dummynet: Avoid an out-of-bounds read in do_config()
do_config() processes a buffer of variable-length dummynet commands.
The loop which processes this buffer loads the fixed-length header
before checking whether there are any bytes left to read, so it performs
a 4-byte read past the end of the buffer before terminating.
Restructure the loop to avoid this.
Reported by: Jenkins (KASAN job)
Reviewed by: kp
Sponsored by: The FreeBSD Foundation
(cherry picked from commit
d5ea04ee7ba6c7cd8e0918a080caf5f2c8fb3955)
projects / FreeBSD / FreeBSD.git / commit