aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Tuexen <tuexen@FreeBSD.org>2020-05-07 03:50:34 +0000
committerMichael Tuexen <tuexen@FreeBSD.org>2020-05-07 03:50:34 +0000
commite2bf5f4a17eb4121a7abd8b64801ea4d9437af51 (patch)
tree070bc97845e078ebb52bca0520536c3beaf0373f
parent51dc5f2d1a45367c2dd8aa1ea12fd82072170fea (diff)
downloadsrc-e2bf5f4a17eb4121a7abd8b64801ea4d9437af51.tar.gz
src-e2bf5f4a17eb4121a7abd8b64801ea4d9437af51.zip
MFC r360671: Avoid integer underflow
Avoid underflowing a variable, which would result in taking more data from the stream queues then needed. Thanks to Timo Voelker for finding this bug and providing a fix.
Notes
Notes: svn path=/stable/11/; revision=360772
-rw-r--r--sys/netinet/sctp_output.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index 1001a1933961..bf6adcc46cc9 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -7763,7 +7763,11 @@ sctp_fill_outqueue(struct sctp_tcb *stcb,
}
strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
total_moved += moved;
- space_left -= moved;
+ if (space_left >= moved) {
+ space_left -= moved;
+ } else {
+ space_left = 0;
+ }
if (space_left >= SCTP_DATA_CHUNK_OVERHEAD(stcb)) {
space_left -= SCTP_DATA_CHUNK_OVERHEAD(stcb);
} else {