From 550b3ee1d3d8a66ccb383d25023d13d8a34a9219 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Fri, 14 Jun 2019 09:03:45 +0200
Subject: [PATCH] Fix off-by-one error in reencryption keyslots count check.

---
 src/cryptsetup.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index b4fdb9b2..6950d68a 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -2874,13 +2874,13 @@ static int _check_luks2_keyslots(struct crypt_device *cd)
 	}
 
 	/* at least one keyslot for reencryption plus new volume key */
-	if (active + unbound >= max - 2) {
+	if (active + unbound > max - 2) {
 		log_err(_("Not enough free keyslots for reencryption."));
 		return -EINVAL;
 	}
 
 	if ((opt_key_slot == CRYPT_ANY_SLOT) &&
-            (2 * active + unbound + 1 >= max)) {
+            (2 * active + unbound > max - 1)) {
 		log_err(_("Not enough free keyslots for reencryption."));
 		return -EINVAL;
 	}