Date: Sat, 7 Apr 2018 20:03:35 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r332218 - stable/11/sys/netinet Message-ID: <201804072003.w37K3ZWx077754@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Sat Apr 7 20:03:35 2018 New Revision: 332218 URL: https://svnweb.freebsd.org/changeset/base/332218 Log: MFC r324971: Fix a bug reported by Felix Weinrank using the libfuzzer on the userland stack. Modified: stable/11/sys/netinet/sctp_auth.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netinet/sctp_auth.c ============================================================================== --- stable/11/sys/netinet/sctp_auth.c Sat Apr 7 20:02:08 2018 (r332217) +++ stable/11/sys/netinet/sctp_auth.c Sat Apr 7 20:03:35 2018 (r332218) @@ -1606,9 +1606,9 @@ sctp_zero_m(struct mbuf *m, uint32_t m_offset, uint32_ /* now use the rest of the mbuf chain */ while ((m_tmp != NULL) && (size > 0)) { data = mtod(m_tmp, uint8_t *)+m_offset; - if (size > (uint32_t)SCTP_BUF_LEN(m_tmp)) { - memset(data, 0, SCTP_BUF_LEN(m_tmp)); - size -= SCTP_BUF_LEN(m_tmp); + if (size > (uint32_t)(SCTP_BUF_LEN(m_tmp) - m_offset)) { + memset(data, 0, SCTP_BUF_LEN(m_tmp) - m_offset); + size -= SCTP_BUF_LEN(m_tmp) - m_offset; } else { memset(data, 0, size); size = 0;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201804072003.w37K3ZWx077754>