From 8d9b040dd4b289964bdcd94f5f7250526b770d7b Mon Sep 17 00:00:00 2001
From: Michael Tuexen <tuexen@FreeBSD.org>
Date: Wed, 25 Oct 2017 09:12:22 +0000
Subject: Fix a bug reported by Felix Weinrank using the libfuzzer on the
 userland stack.

MFC after:	3 days
---
 sys/netinet/sctp_auth.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'sys/netinet/sctp_auth.c')

diff --git a/sys/netinet/sctp_auth.c b/sys/netinet/sctp_auth.c
index fd7dbd85dca2..371d01138446 100644
--- a/sys/netinet/sctp_auth.c
+++ b/sys/netinet/sctp_auth.c
@@ -1606,9 +1606,9 @@ sctp_zero_m(struct mbuf *m, uint32_t m_offset, uint32_t size)
 	/* now use the rest of the mbuf chain */
 	while ((m_tmp != NULL) && (size > 0)) {
 		data = mtod(m_tmp, uint8_t *)+m_offset;
-		if (size > (uint32_t)SCTP_BUF_LEN(m_tmp)) {
-			memset(data, 0, SCTP_BUF_LEN(m_tmp));
-			size -= SCTP_BUF_LEN(m_tmp);
+		if (size > (uint32_t)(SCTP_BUF_LEN(m_tmp) - m_offset)) {
+			memset(data, 0, SCTP_BUF_LEN(m_tmp) - m_offset);
+			size -= SCTP_BUF_LEN(m_tmp) - m_offset;
 		} else {
 			memset(data, 0, size);
 			size = 0;
-- 
cgit v1.2.3