Dynamic size calculations (especially multiplication) should not be
performed in memory allocator function arguments due to the risk of them
overflowing. This could lead to values wrapping around and a smaller
allocation being made than the caller was expecting. Using those
allocations could lead to linear overflows of heap memory and other
misbehaviors.
To avoid this scenario, use the struct_size helper.
Signed-off-by: Len Baker <len.baker@xxxxxxx>
---
drivers/net/wireless/intel/ipw2x00/libipw_tx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
index d9baa2fa603b..36d1e6b2568d 100644
--- a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
+++ b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
@@ -179,8 +179,8 @@ static struct libipw_txb *libipw_alloc_txb(int nr_frags, int txb_size,
{
struct libipw_txb *txb;
int i;
- txb = kmalloc(sizeof(struct libipw_txb) + (sizeof(u8 *) * nr_frags),
- gfp_mask);
+
+ txb = kmalloc(struct_size(txb, fragments, nr_frags), gfp_mask);
if (!txb)
return NULL;
--
2.25.1
