Index: tcp_input.c
===================================================================
RCS file: /home/imp/FreeBSD/CVS/src/sys/netinet/tcp_input.c,v
retrieving revision 1.54.2.6
retrieving revision 1.54.2.7
diff -u -r1.54.2.6 -r1.54.2.7
--- tcp_input.c	1997/11/20 21:45:34	1.54.2.6
+++ tcp_input.c	1998/01/30 19:13:55	1.54.2.7
@@ -627,6 +614,7 @@
 	 * If the state is LISTEN then ignore segment if it contains an RST.
 	 * If the segment contains an ACK then it is bad and send a RST.
 	 * If it does not contain a SYN then it is not interesting; drop it.
+	 * If it is from this socket, drop it, it must be forged.
 	 * Don't bother responding if the destination was a broadcast.
 	 * Otherwise initialize tp->rcv_nxt, and tp->irs, select an initial
 	 * tp->iss, and send a segment:
@@ -646,6 +634,9 @@
 			goto dropwithreset;
 		if ((tiflags & TH_SYN) == 0)
 			goto drop;
+		if ((ti->ti_dport == ti->ti_sport) &&
+		    (ti->ti_dst.s_addr == ti->ti_src.s_addr))
+			goto drop;
 		/*
 		 * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
 		 * in_broadcast() should never return true on a received
@@ -765,6 +756,23 @@
 		}
 
 	/*
+	 * If the state is SYN_RECEIVED:
+	 *	if seg contains SYN/ACK, send a RST.
+	 *	if seg contains an ACK, but not for our SYN/ACK, send a RST.
+	 */
+	case TCPS_SYN_RECEIVED:
+		if (tiflags & TH_ACK) {
+			if (tiflags & TH_SYN) {
+				tcpstat.tcps_badsyn++;
+				goto dropwithreset;
+			}
+			if (SEQ_LEQ(ti->ti_ack, tp->snd_una) ||
+			    SEQ_GT(ti->ti_ack, tp->snd_max))
+				goto dropwithreset;
+		}
+		break;
+
+	/*
 	 * If the state is SYN_SENT:
 	 *	if seg contains an ACK, but not for our SYN, drop the input.
 	 *	if seg contains a RST, then drop the connection.
@@ -1179,14 +1187,11 @@
 	switch (tp->t_state) {
 
 	/*
-	 * In SYN_RECEIVED state if the ack ACKs our SYN then enter
-	 * ESTABLISHED state and continue processing, otherwise
-	 * send an RST.
+	 * In SYN_RECEIVED state, the ack ACKs our SYN, so enter
+	 * ESTABLISHED state and continue processing.
+	 * The ACK was checked above.
 	 */
 	case TCPS_SYN_RECEIVED:
-		if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
-		    SEQ_GT(ti->ti_ack, tp->snd_max))
-			goto dropwithreset;
 
 		tcpstat.tcps_connects++;
 		soisconnected(so);