From 0e8206e596add74fef1653b4472de6b3723c435f Mon Sep 17 00:00:00 2001
From: bluhm
Date: Fri, 20 Mar 2026 19:44:48 +0000
Subject: [PATCH] Ignore TCP SACK packets with invalid sequence numbers.

Due to an integer overflow, sequence numbers in selective ACK packets were accepted. Such packets caused a NULL pointer dereference in the TCP stack, resulting in a kernel crash.
Reported by Nicholas Carlini at anthropic dot com with deraadt@; OK markus@
---
 sys/netinet/tcp_input.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 07c0b0d1fec..e5b4c892acc 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.464 2025/09/16 17:29:35 bluhm Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.465 2026/03/20 19:44:48 bluhm Exp $ */
 /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
 
 /*
@@ -2458,6 +2458,8 @@ tcp_sack_option(struct tcpcb *tp, struct tcphdr *th, u_char *cp, int optlen)
 }
 if (SEQ_GT(sack.end, tp->snd_max))
 continue;
+ if (SEQ_LT(sack.start, tp->snd_una))
+ continue;
 if (tp->snd_holes == NULL) { /* first hole */
 tp->snd_holes = (struct sackhole *)
 pool_get(&sackhl_pool, PR_NOWAIT);
@@ -2564,7 +2566,7 @@ tcp_sack_option(struct tcpcb *tp, struct tcphdr *th, u_char *cp, int optlen)
 }
 }
 /* At this point, p points to the last hole on the list */
- if (SEQ_LT(tp->rcv_lastsack, sack.start)) {
+ if (p != NULL && SEQ_LT(tp->rcv_lastsack, sack.start)) {
 /*
 * Need to append new hole at end.
 * Last hole is p (and it's not NULL).
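Review bot: The new `SEQ_LT(sack.start, tp->snd_una)` test rejects blocks starting before the cumulative ACK point, but nothing in this hunk rejects an inverted block whose start lies at or beyond its end, and a block with `sack.start == tp->snd_max` and `sack.end` just above `tp->snd_una` passes both visible guards; if the earlier part of tcp_sack_option (the function starts outside the hunk) does not already drop such blocks, add `if (SEQ_GEQ(sack.start, sack.end)) continue;` next to the new check. The new check also deserves a one-line why-comment, because the bare comparison does not say what goes wrong without it; something like `/* block reaches below snd_una; reject rather than try to fit it into the hole list */`, worded to match whatever invariant the hole list actually keeps, which this hunk does not show. The two rejections (end beyond snd_max, start below snd_una) are independent bounds on untrusted peer input, so keep both even if validation earlier in the function is later tightened.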
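Review bot: The comments around the guarded `if` now contradict it: `/* At this point, p points to the last hole on the list */` and `* Last hole is p (and it's not NULL).` both assert that p is non-NULL, while the added `p != NULL &&` exists precisely because it can be. Reword the first to something like `/* p is the last hole on the list, or NULL if there is none to append to */` (stating the actual reason p can be NULL, which the hunk does not show) and drop the parenthetical from the second. Whether rcv_lastsack or any counter is updated when p is NULL cannot be seen here, since the body of the `if` and the rest of the loop continue past the hunk; if a SACK block is silently discarded on that path, counting it would keep the new failure mode observable instead of invisible.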