FreeBSD: Fix out of bounds read in zfs_ioctl_ozfs_to_legacy()

There is an off by 1 error in the check. Fortunately, this function does not appear to be used in kernel space, despite being compiled as part of the kernel module. However, it is used in userspace. Callers of lzc_ioctl_fd() likely will crash if they attempt to use the unimplemented request number. This was reported by FreeBSD's coverity scan. Reported-by: Coverity (CID 1432059) Reviewed-by: Ryan Moeller <ryan@iXsystems.com> Reviewed-by: Damian Szuberski <szuberskidamian@gmail.com> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes #14135
2022-11-04 14:06:14 -04:00 · 2022-11-04 14:06:14 -04:00 · 957c3776f2
parent 85537f77a3
commit 957c3776f2
1 changed files with 1 additions and 1 deletions
--- a/module/os/freebsd/zfs/zfs_ioctl_compat.c
+++ b/module/os/freebsd/zfs/zfs_ioctl_compat.c
@ -319,7 +319,7 @@ zfs_ioctl_legacy_to_ozfs(int request)
 int
 zfs_ioctl_ozfs_to_legacy(int request)
 {
-	if (request > ZFS_IOC_LAST)
+	if (request >= ZFS_IOC_LAST)
 		return (-1);

 	if (request > ZFS_IOC_PLATFORM) {