This is the untested patch I sent to one of the FreeBSD lists.  It doesn't
apply cleanly to the NetBSD version of this file, but you should be
able to apply it by hand.

--- tcp_input.c.prev	Fri Nov 21 04:34:51 1997
+++ tcp_input.c	Fri Nov 21 05:00:07 1997
@@ -752,6 +752,17 @@
 		}
 
 	/*
+	 * If the state is SYN_RCVD:
+	 *	if seg contains an ACK, but not for our SYN,ACK, drop the input.
+	 * Otherwise continue processing
+	 */
+	case TCPS_SYN_RECEIVED:
+		if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
+		    SEQ_GT(ti->ti_ack, tp->snd_max))
+			goto dropwithreset;
+ 		break;  /* continue normal processing */
+
+	/*
 	 * If the state is SYN_SENT:
 	 *	if seg contains an ACK, but not for our SYN, drop the input.
 	 *	if seg contains a RST, then drop the connection.
@@ -1171,9 +1182,7 @@
 	 * send an RST.
 	 */
 	case TCPS_SYN_RECEIVED:
-		if (SEQ_GT(tp->snd_una, ti->ti_ack) ||
-		    SEQ_GT(ti->ti_ack, tp->snd_max))
-			goto dropwithreset;
+		/* ACK validation was done earlier, before window trim */
 
 		tcpstat.tcps_connects++;
 		soisconnected(so);