From 0f9660a6f046df842809e65ec9c455d67d6a66f6 Mon Sep 17 00:00:00 2001
From: avg
Date: Sat, 23 Mar 2013 08:48:44 +0000
Subject: [PATCH] fbt_typoff_init: fix an off by one in determining required memory size

This issue would be silent most of the time, but if the requested memory is a multiple of a page size, then accessing one element beyond the end would lead to a kernel page fault. Otherwise, the unlucky last type would just be inaccessible.

Reported by: glebius
Tested by: glebius
MFC after: 6 days
---
 sys/cddl/dev/fbt/fbt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/cddl/dev/fbt/fbt.c b/sys/cddl/dev/fbt/fbt.c
index be15d6e57f76..93bd1182891d 100644
--- a/sys/cddl/dev/fbt/fbt.c
+++ b/sys/cddl/dev/fbt/fbt.c
@@ -777,6 +777,8 @@ fbt_typoff_init(linker_ctf_t *lc)
 pop[kind]++;
 }
+ /* account for a sentinel value below */
+ ctf_typemax++;
 *lc->typlenp = ctf_typemax;
 if ((xp = malloc(sizeof(uint32_t) * ctf_typemax, M_LINKER, M_ZERO | M_WAITOK)) == NULL)
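Review bot: The new `ctf_typemax++` feeds straight into `sizeof(uint32_t) * ctf_typemax` with no guard, so if ctf_typemax is a 32-bit count read from the module's CTF header (its type and origin are outside the hunk), a wrap on the increment, or on ILP32 on the multiplication, would shrink the allocation below what the sentinel slot needs; a check such as `if (ctf_typemax >= UINT32_MAX / sizeof(uint32_t)) return (EINVAL);` placed before the increment would close that, adjusted to whatever error convention fbt_typoff_init actually uses. The added comment points at a sentinel that lives outside the hunk, and since `*lc->typlenp` is assigned after the increment it now carries the slot count rather than the type count, which is worth saying where readers will look: `/* Allocate one extra slot for the sentinel stored below; *typlenp reports the slot count, sentinel included. */` — assuming that is the intent. Separately, per malloc(9) an M_WAITOK allocation does not return NULL, so the `== NULL` test on the last context line is dead unless the flag is changed to M_NOWAIT. The body of fbt_typoff_init continues outside the hunk.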