Message ID | 20210717142513.5411-1-len.baker@gmx.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 6f78f4a41ee0c348af73ed054ccff2d9c9c17cdb |
Delegated to: | Kalle Valo |
Headers | show |
Series | ipw2x00: Use struct_size helper instead of open-coded arithmetic | expand |
On Sat, 17 Jul 2021 at 18:25, Len Baker <len.baker@gmx.com> wrote: > > Dynamic size calculations (especially multiplication) should not be > performed in memory allocator function arguments due to the risk of them > overflowing. This could lead to values wrapping around and a smaller > allocation being made than the caller was expecting. Using those > allocations could lead to linear overflows of heap memory and other > misbehaviors. > > To avoid this scenario, use the struct_size helper. > > Signed-off-by: Len Baker <len.baker@gmx.com> > --- > drivers/net/wireless/intel/ipw2x00/libipw_tx.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > Looks fine, thanks! Stanislav.
Len Baker <len.baker@gmx.com> wrote: > Dynamic size calculations (especially multiplication) should not be > performed in memory allocator function arguments due to the risk of them > overflowing. This could lead to values wrapping around and a smaller > allocation being made than the caller was expecting. Using those > allocations could lead to linear overflows of heap memory and other > misbehaviors. > > To avoid this scenario, use the struct_size helper. > > Signed-off-by: Len Baker <len.baker@gmx.com> Patch applied to wireless-drivers-next.git, thanks. 6f78f4a41ee0 ipw2x00: Use struct_size helper instead of open-coded arithmetic
diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c index d9baa2fa603b..36d1e6b2568d 100644 --- a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c +++ b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c @@ -179,8 +179,8 @@ static struct libipw_txb *libipw_alloc_txb(int nr_frags, int txb_size, { struct libipw_txb *txb; int i; - txb = kmalloc(sizeof(struct libipw_txb) + (sizeof(u8 *) * nr_frags), - gfp_mask); + + txb = kmalloc(struct_size(txb, fragments, nr_frags), gfp_mask); if (!txb) return NULL;
Dynamic size calculations (especially multiplication) should not be performed in memory allocator function arguments due to the risk of them overflowing. This could lead to values wrapping around and a smaller allocation being made than the caller was expecting. Using those allocations could lead to linear overflows of heap memory and other misbehaviors. To avoid this scenario, use the struct_size helper. Signed-off-by: Len Baker <len.baker@gmx.com> --- drivers/net/wireless/intel/ipw2x00/libipw_tx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.25.1