diff mbox series

[v2] wifi: qtnfmac: use struct_size and size_sub for payload length

Message ID 20230307230212.3735818-1-jacob.e.keller@intel.com (mailing list archive)
State Accepted
Commit 84e9e2102bdc4f60ce131dcb74046219dc4425ae
Delegated to: Kalle Valo
Headers show
Series [v2] wifi: qtnfmac: use struct_size and size_sub for payload length | expand

Commit Message

Jacob Keller March 7, 2023, 11:02 p.m. UTC 
Replace the calculations for the payload length in
qtnf_cmd_band_fill_iftype with struct_size() and size_sub(). While
the payload length does not get directly passed to an allocation function,
the performed calculation is still calculating the size of a flexible array
structure (minus the size of a header structure).

Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Cc: Igor Mitsyanko <imitsyanko@quantenna.com>
Cc: Sergey Matyukevich <geomatsi@gmail.com>
---
This was discovered by a coccinelle patch I developed, and submitted at:
  https://lore.kernel.org/all/20230227202428.3657443-1-jacob.e.keller@intel.com/

V1: https://lore.kernel.org/linux-wireless/99a9d4a2-d032-1c9d-90c6-3a68f6b3a092@intel.com/
Changes since v1
* Split series into individual postings to avoid confusion about dependency
* Fixed subject line

 drivers/net/wireless/quantenna/qtnfmac/commands.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)


base-commit: 8f9850dd8d23c1290cb642ce9548a440da5771ec

Comments

Kalle Valo March 13, 2023, 1:44 p.m. UTC | #1 
Jacob Keller <jacob.e.keller@intel.com> wrote:

> Replace the calculations for the payload length in
> qtnf_cmd_band_fill_iftype with struct_size() and size_sub(). While
> the payload length does not get directly passed to an allocation function,
> the performed calculation is still calculating the size of a flexible array
> structure (minus the size of a header structure).
> 
> Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
> Cc: Igor Mitsyanko <imitsyanko@quantenna.com>
> Cc: Sergey Matyukevich <geomatsi@gmail.com>

Patch applied to wireless-next.git, thanks.

84e9e2102bdc wifi: qtnfmac: use struct_size and size_sub for payload length
diff mbox series

Patch

diff --git a/drivers/net/wireless/quantenna/qtnfmac/commands.c b/drivers/net/wireless/quantenna/qtnfmac/commands.c
index b1b73478d89b..68ae9c7ea95a 100644
--- a/drivers/net/wireless/quantenna/qtnfmac/commands.c
+++ b/drivers/net/wireless/quantenna/qtnfmac/commands.c
@@ -1325,9 +1325,10 @@  static int qtnf_cmd_band_fill_iftype(const u8 *data,
 	struct ieee80211_sband_iftype_data *iftype_data;
 	const struct qlink_tlv_iftype_data *tlv =
 		(const struct qlink_tlv_iftype_data *)data;
-	size_t payload_len = tlv->n_iftype_data * sizeof(*tlv->iftype_data) +
-		sizeof(*tlv) -
-		sizeof(struct qlink_tlv_hdr);
+	size_t payload_len;
+
+	payload_len = struct_size(tlv, iftype_data, tlv->n_iftype_data);
+	payload_len = size_sub(payload_len, sizeof(struct qlink_tlv_hdr));
 
 	if (tlv->hdr.len != cpu_to_le16(payload_len)) {
 		pr_err("bad IFTYPE_DATA TLV len %u\n", tlv->hdr.len);