Dynamic size calculations (especially multiplication) should not be performed in memory allocator function arguments due to the risk of them overflowing. This could lead to values wrapping around and a smaller allocation being made than the caller was expecting. Using those allocations could lead to linear overflows of heap memory and other misbehaviors. To avoid this scenario, use the struct_size helper. Signed-off-by: Len Baker <len.baker@xxxxxxx> --- drivers/net/wireless/intel/ipw2x00/libipw_tx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c index d9baa2fa603b..36d1e6b2568d 100644 --- a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c +++ b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c @@ -179,8 +179,8 @@ static struct libipw_txb *libipw_alloc_txb(int nr_frags, int txb_size, { struct libipw_txb *txb; int i; - txb = kmalloc(sizeof(struct libipw_txb) + (sizeof(u8 *) * nr_frags), - gfp_mask); + + txb = kmalloc(struct_size(txb, fragments, nr_frags), gfp_mask); if (!txb) return NULL; -- 2.25.1