Validate length before use it, not vice versa.

r353060 should have contained this... This fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18070 MFC after: 3 days
svn path=/head/; revision=353303
2019-10-08 11:07:16 +00:00 · 2019-10-08 11:07:16 +00:00 · 953b78bed9 · 2020-12-20 02:59:44 +00:00
commit 953b78bed9
parent a362cf527e
1 changed files with 2 additions and 2 deletions
--- a/sys/netinet/sctp_asconf.c
+++ b/sys/netinet/sctp_asconf.c
@ -334,11 +334,11 @@ sctp_process_asconf_delete_ip(struct sockaddr *src,
 #endif

 	aparam_length = ntohs(aph->ph.param_length);
-	ph = (struct sctp_paramhdr *)(aph + 1);
-	param_type = ntohs(ph->param_type);
 	if (aparam_length < sizeof(struct sctp_asconf_paramhdr) + sizeof(struct sctp_paramhdr)) {
 		return (NULL);
 	}
+	ph = (struct sctp_paramhdr *)(aph + 1);
+	param_type = ntohs(ph->param_type);
 #if defined(INET) || defined(INET6)
 	param_length = ntohs(ph->param_length);
 	if (param_length + sizeof(struct sctp_asconf_paramhdr) != aparam_length) {