Date: Tue, 28 Apr 2015 12:37:10 +0000 (UTC) From: Jean-Sebastien Pedron <dumbbell@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r282141 - stable/10/sys/dev/drm2 Message-ID: <201504281237.t3SCbASJ054890@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: dumbbell Date: Tue Apr 28 12:37:09 2015 New Revision: 282141 URL: https://svnweb.freebsd.org/changeset/base/282141 Log: DRM2: fix off-by-one overflow in ioctl processing Call to the driver-specific ioctl used to process ioctl number that will lead to the out-of-bounds access to the ioctl handler array. PR: 193367 Approved by: kib MFC of: r275209 (original commit by rea) Modified: stable/10/sys/dev/drm2/drm_drv.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/dev/drm2/drm_drv.c ============================================================================== --- stable/10/sys/dev/drm2/drm_drv.c Tue Apr 28 12:02:24 2015 (r282140) +++ stable/10/sys/dev/drm2/drm_drv.c Tue Apr 28 12:37:09 2015 (r282141) @@ -909,7 +909,7 @@ int drm_ioctl(struct cdev *kdev, u_long if (ioctl->func == NULL && nr >= DRM_COMMAND_BASE) { /* The array entries begin at DRM_COMMAND_BASE ioctl nr */ nr -= DRM_COMMAND_BASE; - if (nr > dev->driver->max_ioctl) { + if (nr >= dev->driver->max_ioctl) { DRM_DEBUG("Bad driver ioctl number, 0x%x (of 0x%x)\n", nr, dev->driver->max_ioctl); return EINVAL;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201504281237.t3SCbASJ054890>