FreeBSD: Fix out of bounds read in zfs_ioctl_ozfs_to_legacy()

There is an off by 1 error in the check. Fortunately, this function does not appear to be used in kernel space, despite being compiled as part of the kernel module. However, it is used in userspace. Callers of lzc_ioctl_fd() likely will crash if they attempt to use the unimplemented request number. This was reported by FreeBSD's coverity scan. Reported-by: Coverity (CID 1432059) Reviewed-by: Ryan Moeller <ryan@iXsystems.com> Reviewed-by: Damian Szuberski <szuberskidamian@gmail.com> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes openzfs#14135
andrewc12 · Nov 11, 2022 · 8591efa · 8591efa
1 parent 930647e
commit 8591efa
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/module/os/freebsd/zfs/zfs_ioctl_compat.c b/module/os/freebsd/zfs/zfs_ioctl_compat.c
@@ -319,7 +319,7 @@ zfs_ioctl_legacy_to_ozfs(int request)
 int
 zfs_ioctl_ozfs_to_legacy(int request)
 {
-	if (request > ZFS_IOC_LAST)
+	if (request >= ZFS_IOC_LAST)
 		return (-1);
 
 	if (request > ZFS_IOC_PLATFORM) {