Date:      Wed, 25 Oct 2017 18:38:21 +0200
From:      Michael Tuexen <tuexen@freebsd.org>
To:        rgrimes@freebsd.org
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r324971 - head/sys/netinet
Message-ID:  <2342CC17-27C7-40B2-8FA4-E224A7BE1F38@freebsd.org>
In-Reply-To: <201710251457.v9PEvEZU052398@pdx.rh.CN85.dnsmgr.net>
References:  <201710251457.v9PEvEZU052398@pdx.rh.CN85.dnsmgr.net>

> On 25. Oct 2017, at 16:57, Rodney W. Grimes <freebsd@pdx.rh.CN85.dnsmgr.net> wrote:
>
>> Author: tuexen
>> Date: Wed Oct 25 09:12:22 2017
>> New Revision: 324971
>> URL: https://svnweb.freebsd.org/changeset/base/324971
>>
>> Log:
>>  Fix a bug reported by Felix Weinrank using the libfuzzer on the
>>  userland stack.
>
> Please try to say what the bug was, why it was a bug, and
> how it was fixed in any bug commit message.
Yep, you are right. The bug was that when taking the length
of what is used in a buffer, the offset was not taken into account.
The fix is to do that...

Best regards
Michael
>
> External vague references are of little value when reading
> through a file's svn history.
>
> Thanks,
>>
>>  MFC after:	3 days
>>
>> Modified:
>>  head/sys/netinet/sctp_auth.c
>>
>> Modified: head/sys/netinet/sctp_auth.c
>> ==============================================================================
>> --- head/sys/netinet/sctp_auth.c	Wed Oct 25 05:55:13 2017	(r324970)
>> +++ head/sys/netinet/sctp_auth.c	Wed Oct 25 09:12:22 2017	(r324971)
>> @@ -1606,9 +1606,9 @@ sctp_zero_m(struct mbuf *m, uint32_t m_offset, uint32_
>> 	/* now use the rest of the mbuf chain */
>> 	while ((m_tmp !=3D NULL) && (size > 0)) {
>> 		data =3D mtod(m_tmp, uint8_t *)+m_offset;
>> -		if (size > (uint32_t)SCTP_BUF_LEN(m_tmp)) {
>> -			memset(data, 0, SCTP_BUF_LEN(m_tmp));
>> -			size -=3D SCTP_BUF_LEN(m_tmp);
>> +		if (size > (uint32_t)(SCTP_BUF_LEN(m_tmp) - m_offset)) {
>> +			memset(data, 0, SCTP_BUF_LEN(m_tmp) - m_offset);
>> +			size -=3D SCTP_BUF_LEN(m_tmp) - m_offset;
>> 		} else {
>> 			memset(data, 0, size);
>> 			size =3D 0;
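Review bot: the new length `SCTP_BUF_LEN(m_tmp) - m_offset` is only correct under two conditions this hunk does not show: m_offset must be strictly less than SCTP_BUF_LEN(m_tmp) when the loop body runs, and m_offset must be reset to 0 before the next iteration, because `data = mtod(m_tmp, uint8_t *)+m_offset` is recomputed for every mbuf in the chain and an offset only makes sense for the first one. Since m_offset is uint32_t, the subtraction is evaluated unsigned, so an offset equal to or larger than the mbuf length would wrap to a huge memset length instead of failing loudly; a `KASSERT(m_offset < (uint32_t)SCTP_BUF_LEN(m_tmp), ...)` at the top of the loop body would document the invariant and catch a violation. The overrun the fuzzer found is visible from the removed lines alone: `memset(data, 0, SCTP_BUF_LEN(m_tmp))` starts m_offset bytes into the mbuf but still writes a full SCTP_BUF_LEN(m_tmp) bytes, so it wrote m_offset bytes past the end of the mbuf's data, and `size -= SCTP_BUF_LEN(m_tmp)` then under-counted what remained.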
>>
>>
>
> --
> Rod Grimes                                                 rgrimes@freebsd.org
>
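The bug Michael describes (zeroing started m_offset bytes into an mbuf but still used the full mbuf length) is easy to see on a small model. The following is an added example, not FreeBSD code and not part of this thread: a three-element toy mbuf chain with a canary after each data area, the pre-r324971 arithmetic and the r324971 arithmetic side by side, and a checker that reports how many in-bounds bytes were zeroed and whether the canary was touched. The struct toy_mbuf type, the TOY_* macros, the toy_seek prologue that walks to the mbuf containing m_offset (the diff does not show that part of sctp_zero_m; it is assumed to exist above the hunk) and the toy_* function names are all assumptions made for this example.

```c
/* Added example, not FreeBSD code: model the sctp_zero_m bug fixed in
 * r324971 on a toy mbuf chain. All names below are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_MBUF_SIZE  32
#define TOY_GUARD_SIZE 16
#define TOY_CANARY     0xA5
#define TOY_CHAIN_LEN  3

struct toy_mbuf {
    struct toy_mbuf *m_next;
    int m_len;                        /* valid bytes in m_data (like m_len) */
    uint8_t m_data[TOY_MBUF_SIZE];
    uint8_t guard[TOY_GUARD_SIZE];    /* canary: any change here is an overrun */
};

#define TOY_BUF_LEN(m)  ((m)->m_len)
#define TOY_BUF_NEXT(m) ((m)->m_next)

/* Fresh chain: data filled with 0xFF, canaries intact, all mbufs full. */
static void toy_chain_init(struct toy_mbuf *c)
{
    for (int i = 0; i < TOY_CHAIN_LEN; i++) {
        memset(c[i].m_data, 0xFF, TOY_MBUF_SIZE);
        memset(c[i].guard, TOY_CANARY, TOY_GUARD_SIZE);
        c[i].m_len = TOY_MBUF_SIZE;
        c[i].m_next = (i + 1 < TOY_CHAIN_LEN) ? &c[i + 1] : NULL;
    }
}

/* Walk to the mbuf that holds m_offset (assumed prologue, not in the diff).
 * On return *m_offset < TOY_BUF_LEN(m), which the loop below relies on. */
static struct toy_mbuf *toy_seek(struct toy_mbuf *m, uint32_t *m_offset)
{
    while (m != NULL && *m_offset >= (uint32_t)TOY_BUF_LEN(m)) {
        *m_offset -= TOY_BUF_LEN(m);
        m = TOY_BUF_NEXT(m);
    }
    return m;
}

/* Zero `size` bytes starting at m_offset. fixed == 0 uses the pre-r324971
 * length, fixed != 0 the length from the hunk. */
static void toy_zero_m(struct toy_mbuf *m, uint32_t m_offset, uint32_t size, int fixed)
{
    struct toy_mbuf *m_tmp = toy_seek(m, &m_offset);
    while (m_tmp != NULL && size > 0) {
        uint8_t *data = m_tmp->m_data + m_offset;
        /* Bug: the old length ignores that `data` already sits m_offset bytes
         * into the mbuf, so the memset runs m_offset bytes past m_len. */
        uint32_t avail = fixed ? (uint32_t)(TOY_BUF_LEN(m_tmp) - m_offset)
                               : (uint32_t)TOY_BUF_LEN(m_tmp);
        if (size > avail) {
            memset(data, 0, avail);
            size -= avail;
        } else {
            memset(data, 0, size);
            size = 0;
        }
        m_offset = 0;                 /* the offset only applies to the first mbuf */
        m_tmp = TOY_BUF_NEXT(m_tmp);
    }
}

/* Run one variant on a fresh chain. Returns the number of in-bounds bytes
 * zeroed; *overrun is set to 1 if any canary byte was modified. */
uint32_t toy_run(int fixed, uint32_t m_offset, uint32_t size, int *overrun)
{
    struct toy_mbuf chain[TOY_CHAIN_LEN];
    uint32_t zeroed = 0;

    toy_chain_init(chain);
    toy_zero_m(chain, m_offset, size, fixed);
    *overrun = 0;
    for (int i = 0; i < TOY_CHAIN_LEN; i++) {
        for (int j = 0; j < chain[i].m_len; j++)
            zeroed += (chain[i].m_data[j] == 0);
        for (int j = 0; j < TOY_GUARD_SIZE; j++)
            *overrun |= (chain[i].guard[j] != TOY_CANARY);
    }
    return zeroed;
}

/* Convenience wrappers returning a single value each. */
uint32_t toy_zeroed(int fixed, uint32_t m_offset, uint32_t size)
{
    int ov;
    return toy_run(fixed, m_offset, size, &ov);
}

int toy_overrun(int fixed, uint32_t m_offset, uint32_t size)
{
    int ov;
    (void)toy_run(fixed, m_offset, size, &ov);
    return ov;
}

int main(void)
{
    const uint32_t cases[][2] = { {0, 40}, {5, 40}, {35, 40} };  /* constructed inputs */
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("offset=%2u size=%u  old: zeroed=%u overrun=%d  fixed: zeroed=%u overrun=%d\n",
               cases[i][0], cases[i][1],
               toy_zeroed(0, cases[i][0], cases[i][1]), toy_overrun(0, cases[i][0], cases[i][1]),
               toy_zeroed(1, cases[i][0], cases[i][1]), toy_overrun(1, cases[i][0], cases[i][1]));
    return 0;
}
```

With offset 5 and size 40 the old arithmetic zeroes 35 in-bounds bytes and five canary bytes; the fixed arithmetic zeroes exactly 40 and leaves the canary alone. With offset 0 the two agree, which is why the bug only shows up when the region to wipe does not start at an mbuf boundary, and with offset 35 the prologue moves the start into the second mbuf and the same pattern repeats there.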