From 5b66b7f11b9257c8c60819867877b46b1af0aff2 Mon Sep 17 00:00:00 2001
From: Michael Tuexen <tuexen@FreeBSD.org>
Date: Mon, 16 Sep 2019 08:18:05 +0000
Subject: [PATCH] Don't write to memory outside of the allocated array for SACK
 blocks.

Obtained from:		rrs@
MFC after:		3 days
Sponsored by:		Netflix, Inc.
---
 sys/netinet/tcp_sack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/netinet/tcp_sack.c b/sys/netinet/tcp_sack.c
index 999fb4f5890..311a84b989a 100644
--- a/sys/netinet/tcp_sack.c
+++ b/sys/netinet/tcp_sack.c
@@ -235,7 +235,7 @@ tcp_update_dsack_list(struct tcpcb *tp, tcp_seq rcv_start, tcp_seq rcv_end)
 		saved_blks[n].start = mid_blk.start;
 		saved_blks[n++].end = mid_blk.end;
 	}
-	for (j = 0; (j < tp->rcv_numsacks) && (j < MAX_SACK_BLKS-1); j++) {
+	for (j = 0; (j < tp->rcv_numsacks) && (n < MAX_SACK_BLKS); j++) {
 		if (((SEQ_LT(tp->sackblks[j].end, mid_blk.start) ||
 		      SEQ_GT(tp->sackblks[j].start, mid_blk.end)) &&
 		    (SEQ_GT(tp->sackblks[j].start, tp->rcv_nxt))))