Does it point to the last byte of urgent data, or the byte following the urgent data?
Update: RFC 6093:
2.2. Semantics of the Urgent Pointer
RFC 1011 [RFC1011] clarified this ambiguity in RFC 793 stating that
"Page 17 is wrong. The urgent pointer points to the last octet of
urgent data (not to the first octet of non-urgent data)". RFC 1122
[RFC1122] formally updated RFC 793 by stating, in Section 4.2.2.4
(page 84), that "the urgent pointer points to the sequence number of
the LAST octet (not LAST+1) in a sequence of urgent data".
TCP/IP Illustrated:
There is continuing debate about whether the urgent pointer points
to the last byte of urgent data, or to the byte following the last byte
of urgent data. The original TCP specification gave both interpretations
but the Host Requirements RFC identifies which is correct:
the urgent pointer points to the last byte of urgent data.
The problem, however, is that most implementations
(i.e., the Berkeley-derived implementations) continue to use the wrong
interpretation. An implementation that follows the specification in the
Host Requirements RFC might be compliant, but might not communicate
correctly with most other hosts.
For such questions, you should first refer to the source (simply search rfc tcp): RFC 793, Transmission Control Protocol, which is the definition of TCP, and it explains:
Urgent Pointer: 16 bits
This field communicates the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field is only be interpreted in segments with the URG control bit set.
Edit to accommodate your RFC 6093 update:
Your reference to RFC 6093, On the Implementation of the TCP Urgent Mechanism reinforces RFC 793:
4. Updating RFC 793, RFC 1011, and RFC 1122
Considering that as long as both the TCP sender and the TCP receiver implement the same semantics for the Urgent Pointer there is no functional difference in having the Urgent Pointer point to "the sequence number of the octet following the urgent data" vs. "the last octet of urgent data", and that all known implementations interpret the semantics of the Urgent Pointer as pointing to "the sequence number of the octet following the urgent data", we hereby update RFC 793 [RFC0793], RFC 1011 [RFC1011], and RFC 1122 [RFC1122] such that "the urgent pointer points to the sequence number of the octet following the urgent data" (in segments with the URG control bit set), thus accommodating virtually all existing TCP implementations.