Date: Fri, 28 Nov 2014 12:15:00 +0000 (UTC) From: Eygene Ryabinkin <rea@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r275209 - head/sys/dev/drm2 Message-ID: <201411281215.sASCF08A081894@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: rea (ports committer) Date: Fri Nov 28 12:14:59 2014 New Revision: 275209 URL: https://svnweb.freebsd.org/changeset/base/275209 Log: DRM2: fix off-by-one overflow in ioctl processing Call to the driver-specific ioctl used to process ioctl number that will lead to the out-of-bounds access to the ioctl handler array. PR: 193367 Approved by: kib MFC after: 1 week Modified: head/sys/dev/drm2/drm_drv.c Modified: head/sys/dev/drm2/drm_drv.c ============================================================================== --- head/sys/dev/drm2/drm_drv.c Fri Nov 28 11:49:26 2014 (r275208) +++ head/sys/dev/drm2/drm_drv.c Fri Nov 28 12:14:59 2014 (r275209) @@ -905,7 +905,7 @@ int drm_ioctl(struct cdev *kdev, u_long if (ioctl->func == NULL && nr >= DRM_COMMAND_BASE) { /* The array entries begin at DRM_COMMAND_BASE ioctl nr */ nr -= DRM_COMMAND_BASE; - if (nr > dev->driver->max_ioctl) { + if (nr >= dev->driver->max_ioctl) { DRM_DEBUG("Bad driver ioctl number, 0x%x (of 0x%x)\n", nr, dev->driver->max_ioctl); return EINVAL;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201411281215.sASCF08A081894>