On Mon, May 13, 2024 at 07:12:57PM +0200, Erick Archer wrote:
> Hi Kees, Jiri and Luiz,
> First of all, thanks for the reviews.
>
> On Mon, May 13, 2024 at 12:29:04PM -0400, Luiz Augusto von Dentz wrote:
> > Hi Jiri, Eric,
> >
> > On Mon, May 13, 2024 at 1:07 AM Jiri Slaby <jirislaby@xxxxxxxxxx> wrote:
> > >
> > > On 12. 05. 24, 13:17, Erick Archer wrote:
> > > > This is an effort to get rid of all multiplications from allocation
> > > > functions in order to prevent integer overflows [1][2].
> > > >
> > > > As the "dl" variable is a pointer to "struct rfcomm_dev_list_req" and
> > > > this structure ends in a flexible array:
> > > ...
> > > > --- a/include/net/bluetooth/rfcomm.h
> > > > +++ b/include/net/bluetooth/rfcomm.h
> > > ...
> > > > @@ -528,12 +527,12 @@ static int rfcomm_get_dev_list(void __user *arg)
> > > > list_for_each_entry(dev, &rfcomm_dev_list, list) {
> > > > if (!tty_port_get(&dev->port))
> > > > continue;
> > > > - (di + n)->id = dev->id;
> > > > - (di + n)->flags = dev->flags;
> > > > - (di + n)->state = dev->dlc->state;
> > > > - (di + n)->channel = dev->channel;
> > > > - bacpy(&(di + n)->src, &dev->src);
> > > > - bacpy(&(di + n)->dst, &dev->dst);
> > > > + di[n].id = dev->id;
> > > > + di[n].flags = dev->flags;
> > > > + di[n].state = dev->dlc->state;
> > > > + di[n].channel = dev->channel;
> > > > + bacpy(&di[n].src, &dev->src);
> > > > + bacpy(&di[n].dst, &dev->dst);
> > >
> > > This does not relate much to "prefer struct_size over open coded
> > > arithmetic". It should have been in a separate patch.
> >
> > +1, please split these changes into its own patch so we can apply it separately.
>
> Ok, no problem. Also, I will simplify the "bacpy" lines with direct
> assignments as Kees suggested:
>
> di[n].src = dev->src;
> di[n].dst = dev->dst;
>
> instead of:
>
> bacpy(&di[n].src, &dev->src);
> bacpy(&di[n].dst, &dev->dst);

I think that's a separate thing and you can leave bacpy() as-is for now.

--
Kees Cook
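
Review bot: in the rfcomm_get_dev_list() hunk quoted above, the switch from (di + n)->field to di[n].field is a notation-only change that does not touch the allocation-size arithmetic the commit message is about, so it should go in its own patch with a message stating that it makes no functional change. The visible context does not show where n is bounded against the number of entries the buffer was sized for; it is worth confirming in the split-out patch that this check is left untouched, since every di[n] store depends on it.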