author | avg <avg@FreeBSD.org> | 2013-03-23 08:48:44 +0000 |
---|---|---|
committer | avg <avg@FreeBSD.org> | 2013-03-23 08:48:44 +0000 |
commit | 0f9660a6f046df842809e65ec9c455d67d6a66f6 (patch) | |
tree | 434772384522a4861192c55af96bdbb6c743d15b /sys/cddl/dev/fbt/fbt.c | |
parent | 32cda7dd8fcb487711096944c969f32c3eec845d (diff) | |

fbt_typoff_init: fix an off by one in determining required memory size

This issue would be silent most of the time, but if the requested memory
is a multiple of a page size, then accessing one element beyond the end
would lead to a kernel page fault.
Otherwise, the unlucky last type would just be inaccessible.

Reported by: glebius
Tested by: glebius
MFC after: 6 days

Diffstat (limited to 'sys/cddl/dev/fbt/fbt.c')
-rw-r--r-- | sys/cddl/dev/fbt/fbt.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/cddl/dev/fbt/fbt.c b/sys/cddl/dev/fbt/fbt.c index be15d6e..93bd118 100644 --- a/sys/cddl/dev/fbt/fbt.c +++ b/sys/cddl/dev/fbt/fbt.c @@ -777,6 +777,8 @@ fbt_typoff_init(linker_ctf_t *lc) pop[kind]++; } + /* account for a sentinel value below */ + ctf_typemax++; *lc->typlenp = ctf_typemax; if ((xp = malloc(sizeof(uint32_t) * ctf_typemax, M_LINKER, M_ZERO | M_WAITOK)) == NULL) |
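Review bot: Incrementing `ctf_typemax` in place, immediately before `*lc->typlenp = ctf_typemax;`, changes more than the allocation size: the length published through `typlenp` now counts the sentinel slot too, and any later use of `ctf_typemax` in this function sees the bumped value. If only the buffer needs the extra element, sizing the allocation as `sizeof(uint32_t) * (ctf_typemax + 1)` would leave the variable's meaning unchanged; if consumers of `typlenp` are meant to see the larger length, the comment should say so. The comment "account for a sentinel value below" would also be easier to verify if it named the index the sentinel is written to, since that write is not visible in this hunk and the off-by-one depends on it. Separately, on the unchanged context line, the `== NULL` check follows a `malloc` called with `M_WAITOK`, which does not return NULL, so that error path looks unreachable.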