[PATCH] ipw2x00: Use struct_size helper instead of open-coded arithmetic

From: Len Baker
Date: Sat Jul 17 2021 - 10:26:17 EST

Next message: Jonathan Cameron: "Re: [PATCH 1/4] iio: add modifiers for linear acceleration"
Previous message: Jonathan Cameron: "Re: [PATCH v6 2/2] dt-bindings: iio: frequency: add adrf6780 doc"
Next in thread: Stanislav Yakovlev: "Re: [PATCH] ipw2x00: Use struct_size helper instead of open-coded arithmetic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dynamic size calculations (especially multiplication) should not be
performed in memory allocator function arguments due to the risk of them
overflowing. This could lead to values wrapping around and a smaller
allocation being made than the caller was expecting. Using those
allocations could lead to linear overflows of heap memory and other
misbehaviors.

To avoid this scenario, use the struct_size helper.

Signed-off-by: Len Baker <len.baker@xxxxxxx>
---
drivers/net/wireless/intel/ipw2x00/libipw_tx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
index d9baa2fa603b..36d1e6b2568d 100644
--- a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
+++ b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
@@ -179,8 +179,8 @@ static struct libipw_txb *libipw_alloc_txb(int nr_frags, int txb_size,
{
struct libipw_txb *txb;
int i;
- txb = kmalloc(sizeof(struct libipw_txb) + (sizeof(u8 *) * nr_frags),
- gfp_mask);
+
+ txb = kmalloc(struct_size(txb, fragments, nr_frags), gfp_mask);
if (!txb)
return NULL;

--
2.25.1

Next message: Jonathan Cameron: "Re: [PATCH 1/4] iio: add modifiers for linear acceleration"
Previous message: Jonathan Cameron: "Re: [PATCH v6 2/2] dt-bindings: iio: frequency: add adrf6780 doc"
Next in thread: Stanislav Yakovlev: "Re: [PATCH] ipw2x00: Use struct_size helper instead of open-coded arithmetic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]