DRM2: fix off-by-one overflow in ioctl processing
Call to the driver-specific ioctl used to process ioctl number that will lead to the out-of-bounds access to the ioctl handler array. PR: 193367 Approved by: kib MFC of: r275209 (original commit by rea)
This commit is contained in:
parent
f30b599658
commit
d4d41d1bcf
@ -909,7 +909,7 @@ int drm_ioctl(struct cdev *kdev, u_long cmd, caddr_t data, int flags,
|
||||
if (ioctl->func == NULL && nr >= DRM_COMMAND_BASE) {
|
||||
/* The array entries begin at DRM_COMMAND_BASE ioctl nr */
|
||||
nr -= DRM_COMMAND_BASE;
|
||||
if (nr > dev->driver->max_ioctl) {
|
||||
if (nr >= dev->driver->max_ioctl) {
|
||||
DRM_DEBUG("Bad driver ioctl number, 0x%x (of 0x%x)\n",
|
||||
nr, dev->driver->max_ioctl);
|
||||
return EINVAL;
|
||||
|
Loading…
Reference in New Issue
Block a user