svn commit: r275209 - head/sys/dev/drm2
Eygene Ryabinkin
rea at FreeBSD.org
Fri Nov 28 12:15:00 UTC 2014
Author: rea (ports committer)
Date: Fri Nov 28 12:14:59 2014
New Revision: 275209
URL: https://svnweb.freebsd.org/changeset/base/275209
Log:
DRM2: fix off-by-one overflow in ioctl processing
Call to the driver-specific ioctl used to process ioctl number
that will lead to the out-of-bounds access to the ioctl handler
array.
PR: 193367
Approved by: kib
MFC after: 1 week
Modified:
head/sys/dev/drm2/drm_drv.c
Modified: head/sys/dev/drm2/drm_drv.c
==============================================================================
--- head/sys/dev/drm2/drm_drv.c Fri Nov 28 11:49:26 2014 (r275208)
+++ head/sys/dev/drm2/drm_drv.c Fri Nov 28 12:14:59 2014 (r275209)
@@ -905,7 +905,7 @@ int drm_ioctl(struct cdev *kdev, u_long
if (ioctl->func == NULL && nr >= DRM_COMMAND_BASE) {
/* The array entries begin at DRM_COMMAND_BASE ioctl nr */
nr -= DRM_COMMAND_BASE;
- if (nr > dev->driver->max_ioctl) {
+ if (nr >= dev->driver->max_ioctl) {
DRM_DEBUG("Bad driver ioctl number, 0x%x (of 0x%x)\n",
nr, dev->driver->max_ioctl);
return EINVAL;
More information about the svn-src-all
mailing list