The Impossible Condition
OpenBSD’s TCP SACK implementation tracked gaps in acknowledged data as a linked list of holes. Two comparisons guarded a codepath: the SACK block had to start at or below an existing hole (so the block covered it and the hole was deleted) AND, in the same pass, above the highest byte the list already accounted for, which lies beyond every hole (so a new hole was appended after the tail). One number can’t be both. The codepath was unreachable. For 27 years.
TCP sequence numbers are 32-bit and wrap. The kernel compared them with (int)(a - b) < 0, the classic BSD SEQ_LT idiom. That is correct as long as the two values are less than 2^31 apart, and on a live connection they always are: every sequence number in play lies inside one send window, far smaller than 2^31. But nothing bounds-checked the edges of an incoming SACK block against that window. An attacker could send a block starting roughly 2^31 below the hole. The unsigned difference then wraps past 2^31, the cast flips its sign, and “below the hole” and “above the highest accounted byte” are no longer mutually exclusive: both comparisons return true for the same number.
The impossible condition becomes possible. The block deletes the only hole, the append then runs on an empty list and dereferences a NULL pointer, and the kernel panics.
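The wrap-around below, worked through in code. This is an added illustration, not OpenBSD’s kernel code: the struct toy_tcb, the fixed-size hole array, the snd_fack field (the highest byte the hole list accounts for) and all sequence numbers are constructed for the example. The unchecked path reproduces the two guards described above and returns a sentinel where a kernel would dereference NULL; the checked path adds the missing window check in front of it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

/* BSD-style sequence comparisons (same shape as netinet/tcp_seq.h).
 * Sound only while the two operands are less than 2^31 apart. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_LEQ(a, b) ((int32_t)((a) - (b)) <= 0)
#define SEQ_GT(a, b)  ((int32_t)((a) - (b)) > 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

#define MAX_HOLES 4
struct hole { tcp_seq start, end; };

/* Toy sender state (illustrative model, not OpenBSD's struct tcpcb). */
struct toy_tcb {
    tcp_seq snd_una;   /* highest cumulatively ACKed byte */
    tcp_seq snd_max;   /* highest byte sent so far */
    tcp_seq snd_fack;  /* highest byte the hole list accounts for; above every hole */
    int n_holes;
    struct hole holes[MAX_HOLES];
};
struct sack_block { tcp_seq start, end; };
enum sack_result { SACK_IGNORED, SACK_DELETED_HOLE, SACK_APPENDED, SACK_NULL_DEREF };

/* Unguarded processing, mirroring the two guards described in the text.
 * Returns SACK_NULL_DEREF where a kernel would dereference a NULL tail. */
enum sack_result process_sack_unchecked(struct toy_tcb *tp, struct sack_block sb)
{
    enum sack_result r = SACK_IGNORED;
    /* Guard 1: block starts at/below the first hole and reaches its end,
     * so the hole is fully covered and dropped from the list. */
    if (tp->n_holes > 0 &&
        SEQ_LEQ(sb.start, tp->holes[0].start) && SEQ_GEQ(sb.end, tp->holes[0].end)) {
        for (int i = 1; i < tp->n_holes; i++)
            tp->holes[i - 1] = tp->holes[i];
        tp->n_holes--;
        r = SACK_DELETED_HOLE;
    }
    /* Guard 2: block starts above everything the list knows about, so a new
     * hole [snd_fack, sb.start) is linked in after the current tail. */
    if (SEQ_GT(sb.start, tp->snd_fack)) {
        struct hole *tail = tp->n_holes > 0 ? &tp->holes[tp->n_holes - 1] : NULL;
        if (tail == NULL)
            return SACK_NULL_DEREF;   /* empty list: real code would touch tail->next */
        if (tp->n_holes < MAX_HOLES)
            tp->holes[tp->n_holes++] = (struct hole){ tp->snd_fack, sb.start };
        tp->snd_fack = sb.end;
        r = SACK_APPENDED;
    }
    return r;
}

/* Is seq inside [snd_una, snd_max]? Pure unsigned arithmetic: the distance
 * from snd_una must not exceed the window length. No signed cast, no wrap. */
static bool in_send_window(const struct toy_tcb *tp, tcp_seq seq)
{
    return (tcp_seq)(seq - tp->snd_una) <= (tcp_seq)(tp->snd_max - tp->snd_una);
}

/* Hardened processing: once both edges are inside the send window (which is
 * far below 2^31 long), every operand the SEQ_* macros compare is within 2^31
 * of the others, and the impossible condition is impossible again. */
enum sack_result process_sack_checked(struct toy_tcb *tp, struct sack_block sb)
{
    if (!in_send_window(tp, sb.start) || !in_send_window(tp, sb.end) ||
        !SEQ_LT(sb.start, sb.end))
        return SACK_IGNORED;
    return process_sack_unchecked(tp, sb);
}

/* Constructed state around sequence 0x10000000: one 1000-byte hole, SACKed
 * data above it up to snd_fack, and 10000 more bytes in flight. */
struct toy_tcb make_tcb(void)
{
    struct toy_tcb tp = { .snd_una = 0x10000000u - 1000, .snd_max = 0x10000000u + 12000,
                          .snd_fack = 0x10000000u + 2000, .n_holes = 1,
                          .holes = { { 0x10000000u, 0x10000000u + 1000 } } };
    return tp;
}

/* Attacker's block: 100 bytes starting 2^31 - 500 bytes *below* the hole.
 * After the signed cast it is "below the hole" for SEQ_LEQ and "above
 * snd_fack" for SEQ_GT at the same time. */
struct sack_block attack_block(void)
{
    tcp_seq h = 0x10000000u;
    return (struct sack_block){ h - 0x80000000u + 500, h - 0x80000000u + 600 };
}

/* Run one block against fresh state; report result and holes left. */
enum sack_result run_scenario(bool checked, struct sack_block sb, int *holes_left)
{
    struct toy_tcb tp = make_tcb();
    enum sack_result r = checked ? process_sack_checked(&tp, sb) : process_sack_unchecked(&tp, sb);
    *holes_left = tp.n_holes;
    return r;
}

int main(void)
{
    int n;
    enum sack_result r = run_scenario(false, attack_block(), &n);
    printf("unchecked: result=%d holes_left=%d (3 = NULL deref)\n", r, n);
    r = run_scenario(true, attack_block(), &n);
    printf("checked:   result=%d holes_left=%d (0 = ignored)\n", r, n);
    return 0;
}
```

The window test deliberately avoids the SEQ_* macros: a single unsigned subtraction per edge asks “how far above snd_una is this byte?”, which cannot wrap into a false answer the way the signed reinterpretation can.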
Every assumption in the code was correct for real inputs. The vulnerability existed only in the gap between “what the protocol guarantees” and “what the code is willing to receive.” The code didn’t fail — it trusted.