> I have run into a bug in tcp_output_fill_options() while trying to add TCP-AO (RFC5925) support.
> It is my understanding that the fourth argument in the callstack is the number of SACKs.
> static void
> tcp_output_fill_options(const struct tcp_pcb *pcb, struct pbuf *p, u8_t optflags, u8_t num_sacks)
> However, there are still 4 calls which pass in the total option length, which then gets
> misinterpreted as the number of SACKs, which in my case caused a buffer overflow in
> Q: Shouldn't all those arguments be reset to zero, as per the patch below?