Dynamic size calculations (especially multiplication) should not be
performed in memory allocator function arguments due to the risk of them
overflowing. This could lead to values wrapping around and a smaller
allocation being made than the caller was expecting. Using those
allocations could lead to linear overflows of heap memory and other
misbehaviors.
To avoid this scenario, use the struct_size helper.
Signed-off-by: Len Baker <len.baker@gmx.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210717142513.5411-1-len.baker@gmx.com
{
struct libipw_txb *txb;
int i;
- txb = kmalloc(sizeof(struct libipw_txb) + (sizeof(u8 *) * nr_frags),
- gfp_mask);
+
+ txb = kmalloc(struct_size(txb, fragments, nr_frags), gfp_mask);
if (!txb)
return NULL;