Avoid underflowing a variable, which would result in taking more

data from the stream queues then needed. Thanks to Timo Voelker for finding this bug and providing a fix.
author: Michael Tuexen <tuexen@fh-muenster.de> 2020-05-05 21:59:32 +0200
committer: Michael Tuexen <tuexen@fh-muenster.de> 2020-05-05 21:59:32 +0200
commit: 0cb61bc48f7fda14aea12d34dcd3ae3ac136e076 (patch)
tree: e17330eabfb7a93a9b3326fe5a02161176c46f6e
parent: 23a8eca13e0a9ec79272eb2e40a567308b4aba67 (diff)
download: usrsctp-0cb61bc48f7fda14aea12d34dcd3ae3ac136e076.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/usrsctplib/netinet/sctp_output.c b/usrsctplib/netinet/sctp_output.c
index ee62b7ea..d4595fe7 100755
--- a/usrsctplib/netinet/sctp_output.c
+++ b/usrsctplib/netinet/sctp_output.c
@@ -34,7 +34,7 @@
 
 #ifdef __FreeBSD__
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_output.c 360662 2020-05-05 17:52:44Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_output.c 360671 2020-05-05 19:54:30Z tuexen $");
 #endif
 
 #include <netinet/sctp_os.h>
@@ -8276,7 +8276,11 @@ sctp_fill_outqueue(struct sctp_tcb *stcb,
 		}
 		strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
 		total_moved += moved;
-		space_left -= moved;
+		if (space_left >= moved) {
+			space_left -= moved;
+		} else {
+			space_left = 0;
+		}
 		if (space_left >= SCTP_DATA_CHUNK_OVERHEAD(stcb)) {
 			space_left -= SCTP_DATA_CHUNK_OVERHEAD(stcb);
 		} else {
author	Michael Tuexen <tuexen@fh-muenster.de>	2020-05-05 21:59:32 +0200
committer	Michael Tuexen <tuexen@fh-muenster.de>	2020-05-05 21:59:32 +0200
commit	0cb61bc48f7fda14aea12d34dcd3ae3ac136e076 (patch)
tree	e17330eabfb7a93a9b3326fe5a02161176c46f6e
parent	23a8eca13e0a9ec79272eb2e40a567308b4aba67 (diff)
download	usrsctp-0cb61bc48f7fda14aea12d34dcd3ae3ac136e076.tar.gz