From 9e3d6c9645ed28ef5b07a9b13e380e13a86deeb8 Mon Sep 17 00:00:00 2001
From: Matthew Dillon
Date: Sun, 3 Feb 2008 21:40:42 +0000
Subject: [PATCH] Make sure scb->lastfound is NULLed out when it matches the entry being removed from the scb->sackblocks list. Fix two places where this was not occuring, leading to memory and list corruption.
Reported-by: Peter Avalos
---
 sys/netinet/tcp_sack.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c
index 4492ad36bf..3a7740c27e 100644
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@@ -30,7 +30,7 @@
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $DragonFly: src/sys/netinet/tcp_sack.c,v 1.6 2007/04/22 01:13:14 dillon Exp $
+ * $DragonFly: src/sys/netinet/tcp_sack.c,v 1.7 2008/02/03 21:40:42 dillon Exp $
 */
 #include
@@ -176,7 +176,7 @@ tcp_sack_ack_blocks(struct scoreboard *scb, tcp_seq th_ack)
 sb = TAILQ_FIRST(&scb->sackblocks);
 while (sb && SEQ_LEQ(sb->sblk_end, th_ack)) {
 nb = TAILQ_NEXT(sb, sblk_list);
- if (sb == scb->lastfound)
+ if (scb->lastfound == sb)
 scb->lastfound = NULL;
 TAILQ_REMOVE(&scb->sackblocks, sb, sblk_list);
 free_sackblock(sb);
@@ -334,6 +334,8 @@ insert_block(struct scoreboard *scb, struct sackblock *newblock)
 struct sackblock *nextblock;
 nextblock = TAILQ_NEXT(sb, sblk_list);
+ if (scb->lastfound == sb)
+ scb->lastfound = NULL;
 /* Remove completely overlapped block */
 TAILQ_REMOVE(&scb->sackblocks, sb, sblk_list);
 free_sackblock(sb);
@@ -346,6 +348,8 @@ insert_block(struct scoreboard *scb, struct sackblock *newblock)
 SEQ_GEQ(workingblock->sblk_end, sb->sblk_start)) {
 /* Extend new block to cover partially overlapped old block. */
 workingblock->sblk_end = sb->sblk_end;
+ if (scb->lastfound == sb)
+ scb->lastfound = NULL;
 TAILQ_REMOVE(&scb->sackblocks, sb, sblk_list);
 free_sackblock(sb);
 --scb->nblocks;
--
2.11.4.GIT
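Review bot: The clear-hint, unlink and free sequence is now open-coded at three removal sites: the loop in tcp_sack_ack_blocks and both overlap branches of insert_block (the hunks at -334 and -346). The bug fixed here was two of those sites omitting the first step. Because scb->lastfound holds a pointer to an entry on scb->sackblocks, leaving it set after free_sackblock(sb) is a dangling pointer in a scoreboard that is presumably driven by SACK options received from the peer, so the invariant is better enforced in one place than by convention. I would move the three statements into a small static helper and call it from each site; the helper name below is only a suggestion, and the nblocks decrement stays at the call sites because only the -346 hunk shows it. Both insert_block hunks begin and end inside the function body, so any other removal path outside the visible lines should be checked the same way.

```c
/*
 * Unlink sb from the scoreboard and free it.  scb->lastfound may point
 * at sb, so it is dropped first; it must never outlive the block.
 */
static void
remove_sackblock(struct scoreboard *scb, struct sackblock *sb)
{
	if (scb->lastfound == sb)
		scb->lastfound = NULL;
	TAILQ_REMOVE(&scb->sackblocks, sb, sblk_list);
	free_sackblock(sb);
}

/* … unchanged: nextblock lookup in insert_block … */
remove_sackblock(scb, sb);
```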