From 7449a8ffdf985258921afef4fed9c58fd370b9c3 Mon Sep 17 00:00:00 2001
From: trasz <trasz@FreeBSD.org>
Date: Thu, 28 May 2009 07:20:52 +0000
Subject: Fix off by one error in acl_create_entry(3).

Reviewed by:	rwatson@
MFC after:	2 weeks
---
 lib/libc/posix1e/acl_entry.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'lib/libc')

diff --git a/lib/libc/posix1e/acl_entry.c b/lib/libc/posix1e/acl_entry.c
index aaef611..407aff1 100644
--- a/lib/libc/posix1e/acl_entry.c
+++ b/lib/libc/posix1e/acl_entry.c
@@ -51,7 +51,12 @@ acl_create_entry(acl_t *acl_p, acl_entry_t *entry_p)
 
 	acl_int = &(*acl_p)->ats_acl;
 
-	if ((acl_int->acl_cnt >= ACL_MAX_ENTRIES) || (acl_int->acl_cnt < 0)) {
+	/*
+	 * +1, because we are checking if there is space left for one more
+	 * entry.
+	 */
+	if ((acl_int->acl_cnt + 1 >= ACL_MAX_ENTRIES) ||
+	    (acl_int->acl_cnt < 0)) {
 		errno = EINVAL;
 		return (-1);
 	}
-- 
cgit v1.1