On Thu, 2018-08-23 at 20:03 -0700, Kees Cook wrote:
> On Thu, Aug 23, 2018 at 6:15 PM, Gustavo A. R. Silva
> <gustavo@xxxxxxxxxxxxxx> wrote:
> > One of the more common cases of allocation size calculations is finding
> > the size of a structure that has a zero-sized array at the end, along
> > with memory for some number of elements for that array. For example:
> >
> > struct foo {
> >     int stuff;
> >     void *entry[];
> > };

Question for Gustavo.

Did you find any existing instances that are miscalculated?

I believe there are some cases like:

	size = sizeof(struct foo) + count * sizeof(something);
	ptr = kmalloc(size);
	memset(ptr + sizeof(struct foo), 0, size - sizeof(struct foo));

where something could go wrong and not be detected.
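The failure mode the reply is pointing at is arithmetic wrap-around in the size calculation: `count * sizeof(element)` overflows `size_t`, the sum comes out tiny, kmalloc succeeds, and the memset of `size - sizeof(struct foo)` bytes touches nothing, so the undersized buffer is handed back with no error. The following is an added, user-space C example written for this page; it is not code from the thread or from the kernel's struct_size() patch. It keeps the `struct foo` layout quoted above, and the names naive_size(), checked_size() and foo_alloc() are chosen here. The bound check is written out by hand for portability; the kernel's struct_size() reaches the same result through check_mul_overflow()/check_add_overflow().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The struct quoted in the thread: a fixed header followed by a flexible array. */
struct foo {
	int stuff;
	void *entry[];
};

/*
 * The pattern the reply worries about: no overflow check. For a large enough
 * count the multiplication wraps and the result is smaller than the header.
 */
static size_t naive_size(size_t count)
{
	return sizeof(struct foo) + count * sizeof(void *);
}

/*
 * Overflow-checked equivalent of struct_size(). Returns SIZE_MAX (an
 * allocation that can never succeed) instead of a wrapped value, which is
 * also what the kernel helper does on overflow.
 */
static size_t checked_size(size_t count)
{
	/* count * sizeof(void *) must fit, and so must the header on top of it. */
	if (count > (SIZE_MAX - sizeof(struct foo)) / sizeof(void *))
		return SIZE_MAX;
	return sizeof(struct foo) + count * sizeof(void *);
}

/* Allocate a foo with `count` entries, zeroing the array part. NULL on overflow or OOM. */
static struct foo *foo_alloc(size_t count)
{
	size_t size = checked_size(count);
	struct foo *p;

	if (size == SIZE_MAX)
		return NULL;
	p = malloc(size);
	if (!p)
		return NULL;
	p->stuff = 0;
	/* Same shape as the memset in the reply, but size is known not to have wrapped. */
	memset(p->entry, 0, size - offsetof(struct foo, entry));
	return p;
}

int main(void)
{
	/* Smallest count whose byte size is exactly 2^N: count * sizeof(void *) wraps to 0. */
	size_t huge = SIZE_MAX / sizeof(void *) + 1;

	printf("naive_size(%zu)   = %zu (header is %zu bytes)\n",
	       huge, naive_size(huge), sizeof(struct foo));
	printf("checked_size(%zu) = %zu (SIZE_MAX is %zu)\n",
	       huge, checked_size(huge), (size_t)SIZE_MAX);
	printf("foo_alloc(%zu) -> %s\n", huge, foo_alloc(huge) ? "buffer" : "NULL");

	struct foo *f = foo_alloc(4);
	printf("foo_alloc(4) -> %s, entry[3] = %p\n", f ? "buffer" : "NULL",
	       f ? f->entry[3] : NULL);
	free(f);
	return 0;
}
```

With the wrapping count, naive_size() returns exactly sizeof(struct foo): the product is 0 modulo 2^N, so the caller would get a header-sized buffer and then index `count` entries into it. checked_size() refuses the same input, and foo_alloc() turns that into a NULL return rather than a silent undersized allocation.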