Fix devfs rules not applied by default for jails. [SA-14:07] Fix OpenSSL use-after-free vulnerability. [SA-14:08] Fix TCP reassembly vulnerability. [SA-14:09]
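--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -211,7 +211,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
 * Investigate why and re-evaluate the below limit after the behaviour
 * is understood.
 */
- if (th->th_seq != tp->rcv_nxt &&
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
 tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
 V_tcp_reass_overflows++;
 TCPSTAT_INC(tcps_rcvmemdrop);
@@ -234,7 +234,7 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
 */
 te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
 if (te == NULL) {
- if (th->th_seq != tp->rcv_nxt) {
+ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
 TCPSTAT_INC(tcps_rcvmemdrop);
 m_freem(m);
 *tlenp = 0;
@@ -282,7 +282,8 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, int
 TCPSTAT_INC(tcps_rcvduppack);
 TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
 m_freem(m);
- uma_zfree(V_tcp_reass_zone, te);
+ if (te != &tqs)
+ uma_zfree(V_tcp_reass_zone, te);
 tp->t_segqlen--;
 /*
 * Try to present any queued data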
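Review bot: The new predicate `th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)` appears twice (the queue-limit check in the first hunk and the allocation-failure path in the second) with no comment saying why connection state now matters; the comment above the first check ends inside the hunk and is not updated. The third hunk shows that `te` can point at `tqs`, which looks like a fallback entry that does not come from `V_tcp_reass_zone`, so presumably the in-sequence exemption has to be limited to segments that are consumed immediately rather than left on the queue. I would say so above the first check, e.g. `/* Exempt the in-sequence segment only once established; before that it would stay queued. */`, and confirm that any other `uma_zfree(V_tcp_reass_zone, te)` in tcp_reass outside these hunks carries the same `te != &tqs` guard. The function body starts and ends outside the hunks, so the `tqs` declaration and the remaining release paths are not visible here.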