From: "Rodney W. Grimes"
Subject: Re: svn commit: r324971 - head/sys/netinet
To: Michael Tuexen
CC: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Date: Wed, 25 Oct 2017 07:57:14 -0700 (PDT)

> Author: tuexen
> Date: Wed Oct 25 09:12:22 2017
> New Revision: 324971
> URL: https://svnweb.freebsd.org/changeset/base/324971
>
> Log:
> Fix a bug reported by Felix Weinrank using the libfuzzer on the
> userland stack.

Please try to say what the bug was, why it was a bug, and how it was fixed
in any bug commit message. External vague references are of little value
when reading through a file's svn history.

Thanks,

>
> MFC after: 3 days
>
> Modified:
> head/sys/netinet/sctp_auth.c
>
> Modified: head/sys/netinet/sctp_auth.c > ============================================================================== > --- head/sys/netinet/sctp_auth.c Wed Oct 25 05:55:13 2017 (r324970) > +++ head/sys/netinet/sctp_auth.c Wed Oct 25 09:12:22 2017 (r324971) 
> @@ -1606,9 +1606,9 @@ sctp_zero_m(struct mbuf *m, uint32_t m_offset, uint32_ > /* now use the rest of the mbuf chain */ > while ((m_tmp != NULL) && (size > 0)) { > data = mtod(m_tmp, uint8_t *)+m_offset; > - if (size > (uint32_t)SCTP_BUF_LEN(m_tmp)) { > - memset(data, 0, SCTP_BUF_LEN(m_tmp)); > - size -= SCTP_BUF_LEN(m_tmp); > + if (size > (uint32_t)(SCTP_BUF_LEN(m_tmp) - m_offset)) { > + memset(data, 0, SCTP_BUF_LEN(m_tmp) - m_offset); > + size -= SCTP_BUF_LEN(m_tmp) - m_offset; > } else { > memset(data, 0, size); > size = 0; > > -- Rod Grimes rgrimes@freebsd.org
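
Review bot: the new bound `SCTP_BUF_LEN(m_tmp) - m_offset`, used in the `if` condition and in both the `memset()` and `size -=` lines, is only safe when `m_offset` is no larger than `SCTP_BUF_LEN(m_tmp)`; nothing in the visible lines establishes that, and with `m_offset` declared `uint32_t` a larger value makes the difference wrap to a very large length rather than go negative. Please point to the earlier code that guarantees this, or add an explicit check or assertion before the subtraction. The hunk's context also ends before the loop advances to the next mbuf, so it is worth confirming that `m_offset` is reset to 0 once the first mbuf has been handled; otherwise every later mbuf in the chain would be zeroed from the same offset and its leading bytes skipped. Computing the remaining length once into a local would avoid repeating the expression three times. On the log message, as asked in the reply above: the removed lines zeroed `SCTP_BUF_LEN(m_tmp)` bytes starting at `data`, which is already `m_offset` bytes into the mbuf, so the `memset()` could run `m_offset` bytes past the mbuf's data; stating that in the commit message would make the file's history self-explanatory.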