DRM2: fix off-by-one overflow in ioctl processing

Call to the driver-specific ioctl used to process ioctl number that will lead to the out-of-bounds access to the ioctl handler array. PR: 193367 Approved by: kib MFC after: 1 week
2014-11-28 12:14:59 +00:00 · 2014-11-28 12:14:59 +00:00 · 96e8d9b85a
commit 96e8d9b85a
parent 6c403c8a16
1 changed files with 1 additions and 1 deletions
--- a/sys/dev/drm2/drm_drv.c
+++ b/sys/dev/drm2/drm_drv.c
@ -905,7 +905,7 @@ int drm_ioctl(struct cdev *kdev, u_long cmd, caddr_t data, int flags,
 	if (ioctl->func == NULL && nr >= DRM_COMMAND_BASE) {
 		/* The array entries begin at DRM_COMMAND_BASE ioctl nr */
 		nr -= DRM_COMMAND_BASE;
-		if (nr > dev->driver->max_ioctl) {
+		if (nr >= dev->driver->max_ioctl) {
 			DRM_DEBUG("Bad driver ioctl number, 0x%x (of 0x%x)\n",
 			    nr, dev->driver->max_ioctl);
 			return EINVAL;