# HG changeset patch
# User Robert Mustacchi
# Date 1319847464 14400
# Node ID 732144cfe2ef0ef82a65b7f3b4ea4aa049d7fe24
# Parent 4ac8112a8e30e13f2e9c2d71da7e71e38e1f3eec
1695 tcp_icmp_input sends packets with a closed connection
Reviewed by: Bryan Cantrill
Reviewed by: Richard Lowe
Reviewed by: Dan McDonald
Reviewed by: Garrett D'Amore
Approved by: Richard Lowe
diff -r 4ac8112a8e30 -r 732144cfe2ef usr/src/uts/common/inet/tcp/tcp_input.c
--- a/usr/src/uts/common/inet/tcp/tcp_input.c Sun May 15 23:44:52 2011 +0100
+++ b/usr/src/uts/common/inet/tcp/tcp_input.c Fri Oct 28 20:17:44 2011 -0400
@@ -22,6 +22,7 @@
 /*
 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright 2011 Nexenta Systems, Inc. All rights reserved.
+ * Copyright (c) 2011 Joyent, Inc. All rights reserved.
 */
 
 /* This file contains all TCP input processing functions. */
@@ -5536,6 +5537,16 @@
 ASSERT((MBLKL(mp) >= sizeof (ipha_t)));
 
 /*
+ * It's possible we have a closed, but not yet destroyed, TCP
+ * connection. Several fields (e.g. conn_ixa->ixa_ire) are invalid
+ * in the closed state, so don't take any chances and drop the packet.
+ */
+ if (tcp->tcp_state == TCPS_CLOSED) {
+ freemsg(mp);
+ return;
+ }
+
+ /*
 * Verify IP version. Anything other than IPv4 or IPv6 packet is sent
 * upstream. ICMPv6 is handled in tcp_icmp_error_ipv6.
 */
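Review bot: The `tcp->tcp_state == TCPS_CLOSED` test is a one-time snapshot at the top of the function, and the comment does not say what keeps the connection from reaching the closed state after the test, while the later code still uses fields such as `conn_ixa->ixa_ire`. If the caller serializes this function against the close path (not visible here; the function begins and ends outside the hunk), the comment should say so, e.g. `* The state cannot change after this check because <serialization guarantee>.`, so that a later refactor does not turn the guard into a race. The drop is also silent: a counter or trace point next to `freemsg(mp)` would let operators see how often ICMP errors arrive for closed-but-not-destroyed connections.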