diff options
author | rea <rea@FreeBSD.org> | 2014-11-28 12:14:59 +0000 |
---|---|---|
committer | rea <rea@FreeBSD.org> | 2014-11-28 12:14:59 +0000 |
commit | 96e8d9b85a09160c8878c7036ab2e0ceb1859541 (patch) | |
tree | 0efb06e195668ff7da72f091b6d2d5040b203b4d | |
parent | 6c403c8a16dd64accc71c37393cf49990f4aad71 (diff) | |
download | FreeBSD-src-96e8d9b85a09160c8878c7036ab2e0ceb1859541.zip FreeBSD-src-96e8d9b85a09160c8878c7036ab2e0ceb1859541.tar.gz |
DRM2: fix off-by-one overflow in ioctl processing
Call to the driver-specific ioctl used to process ioctl number
that will lead to the out-of-bounds access to the ioctl handler
array.
PR: 193367
Approved by: kib
MFC after: 1 week
-rw-r--r-- | sys/dev/drm2/drm_drv.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/dev/drm2/drm_drv.c b/sys/dev/drm2/drm_drv.c index 81fcee3..d86cbbd 100644 --- a/sys/dev/drm2/drm_drv.c +++ b/sys/dev/drm2/drm_drv.c @@ -905,7 +905,7 @@ int drm_ioctl(struct cdev *kdev, u_long cmd, caddr_t data, int flags, if (ioctl->func == NULL && nr >= DRM_COMMAND_BASE) { /* The array entries begin at DRM_COMMAND_BASE ioctl nr */ nr -= DRM_COMMAND_BASE; - if (nr > dev->driver->max_ioctl) { + if (nr >= dev->driver->max_ioctl) { DRM_DEBUG("Bad driver ioctl number, 0x%x (of 0x%x)\n", nr, dev->driver->max_ioctl); return EINVAL; |