> On 25. Oct 2017, at 16:57, Rodney W. Grimes <free...@pdx.rh.cn85.dnsmgr.net>
> wrote:
>
> [ Charset UTF-8 unsupported, converting... ]
>> Author: tuexen
>> Date: Wed Oct 25 09:12:22 2017
>> New Revision: 324971
>> URL: https://svnweb.freebsd.org/changeset/base/324971
>>
>> Log:
>> Fix a bug reported by Felix Weinrank using the libfuzzer on the
>> userland stack.
>
> Please try to say what the bug was, why it was a bug, and
> how it was fixed in any bug commit message.
Yepp, you are right. The bug was that when taking the length
of what is used in a buffer, the offset was not taken into account.
The fix is to do that...
Best regards
Michael
>
> External vague references are of little value when reading
> through a files svn history.
>
> Thanks,
>>
>> MFC after: 3 days
>>
>> Modified:
>> head/sys/netinet/sctp_auth.c
>>
>> Modified: head/sys/netinet/sctp_auth.c
>> ==============================================================================
>> --- head/sys/netinet/sctp_auth.c Wed Oct 25 05:55:13 2017
>> (r324970)
>> +++ head/sys/netinet/sctp_auth.c Wed Oct 25 09:12:22 2017
>> (r324971)
>> @@ -1606,9 +1606,9 @@ sctp_zero_m(struct mbuf *m, uint32_t m_offset, uint32_
>> /* now use the rest of the mbuf chain */
>> while ((m_tmp != NULL) && (size > 0)) {
>> data = mtod(m_tmp, uint8_t *)+m_offset;
>> - if (size > (uint32_t)SCTP_BUF_LEN(m_tmp)) {
>> - memset(data, 0, SCTP_BUF_LEN(m_tmp));
>> - size -= SCTP_BUF_LEN(m_tmp);
>> + if (size > (uint32_t)(SCTP_BUF_LEN(m_tmp) - m_offset)) {
>> + memset(data, 0, SCTP_BUF_LEN(m_tmp) - m_offset);
>> + size -= SCTP_BUF_LEN(m_tmp) - m_offset;
>> } else {
>> memset(data, 0, size);
>> size = 0;
>>
>>
>
> --
> Rod Grimes rgri...@freebsd.org
>
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
