From ac364403c13c5cefe2bc5e87b8bf730ba7d491a0 Mon Sep 17 00:00:00 2001
From: Michael Tuexen <tuexen@fh-muenster.de>
Date: Fri, 20 Sep 2019 10:26:17 +0200
Subject: [PATCH] Fix the handling of invalid parameters in ASCONF chunks.
 Thanks to Mark Wodrich from Google for reporting the issue in
 https://github.com/sctplab/usrsctp/issues/376 for the userland stack.

---
 usrsctplib/netinet/sctp_asconf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/usrsctplib/netinet/sctp_asconf.c b/usrsctplib/netinet/sctp_asconf.c
index 00cfe1e49..b4d5f18f3 100755
--- a/usrsctplib/netinet/sctp_asconf.c
+++ b/usrsctplib/netinet/sctp_asconf.c
@@ -34,7 +34,7 @@
 
 #ifdef __FreeBSD__
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_asconf.c 350745 2019-08-08 08:23:27Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_asconf.c 352550 2019-09-20 08:20:20Z tuexen $");
 #endif
 
 #include <netinet/sctp_os.h>
@@ -720,6 +720,7 @@ sctp_handle_asconf(struct mbuf *m, unsigned int offset,
 		if (param_length <= sizeof(struct sctp_paramhdr)) {
 			SCTPDBG(SCTP_DEBUG_ASCONF1, "handle_asconf: param length (%u) too short\n", param_length);
 			sctp_m_freem(m_ack);
+			return;
 		}
 		/* get the entire parameter */
 		aph = (struct sctp_asconf_paramhdr *)sctp_m_getptr(m, offset, param_length, aparam_buf);