack.c | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/63f17add1cf6119ec8f692990df2892d86244f2f
--
DragonFly BSD source repository
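As an added illustration, not the commit's code (the block layout, the function names and the constructed sample values are assumptions), this shows the signed-delta sequence comparison the message describes: a SACK block spanning 2^31 or more bytes makes a sequence number test as both below sblk_start and above sblk_end, and a span check catches such a block before a lookup trusts the delta tests.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* Hypothetical SACK block [start, end) in 32-bit sequence space. */
struct sblk {
    tcp_seq start;
    tcp_seq end;
};

/* The usual BSD SEQ_LT/SEQ_GT style: the unsigned difference is
 * reinterpreted as signed, so wraparound works only while the two
 * numbers are less than 2^31 apart. */
static int seq_lt(tcp_seq a, tcp_seq b) { return (int32_t)(a - b) < 0; }
static int seq_gt(tcp_seq a, tcp_seq b) { return (int32_t)(a - b) > 0; }

/* Where does seq fall relative to the block?
 *  -1: before start, 0: inside, 1: past end,
 *   2: "before start" AND "past end" at once, which only happens when
 *      the block spans 2^31+ bytes and the signed delta overflows. */
int sack_classify(const struct sblk *b, tcp_seq seq)
{
    int below = seq_lt(seq, b->start);
    int above = seq_gt(seq, b->end);
    if (below && above)
        return 2;
    return below ? -1 : (above ? 1 : 0);
}

/* Sanity check a lookup can make before trusting the delta tests:
 * a real block never covers 2^31 bytes, so flag one that does. */
int sack_block_sane(const struct sblk *b)
{
    return (int32_t)(b->end - b->start) >= 0;
}

int main(void)
{
    struct sblk normal = { 100, 200 };          /* constructed */
    struct sblk huge   = { 0x64, 0x90000064 };  /* constructed, ~2.4 GB span */

    printf("normal: 50->%d 150->%d 250->%d sane=%d\n",
           sack_classify(&normal, 50), sack_classify(&normal, 150),
           sack_classify(&normal, 250), sack_block_sane(&normal));
    printf("huge:   0xD0000000->%d sane=%d\n",
           sack_classify(&huge, 0xD0000000u), sack_block_sane(&huge));
    return 0;
}
```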