ipw2x00: Use struct_size helper instead of open-coded arithmetic

Dynamic size calculations (especially multiplication) should not be
performed in memory allocator function arguments due to the risk of them
overflowing. This could lead to values wrapping around and a smaller
allocation being made than the caller was expecting. Using those
allocations could lead to linear overflows of heap memory and other
misbehaviors.

To avoid this scenario, use the struct_size helper.

Signed-off-by: Len Baker <len.baker@gmx.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210717142513.5411-1-len.baker@gmx.com

diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
index d9baa2f..36d1e6b 100644 (file)
--- a/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
+++ b/drivers/net/wireless/intel/ipw2x00/libipw_tx.c
@@ -179,8 +179,8 @@ static struct libipw_txb *libipw_alloc_txb(int nr_frags, int txb_size,
 {
        struct libipw_txb *txb;
        int i;
-       txb = kmalloc(sizeof(struct libipw_txb) + (sizeof(u8 *) * nr_frags),
-                     gfp_mask);
+
+       txb = kmalloc(struct_size(txb, fragments, nr_frags), gfp_mask);
        if (!txb)
                return NULL;