From 2de5b9042014fd174cce0ef47d4c1cfee83fbf32 Mon Sep 17 00:00:00 2001
From: Michael Tuexen <tuexen@FreeBSD.org>
Date: Mon, 25 Mar 2019 09:47:22 +0000
Subject: [PATCH] Fix the handling of fragmented unordered messages when using
 DATA chunks and FORWARD-TSN.

This bug was reported in https://github.com/sctplab/usrsctp/issues/286
for the userland stack.

This is joint work with rrs@.

MFC after:		1 week
---
 sys/netinet/sctp_indata.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/sys/netinet/sctp_indata.c b/sys/netinet/sctp_indata.c
index 3c46ab4ebaf..45560a093ae 100644
--- a/sys/netinet/sctp_indata.c
+++ b/sys/netinet/sctp_indata.c
@@ -947,6 +947,15 @@ sctp_inject_old_unordered_data(struct sctp_tcb *stcb,
 		SCTPDBG(SCTP_DEBUG_XXX,
 		    "chunk is a first fsn: %u becomes fsn_included\n",
 		    chk->rec.data.fsn);
+		at = TAILQ_FIRST(&control->reasm);
+		if (at && SCTP_TSN_GT(chk->rec.data.fsn, at->rec.data.fsn)) {
+			/*
+			 * The first chunk in the reassembly is a smaller
+			 * TSN than this one, even though this has a first,
+			 * it must be from a subsequent msg.
+			 */
+			goto place_chunk;
+		}
 		if (control->first_frag_seen) {
 			/*
 			 * In old un-ordered we can reassembly on one