Author: dumbbell
Date: Tue Apr 28 12:37:09 2015
New Revision: 282141
URL: https://svnweb.freebsd.org/changeset/base/282141
Log:
DRM2: fix off-by-one overflow in ioctl processing
Call to the driver-specific ioctl used to process ioctl number
that will lead to the out-of-bounds access to the ioctl handler
array.
PR: 193367
Approved by: kib
MFC of: r275209 (original commit by rea)
Modified:
stable/10/sys/dev/drm2/drm_drv.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/dev/drm2/drm_drv.c
==============================================================================
--- stable/10/sys/dev/drm2/drm_drv.c Tue Apr 28 12:02:24 2015
(r282140)
+++ stable/10/sys/dev/drm2/drm_drv.c Tue Apr 28 12:37:09 2015
(r282141)
@@ -909,7 +909,7 @@ int drm_ioctl(struct cdev *kdev, u_long
if (ioctl->func == NULL && nr >= DRM_COMMAND_BASE) {
/* The array entries begin at DRM_COMMAND_BASE ioctl nr */
nr -= DRM_COMMAND_BASE;
- if (nr > dev->driver->max_ioctl) {
+ if (nr >= dev->driver->max_ioctl) {
DRM_DEBUG("Bad driver ioctl number, 0x%x (of 0x%x)\n",
nr, dev->driver->max_ioctl);
return EINVAL;
_______________________________________________
svn-src-stable-10@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-stable-10
To unsubscribe, send any mail to "svn-src-stable-10-unsubscr...@freebsd.org"
