The pattern malloc(size + constant) is dangerous when size can be manipulated by an attacker. In that case 'size' can be manipulated in a way that 'size + constant' is 0 due to integer overflow. The result is a zero sized buffer to which is then data written to. Avoid this by using struct_size() instead. Reported-by: Jonathan Bar Or <jonathanbaror@xxxxxxxxx> Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> --- fs/pstore/fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/pstore/fs.c b/fs/pstore/fs.c index 24b0fa5c9d..706c2d4684 100644 --- a/fs/pstore/fs.c +++ b/fs/pstore/fs.c @@ -62,7 +62,7 @@ int pstore_mkfile(struct pstore_record *record) return -EEXIST; } - private = xzalloc(sizeof(*private) + size); + private = xzalloc(struct_size(private, data, size)); private->type = record->type; private->id = record->id; private->count = record->count; -- 2.39.5
