As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded a deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
Cc: Jakub Kicinski <kuba@xxxxxxxxxx>
Cc: Paolo Abeni <pabeni@xxxxxxxxxx>
Cc: Baowen Zheng <baowen.zheng@xxxxxxxxxxxx>
Cc: Eli Cohen <elic@xxxxxxxxxx>
Cc: Louis Peens <louis.peens@xxxxxxxxxxxx>
Cc: Simon Horman <simon.horman@xxxxxxxxxxxx>
Cc: netdev@xxxxxxxxxxxxxxx
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
include/net/flow_offload.h | 4 ++--
net/core/flow_offload.c | 7 ++-----
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h
index 021778a7e1af..ca5db457a0bc 100644
--- a/include/net/flow_offload.h
+++ b/include/net/flow_offload.h
@@ -190,8 +190,8 @@ enum flow_action_hw_stats {
typedef void (*action_destr)(void *priv);
struct flow_action_cookie {
- u32 cookie_len;
- u8 cookie[];
+ DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, cookie_len);
+ DECLARE_FLEX_ARRAY_ELEMENTS(u8, cookie);
};
struct flow_action_cookie *flow_action_cookie_create(void *data,
diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c
index 73f68d4625f3..e23c8d05b828 100644
--- a/net/core/flow_offload.c
+++ b/net/core/flow_offload.c
@@ -199,13 +199,10 @@ struct flow_action_cookie *flow_action_cookie_create(void *data,
unsigned int len,
gfp_t gfp)
{
- struct flow_action_cookie *cookie;
+ struct flow_action_cookie *cookie = NULL;
- cookie = kmalloc(sizeof(*cookie) + len, gfp);
- if (!cookie)
+ if (mem_to_flex_dup(&cookie, data, len, gfp))
return NULL;
- cookie->cookie_len = len;
- memcpy(cookie->cookie, data, len);
return cookie;
}
EXPORT_SYMBOL(flow_action_cookie_create);
--
2.32.0
