author | Michael Tuexen <tuexen@fh-muenster.de> | 2020-05-05 21:59:32 +0200 |
---|---|---|
committer | Michael Tuexen <tuexen@fh-muenster.de> | 2020-05-05 21:59:32 +0200 |
commit | 0cb61bc48f7fda14aea12d34dcd3ae3ac136e076 (patch) | |
tree | e17330eabfb7a93a9b3326fe5a02161176c46f6e | |
parent | 23a8eca13e0a9ec79272eb2e40a567308b4aba67 (diff) | |
download | usrsctp-0cb61bc48f7fda14aea12d34dcd3ae3ac136e076.tar.gz |
Avoid underflowing a variable, which would result in taking more
data from the stream queues than needed.
Thanks to Timo Voelker for finding this bug and providing a fix.
-rwxr-xr-x | usrsctplib/netinet/sctp_output.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/usrsctplib/netinet/sctp_output.c b/usrsctplib/netinet/sctp_output.c index ee62b7ea..d4595fe7 100755 --- a/usrsctplib/netinet/sctp_output.c +++ b/usrsctplib/netinet/sctp_output.c @@ -34,7 +34,7 @@ #ifdef __FreeBSD__ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: head/sys/netinet/sctp_output.c 360662 2020-05-05 17:52:44Z tuexen $"); +__FBSDID("$FreeBSD: head/sys/netinet/sctp_output.c 360671 2020-05-05 19:54:30Z tuexen $"); #endif #include <netinet/sctp_os.h> @@ -8276,7 +8276,11 @@ sctp_fill_outqueue(struct sctp_tcb *stcb, } strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc); total_moved += moved; - space_left -= moved; + if (space_left >= moved) { + space_left -= moved; + } else { + space_left = 0; + } if (space_left >= SCTP_DATA_CHUNK_OVERHEAD(stcb)) { space_left -= SCTP_DATA_CHUNK_OVERHEAD(stcb); } else { |
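Review bot: The new else branch in the sctp_fill_outqueue() hunk (`space_left = 0;`) silently absorbs the case where `moved` is larger than `space_left`, and nothing in the code records why that case can occur. A short comment on that branch stating the condition would help, since the commit message only says that the variable underflowed and that more data than needed was then taken from the stream queues. The same subtract-or-clamp-to-zero shape follows immediately for `SCTP_DATA_CHUNK_OVERHEAD(stcb)`, so a small helper or macro shared by both would keep the two checks consistent. Note also that `total_moved += moved;` is still accumulated in full on the clamped path; that is probably intended, but it is worth confirming that whatever consumes `total_moved` expects a value that can exceed the original space budget.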