[PATCH] ipw2x00: Use struct_size helper instead of open-coded arithmetic

* [PATCH] ipw2x00: Use struct_size helper instead of open-coded arithmetic
@ 2021-07-17 14:25 Len Baker
  2021-07-21 10:20 ` Stanislav Yakovlev
  2021-08-21 17:15 ` Kalle Valo
  0 siblings, 2 replies; 3+ messages in thread
From: Len Baker @ 2021-07-17 14:25 UTC (permalink / raw)
  To: Stanislav Yakovlev, Kalle Valo, David S. Miller, Jakub Kicinski
  Cc: Len Baker, linux-wireless, netdev, linux-kernel

Dynamic size calculations (especially multiplication) should not be
performed in memory allocator function arguments due to the risk of them
overflowing. This could lead to values wrapping around and a smaller
allocation being made than the caller was expecting. Using those
allocations could lead to linear overflows of heap memory and other
misbehaviors.

To avoid this scenario, use the struct_size helper.

Signed-off-by: Len Baker <len.baker@gmx.com>
---
 drivers/net/wireless/intel/ipw2x00/libipw_tx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
index d9baa2fa603b..36d1e6b2568d 100644
--- a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
+++ b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
@@ -179,8 +179,8 @@ static struct libipw_txb *libipw_alloc_txb(int nr_frags, int txb_size,
 {
 	struct libipw_txb *txb;
 	int i;
-	txb = kmalloc(sizeof(struct libipw_txb) + (sizeof(u8 *) * nr_frags),
-		      gfp_mask);
+
+	txb = kmalloc(struct_size(txb, fragments, nr_frags), gfp_mask);
 	if (!txb)
 		return NULL;

--
2.25.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread