untrusted comment: verify with openbsd-78-base.pub
RWS3/nvFmk4SWXQYDoBKCF185+tveq3Z2QeYepLv72mOmadwXy4NNmgdlEzT/PLu7edaMasfvOom8ZgJRu1wZmyoGAn4+/27Sw0=

OpenBSD 7.8 errata 025, March 25, 2026:

TCP packets with invalid SACK options could crash the kernel.

Apply by doing:
    signify -Vep /etc/signify/openbsd-78-base.pub -x 025_sack.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install a new kernel:
    KK=`sysctl -n kern.osversion | cut -d# -f1`
    cd /usr/src/sys/arch/`machine`/compile/$KK
    make obj
    make config
    make
    make install

Index: sys/netinet/tcp_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/tcp_input.c,v
diff -u -p -r1.464 tcp_input.c
--- sys/netinet/tcp_input.c	16 Sep 2025 17:29:35 -0000	1.464
+++ sys/netinet/tcp_input.c	19 Mar 2026 13:56:56 -0000
@@ -2458,6 +2458,8 @@ tcp_sack_option(struct tcpcb *tp, struct
 		}
 		if (SEQ_GT(sack.end, tp->snd_max))
 			continue;
+		if (SEQ_LT(sack.start, tp->snd_una))
+			continue;
 		if (tp->snd_holes == NULL) { /* first hole */
 			tp->snd_holes = (struct sackhole *)
 			    pool_get(&sackhl_pool, PR_NOWAIT);
@@ -2564,7 +2566,7 @@ tcp_sack_option(struct tcpcb *tp, struct
 			}
 		}
 		/* At this point, p points to the last hole on the list */
-		if (SEQ_LT(tp->rcv_lastsack, sack.start)) {
+		if (p != NULL && SEQ_LT(tp->rcv_lastsack, sack.start)) {
 			/*
 			 * Need to append new hole at end.
 			 * Last hole is p (and it's not NULL).