Fix a bug reported by Felix Weinrank using the libfuzzer on the

userland stack. MFC after: 3 days
svn path=/head/; revision=324971
2017-10-25 09:12:22 +00:00 · 2017-10-25 09:12:22 +00:00 · 8d9b040dd4 · 2020-12-20 02:59:44 +00:00
commit 8d9b040dd4
parent 64a16434d8
1 changed files with 3 additions and 3 deletions
--- a/sys/netinet/sctp_auth.c
+++ b/sys/netinet/sctp_auth.c
@ -1606,9 +1606,9 @@ sctp_zero_m(struct mbuf *m, uint32_t m_offset, uint32_t size)
 	/* now use the rest of the mbuf chain */
 	while ((m_tmp != NULL) && (size > 0)) {
 		data = mtod(m_tmp, uint8_t *)+m_offset;
-		if (size > (uint32_t)SCTP_BUF_LEN(m_tmp)) {
-			memset(data, 0, SCTP_BUF_LEN(m_tmp));
-			size -= SCTP_BUF_LEN(m_tmp);
+		if (size > (uint32_t)(SCTP_BUF_LEN(m_tmp) - m_offset)) {
+			memset(data, 0, SCTP_BUF_LEN(m_tmp) - m_offset);
+			size -= SCTP_BUF_LEN(m_tmp) - m_offset;
 		} else {
 			memset(data, 0, size);
 			size = 0;