untrusted comment: verify with openbsd-65-base.pub
RWSZaRmt1LEQT+pwpbWH8FN8t24wV95gelWn24UQfl/RJcWGu+pf1Ewxl+2xJEMDZr6mQ/PL0SO6GcEBBB/xBbugw73G693gMAY=

OpenBSD 6.5 errata 006, July 25, 2019:

By creating long chains of TCP SACK holes, an attacker could possibly
slow down the system temporarily.

Apply by doing:
   signify -Vep /etc/signify/openbsd-65-base.pub -x 006_tcpsack.patch.sig \
       -m - | (cd /usr/src && patch -p0)

And then rebuild and install a new kernel:
   KK=`sysctl -n kern.osversion | cut -d# -f1`
   cd /usr/src/sys/arch/`machine`/compile/$KK
   make obj
   make config
   make
   make install

Index: sys/netinet/tcp_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.359
diff -u -p -r1.359 tcp_input.c
--- sys/netinet/tcp_input.c     17 Sep 2018 14:07:48 -0000      1.359
+++ sys/netinet/tcp_input.c     22 Jul 2019 12:14:58 -0000
@@ -2360,6 +2360,8 @@ tcp_update_sack_list(struct tcpcb *tp, t
       return;
}

+#define        TCP_SACKHOLE_LIMIT 128  /* SACK holes per connection at receiver side */
+
/*
 * Process the TCP SACK option.  tp->snd_holes is an ordered list
 * of holes (oldest to newest, in terms of the sequence space).
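Review bot: The comment on `TCP_SACKHOLE_LIMIT` says "at receiver side", but the list it bounds is `tp->snd_numholes`/`tp->snd_holes`, which (per the existing comment a few lines below) the data sender maintains while processing SACK options it receives; "receiver side" reads as the data receiver and is ambiguous. It also does not say why a cap is needed. Suggest `#define TCP_SACKHOLE_LIMIT 128 /* max holes in tp->snd_holes per connection; bounds the list walk a peer can force on every SACK */`. Whether 128 was chosen empirically is not visible here.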
@@ -2492,6 +2494,8 @@ tcp_sack_option(struct tcpcb *tp, struct
                                * ACKs some data in middle of a hole; need to
                                * split current hole
                                */
+                               if (tp->snd_numholes >= TCP_SACKHOLE_LIMIT)
+                                       goto done;
                               temp = (struct sackhole *)
                                   pool_get(&sackhl_pool, PR_NOWAIT);
                               if (temp == NULL)
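Review bot: The new `goto done` at the split site has no comment explaining that hitting the cap abandons the remaining SACK blocks of this option rather than just this split, and the same applies to the append site in the next hunk. A reader may take it for an error path, so a short note is worth adding, e.g. `/* Cap reached: stop processing this option; a peer can otherwise grow the hole list without bound. */`. The `done` label and the handling of `temp == NULL` lie outside the hunk, so whether the limit path and the allocation-failure path end up in the same state cannot be confirmed from here; if they do, a comment saying so would help. The cap is only as good as the bookkeeping of `tp->snd_numholes` at every insert and removal site, none of which is visible in this diff.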
@@ -2519,6 +2523,8 @@ tcp_sack_option(struct tcpcb *tp, struct
                        * Need to append new hole at end.
                        * Last hole is p (and it's not NULL).
                        */
+                       if (tp->snd_numholes >= TCP_SACKHOLE_LIMIT)
+                               goto done;
                       temp = (struct sackhole *)
                           pool_get(&sackhl_pool, PR_NOWAIT);
                       if (temp == NULL)