As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded a deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.
Cc: Stefan Richter <stefanr@xxxxxxxxxxxxxxxxx>
Cc: linux1394-devel@xxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
drivers/firewire/core-cdev.c | 7 ++-----
include/uapi/linux/firewire-cdev.h | 4 ++--
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index c9fe5903725a..7e884c61e12e 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -913,17 +913,14 @@ static void iso_callback(struct fw_iso_context *context, u32 cycle,
size_t header_length, void *header, void *data)
{
struct client *client = data;
- struct iso_interrupt_event *e;
+ struct iso_interrupt_event *e = NULL;
- e = kmalloc(sizeof(*e) + header_length, GFP_ATOMIC);
- if (e == NULL)
+ if (__mem_to_flex_dup(&e, .interrupt, header, header_length, GFP_ATOMIC))
return;
e->interrupt.type = FW_CDEV_EVENT_ISO_INTERRUPT;
e->interrupt.closure = client->iso_closure;
e->interrupt.cycle = cycle;
- e->interrupt.header_length = header_length;
- memcpy(e->interrupt.header, header, header_length);
queue_event(client, &e->event, &e->interrupt,
sizeof(e->interrupt) + header_length, NULL, 0);
}
diff --git a/include/uapi/linux/firewire-cdev.h b/include/uapi/linux/firewire-cdev.h
index 5effa9832802..22c5f59e9dfa 100644
--- a/include/uapi/linux/firewire-cdev.h
+++ b/include/uapi/linux/firewire-cdev.h
@@ -264,8 +264,8 @@ struct fw_cdev_event_iso_interrupt {
__u64 closure;
__u32 type;
__u32 cycle;
- __u32 header_length;
- __u32 header[0];
+ __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u32, header_length);
+ __DECLARE_FLEX_ARRAY_ELEMENTS(__u32, header);
};
/**
--
2.32.0
