diff options
author | dumbbell <dumbbell@FreeBSD.org> | 2015-04-28 12:37:09 +0000 |
---|---|---|
committer | dumbbell <dumbbell@FreeBSD.org> | 2015-04-28 12:37:09 +0000 |
commit | d4d41d1bcf6dd531947b3d93355298aa4db105de (patch) | |
tree | e61e49d0cabec3e152abfbee1deb6def6c651786 | |
parent | f30b599658deeca32c7549591c99036b30acbdef (diff) | |
download | FreeBSD-src-d4d41d1bcf6dd531947b3d93355298aa4db105de.zip FreeBSD-src-d4d41d1bcf6dd531947b3d93355298aa4db105de.tar.gz |
DRM2: fix off-by-one overflow in ioctl processing
Call to the driver-specific ioctl used to process ioctl number
that will lead to the out-of-bounds access to the ioctl handler
array.
PR: 193367
Approved by: kib
MFC of: r275209 (original commit by rea)
-rw-r--r-- | sys/dev/drm2/drm_drv.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/dev/drm2/drm_drv.c b/sys/dev/drm2/drm_drv.c index f380894..1e6626f 100644 --- a/sys/dev/drm2/drm_drv.c +++ b/sys/dev/drm2/drm_drv.c @@ -909,7 +909,7 @@ int drm_ioctl(struct cdev *kdev, u_long cmd, caddr_t data, int flags, if (ioctl->func == NULL && nr >= DRM_COMMAND_BASE) { /* The array entries begin at DRM_COMMAND_BASE ioctl nr */ nr -= DRM_COMMAND_BASE; - if (nr > dev->driver->max_ioctl) { + if (nr >= dev->driver->max_ioctl) { DRM_DEBUG("Bad driver ioctl number, 0x%x (of 0x%x)\n", nr, dev->driver->max_ioctl); return EINVAL; |