From owner-svn-src-head@freebsd.org  Wed Oct 25 16:38:37 2017
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id B9248E4F121;
 Wed, 25 Oct 2017 16:38:37 +0000 (UTC)
 (envelope-from tuexen@freebsd.org)
Received: from drew.franken.de (drew.ipv6.franken.de
 [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "*.franken.de",
 Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 8212F74B46;
 Wed, 25 Oct 2017 16:38:37 +0000 (UTC)
 (envelope-from tuexen@freebsd.org)
Received: from [10.54.148.69] (unknown [88.128.80.78])
 (Authenticated sender: macmic)
 by mail-n.franken.de (Postfix) with ESMTPSA id 22E0672106C11;
 Wed, 25 Oct 2017 18:38:34 +0200 (CEST)
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.0 \(3445.1.7\))
Subject: Re: svn commit: r324971 - head/sys/netinet
From: Michael Tuexen <tuexen@freebsd.org>
In-Reply-To: <201710251457.v9PEvEZU052398@pdx.rh.CN85.dnsmgr.net>
Date: Wed, 25 Oct 2017 18:38:21 +0200
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <2342CC17-27C7-40B2-8FA4-E224A7BE1F38@freebsd.org>
References: <201710251457.v9PEvEZU052398@pdx.rh.CN85.dnsmgr.net>
To: rgrimes@freebsd.org
X-Mailer: Apple Mail (2.3445.1.7)
X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00
 autolearn=disabled version=3.4.1
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mail-n.franken.de
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Oct 2017 16:38:37 -0000

> On 25. Oct 2017, at 16:57, Rodney W. Grimes =
<freebsd@pdx.rh.CN85.dnsmgr.net> wrote:
>=20
> [ Charset UTF-8 unsupported, converting... ]
>> Author: tuexen
>> Date: Wed Oct 25 09:12:22 2017
>> New Revision: 324971
>> URL: https://svnweb.freebsd.org/changeset/base/324971
>>=20
>> Log:
>>  Fix a bug reported by Felix Weinrank using the libfuzzer on the
>>  userland stack.
>=20
> Please try to say what the bug was, why it was a bug, and
> how it was fixed in any bug commit message.
Yepp, you are right. The bug was that when taking the length
of what is used in a buffer, the offset was not taken into account.
The fix is to do that...

Best regards
Michael
>=20
> External vague references are of little value when reading
> through a files svn history.
>=20
> Thanks,
>>=20
>>  MFC after:	3 days
>>=20
>> Modified:
>>  head/sys/netinet/sctp_auth.c
>>=20
>> Modified: head/sys/netinet/sctp_auth.c
>> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D
>> --- head/sys/netinet/sctp_auth.c	Wed Oct 25 05:55:13 2017	=
(r324970)
>> +++ head/sys/netinet/sctp_auth.c	Wed Oct 25 09:12:22 2017	=
(r324971)
>> @@ -1606,9 +1606,9 @@ sctp_zero_m(struct mbuf *m, uint32_t m_offset, =
uint32_
>> 	/* now use the rest of the mbuf chain */
>> 	while ((m_tmp !=3D NULL) && (size > 0)) {
>> 		data =3D mtod(m_tmp, uint8_t *)+m_offset;
>> -		if (size > (uint32_t)SCTP_BUF_LEN(m_tmp)) {
>> -			memset(data, 0, SCTP_BUF_LEN(m_tmp));
>> -			size -=3D SCTP_BUF_LEN(m_tmp);
>> +		if (size > (uint32_t)(SCTP_BUF_LEN(m_tmp) - m_offset)) {
>> +			memset(data, 0, SCTP_BUF_LEN(m_tmp) - m_offset);
>> +			size -=3D SCTP_BUF_LEN(m_tmp) - m_offset;
>> 		} else {
>> 			memset(data, 0, size);
>> 			size =3D 0;
>>=20
>>=20
>=20
> --=20
> Rod Grimes                                                 =
rgrimes@freebsd.org
>=20