DRM2: fix off-by-one overflow in ioctl processing

Call to the driver-specific ioctl used to process an ioctl number
that will lead to an out-of-bounds access to the ioctl handler
array.

PR:             193367
Approved by:    kib
MFC of:         r275209 (original commit by rea)
dumbbell 2015-04-28 12:37:09 +00:00
parent f30b599658
commit d4d41d1bcf

@ -909,7 +909,7 @@ int drm_ioctl(struct cdev *kdev, u_long cmd, caddr_t data, int flags,
if (ioctl->func == NULL && nr >= DRM_COMMAND_BASE) {
/* The array entries begin at DRM_COMMAND_BASE ioctl nr */
nr -= DRM_COMMAND_BASE;
if (nr > dev->driver->max_ioctl) {
if (nr >= dev->driver->max_ioctl) {
DRM_DEBUG("Bad driver ioctl number, 0x%x (of 0x%x)\n",
nr, dev->driver->max_ioctl);
return EINVAL;
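Review bot: The bound check at `if (nr >= dev->driver->max_ioctl)` is only correct if `max_ioctl` is the number of entries in the driver's ioctl array, and nothing in the hunk states that; the existing comment documents only the lower bound (`DRM_COMMAND_BASE`). Suggest extending that comment to say that, after the subtraction, valid indices run from 0 through `max_ioctl - 1`, so that a later reader does not change the `>=` back to `>`. The subtraction itself cannot wrap, because the enclosing condition already requires `nr >= DRM_COMMAND_BASE`. The array access that follows is not visible in these lines, so it is worth confirming that no other path indexes the handler array with `nr` without first passing through this check.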