This series fixes a few wireless drivers to use struct_size rather than open coding some equivalent checks. This ensures that these size calculations will not overflow but instead be bounded at SIZE_MAX. In the first case, the code is first converted to a flexible array, which saves a few bytes of memory in addition to the fix with struct_size. These were caught with a coccinelle patch I recently posted at [1]. [1]: https://lore.kernel.org/all/20230227202428.3657443-1-jacob.e.keller@xxxxxxxxx/ Cc: Johannes Berg <johannes@xxxxxxxxxxxxxxxx> Cc: linux-wireless@xxxxxxxxxxxxxxx Jacob Keller (3): wifi: ipw2x00: convert ipw_fw_error->elem to flexible array[] wifi: cfg80211: use struct_size and size_sub for payload length wifi: nl80211: convert cfg80211_scan_request allocation to *_size macros drivers/net/wireless/intel/ipw2x00/ipw2200.c | 7 +++-- drivers/net/wireless/intel/ipw2x00/ipw2200.h | 3 +-- .../net/wireless/quantenna/qtnfmac/commands.c | 7 ++--- net/wireless/nl80211.c | 26 ++++++++++--------- 4 files changed, 22 insertions(+), 21 deletions(-) -- 2.39.1.405.gd4c25cc71f83
