Re: [PATCH v3] staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc

From: Dan Carpenter

Date: Tue Apr 14 2026 - 05:33:30 EST


On Tue, Apr 14, 2026 at 11:44:18AM +0300, Andy Shevchenko wrote:
> On Tue, Apr 14, 2026 at 11:33:22AM +0300, Dan Carpenter wrote:
> > Really _obj() can't be ZERO_SIZE_PTR either, or if they are then it's
> > very difficult to dereference them since they don't have any struct
> > members.
> >
> > The main way that ZERO_SIZE_PTR bugs show up is with strings and NUL
> > terminators.
>
> Wouldn't it be a problem for
>
> struct foo {
>         u32 baz[];
> };

There isn't really any difference between doing an out of bounds access
on an array with zero elements vs 10 elements. That's the beauty of
ZERO_SIZE_PTR: it lets you treat zero as just another number of
elements. But zero sizes can cause problems for code which does things
like "size - 1", because with an unsigned type that's ULONG_MAX.

regards,
dan carpenter