Validate length before use it, not vice versa.

r353060 should have contained this...
This fixes
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18070
MFC after:		3 days
This commit is contained in:
Michael Tuexen 2019-10-08 11:07:16 +00:00
parent a362cf527e
commit 953b78bed9

View File

@ -334,11 +334,11 @@ sctp_process_asconf_delete_ip(struct sockaddr *src,
#endif
aparam_length = ntohs(aph->ph.param_length);
ph = (struct sctp_paramhdr *)(aph + 1);
param_type = ntohs(ph->param_type);
if (aparam_length < sizeof(struct sctp_asconf_paramhdr) + sizeof(struct sctp_paramhdr)) {
return (NULL);
}
ph = (struct sctp_paramhdr *)(aph + 1);
param_type = ntohs(ph->param_type);
#if defined(INET) || defined(INET6)
param_length = ntohs(ph->param_length);
if (param_length + sizeof(struct sctp_asconf_paramhdr) != aparam_length) {