[2/2,next] wifi: brcmfmac: Use struct_size() in code related to struct brcmf_dload_data_le
Commit Message
Prefer struct_size() over open-coded versions of idiom:
sizeof(struct-with-flex-array) + sizeof(typeof-flex-array-elements) * count
where count is the max number of items the flexible array is supposed to
contain.
In this particular case, in the open-coded version sizeof(typeof-flex-array-elements)
is implicit in _count_ because the type of the flex array data is u8:
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h:941:
941 struct brcmf_dload_data_le {
942 __le16 flag;
943 __le16 dload_type;
944 __le32 len;
945 __le32 crc;
946 u8 data[];
947 };
Link: https://github.com/KSPP/linux/issues/160
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
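The difference between the two idioms, as an added userspace example that is not part of the patch or of the kernel sources: the open-coded sum wraps silently when the count is large, while struct_size() returns SIZE_MAX on overflow so the allocator fails the request. Assumptions: `struct dload_data` is a stand-in for struct brcmf_dload_data_le, `flex_struct_size()` is a hypothetical model of that contract built on the GCC/Clang overflow builtins, and the counts are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-in for struct brcmf_dload_data_le (same field layout,
 * plain fixed-width types instead of the kernel's __le16/__le32/u8). */
struct dload_data {
	uint16_t flag;
	uint16_t dload_type;
	uint32_t len;
	uint32_t crc;
	uint8_t data[];
};

/* Open-coded idiom: header + count elements, wraps silently on overflow. */
static size_t open_coded_size(size_t count)
{
	return sizeof(struct dload_data) + sizeof(uint8_t) * count;
}

/* Hypothetical model of the struct_size() contract: same arithmetic, but
 * any overflow saturates to SIZE_MAX so an allocator rejects the request. */
static size_t flex_struct_size(size_t hdr, size_t elem, size_t count)
{
	size_t bytes;

	if (__builtin_mul_overflow(elem, count, &bytes) ||
	    __builtin_add_overflow(hdr, bytes, &bytes))
		return SIZE_MAX;
	return bytes;
}

int main(void)
{
	size_t hdr = sizeof(struct dload_data);
	size_t huge = SIZE_MAX - 4; /* constructed count near the wrap point */

	/* Ordinary count: both forms agree. */
	printf("count=1024: open=%zu checked=%zu\n", open_coded_size(1024),
	       flex_struct_size(hdr, 1, 1024));
	/* Huge count: the open-coded sum wraps to less than the header size. */
	printf("count=huge: open=%zu checked=%zu\n", open_coded_size(huge),
	       flex_struct_size(hdr, 1, huge));
	return 0;
}
```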
Comments
On Tue, Nov 15, 2022 at 03:55:34PM -0600, Gustavo A. R. Silva wrote:
> Prefer struct_size() over open-coded versions of idiom:
>
> sizeof(struct-with-flex-array) + sizeof(typeof-flex-array-elements) * count
>
> where count is the max number of items the flexible array is supposed to
> contain.
>
> In this particular case, in the open-coded version sizeof(typeof-flex-array-elements)
> is implicit in _count_ because the type of the flex array data is u8:
>
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h:941:
> 941 struct brcmf_dload_data_le {
> 942 __le16 flag;
> 943 __le16 dload_type;
> 944 __le32 len;
> 945 __le32 crc;
> 946 u8 data[];
> 947 };
>
> Link: https://github.com/KSPP/linux/issues/160
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
On 11/16/22 16:23, Kees Cook wrote:
> On Tue, Nov 15, 2022 at 03:55:34PM -0600, Gustavo A. R. Silva wrote:
>> Prefer struct_size() over open-coded versions of idiom:
>>
>> sizeof(struct-with-flex-array) + sizeof(typeof-flex-array-elements) * count
>>
>> where count is the max number of items the flexible array is supposed to
>> contain.
>>
>> In this particular case, in the open-coded version sizeof(typeof-flex-array-elements)
>> is implicit in _count_ because the type of the flex array data is u8:
>>
>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h:941:
>> 941 struct brcmf_dload_data_le {
>> 942 __le16 flag;
>> 943 __le16 dload_type;
>> 944 __le32 len;
>> 945 __le32 crc;
>> 946 u8 data[];
>> 947 };
>>
>> Link: https://github.com/KSPP/linux/issues/160
>> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
>
> Reviewed-by: Kees Cook <keescook@chromium.org>
>
Thanks for the reviews! :)
--
Gustavo
@@ -110,9 +110,9 @@ static int brcmf_c_download(struct brcmf_if *ifp, u16 flag,
dload_buf->dload_type = cpu_to_le16(DL_TYPE_CLM);
dload_buf->len = cpu_to_le32(len);
dload_buf->crc = cpu_to_le32(0);
- len = sizeof(*dload_buf) + len;
- err = brcmf_fil_iovar_data_set(ifp, "clmload", dload_buf, len);
+ err = brcmf_fil_iovar_data_set(ifp, "clmload", dload_buf,
+ struct_size(dload_buf, data, len));
return err;
}
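Review bot: in the brcmf_fil_iovar_data_set() call, struct_size(dload_buf, data, len) yields a size_t that saturates to SIZE_MAX on overflow, so the overflow protection only survives if the callee's length parameter is at least as wide as size_t; if that parameter is a narrower type, the saturated value is truncated when it is passed in. It is worth confirming the prototype, and if it is narrower, checking the computed size against the callee's limit before the call. Minor style point: since len is no longer reassigned, err is only a pass-through here and the function could return the call's result directly.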
@@ -139,7 +139,8 @@ static int brcmf_c_process_clm_blob(struct brcmf_if *ifp)
return 0;
}
- chunk_buf = kzalloc(sizeof(*chunk_buf) + MAX_CHUNK_LEN, GFP_KERNEL);
+ chunk_buf = kzalloc(struct_size(chunk_buf, data, MAX_CHUNK_LEN),
+ GFP_KERNEL);
if (!chunk_buf) {
err = -ENOMEM;
goto done;
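Review bot: in the kzalloc() call the count is MAX_CHUNK_LEN, which by its name is a fixed constant, so struct_size(chunk_buf, data, MAX_CHUNK_LEN) should evaluate to the same byte count as the removed sizeof(*chunk_buf) + MAX_CHUNK_LEN. The commit message does not say whether a functional change is intended; adding a line that this is an idiom conversion with no change in the allocated size would make that explicit for reviewers and backporters.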